Co-authored by Maurizio Cuna
The digitization of financial services has exponentially increased the volume and value of customer data held by banks. Enabled by various Open Banking initiatives globally, there is an increasing need to establish trust between the parties in the financial services ecosystem that share this data, and to protect it from misuse by malicious actors.
The stakes are high: a breach of sensitive personally identifiable information susceptible to identity theft – such as passports, licences and government identifiers – would create a risk of significant financial penalties and extensive brand damage for institutions. Banks are looking to step up their data protection and cyber capabilities to meet the ongoing threats.
Here we explore one of the more interesting solutions emerging, known as Zero-Knowledge Proof (“ZKP”). ZKP may offer a way to validate customer information without having to expose the personal information itself, potentially alleviating the need for the bank to store such sensitive data.
What is a Zero-Knowledge Proof?
A ZKP is a cryptographic algorithm used to “prove the validity of a statement, without revealing the statement itself”. Extending this, a Zero-Knowledge Protocol is a method by which one party can show to another party that something is true without revealing any information, apart from the fact that the statement is true.
A ZKP involves two parties: a “Prover” (e.g. a customer) who is looking to prove a statement to a “Verifier” (e.g. a bank). There are generally two classifications of ZKPs:
- Interactive proofs – The verifier asks the prover to respond to a series of challenges, each answer confirming that the prover holds the secret information without revealing the secret itself. Given the repeated interactions needed to “prove” a statement, these would be unsuitable at scale for use within financial services;
- Non-interactive proofs (such as ZK-SNARK) – These require only one round of interaction, through the use of a shared cryptographic key. The prover sends a single proof, generated by a cryptographic algorithm, that lets the verifier confirm the statement is true, again without the secret information itself being revealed.
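The two classifications above can be seen side by side in a small worked example. The code below is added here for illustration and is not code from the article or from any institution named in it. It implements a Schnorr proof of knowledge of a discrete logarithm, a simpler cousin of the schemes discussed: the prover holds a secret x (standing in for the customer's sensitive value) and the verifier holds only the public y = g^x (what the bank has on file). It runs first as the three-message interactive protocol, then as a single-message proof using the Fiat-Shamir transform (the challenge is derived by hashing the transcript), which is a different non-interactive construction from the SNARKs mentioned above. The group parameters, function names and sample secret are all constructed for the example and are far too small for real use.

```python
"""Schnorr proof of knowledge of a discrete logarithm, run first as the
interactive protocol and then as a single-message proof via the Fiat-Shamir
transform.  Example code added for illustration; not code from any project
named in the article.  Group parameters below are constructed here and are
far too small for real use."""
import hashlib
import secrets
from math import gcd

# q = 2^127 - 1 (a Mersenne prime) gives the proof its prime-order subgroup.
Q = 2**127 - 1


def _find_p(q):
    """Smallest prime p = 2*k*q + 1.  Pocklington's criterion is the primality
    proof: because q > sqrt(p), p is prime as soon as some base a satisfies
    a^(p-1) == 1 (mod p) and gcd(a^((p-1)/q) - 1, p) == 1."""
    k = 1
    while True:
        p = 2 * k * q + 1
        for a in (2, 3, 5, 7, 11, 13):
            if pow(a, p - 1, p) == 1 and gcd(pow(a, 2 * k, p) - 1, p) == 1:
                return p
        k += 1


def _find_generator(p, q):
    """Any b^((p-1)/q) != 1 has order exactly q, so it generates the subgroup."""
    for b in range(2, 100):
        h = pow(b, (p - 1) // q, p)
        if h != 1:
            return h
    raise RuntimeError("no generator found")


P = _find_p(Q)
G = _find_generator(P, Q)
_NBYTES = (P.bit_length() + 7) // 8


# ---- Interactive form: three messages, the verifier supplies the challenge ----
def prover_commit(rng=secrets.randbelow):
    """Prover: fresh random nonce r, send t = g^r.  r masks x in the response."""
    r = rng(Q - 1) + 1
    return r, pow(G, r, P)

def verifier_challenge(rng=secrets.randbelow):
    """Verifier: random challenge c, chosen only after t has been received."""
    return rng(Q)

def prover_respond(x, r, c):
    """Prover: s = r + c*x mod q.  x itself never leaves the prover."""
    return (r + c * x) % Q

def verifier_check(y, t, c, s):
    """Verifier: accept iff g^s == t * y^c (mod p), after range and subgroup
    checks so that malformed values are rejected outright."""
    if not (1 <= t < P and 0 <= s < Q and 1 <= y < P and pow(y, Q, P) == 1):
        return False
    return pow(G, s, P) == (t * pow(y, c, P)) % P


# ---- Non-interactive form: the challenge is a hash of the transcript ----
def _fiat_shamir_challenge(y, t):
    """Bind the challenge to (g, y, t) so t cannot be chosen after c is known."""
    data = b"".join(v.to_bytes(_NBYTES, "big") for v in (G, y, t))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove_noninteractive(x, rng=secrets.randbelow):
    """One message (t, s) proving knowledge of x for y = g^x."""
    y = pow(G, x, P)
    r, t = prover_commit(rng)
    return t, prover_respond(x, r, _fiat_shamir_challenge(y, t))

def verify_noninteractive(y, proof):
    t, s = proof
    return verifier_check(y, t, _fiat_shamir_challenge(y, t), s)

def simulate_transcript(y, rng=secrets.randbelow):
    """Accepting (t, c, s) for y built WITHOUT x, by fixing c and s first and
    solving for t.  This is the zero-knowledge argument: transcripts can be
    produced from public data alone, so seeing one reveals nothing about x.
    It also shows why the live protocol must fix t before c is chosen."""
    c, s = rng(Q), rng(Q)
    t = (pow(G, s, P) * pow(y, (Q - c) % Q, P)) % P   # y^(-c), since y^q = 1
    return t, c, s


if __name__ == "__main__":
    x = secrets.randbelow(Q - 1) + 1   # the customer's secret, never sent
    y = pow(G, x, P)                   # the public value the bank holds
    r, t = prover_commit()
    c = verifier_challenge()
    print("interactive, honest prover:", verifier_check(y, t, c, prover_respond(x, r, c)))
    print("non-interactive, honest prover:", verify_noninteractive(y, prove_noninteractive(x)))
    print("non-interactive, wrong secret:", verify_noninteractive(y, prove_noninteractive(x + 1)))
```

Two points for a bank-side verifier stand out from the code. First, `verifier_check` validates the ranges of `t` and `s` and that `y` lies in the prime-order subgroup before doing any arithmetic; skipping such checks is a common source of real-world verifier bugs. Second, `simulate_transcript` shows why the interactive protocol must make the prover commit to `t` before the challenge is issued, and why the Fiat-Shamir hash must include `y` and `t`: if the challenge could be fixed first, a transcript could be produced without the secret. That same property is what makes the proof zero-knowledge, since a transcript the verifier sees is indistinguishable from one anybody could have simulated.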
Possible Applications in Financial Services?
The phrase “Trust, but Verify”, widely attributed to US President Ronald Reagan – and originating from the Russian proverb “Doveryay, no proveryay” – is often used as a mantra within financial services. Customer relationships are built on trust but require verification of the stated facts.
There are many instances within financial services where a bank is required to verify data from a customer:
- Onboarding, where a customer must provide identification documents to “prove” their identity to the bank in order to open an account
- A loan application requiring the customer to prove their income is of a sufficient amount
- An investment account may require the customer to prove their tax status
Traditionally, the bank (the “verifier”) will not simply take the customer’s word for this but will ask the customer to provide supporting verification documents (identification, tax returns etc.). ZKP may offer a way for banks to cryptographically verify that these details are true and valid without the customer revealing any sensitive personal information in the process.
Where are ZKPs being used today?
In traditional financial services institutions, ZKP remains confined to the innovation labs, with limited understanding largely due to its complex cryptographic nature. However, some industry experimentation has taken place, focused largely on protecting sensitive customer data or creating trust between digital ecosystems.
In one example, ING, the global Dutch bank, developed a “zero-knowledge range proof” that lets a secret value held within a blockchain be validated as lying within a numerical range – useful, for instance, for confirming that a mortgage applicant’s income falls within a range without revealing the actual income amount. ING also developed “Zero-Knowledge Set Membership”, which extends these capabilities beyond numerical ranges, for example establishing that a customer is a citizen of a particular country without revealing their address.
BBVA’s New Digital Business is also experimenting with use cases in identity, access and payments that utilize ZKP to provide privacy within digital environments. What if there were a way to identify a customer securely that does not require trust in a third party?
Current real-world applications for ZKP are largely the realm of cryptocurrencies and decentralized finance protocols. One of the more controversial applications of ZKP is to enable anonymized payments, such as the recently blacklisted crypto “tumbler” Tornado Cash where ZKP is used to mask the source and identity of payments.
What are the challenges?
The path to widespread commercialized use of ZKP within financial services faces several technical and regulatory challenges.
- Cost: The computational power required to validate a zero-knowledge proof is prohibitive for deployment at scale. In addition to hardware costs, on the Ethereum blockchain network the cost of verification is quantifiable as the gas fee (transaction cost) paid to verify the proof on the network.
- Regulation: Regulation currently sets the minimum standards for identification in financial services to comply with the various KYC and AML regulations across the globe. The financial system is only as strong as its weakest regulatory link. Although jurisdictions may have differing requirements, cooperation across boundaries would be required to align on the appropriateness of ZKP for validating identification outside of today’s generally accepted standards.
- Trust: As with many blockchain-based innovations, building confidence in the new technology will be an important process, not just with institutions and regulators but also among customers. This covers both the integrity of the technology itself and confidence in how it is used.
- Threats: ZKP employs cryptographic algorithms that are considered secure against today’s computing power. Advances in the realm of quantum computing may threaten the security of a zero-knowledge proof and so undermine its trustworthiness, should there not be an equivalent improvement in the security of the network.
In the wake of ongoing data hacks and leaks of customer data, consumers are continually looking for ways to protect their identity when interacting with banks. Additionally, as our consumption of, and interactions with, financial services become increasingly digital, there is tension between customers wanting to keep their data private and that data being essential for access to financial systems in an increasingly “open” dynamic.
We expect experimentation with real-world applications for ZKP to continue at an increasing pace. Combined with various global initiatives to create a digitally native form of identification, ZKP may offer a digitally native mechanism to create trust between such parties without the need to expose personal information.
Principal Consultant, Infosys Consulting
Steven joined Infosys Consulting in 2021 as part of our Financial Services practice in the Asia Pacific region. He brings 14 years of experience both as a banker and as a consultant, with a focus on commercial banking and payments. Steven is passionate about shaping the future of financial institutions through his delivery of management consulting services and executing strategic projects. He is currently completing his MBA with Australian Graduate School of Management in Sydney.
Maurizio joined Infosys Consulting in 2016 as one of the senior leaders within our Financial Services practice in APAC. Over the last 15 years, Maurizio has worked in Europe, America, Asia, and Australia where he has successfully advised banking and insurance institutions on how to strategize, build, transform and orchestrate their business and technology capabilities. At Infosys Consulting, his key responsibilities include providing management consulting leadership capabilities to a number of financial services and insurance clients in the region, in key areas such as core banking, core insurance, digital transformation, operating model design, AI-led data analytics. He is also the consulting leader and representative for Infosys' award-winning corporate social responsibility program, aiming to contribute to education for our youth and support for the disadvantaged. Maurizio holds a bachelor’s and a master’s degree in Computer Science and Engineering from the prestigious University of Padova in Italy.