DPFedBank: Crafting a Privacy-Preserving Federated Learning Framework for Financial Institutions with Policy Pillars

Among various privacy-preserving techniques, Federated Learning (FL) has emerged as a potential solution for secure collaborative modeling in finance. FL allows multiple institutions to train a shared model without requiring the transfer of raw data to a central server. By enabling data holders to contribute to model development while keeping their data local, FL reduces privacy risks, making it suitable for sectors like finance where data confidentiality is critical [1]. The DPFedBank framework extends this capability by incorporating LDP mechanisms tailored for financial data, ensuring that privacy is maintained even during collaborative processes.

FL aims to achieve core privacy objectives such as decentralized data storage, secure data communication, and data confidentiality. In a federated learning system, each financial institution acts as an independent worker, analogous to a distributed computing environment with enhanced privacy protections. Through encrypted communication between the central server and participating institutions, machine learning can be conducted without exposing sensitive records [2]. However, despite its advantages, FL still encounters specific challenges in practical applications.

A major challenge in applying FL to financial institutions is balancing privacy, performance, and regulatory compliance. While encryption-based methods provide robust privacy, they can introduce computational inefficiencies, increasing latency. To mitigate this, techniques like differential privacy (DP) have been employed, where noise is introduced at the client level before model updates. The NbAFL method proposed by Wei et al. [3] demonstrates the benefits of client-side noise addition for protecting privacy while maintaining model accuracy. This approach is particularly beneficial for financial institutions with diverse data distributions.

However, DP presents fairness concerns as privacy guarantees may vary for clients with unique or rare data characteristics. Clients with such data may receive weaker privacy protection, raising ethical and regulatory issues regarding equal privacy guarantees across the system.

The federated learning process in financial institutions exposes several vulnerabilities across different stages, including client selection, global model distribution, local training, aggregation, and model updates [4]. These vulnerabilities can compromise privacy and integrity if not addressed adequately:

1) Malicious Clients: Financial institutions could encounter clients that intentionally modify model parameters or introduce misleading updates, thereby degrading the global model’s quality or extracting sensitive information from other participants.

2) Aggregator Threats: If an adversary gains control of the aggregation role, they could manipulate or selectively ignore updates from legitimate institutions, resulting in a biased or corrupted global model.

3) Compromised Server: A compromised central server could interfere with model updates or perform unauthorized data analysis, potentially violating data protection regulations.

4) External Adversaries: External threats, such as cyberattacks on communication channels, could expose sensitive financial data during transmission or alter the model updates.

To address these vulnerabilities, the DPFedBank framework adopts a holistic and policy-driven approach that includes multiple security layers and privacy-enhancing techniques. The policy pillars within DPFedBank focus on protecting data confidentiality, model integrity, and regulatory compliance across all stages of federated learning [5]. These pillars encompass strategies for securing client interactions, server operations, output models, and stakeholder responsibilities, ensuring that privacy is preserved throughout the federated learning process.

This paper introduces DPFedBank, a policy-driven federated learning framework that enhances privacy protection in financial institutions through tailored privacy-preserving techniques. By addressing critical vulnerabilities and integrating adaptive LDP mechanisms, DPFedBank ensures a balance between data privacy, model utility, and regulatory requirements. The proposed framework includes advanced security measures such as cryptographic protocols, secure data exchange, and continuous monitoring to detect and respond to threats in real-time. Our evaluations demonstrate that DPFedBank significantly improves the resilience of federated learning in the financial sector, fostering more secure and effective collaboration among financial institutions.

Federated learning is a decentralized machine learning technique that trains a model across multiple devices by sending data to a central server. The architecture of this system has every device processes its local data to then update based on that date. Afterwards, this is aggregated by a central server to enhance the performance of the globally shared model. This differs from traditional centralized machine learning which stores and collects data in one location. With this difference federated learning inherently maintains user privacy, by storing data locally, while allowing collaborative model development [6]. Differential privacy can be used to further preserve user privacy by introducing statistical noise into an individual model before transmission to the server. This then enhances an individual’s privacy because changes cannot be linked to any particular individual’s data, allowing for accurate global model training while still offering a mathematical guarantee of privacy. [7] Additionally, the field has be been improve on this model to protect individual privacy. A recent implementation of differential privacy provides a privacy budget in order to regulate the amount of information that can be disclosed about any individual within a datase[8]t. This regulation is place to enforce strict data access to protect individual privacy.

