Daiwa Capital Markets Tackles GDPR Using Multi-Layer Encryption Tools

Daiwa Capital Markets is leveraging multi-layer encryption mechanisms to anonymize data to comply with new data protection and cybersecurity laws globally. The investment bank is reviewing the potential of using ARX’s open-source technology to anonymize client data and support various international risk models.

Speaking on the sidelines at the Asia Pacific Financial Information Conference (Apfic) on June 12, Huayi Dong, global head of electronic trading solutions at Daiwa Capital Markets, told WatersTechnology that the bank is looking at using the anonymization tool for various use cases, such as regulatory reporting. One example is the use of ARX’s double-layer encryption system, where the first layer can only be accessed by regulators, who can decrypt the layer using a specialized key.

As financial institutions are having to comply with multi-faceted data privacy and protection laws—most notably the EU’s General Data Protection Regulation (GDPR), which went into effect on May 25, 2018— they need to implement more robust and specialized data governance strategies. While encryption has always been key to the process, firms are now having to experiment with new tools and techniques to better combat information leakage or hacks. 

Dong explains that firms need to understand what data should be anonymized, such as client-identifying data flowing to, from and through their IT systems. The bank’s legal and compliance department works with tech teams to identify what data needs to be encrypted for regulatory purposes, and where they also want to add extra attention. According to Dong, the firm implements a more restrictive internal policy for managing client data and believes that the industry should work towards a common framework for data protection.

“We not only obey [jurisdictional laws], but set ourselves one level higher to say we need a common standard [across the organization],” he adds. “For example, for a country such as South Africa, which doesn’t have very strong personal data protection or cybersecurity rules, we will apply, for example, Japanese cybersecurity rules on top of that so that we have a similar standard.”

Dong believes that the EU’s GDPR is one example of a regulation that is a move in the right direction, but admits that its implementation required major effort and drained resources at banks complying with the rule. As for a true global data security standard, Dong believes we’re still a long way away from something so all-encompassing, as many sovereign nations don’t see eye to eye on data privacy and protection.