CONSULTATIVE PAPER
OPEN API STANDARDS AND BANKS INTERLINKAGE WITH FINTECHS FOR PAYMENT SERVICE PROVIDERS
The deadline for submitting responses is extended to May 30, 2020
Consultative Paper Open API Standards and Banks Interlinkage with Fintechs for Payment Service Providers
BANK INDONESIA
Jalan M.H. Thamrin No. 2, Jakarta 10350, Indonesia
Jakarta, 30 March 2020
©Bank Indonesia 2020. All rights reserved.
It is forbidden to quote, reproduce, and translate part or all of the contents of this book without written permission from the Publisher.
Consultative Paper in a Glance
Bank Indonesia publishes this Consultative Paper (CP) regarding Open API Standards in association
with open banking and banks' interlinkage with fintechs for Payment Service Providers (PSPs),
as the implementation of the 2nd and 3rd visions of Indonesia's 2025 Payment System Blueprint
(IPSB 2025).1 This CP publication is one of Bank Indonesia's communication and consultation
efforts with the public regarding the implementation plan of the Open API Standards for PSPs, which
orchestrate services on API payment transactions, both for PSPs as API providers and for PSPs
as API users.
This CP elaborates on the implementation of the Open API Standards, focusing on the
payment system, which includes data standards, technical standards, security standards, and
governance standards. The Standards proposed in this CP have considered the results of
benchmarking against best practices in several countries, such as the UK, Hong
Kong, Japan, Australia, India, and Singapore, a survey conducted on the banking
industry, and suggestions from various stakeholders.
Regarding those matters mentioned above, Bank Indonesia invites the public to provide
inputs or opinions towards this CP to ensure the implementation effectiveness of the
Standard. Suggestions or opinions submitted are to be complemented by detailed
explanations and/or supporting information.
1 https://www.bi.go.id/en/publikasi/sistem-pembayaran/riset/Pages/Blueprint-Sistem-Pembayaran-Indonesia-2025.aspx
Questions Summary for Public Consultation
1. The purpose and scope of the Open API Standards. The Open API Standards are required
to encourage the adoption of open banking that supports the achievement of payment
services that are efficient, safe, and reliable; support innovation and competition; and
fosters the integrity of the Open API ecosystems. The Open API Standards on payment
transactions cover the Open API cooperation agreement on payment transactions, both
domestic and cross-border. What is the industry's view of the intended purpose and
scope of the Open API Standards?
2. Data standards and their application. What is the industry's view on the proposed
minimum data standards for the Open API on payment transactions? Are the
minimum data standards proposed in paragraph 22.d (Table 1) applicable to all entities in
the API ecosystems as illustrated in appendix 1? Are there other data that need
to be added as minimum data standard requirements for the Open API on payment
transactions?
3. Technical standards and their application. What is the industry's view of the technical
standards for the Open API on payment transactions, as proposed in paragraph 23.e
(Table 2), which include standards for communication protocols, architecture types, and
data formats? Can the proposal be applied to all entities in the API ecosystems, as
illustrated in appendix 1? Are there other aspects that need to be added as technical
standard requirements?
4. Security standards and their application. What is the industry's view of the proposed
security standards for the Open API on payment transactions as described in
paragraphs 24.f (Table 3), 24.g and 24.i? Are there other aspects that need to be added
as minimum security standard requirements?
5. The technical guidelines of the Open API Standards. To ensure consistency in the
implementation of the Open API Standards, a set of technical guidelines will be issued
containing detailed API specifications, which cover data standards, technical
standards, and security standards for the Open API on payment transactions. Apart from
the aspects proposed in paragraph 25, are there other aspects of data standards,
technical standards, and security standards that need to be detailed in the technical
guidelines of the Open API Standards?
6. Establishing the standard governing body. In implementing the Open API Standards, the
authority has the role of ensuring that the implementation of the Open API Standards is
in line with the policy context and setting the minimum requirements of the Open API
Standards. Furthermore, to support the implementation effectiveness of the Standards,
the authority may appoint an entity that will act as the standard governing body, as
proposed in paragraph 26.a.5). What is the industry's view on this matter?
7. The role of the standard governing body. In addition to formulating Open API Standards
on payment transactions, the role of the standard governing body also includes managing
the Open API directory, as well as facilitating the handling and resolution of disputes as
proposed in paragraph 26.a.5). What is the industry's view on the proposed scope of roles
of the standard governing body? Is there any input on the scope of roles of the standard
governing body?
