Stories like Jordan Belfort exist beyond the 80s. With the increasingly stringent regulatory requirements to tame the latest wolves of Wall Street, more financial institutes are turning towards proactive monitoring tools to avoid fraud. As big data is becoming a helpful tool to detect and alert potential fraud, the technology is also raising concern over its impact on personal data privacy.
"There is a concern of personal data privacy associated with the rising use of data analytics," said Henry Cheng, information technology advisor at the Office of the Privacy Commissioner for Personal Data (PCPD), Hong Kong. "There are on-going studies and debates over this issue, and we can't pretend to have a single answer for this issue."
Cheng said the gray area lies on the use of data. Hong Kong's Personal Data (Privacy) Ordinance (PDPO) prevents the use of data for a different purpose from the point of its collection. But this is almost against the benefit of big data, which is to analyze massive volume of data from different sources to provide insights that businesses are not aware of. Very often the data being analyzed in this process was collected from different sources and various purposes.
"If the purpose of data use has changed or different from the point it was collected, users of the data are required to seek consent from the related individuals," said Cheng. "But the definition on the change of purpose could be debatable."
"Big data is a great tool to identify a trend and correlate between different incidences," he added. "But it does not provide causation, meaning the identified trend is not an absolute cause."
He said conflict often happens when the definition on change of purpose is unclear and when actions --particularly accusations--are taken based purely on the analysis.
Big data for fraud detection
Financial fraud revealed in recent years --like the Libor scandal in 2012, when traders at major banks in London were manipulating interest rate in order to profit from trade--have brought attention towards traders' behaviors.
More financial institutes are looking to monitor their traders and some are turning towards big data for anti-fraud and anti-corruption. According to Chris Fordham, managing partner of Fraud Investigation & Dispute Services (FIDS) at EY, enterprises can now use forensic data analytics to proactively monitor business to help detect potential instances of fraud and mitigate risk.
One of the firm's suites of services is called "know your trader," using big data analytics technologies, including in-memory database and Hadoop, said Jack Jia, director of FIDS at EY. Jia said the software benchmarks a list of structured and unstructured data --including currency exchange rates, interest rate, transactional pricing, key words within email or the messaging system at the trading platforms--to identify high risk traders and potential risk.
"We first develop this set of analytic tools for investigating the Libor scandal," he said. "It is now become a service that allows securities houses to proactively monitor and detect any potential fraud."
Fraud detection VS privacy invasion
To comply with privacy requirements, Fordham said employees of their clients are notified with the installation of such monitoring tools. Although the notification may encourage the fraudster to perform their deeds via different channels, Cheng from PCPD said transparency and disclosure are the rules of thumb for privacy protection.
Fordham added the identification from this analysis serves only as the beginning of the investigation process, further questionings and other investigations often taken place before any conclusions are made.
Jia added that the analytical tool goes beyond monitoring. It also changes the culture and behavior among employees. "Traders are more aware of their processes to ensure they comply with regulatory requirements," he added.
In addition, the service may involve the analytics of their client's customers' data. To ensure these customers' privacy is protected, Jia said their identity and personal information are encrypted and only relevant transactional data will be used for analysis.
EY's FIDS team has also set up physical facilities, which is separate from EY's internal data center, to process and analyze clients' data. Jia said the company has 12 labs in Asia Pacific to process customer's data.
"These labs are physically restricted, only the relevant project members are allowed to access," said he said. "After entering the lab, they also need to log into the system to access the results and information."
Available worldwide for about three years, Jia said there is currently one Asia Pacific customer in Singapore adopting this service. He added similar service is being extended to some insurance companies to monitor and detect insurance agents for developing fake products or manipulating the commission system.
Privacy Management Program (PMP)
To help organizations in Hong Kong to navigate the privacy landmine, PCPD released a best practice guide for the Privacy Management Program (PMP) last month. The guide provides insights and guidelines of developing a PMP--a strategic framework to protect personal data privacy--within the company.
The concept of PMP was initiated by the Organization for Economic Co-operation and Development (OECD) back in the 1980s. According to Cheng PMP is a governance model and organizations that pledged to implement PMP should designate a team or a person to take responsibility of the organization's privacy policies by developing guidelines, training, risk assessment and process of handling incidence on breach of privacy.
All Hong Kong government departments and bureaus together with more than 39 organizations from the insurance, telecommunications and other industries last month pledged to implement PMP.
"IT security often plays a role in privacy policy, thus IT-related personnel could be assigned to implement PMP," said Cheng. "But this is not necessary or ideal, particularly when this role is conveniently thrown to IT."
He said it is a multi-disciplinary role, in which the person should understands the local privacy law, with knowledge over IT and how data is being analyzed and recognize business priorities and processes.
"With the knowledge of data processing and analytics, IT professionals do have the potential to take up the role implementing PMP. But only if they are able to widen their scope of knowhow to include both legal and business," he concluded.