By combining federated learning and differential privacy a framework for preserving user privacy in machine learning starts to form, which can be crucial in domains like healthcare and finance.This allows organizations to leverage machine learning without jeopardizing individual privacy by limiting the centralization of raw data and implementing these privacy-preserving methods for model changes. Additionally, this strategy aligns with current data privacy laws like GDPR and HIPAA, which place a strong emphasis on limiting data exposure and giving individuals control over their personal data.

While implementing differential privacy in federated learning represents a significant advancement, it still presents challenges that should be addressed. In federated learning the effectiveness of communication is a challenge; updating the model often from several devices can be resource-intensive.This can be strenuous for mobile devices with constrained bandwidth and battery life[9]. Additionally, heterogeneous data can impact the model performance, the non-IID (Independent and Identically Distributed) distribution of data across devices might make model training more challenging. Since the variability of the data is necessary to ensure a mathematical guarantee of privacy the aggregated model must function well even with variations in the local data distributions[10]. Another challenge for these systems is model security, federated learning systems can be targeted for attacks like inference attacks and model poisoning. In an inference attack is when attackers analyze the machine learning model’s outputs or parameters, to retrieve private information about specific individuals. Model Poisoning is an attack where attackers purposefully provide misleading data into the training process of a machine learning model. This allows attackers to degrade the integrity of the model by changing the training data or model updates. Which can be used to control the model’s behavior, reduce performance, or provide biased outputs[11]. These attacks have the ability to compromise user privacy by disclosing information about the training data even within federated learning systems that implement differential privacy.

Protecting personal information from unauthorized access, misuse, or disclosure is referred to as data privacy. This concept is crucial, as any weaknesses in these protections can lead to harm to individuals[12]. Privacy policies help dictate how organizations uphold data privacy based on rules to gather, store, and use personal data. These policies aid in setting standards for protecting user’s rights when organizations are handling user data.

A prominent example of one of the data privacy enhancing policies is through regulations that are set in the European Union’s General Data Protection Regulation (GDPR). This piece of policy sets rules for user data protection for organizations . The GDPR mandates that companies must receive users’ explicit consent before processing their personal data and then explain to them how their data will be used [13]. This law provides privacy safeguards and makes organizations responsible for their data practices. Solove has shown that these legal frameworks are necessary to manage the intricacies of data privacy[14]. In the changing digital environment, we need strong regulations that put user rights and data security first even with evolving technologies.

To complement privacy laws like the GDPR, technical frameworks like IBM’s Federated Learning aim to provide privacy-enhancing strategies to safeguard sensitive data in systems that utilize federated learning. IBM’s Federated Learning employs secure multiparty computation (SMC) and differential privacy to improve privacy in federated learning systems through a hybrid approach. SMC employs encrypted communication between users, this prevents raw data from being exposed during training. Differential privacy guarantees that individual data points cannot be identified by introducing noise into the model updates. By implementing these two strategies they can reduce the risk of data inference attacks while maintaining the functionality of the trained models [15].This hybrid model shows how technical advancements can support privacy laws such as GDPR to offer privacy protections for sensitive information.

In the rapidly evolving landscape of financial technology, the DPFedBank framework emerges as a pivotal solution for enabling secure and privacy-preserving collaborative machine learning among financial institutions. At the heart of the DPFedBank framework lie several critical assets, including sensitive financial data, global model parameters $\theta_{g}$, and locally perturbed model updates $\tilde{\theta}_{n}$ transmitted from clients to the aggregator. These assets are highly attractive targets for various threat actors, including malicious clients, honest-but-curious servers, external adversaries, and insider threats. Malicious clients may attempt to manipulate the federated learning process by submitting poisoned or biased model updates, thereby degrading the performance or skewing the outcomes of the global model. Honest-but-curious servers, while ostensibly following protocol, may seek to infer sensitive information from the aggregated data or individual model updates. External adversaries might exploit vulnerabilities in communication channels to intercept or tamper with data transmissions, while insider threats pose risks from within the organizations involved, where authorized personnel might misuse their access privileges to extract or compromise sensitive information. Understanding the motivations and capabilities of these threat actors is crucial in designing effective countermeasures [16].