8. Governance standards - Open API contract standard. What is the industry's view regarding
the comprehensiveness of the Open API contract standard, as proposed in paragraph
26.b.3)? Are there other clauses that need to be included in the Open API contract
standard?
9. Governance standards - consumer protection. What is the industry's view of the
consumer protection clauses in the Open API governance standards, which include the
proposed consumer consent, data protection, and handling and resolution of disputes
as proposed in paragraph 26.c? Are there other aspects that need to be covered in the
Open API governance standards to support consumer protection goals?
10. Governance standards - requirements for third parties. What is the industry's view of
the proposed minimum requirements for third parties in the Open API cooperation
agreement, as proposed in paragraph 26.d? Are there other aspects that need to be
included as minimum requirements for third parties in the Open API cooperation?
Submission of written inputs/views can be directed to Bank Indonesia no later than May 30,
2020 with the subject:
"Responses to Consultative Paper Regarding Open Application Programming Interface
(Open API) Standards in the Context of Open Banking and Banks Interlinkage with Fintech
for Payment System Service Providers"
to:
- Via email to: Open API Standards Working Group ([email protected])
- Via letter to: Departemen Kebijakan Makroprudensial
Menara Syafruddin Prawiranegara, Lantai 4
Jl. MH Thamrin No. 2
Jakarta 10350
TABLE OF CONTENT
Consultative Paper in a Glance ....................................................................................................... 3
Questions Summary for Public Consultation ................................................................................... 4
EXECUTIVE SUMMARY .................................................................................................................... 9
I. BACKGROUND, POLICY CONTEXT, AND PURPOSES .............................................................. 12
1.1 Background ................................................................................................................. 12
1.2 Policy Context of the Open Banking and Bank Interlinkage with Fintech ...................... 15
1.3 Purposes of Open API Standards .................................................................................. 16
II. SCOPE OF APPLICATION ...................................................................................................... 19
III. OPEN API STANDARDS IN OPEN BANKING AND BANKS INTERLINKAGE WITH FINTECHS ...... 23
3.1 Data Standards ............................................................................................................ 23
3.2 Technical Standards ..................................................................................................... 25
3.3 Security Standards ....................................................................................................... 27
3.4 Governance Standards ................................................................................................. 32
a. Standard Governing Body ....................................................................................... 32
b. Open API Contract Standard ................................................................................... 34
c. Consumer protection .............................................................................................. 37
d. The Minimum Requirements for Third Parties in Implementing Open API Cooperation ............................................................................................................ 40
IV. TIMELINE AND COVERAGE OF IMPLEMENTATION ............................................................... 40
V. FOLLOW-UP ........................................................................................................................ 42
VI. APPENDIX ........................................................................................................................... 43
EXECUTIVE SUMMARY
The implementation of open banking initiatives is intended to encourage digital
transformation by banks and interlinkage between banks and fintechs. In the midst of rapid
economic and financial digitalization, open banking implementation is a necessity to maintain
an equal level of playing field between banks and fintechs, while encouraging innovation and
competition, and expanding public access to finance. Bank Indonesia initiatives to support the
implementation of open banking, as part of the digital transformation of the banking sector,
aim to encourage acceleration and to optimize the digital financial economy. The open
banking service strategy enables banks and fintechs to open financial data and information
related to payment transactions from consumers reciprocally (the principle of equality)
supported by a contractual collaboration in the use of API technology (Open API).
In line with the 2nd and 3rd Vision of the Indonesia Payment System Blueprint (IPSB) 2025,
Bank Indonesia applies open banking in the payment system area through the
implementation of the Open API Standards. The Open API Standards developed by Bank
Indonesia are focused on the payment system transactions involving Payment Service
Providers (PSPs), both banks and non-banks. By considering the large share of payment
transactions in all digital transactions, the application of the Open API Standards in payment
transactions is expected to create the integrity of data opening in the framework of open
banking. The application of the Open API Standards aims to improve the efficiency, security,
and reliability of payment systems; increase innovation and competition; encourage financial
inclusion including financing to MSMEs; and reduce the risk of shadow banking, while
still taking into account risk mitigation efforts through the application of adequate
standards.
Open API Standards include data standards, technical standards, security standards, and
governance standards. The application of data standards is intended to increase
interoperability and efficiency for Open API players, as well as to ensure the adequacy and
quality of data for analysis and innovation needs. In the implementation of the data
standards, the exchange of data between the Open API players adheres to the principle of
consumer consent, whereby the data can be opened provided that the players obtain
approval from the consumers as the data owner. In addition, to ensure security, data
confidentiality, system integrity, and ease of implementation or adoption, the implementation
of the Open API Standards will also include the application of technical standards that covers
communication protocol, architecture type, and data format. The technical standards are
intended to support the compatibility and interoperability of the Open API of each industry
player.
