The financial world is awash with data. But too few organizations are able to use it effectively. In Bank Director’s 2025 Technology Survey, one-third of US banking leaders cite an inability to harness data as a top technology challenge facing their institution. They run the risk of falling behind their peers. For instance, some 42% of issuers and 26% of acquirers have already saved more than $5m in fraud attempts over the past two years thanks to AI, according to Mastercard, and that can create significant competitive differentiation.
Yet too often, security concerns hold back data utility. With the right shift in perspective, stronger data protection can actually free up data for analytics, AI, and fraud detection — unlocking untold value for financial institutions. The key is choosing the right technology approach to do that in a secure and controlled way.
Keeping It Safe
It’s no surprise that banks want to keep their data under lock and key. Financial services remains the second costliest sector worldwide for data breaches, at an average of $5.6m per incident. According to EU security agency ENISA, regulatory penalties and/or reputational damage are also commonplace following breaches.
Yet data teams are also under growing pressure to do more with the wealth of information at their fingertips. As margins shrink and new competitors emerge, there is an increasing demand to make better data-driven business decisions, reduce fraud losses, improve and personalize services to customers, and explore new income streams through Open Banking opportunities.
This often leads to the worst of both worlds: high-friction access processes that frustrate data teams, while sensitive plaintext data continues to spread silently across the environment.
The Data Supply Chain Challenge
So where does that leave data protection? The truth is that most strategies start with the wrong question: Who should be allowed to access the data? A better question to ask would be: Where should real data values appear across the operating environment?
The ideal answer is: nowhere, except within a few strictly governed, high-trust environments. By adopting this principle, banks can use their data extensively without escalating their risk profile. However, there are caveats: success depends entirely on how the data is protected and where in its lifecycle that protection is applied.
This matters because financial institutions are large enterprises with expansive IT environments. Sensitive data doesn’t live in just one system. It moves through a long operational chain that typically includes:
- Core banking systems
- Integration layers
- Fraud platforms
- Analytics platforms
- Reporting engines
- Partner systems
Each of these stages might involve the processing of the same underlying data. Yet many cybersecurity strategies focus only on protecting the database or data warehouse, rather than the entire data lifecycle. That means clear- text might appear at each stage along this chain — exposing that data to potential breach, leak and compliance risks. It’s a big part of the reason why banks struggle to scale AI and analytics securely.
A Better Approach
A better way of doing this is to protect any sensitive elements before they spread across the wider environment. When protection begins closer to the source, downstream systems don’t inherit the same clear-text exposure risk. That changes the economics of data use. Instead of trying to control exposure separately in every analytics, fraud, reporting, and integration environment, banks can reduce how often sensitive values appear in the clear in the first place.
One effective way to do this is through format-preserving tokenization technology, which replaces sensitive values (like PANs or PII) with non-sensitive “tokens” that preserve usability for many operational and analytical tasks. This is one of the data protection methods available in the comforte TAMUNIO platform. You can see other banking use cases here. Unlike traditional encryption, which "breaks" downstream applications, tokenization preserves data utility and could even reduce the scope of GDPR and PCI DSS 4.0. The technology has powerful advocates: as of June 2025, Mastercard had tokenized half of e-commerce transactions in Europe, with plans to achieve 100% by 2030.
When protected in this way, data flows downstream so that:
- Analytics systems receive usable datasets
- Fraud platforms can still analyze behavioral patterns
- Reporting systems can process transactions
- Integration layers can route and process events
In this scenario, sensitive values only appear in clear- text when strictly required (e.g., for AI model training). In cases where original values must be revealed for tightly defined purposes, that access should happen in controlled environments with clear governance, monitoring, and policy enforcement, such as confidential computing Trusted Execution Environments (TEEs).
What This Means for Data Teams
When sensitive data values are protected at source like this, analytics teams have the freedom to:
- Build models faster without fear of intervention by security/compliance teams
- Analyze larger datasets safely for richer insight
- Avoid manual approvals and data access workarounds
- Work with trusted datasets instead of restricted extracts
- Accelerate AI-driven, safe-by-design growth projects for the business
Data becomes reusable across the organization, reducing costs and empowering teams to add value, without expanding the attack surface or multiplying risk. Banks can run at top speed without inviting the unwanted attention of regulators or threat actors.