One of the foremost threats to the DPFedBank framework is data inference attacks, wherein adversaries aim to reconstruct sensitive client data from the global model or the aggregated updates. Techniques such as model inversion and membership inference can potentially extract proprietary financial information, undermining the privacy guarantees the framework seeks to uphold [17]. To mitigate this risk, the implementation of Local Differential Privacy (Local-DP) is instrumental. By introducing carefully calibrated noise into the local model updates before transmission, Local-DP ensures that the contribution of any single data point is obfuscated, thereby preventing precise inference attacks [18]. Additionally, employing robust cryptographic protocols, such as secure multi-party computation and homomorphic encryption, can further enhance data privacy by enabling computations on encrypted data without exposing the underlying information [19].

Another significant threat vector is model poisoning attacks, where malicious clients inject misleading or adversarial updates into the federated learning process with the intent of degrading model performance or embedding backdoors [20]. These attacks can be particularly insidious as they exploit the inherent trust in the federated learning paradigm, where the central aggregator relies on the integrity of client-submitted updates. To counteract model poisoning, the DPFedBank framework incorporates server-side verification mechanisms, including cryptographic proofs and anomaly detection algorithms, to authenticate and validate the integrity of incoming model updates [21]. Techniques such as robust aggregation methods (e.g., median or trimmed mean) can also be employed to minimize the influence of outlier updates, thereby ensuring that the aggregated global model remains resilient against malicious perturbations [22]. Furthermore, implementing client reputation systems can help in identifying and isolating clients that consistently submit suspicious or suboptimal updates, thereby maintaining the overall health of the federated learning ecosystem.

Insider threats, wherein authorized personnel within client institutions or the central server exploit their access privileges, pose a unique challenge to the DPFedBank framework. These threats are particularly pernicious as insiders often possess legitimate access to sensitive components of the system, making malicious activities harder to detect and prevent. To mitigate insider threats, the framework enforces strict access control policies [23, 24], ensuring that individuals have the minimum necessary privileges to perform their roles.

In conclusion, the threat modeling of the DPFedBank framework underscores the multifaceted security challenges inherent in deploying federated learning within the highly regulated and sensitive domain of financial institutions. By meticulously identifying potential threats such as data inference attacks, model poisoning, MitM attacks, and insider threats, and by implementing a comprehensive suite of mitigation strategies—including Local-DP, secure communication protocols, server-side verification, and stringent access controls—the framework can achieve a robust security posture. Continuous evaluation and adaptation of these measures are essential to address the evolving threat landscape and to maintain the confidentiality, integrity, and availability of both the data and the machine learning models. Ultimately, the DPFedBank framework exemplifies a balanced approach to harnessing the benefits of federated learning while steadfastly safeguarding against its attendant security risks.

The proposed DPFedBank framework enables multiple financial institutions to collaboratively train a machine learning model without sharing raw data [25], ensuring strong privacy guarantees through Local Differential Privacy (Local-DP) [26, 27, 28, 18]. Each institution perturbs its model updates locally before sending them to a central aggregator, which computes the global model. This design addresses the unique privacy and regulatory challenges in the financial sector. Refer to Fig. 1

for a representation of the DPFedBank architecture. Our DPFedBank framework considers each client as a financial institution, (eg. bank, credit union, etc.), these types of institutions usually have sensitive data, and store their clients’ personal information, and that information is typically present as non-IID data [29, 30, 31], which poses a privacy risk as it can create imbalances in local datasets, making it easier to infer individual users’ information. This imbalance leads to the potential leakage of sensitive attributes, since patterns unique to certain groups may be overrepresented. As a result, adversaries can exploit these patterns to identify or extract private details such as the data poisoning attack [32] or the label-flipping attack [33] from specific clients, undermining the effectiveness of privacy-preserving mechanisms like differential privacy.

