A Private Data Exchange for Risk Analytics

The virtue of analytics is its efficiency. It matches up buyer preferences with seller production.

It enables a dozen brands of spaghetti to appear on your grocer’s shelf: thick vs. thin, Sicilian vs. Napolitano, elegant vs. budget, regular vs. organic, generic vs. your Italian Grandma’s authentic style.

But the soggy noodle of analytics is privacy. It doesn’t matter to me if my local grocer takes note of the spaghetti brand I buy, but I flinch at the thought that my ISP or service provider is scanning my personal emails.

I’m not the only one who’s leery of the privacy-negligent way a lot of analytics data is managed. My hunch is the lack of a rock-solid privacy framework is holding analytics back. Consider data monetization. Using real-time telco data to entice people to visit a particular retail store in a mall: why that’s a multi-billion dollar idea. So why hasn’t it taken off? Well, I think the fear of major privacy breaches is a key reason.

Freeing analytics from this privacy strait-jacket is what XOR Data Exchange (Austin, Texas) is all about. XOR has conceived an ingenious privacy and analytics framework that allows telecoms, banks, and money lenders to expand their trading of fraud, credit risk and other data with each other in complete confidence and control.

Here to explain it all is XOR’s Business Leader, Michelle Wheeler, a 25-year veteran of telecom and financial fraud management and the inventor/product manager of the former Lightbridge’s telecom fraud control service, Fraud Centurion, a leading solution serving the US mobile industry in the 1990s.

Hearing what Michelle had to say got my mind spinning about potential use cases across the board in analytics.

Dan Baker: Michelle, can you first explain the genesis of XOR? How did you get this idea started in the first place?

Michelle Wheeler: Absolutely, Dan. Actually three of us with a lot of combined experience in credit and fraud management started XOR Data Exchange in early 2014. There’s myself and Mike Cook, our CEO, who co-founded ID Analytics. And the third founder is Brian Ketelsen, our CIO and analytics guru.

Ever since I started working for Mike 15 years ago, he’s talked about changing the model on how data is shared between companies.

Here’s the issue. Any time a company — banks, telecoms, lenders, etc. — works with a credit bureau, it loses control of its own data. Sure, the bureau provides credit reports and some fraud checks. The trouble is the credit bureau ends up using the data for purposes way beyond what it was originally intended. For instance, the credit bureaus use your data for marketing lists and collections purposes.

In the end, you have no idea how your data is being used, who’s using it, and how often. And if you ever wanted to pull your data back in-house, well, that can’t be done.

So what we aim to do at XOR Data Exchange is to turn this problem on its ear.

The concept is very simple. We set ourselves up to be a facilitator and trusted analytics engine for individual companies who want to share their data. And we do this without ever compromising the privacy of their data. All the data we “house” on our servers comes to us totally encrypted. Plus the data is only used for purposes that each exchange “member” specifically approves.

In fact, the member companies go into the system and say, “Here are the permissions for the use of my data” and the data cannot be used for any other purpose.

The exchange is also “transparent”. And by that I mean, any time their data is accessed or used for any purpose at all, the member gets a notice saying, “Your data was just used by X industry for this purpose at this time.”

OK, I get the privacy and permissions aspect of the Data Exchange, but what’s the business benefit of setting up this exchange?

Dan, the actual use of the exchange is for the members to decide for themselves. This is not like a traditional software product: we rely on the members to decide what exchange mechanisms get built.

Now, given our background in the credit risk industry, we certainly have some solid ideas on how our members can exchange things. But we really don’t have a product to sell per se. We are facilitators of our members trading with each other.

But working with members as a facilitator puts in an ideal position. For example, the communications industry does not report to the credit bureaus. But they will report to us because we allow the telecoms to retain control of their data.

Now the financial services industry is very interested in gaining access to telecom data because they don’t have access to it today. So that’s where we facilitate the conversation. For instance, we contacted the financial services guys and said, “Listen, the communications industry is going to report to us the performance of their customer base, are you interested in obtaining that?” And they say, “Absolutely.” And so we asked, “What can we give them in exchange?” And they said, “Well, we’ll give them our self-reported income data.”

To get conversations like that going, we host cross-industry sessions twice a year to get everybody in the room together. And they talk about what data they want, how they would like to work together, and in our last meeting we had 16 people from on-line lending, communications, financial services, credit card, and banking.

