Choose the Right Encryption Configuration

Claro is onboarding a major US banking partner. The bank has a non-negotiable compliance requirement: they must control the encryption keys used to protect their data in Snowflake, such that even Snowflake staff cannot decrypt it without the bank's authorisation. Claro's CTO is evaluating whether this requirement can be met and what it would take.

Which encryption configuration meets this requirement, and what does it require?