DPFedBank Workflow. The DPFedBank framework operates through an iterative process consisting of several well-defined steps. Each iteration aims to refine the global model while preserving the privacy of individual clients’ data. All clients in the network perform forward propagation on their client-side model in parallel, although each client has different levels of sensitive information, they can train their model locally without sharing raw data. Suppose client $n$ trains its data using dataset $D_{n}$, the trained model passes through the LDP mechanism, the LDP is carefully tuned, balancing the trade-offs for model accuracy and privacy budgets. Then the noise version of the local model is transferred to the aggregator, waiting for aggregating all the clients’ models, and processes to the central server, the central server distributes the updated model as a one-round global model to all the clients, and all the clients can choose to use the global model or carry on training.

Variants of DPFedBank Framework. There can be developed a variety of DPFedBank architecture, here we only discuss the Vallina DPFedBank framework.

System components. The system includes several components:

• •

  Clients (Financial Institutions), these are entities with local datasets $D_{n}$, where $n$ denotes the client index. Clients have varying levels of sensitive information, and clients perform local model training.

• •

  Local Model Training Module: Allows clients to train models on local data without sharing raw data, training using local forward propagation function $F$, where $\ell(\cdot)$ is the loss function.

  $$\min_{\theta_{n}}F_{n}(\theta_{n})=\frac{1}{|D_{n}|}\sum_{(x_{i},y_{i})\in D_{n}}\ell(\theta_{n};x_{i},y_{i})$$

  (1)

• •

  Local Differential Privacy Mechanism (LDP Mechanism): Perturbs the trained local models to ensure privacy. Here we choose to add Gaussian noise to the local model parameters:

  $$\tilde{\theta}_{n}=\theta_{n}+\mathcal{N}(0,\sigma^{2}I)$$

  (2)

  where $\sigma$ is the standard deviation calibrated to satisfy ($\epsilon-\delta$)-Local DP. An algorithm $\mathcal{M}$ satisfies $\epsilon-\delta$-Local DP if for all possible outputs $y$ and any two inputs $x$ and $x{\prime}$:

  $$\Pr[\mathcal{M}(x)=y]\leq e^{\epsilon}\Pr[\mathcal{M}(x{\prime})=y]+\delta$$

  (3)

  If the privacy budgets surpass the threshold $\delta$, the LDP mechanism will be considered broken. Then the noise calibration is important, we set the noise scale $\sigma$ to $\sigma\geq\frac{\Delta}{\epsilon}$, where $\Delta$ is the sensitivity of the local model. The sensitivity $\Delta$ of the local model $\theta_{n}$ is defined as:

  $$\Delta=\max_{D_{n},D_{n}{\prime}}\|\theta_{n}(D_{n})-\theta_{n}(D_{n}{\prime})\|_{2}$$

  (4)

  where $D_{n}$ and $D_{n}{\prime}$ differ by one data point. By the properties of the Gaussian distribution [34], the probability density function satisfies the required privacy condition.

• •

  Aggregator: Collects the perturbed models from clients and performs aggregation. The aggregator computes:

  $$\theta_{\text{agg}}=\frac{1}{N}\sum_{n=1}^{N}\tilde{\theta}_{n}$$

  (5)

  where N is the number of clients in the networks.

• •

  Central Server: Processes the aggregated model $\theta_{\text{agg}}$, updates the global model $\theta_{g}$ and Distributes $\theta_{g}$ to clients.

DPFedBank Framework Construction. In Algorithm 1 and Algorithm 2, we define all clients (financial institutions) $n$ in the network to perform forward propagation [35] on their local models using their datasets $D_{n}$ containing sensitive data. Each client computes the local model parameters $\theta_{n}$. Clients pass their trained models $\theta_{n}$ through the LDP mechanism [28, 18] to get the perturbed model: $\tilde{\theta}_{n}$ = $\mathcal{M}(\theta_{n})$. The LDP mechanism is carefully tuned to balance model accuracy and privacy budgets. Then, clients transfer the noisy versions of the local models $\tilde{\theta}_{n}$ to the aggregator. The aggregator waits to collect all clients’ perturbed models, aggregates models using $\theta_{\text{agg}}=\mathcal{A}(\{\tilde{\theta}n\}{n=1}^{N})$ [36]. Then the aggregated model $\theta_{\text{agg}}$ is processed by the central server, and the server updates the global model $\theta_{g}$ based on $\theta_{\text{agg}}$. The central server distributes the updated global model $\theta_{g}$ to all clients, clients can choose to use the global model or continue training their local models. Note that, we should be careful that the expected error (difference) between the aggregated model and the true model without noise:

where $\theta^{*}$ is the true aggregated model without noise.