Furthermore, the implementation of the security standards is aimed at ensuring the security
of transactions by consumers, which include aspects of authentication, authorization,
encryption, and the continuity of services.
Meanwhile, governance standards include arrangements regarding standard governing body,
contract standard, principles of consumer protection, as well as minimum requirements for
third parties that will collaborate with Open API providers. The establishment of governance
standards is required to foster the integrity of the Open API ecosystems, ensuring compliance
with applicable regulations, including ensuring consumer protection, as well as dispute
handling and resolution.
Open API Standards will be implemented in stages, taking into consideration the diversity
of PSPs. The issuance of this Consultative Paper (CP) in the 1st Quarter of 2020 is part of a series of
Bank Indonesia communications with regard to the implementation plan of the Open API
Standards required by Bank Indonesia. The CP issuance is intended to obtain views from the
industry and the public, as input for the authority in the formulation of the Open API
Standards, and on the other hand to provide clarity for the industry and other stakeholders
regarding the direction of open banking development within the framework of Indonesia's
payment system.
The Open API Standards will be applied to licensed PSPs in Indonesia that carry out activities
on transaction initiation, and/or transaction forwarding, and/or authorization in the
implementation of Open API cooperation agreement on payment transactions, both domestic
and cross-border.
The Open API Standards will be phased in and prioritized for PSPs that meet criteria in terms
of size (e.g., PSP market share in the retail payment system industry) and business complexity
(e.g., the scope of PSP business groups' activities). Classifications and criteria for
implementation prioritization of the Standards will be harmonized with the payment
system provisions to be issued by Bank Indonesia.
The phase-in implementation arrangement of the Open API Standards will begin with the
preparation and development stages of the Open API in the 4th Quarter of 2020, then followed
by the trial and application phase of the Open API Standards starting in the 1st Quarter of
2021. The phasing of the implementation will also be supported by the presence of the
developer site of the Open API Standards.
With this gradual application, it is expected that the industry will have the capacity to
undertake the necessary preparations in line with the implementation plan of the Open API
Standards required by Bank Indonesia.
I. BACKGROUND, POLICY CONTEXT, AND PURPOSES
1.1 Background
1. Globalization and the rapid development of technology have led to a digital revolution
in the economic sector and financial system. Consumer demands for the availability of
financial services, including payment transaction services, that are fast, easy,
convenient, and safe have driven the financial system to remodel conventional services
into technology-based and mobile services. The financial services are also expected to
bring greater consumers’ experiences and consumers’ satisfaction levels, both in terms
of quality and convenience.
2. In the digitalization era, the role of non-bank players is increasing and disrupting the
role of banks. Meanwhile, in terms of financial sector service providers, the disruption
has given rise to new non-bank players as digital financial service providers, from start-
ups in the technology-based financial sector (fintech) to domestic/global and large-scale
technology companies (big tech). Supported by the mastery of technology, these non-
bank players are slowly starting to expand into the financial services business, which
has so far been dominated by formal financial institutions (banks) by providing digital
services, both in the area of payments and financing.
3. These developments disrupted the role of banks, which were gradually replaced by
non-bank financial service providers (shadow banking) subject to different levels of
regulation and supervision from those of the banking industry. In this case, the role of the
banks in payment services has begun to be diminished or disrupted by the development of
payment services provided by non-banks. The emergence and the strengthened role of
non-banks in the provision of digital payment services have begun to change the market
structure, both in terms of market concentration and competition among financial
service providers. However, on the other hand, it is recognized that innovation arising
from the use of digital technology presents vast opportunities for the achievement of
financial inclusion for the whole community, not only for individuals who have not yet
been reached by banking services (the unbanked) but also for MSMEs.
4. Banks need to transform to improve competitiveness. The development of financial
digitalization, as well as the increasing role of non-bank players (including fintech),
requires the banks to fully transform (end-to-end) in order to maintain their role and
position as the central intermediary institutions in the financial system, as well as the
media for monetary policy transmission in the digital economic era. This transformation
is a necessity in order to improve the ability of the banks to provide digital financial
services that can enhance the consumers’ experiences so as to maintain the consumers’
loyalty and the banks’ competitiveness.
