For about a decade, every fraud conference has ended on the same note: we would all be safer if institutions shared more. The fraud rings certainly do. One synthetic identity gets tested against a credit union in Ohio, a neobank in California, and a payments processor that technically competes with both, and the only party who sees the full pattern is the ring itself. Each defender sees a slice, scores it against their own history, and calls it a day. The asymmetry is structural: the attacker operates across the network, and the defense is organized by company.
We kept describing this as a willingness problem. If only banks trusted each other more. If only the culture were more collaborative. It was never a willingness problem. No risk team declines to share because it is precious about its data. They decline because handing a competitor their customers' faces and government documents is a regulatory and reputational event, and "we pooled the raw records and ran a model on them" is not a sentence anyone wants to read back to an examiner.
It was never a willingness problem. It was a data-exposure problem wearing a willingness costume.
So the industry built half-measures, and we mostly stopped noticing they were half-measures. Consortium blocklists share outcomes, the identities already known to be bad, which means they are always a step behind the patterns still forming. Hashing and anonymization sound reassuring until you remember that the signal you actually need in identity work is the biometric and the document, and there is no version of a face that is both anonymized and still useful for matching. Federated learning is the most serious of the options, training across data that never centralizes, but it still leaks information through model updates unless you layer differential privacy and secure aggregation on top, and it still asks everyone to trust whoever runs the aggregator. Clean rooms and trusted third parties do not remove the trust problem. They relocate it to a vendor and hand that vendor the keys.
Last week I sat on a panel at the Confidential Computing Summit and spent most of it discovering that the point of the technology was not to protect privacy but to move sensitive computation to places where the trust question changes shape. This is the fraud version of that insight.
Confidential computing moves the trust somewhere harder to argue with: the hardware. A shared model runs inside an enclave, a hardware-isolated environment where data is decrypted and used only in memory that the operating system, the cloud provider, and the machine's owner cannot read. Before anyone sends data in, the enclave can prove what code is running inside it through remote attestation, so participants are not trusting a promise about how their records will be handled. They are verifying it cryptographically. Several institutions can run one model across their combined data, and no party, including the one hosting the hardware, ever sees anyone else's raw inputs. The collaboration happens. The data never changes hands.
"An attacker needs a sophisticated hardware exploit" is a categorically different threat model from "we emailed a competitor a spreadsheet of faces."
For an identity company this is not abstract. Verification runs on the most sensitive data there is, and the whole reason cross-institutional defense has stayed theoretical is that nobody could share that data without becoming the headline. None of this makes the enclave unbreakable. Side-channel attacks exist, and anyone selling it as magic should be watched closely. But "an attacker needs a sophisticated hardware exploit" is a categorically different threat model from "we emailed a competitor a spreadsheet of faces," and most of the risk that kept institutions apart lived in the second sentence, not the first.
The network defense everyone has asked for at the end of every panel was never blocked by goodwill. It was blocked by the fact that someone had to be willing to leak the data, and no one sane volunteered. Take that requirement away, and the willingness was there the whole time. We were not waiting on trust. We were waiting on the infrastructure that made trust verifiable.
Shyam Menon is a product leader specializing in fraud and identity in financial services. This is one of a series of framework posts on how to think about fraud prevention, identity, and AI products in regulated industries. He writes at shyammenon.com.