Client-Side Privacy Protection. In the DPFedBank framework, client-side privacy protection is paramount, as each participating financial institution holds sensitive and proprietary data that must remain confidential. The primary mechanism employed to ensure client-side privacy is Local Differential Privacy (Local-DP). Local DP allows clients to add noise to their data or model updates before any information leaves their local environment, ensuring that the central server or any other external entity cannot infer sensitive details from the shared data. As we can refer to Eq. 2, the noise scale $\sigma$ is determined based on the desired privacy parameter $\epsilon$ and the sensitivity $\Delta$ of the model updates. By adding this noise, the client’s update becomes differentially private, meaning that any single data point’s influence on the model update is obscured. This mechanism ensures that even if an adversary gains access to the perturbed updates, they cannot accurately infer any individual data point from the client’s dataset. Clients perform a sensitivity analysis to determine the maximum change in the model update that could result from the addition or removal of a single data point.This sensitivity $\Delta$ is crucial for calibrating the noise scale $\sigma$:

Here, $\epsilon$ controls the privacy-utility trade-off, and $\delta$ is a small parameter representing the probability of the privacy guarantee being breached. By carefully selecting $\epsilon$ and $\delta$ , clients can balance the level of privacy protection with the utility of the model updates.

Server-Side Privacy Protection. On the server side, the DPFedBank framework focuses on safeguarding the aggregated model and preventing any potential leakage of sensitive information during the aggregation and distribution processes. The server plays a critical role in updating the global model while ensuring that individual clients’ contributions remain confidential. The server employs secure aggregation protocols to combine the perturbed model updates $\tilde{\theta}_{n}$ received from clients. Since each client’s update is already differentially private due to the Local-DP mechanism, the aggregation process further obscures individual contributions. The server computes the aggregated update as referred to Eq. 5. By averaging the noisy updates, the server reduces the variance introduced by the noise, enhancing the utility of the global model without compromising privacy. The law of large numbers ensures that as the number of clients $N$ increases, the aggregated noise diminishes, improving model accuracy.

1) Implement a stringent authentication mechanism using digital certificates and multi-factor authentication to verify the identity of each participating financial institution. This reduces the risk of unauthorized entities joining the network. Similar authentication practices are discussed in [36], emphasizing secure aggregation protocols in federated learning. 2) Inside the system, deploying real-time monitoring tools to analyze the statistical properties of clients’ model updates is crucial. Any deviations from expected patterns, such as abnormal parameter distributions or inconsistent training behaviors, can indicate malicious activity. This approach is inspired by techniques in [5], which emphasize monitoring and robustness in federated learning systems. 3) For each institution, establishing a reputation system where clients accumulate trust scores based on their compliance with protocols and contribution to model accuracy should be required. Clients exhibiting suspicious behavior may have reduced privileges or be subject to additional scrutiny. This concept extends the ideas presented in [35] regarding fairness and accountability in federated learning. 4) Also, to create a secure execution environment [37], clients should be required to perform local computations within secure enclaves, such as Intel SGX [38], to prevent tampering with code or data. This ensures the integrity of the local training process, aligning with practices outlined in [39] exploring privacy-preserving machine learning using secure hardware.

1) Conduct regular third-party security audits that include formal verification methods to mathematically prove the correctness and security properties of the LDP mechanisms and aggregation functions. This proactive approach aims to identify and mitigate inherited vulnerabilities from existing DP-FL frameworks, building upon principles from [19] who emphasize rigorous analysis in differential privacy implementations. 2) Design the DPFedBank framework with a modular architecture that allows individual components to be updated independently. This facilitates quick responses to discovered flaws without disrupting the entire system. The importance of modular design in secure systems is highlighted in [40]. 3) Establish a platform for secure and anonymous reporting of vulnerabilities by users and developers. Incentivize responsible disclosure through recognition or rewards, encouraging active participation in the framework’s security enhancement. This extends practices from open-source security communities as discussed in [41].