5. Technology support in the digital transformation of the banking industry enables
consumers to access banking services through platforms that eliminate distance and
time barriers. In the digital era, banking services to consumers are demanded to be
offered through various means, media, or channels (omni banking), agile infrastructure
architecture that is nimble and reliable (modular banking), service interactions with
third parties (open banking), and efficient optimization of resources based on data.
6. A collaboration with non-banks (including fintech) is one approach that can be
pursued by banks in responding to the demands of transformation in the digital age.
In this case, with the growth and strengthening role of fintech in providing payment
services, it can open up opportunities for banks to collaborate with fintech through
open banking cooperation to improve their digital services. Open banking allows banks,
based on their consumers’ consent, to open the consumers’ data to third parties
(including fintech) reciprocally through Open API. With this collaboration, third parties
can develop new products and services which meet the consumers’ needs and facilitate
easier transactions. In addition, the banks can also use the consumers’ digital
transaction information obtained from fintech, based on the consumers’ consent, to
improve the banks’ products and services.
7. Bank Indonesia plays a role in maintaining the right balance between opportunity
optimization and risk mitigation. In the digital age, the policy challenge for Bank
Indonesia as the central bank is to strike a balance between efforts to optimize the
opportunities from digital innovation and efforts to mitigate risks that arise along with
digitalization trends. Therefore, open banking cooperation in providing payment
services has to be directed within a regulatory framework to maintain the level of
playing field of all players. The framework is expected to balance the benefits of
innovation and the potential risks arising from the digital payment services, in order to
maintain monetary stability, financial system stability, and the smooth functioning of
payment systems that are mandated to Bank Indonesia, as well as to bring benefits to
promote consumer protection.
8. Open API Standards are essential to attain the integrity of the Open API ecosystems.
Bank Indonesia, as the authority, considers the trend of digital financial services through
open banking increasingly shows the importance of stipulating the Open API Standards,
supported by the presence of a public infrastructure that encourages data openness,
transparency, and market discipline, as well as supported by a sufficient data protection
framework. The results of a survey conducted by Bank Indonesia show that, currently,
several banks in Indonesia have adopted the use of APIs on payment transactions.
However, in general, the API specifications used vary, requiring adjustments in
every collaboration with different parties. The Open API Standards are expected to
support interoperability between the Open API players and the ease of the Open API
adoption to attain the integrity of the Open API ecosystems on payment transactions.
9. The best practices of the Open API Standards, which are applied by several countries,
become references for formulating the Open API Standards that are in accordance
with Indonesia’s context. The implementation of open banking in various countries
differs in terms of development stages, approach, and implementation scope, depending
on each country’s policy context. However, in general, each country seeks to support
innovation and attain the integrity of the digital ecosystem, while still balancing
prudential and consumer protection aspects. The benchmarking results also
show that the implementation of open banking in several countries generally starts
from the area of payment transactions, especially by players that serve as data
aggregators and payment service providers, as those are the majority of parties
accessing individual data on payment transactions for open banking services. Aside from
considering other countries’ best practices on open banking, the implementation of the
Indonesian Open API Standards also requires considering the general practices of
domestic industry players.
1.2 Policy Context of the Open Banking and Bank Interlinkage with Fintech
10. Bank Indonesia responds to the challenges faced by central banks in the digital era
and industry 4.0 through the Indonesia Payment System Blueprint (IPSB) 2025. The
Blueprint was formulated with an orientation towards building a sound digital economic
and financial ecosystem, and it was built on the foundation of the five visions of IPSB 2025,
which are also the end target (end-state) of the long-term policy direction of Bank
Indonesia in the digital era. The main objective of the IPSB 2025 vision is to ensure the
integration of digital economic and finance in assuring the implementation of central
bank mandate in money supply, monetary policy, and financial stability, as well as
financial inclusion.
1.3 Purposes of Open API Standards
11. The 2nd Vision and the 3rd Vision of IPSB 2025 lead to the reciprocal openness of data
and information between banks and fintechs within the open banking framework.
These visions are addressed through the implementation of the Open API Standards to
maintain the level of playing field of banks and fintechs. The open banking framework
can be seen as a strategic approach to promote the digital transformation of the banking
industry in a directed manner and encourage banks and fintechs interlinkage. The
openness of data through open banking allows the development of new applications,
new products, as well as opening up business opportunities more broadly, which are
expected to lead to economic efficiency. The open banking will require banks to
transform digitally and collaborate with fintechs to maintain their role and position as
the main intermediary institutions in the financial system as well as the channel of
monetary policy transmission.