And at the dinner the night before, we were sitting around the dinner table and somebody from the satellite company said, for example, “Hey, Ms. Credit Card, can I try your sprouts?” And Ms. Credit Card said, “Well, unfortunately I don’t have enough sprouts, but Mr. On-line Lender next to me does, so maybe if I give him some of my steak, he will be happy to give you some of his sprouts. And I’d sure be grateful if you would let me try some of your mashed potatoes.”

And that’s how it works :-) We take the data, and based on what our exchange members ask us to build — what business problem they ask us to solve — we go to work and solve it.


Michelle, I noticed a recent press release of yours announcing your first major exchange is in the small business risk area. What’s that about?

Dan, small business fraud and credit risk assessment is a gaping hole in the market and it’s critical that telcos and financial services firms get better intelligence. It’s really one of the hottest issues around. The problem is that traditional business research firms — like Dun & Bradstreet (D&B) — don’t collect much information on small businesses.

Let me illustrate the problem using a telecom example. The credit extended to a household consumer of telecom is relatively limited. Even if a consumer has a good credit rating, a telecom is generally not going to allow more than five mobile or fixed phones on their account.

But if a fraudster represents herself as a small business, it’s much easier for her to get approval for a combination of maybe 15 mobile phones and fixed lines. So as a communications provider, my exposure is much bigger when I serve small business.

So the fraudster calls up to say, “I’m Michelle Wheeler Inc… I have five employees and I am growing rapidly so I want to have 15 lines provisioned”, and I’ll probably get that approved because you will not find any negative history available about me.

So this is a glaring problem in the credit risk system today and solving it will help any industry who gives credit to small business.

Now we also pull in data from geo-location databases. So if somebody is applying for service and claim they are a small business but the location says it’s a residential apartment building, then it’s probably a fraud.

Social media is another out-of-the-ordinary data source. If the small business doesn’t have a presence on LinkedIn, it’s probably not valid. And someday soon we hope to expand the small business risk exchange to something similar on the consumer side.

What does the member receive when they obtain data from the exchange?

We take the data provided by the exchange members and do statistical modeling on it. What we return back is a probability score and attributes that indicate what it is we found about that consumer or small business. So a comms provider will incorporate that into their decision processing.

They take that information and because it’s FCRA compliant, if the data is sufficient, they can confidently say: “This guy is a high fraud risk, so I’m going to decline him right now”, or they can dip into another source of data as well.

And how do you guarantee that the exchange member’s data is not compromised?

Here’s the thing, Dan. When the data is in production, nobody ever sees it. When the application comes over to us from the member, it comes over encrypted. And as we analyze the data, it remains encrypted all the time, yet the engine knows how to handle and match up the encrypted data into the system.

When the data goes back over to the exchange member the data gets de-encrypted on their end, but no personally identifiable information is sent back, only the final probability scores and some attributes. XOR’s attributes provide details about the matching in the exchange. For example, an attribute may be “multiple identities associated with this email address” or “business is located at a residential address”.

So this is a big reason our exchange members trust us: there’s no way for us to fake it. They set the permissions themselves and we are merely hosting the encrypted exchanges and creating the analytics and thinking about how to use that data, but we don’t touch the data itself.

Finally, this is a shot across the bow of the credit bureaus. Can’t they steal your thunder and develop exchanges of their own?

We will certainly be cheaper than the credit bureaus because we do not have the overhead those firms have. We are ten or eleven people and we have brilliant technologists who know how to partition things so we don’t need hundreds of systems to run individual exchanges.

The biggest obstacle for the bureaus getting into the exchange game is it’s hard for them to change their business model. If they were to do something like this, they’d lose a big chunk of the revenue they get reselling other people’s data for marketing purposes. And to incorporate permissions and transparency would require a complete redesign of their systems.

And remember, our model is not about replicating what the credit bureaus offer. The exchange allows our members to greatly expand the number of information exchanges that are out there. These exchanges would never see the light of day in credit bureaus because the lack of trust over data confidentiality issues prevents those use cases from being born.

Finally I think our focused approach will be faster to get new solutions in place. We are better adapted to solving these individual problems. And frankly we’re more fun.

Michelle, hearing your enthusiasm over the phone certainly conveys you’re having fun. Good luck with the roll out.

This interview was originally published by Black Swan. It has been reproduced with their permission.

Dan Baker
Dan Baker
Dan is a founder of the Technology Research Institute (TRI), which has published studies about the telecom software market since 1994.

As a journalist, Dan wrote for B/OSS magazine and recorded webinars with VanillaPlus before launching his own publication, Black Swan Telecom Journal.