1) Transition from a centralized aggregator to a decentralized aggregation protocol utilizing secure multi-party computation (SMPC). This approach eliminates single points of failure and enhances security, as described in [36], who explore practical SMPC for privacy-preserving machine learning. 2) Implement robust security measures on servers, including intrusion detection systems, regular security updates, and adherence to best practices for server hardening. Regular penetration testing helps identify and address vulnerabilities. [42] provides guidelines on server hardening practices. 3) Utilize homomorphic encryption to allow the server to perform aggregation on encrypted model updates without accessing the underlying data. This ensures that even if the server is compromised, sensitive information remains protected, as explored in [43], which surveys homomorphic encryption schemes. 4) Develop and maintain a detailed incident response plan that outlines procedures for detecting, reporting, and responding to server compromises. This includes immediate isolation of affected systems and communication protocols to inform clients. Guidelines for incident response are detailed in [44].

1) Mandate the use of strong encryption protocols, such as TLS 1.3 with AES-256 encryption, for all communications between clients and servers. This protects data in transit from interception and tampering, following guidelines from [45]. 2) Implement protocols that provide forward secrecy and resistance to replay attacks, such as the Noise Protocol Framework. This enhances the security of communications against sophisticated external adversaries, as recommended in [46]. 3) Deploy intrusion detection systems and integrate threat intelligence feeds to monitor for and respond to emerging threats. Regular updates based on current threat landscapes help maintain robust defenses. Strategies for threat intelligence are discussed in [47]. 4) Conduct regular training sessions for personnel involved in the operation of the DPFedBank framework to ensure awareness of security best practices and protocols for handling potential security incidents. [48] highlights the importance of ongoing security awareness training.

Ensure that the DPFedBank framework complies with relevant data protection laws such as GDPR, CCPA, and other applicable regulations. This includes conducting Data Protection Impact Assessments (DPIAs), as recommended by the [49]. 2) Implement mechanisms to monitor and control the cumulative privacy loss ($\epsilon$) over time for each client. This prevents excessive data exposure and aligns with privacy accounting methods discussed in [18], who elaborate on differential privacy foundations. 3) Clearly communicate the privacy guarantees and data handling practices to all participating institutions, ensuring transparency and building trust among collaborators. Transparency is emphasized in [50], discussing fairness and accountability in AI systems.

1) Establish comprehensive legal agreements that define the rights, responsibilities, and liabilities of each participating institution. These agreements should cover data usage policies, confidentiality obligations, and dispute resolution mechanisms. Similar frameworks are used in blockchain consortia, as noted by [51]. 2) Create a governance structure comprising representatives from participating institutions to oversee the operation of the DPFedBank framework. This body would be responsible for making decisions on policy changes, security practices, and handling incidents. Governance models in collaborative networks are discussed in [52]. 3) Develop and adopt standardized protocols for data formats, encryption methods, and communication interfaces to ensure seamless interoperability among different institutions’ systems. This approach is recommended by [53] for information security management systems.

1) Mandate the adjustment of noise levels in the LDP mechanism within the DPFedBank framework to address privacy risks associated with non-IID data, where unique patterns at individual institutions pose a threat. Institutions must fine-tune noise levels based on the data distribution characteristics at each client, thereby reducing the risk of exposing distinctive patterns. For instance, financial institutions with distinct customer behaviors must apply higher noise levels when perturbing local model updates to ensure these unique patterns are less detectable during aggregation, strengthening privacy guarantees across all clients.

2) Require the application of gradient compression in DPFedBank, where clients (e.g., banks or credit unions) locally train their models and transmit perturbed updates. Institutions must implement gradient compression techniques, such as quantization or sparsification [54], to reduce the amount of data transferred and lower the risk of exposing sensitive patterns in local model updates. This practice is essential for handling non-IID data, where overrepresented patterns could lead to data leakage. For example, a credit union should compress gradients before applying Local Differential Privacy (LDP) to minimize information leakage during transmission and enhance privacy-preserving mechanisms across clients with varying data distributions.

3) Implement Secure Multiparty Computation (SMC) as a standard to enable collaborative model training across financial institutions without revealing individual datasets. In the DPFedBank framework, SMC must be used to securely aggregate locally perturbed model updates, providing stronger privacy guarantees than relying solely on LDP. Institutions should adopt SMC-based protocols such as Chain-PPFL [55] to facilitate the exchange of masked gradients and mitigate data leakage risks. Advances in SMC protocols [56] should be leveraged to ensure scalable secure computation, even in cases of non-IID data distributions.

1) Enforce the integration of blockchain technology into the DPFedBank framework as a defense against model poisoning attacks. Institutions must leverage blockchain’s immutable nature to ensure that updates to the global model are transparent, verified, and securely stored, making tampering attempts easily traceable and detectable [57]. This policy is crucial for safeguarding models used in anti-money laundering (AML), credit risk assessments, and fraud detection. If anomalous or potentially poisoned updates are detected, blockchain-based records should facilitate immediate investigation and rejection of compromised data, ensuring that only valid updates are incorporated into the global model.

2) Adopt the Biscotti system for decentralized federated learning within DPFedBank. Institutions should utilize the Biscotti system [58] to coordinate model updates using a blockchain-based approach, eliminating the need for a central aggregator. The Biscotti system must incorporate Proof-of-Federation (PoF), Multi-Krum (for filtering out anomalous updates), differentially private noise, and Shamir secret sharing to secure model updates and log the aggregation process on the blockchain. This decentralized approach is especially suited for financial institutions that prefer not to rely on centralized infrastructure due to privacy and regulatory concerns.

3) Implement Byzantine-resilient stochastic gradient descent (SGD) methods to defend against adversarial manipulation in federated learning. Financial institutions must integrate Byzantine-resilient SGD methods, such as HoldOut SGD [59] and Generalized Byzantine-tolerant SGD [60], to filter out outliers and poisoned gradients, ensuring the integrity of the global model. For instance, trusted branches within DPFedBank should evaluate gradient updates to confirm that only legitimate updates are accepted. These methods are particularly important for high-stakes applications like high-frequency trading and fraud detection, where data integrity is critical.

1) Establish role-based access controls (RBAC) to restrict potential insiders’ access to financial information in models used for federated learning. The risk of insider misuse should be greatly decreased by limiting access to particular datasets and model parameters to those who have received explicit approval [61]. 2) Implement continuous auditing in the federated learning environment.To conduct ongoing audits to monitor all model interactions and data access. By monitoring potential patterns, audit trails can detect potential insider threats. [62]. 3) Automate the differential privacy (DP) noise injection process in order to potentially prevent insider manipulation of the differential privacy (DP) noise injection process. By automating this process it guarantees that any insider cannot change the noise settings to potentially weaken this privacy protection.[63] 4) Conduct insider risk assessments to evaluate potential vulnerabilities that can be exploited by insiders. To limit the risk of insiders, periodic assessments can incorporate analysis of the system’s performance, employee behavior, and access patterns. [64]

1)Implement a Data Encryption Strategy, this can be achieved by implementing by using a combination of homomorphic and end-to-end encryption to protect private financial information during federated learning. Homomorphic encryption permits calculations on encrypted data without disclosing its contents, and end-to-end encryption guarantees that data is protected during transit between organizations. This is a dual-layer approach where private financial data is not exposed during interception or during the collaborative model training[65] 2)Implement secure multiparty computation (SMPC) to prevent meet-in-the-middle attacks by allowing several organizations to collaborate on compute functions without disclosing their personal inputs. [36]. 3)Randomize model updates to introduce variance into the updates shared during model training. This unpredictability reduces the possibility of meet-in-the-middle attacks by preventing attackers from comparing communications between parties. 4)Implement integrity verification protocols, such as cryptographic hash algorithm. This is to guarantee the integrity of all data including model updates sent across organizations. Hash-based integrity verification techniques offer a barrier against possible meet-in-the-middle attackers and detect if there is any tampering during data transfer.[66]