12. In open banking collaboration, various mitigation measures are applied to control the
risks that often arise in the digital age. These mitigation measures include ensuring
national interests in cross border transactions and ensuring that data as one of the main
assets in the digital economy is not controlled by certain parties but as public goods or
managed by public infrastructure. Through this approach, the granularity of digital data
and information can be optimized for a more inclusive economy and financial system.
The formulation and implementation of the Open API Standards on payment
transactions serve as efforts to lead to that goal.
13. Players in the financial sector have begun to utilize API technology in the
provision of digital financial services. Current developments indicate that several
banks, fintech, and other players in the financial sector have adopted API technology as
part of the development and innovation of their products or services. However, the API
applied by the financial institutions is still varied or unstandardized. The API adoption
and Open API collaboration are also part of strategies implemented by the banks to
anticipate tighter competition and faster technological developments that require the
banks to innovate faster and offer better products that meet their consumers’ needs.
For the banks, these strategies are pursued by considering the benefits of adopting the
Open API, especially in the area of payment transactions, which include:
a. expanding innovation opportunities, as well as increasing and expanding product
or service offerings with API as one of the business channels;
b. meeting the needs of consumers thereby increasing the attractiveness of the
banks and the loyalty of their consumers (consumers’ experiences);
c. increasing revenue from digital activities through the use of API as a new business
channel; and
d. speeding up the time to launch new products.
14. The Open API Standards reflect an effort by Bank Indonesia to encourage the adoption
of open banking for more efficient, safe, and reliable payment transactions. Open API
players will be directed to open up each other's financial service data in a standardized
contractual partnership to deliver an open banking strategy. The most critical and
fundamental aspect in open banking is that access and exchange of consumer
transaction data can only be conducted based on consumers’ consent.
15. As a logical consequence, the adoption of Open API may expose risks both in terms of
infrastructure and business risks. These risks are mainly related to:
a. Cyber risk. Cyber risk increases as the Open API technology provides greater access to consumer data. Increasing data transmission of payment transactions through the Open API may also trigger cyber incidents deriving from the technical weaknesses of connected parties in the Open API.
b. Reputation risk. The reputation risk may arise due to leakage and/or misuse of the consumers’ individual data exchanged through the Open API. In addition, reputation risk may also arise if third parties as partners in the Open API collaboration have not applied the principles of consumer protection and Know Your Customer.
c. Operational risk. The operational risk may emerge from high reliance on third- party information technology providers, system complexity, and limitations on human resources expertise and experience.
16. As an effort to enhance benefits and mitigate risks from the use of Open API, Bank
Indonesia has formulated the Open API Standards which aim to:
a. Increase efficiency, security, and reliability in payment system transactions by facilitating the ease of adoption and the interoperability of the Open API as well as reducing associated costs;
b. Increase innovation and competitiveness through increasing banks interlinkage with fintech which will open up opportunities for the creation of innovative products;
c. Increase the interlinkage between banks and fintechs that will support financial inclusion including financing to MSMEs;
d. Reduce the risk of shadow banking through the implementation of equivalent regulations and standards for banks and fintechs so as to attain a level playing field;
e. Mitigate risks that emerge from the Open API through the implementation of adequate standards on data, technical, security, and governance aspects.
Question #1: The Purpose and Scope of the Open API Standards.
The Open API Standards are required to encourage the adoption of open banking that
supports the achievement of payment services that are efficient, safe, and reliable; support
innovation and competition; and fosters the integrity of the Open API ecosystems. The
Open API Standards on payment transactions cover the Open API cooperation agreement
on payment transactions, both domestic and cross-border. What is the industry's view of
the intended purpose and scope of the Open API Standards?
II. SCOPE OF APPLICATION
17. What Open API is and how it works:
a. An API is a set of protocols and instructions that allow interconnection between
applications and provide access, including the exchange of data/information.
b. The Open API in the context of this CP is the use of API technology that provides
API users, as partners of API providers in the Open API collaboration, access into
the API providers’ system to access and/or use consumers data, based on the
consumers’ consent, for services approved by the consumers.
c. In general, an Open API ecosystem consists of 3 (three) entities, viz.:
1) API providers (data attribute providers) are entities that store consumers
data and/or offer services as well as provide API to facilitate third parties to
access and/or use consumers data and/or use the providers’ services
through the use of API that is carried out based on the consumers’ consent.
2) API users (third party provider - TPP) are third-party entities that access
and/or use consumers’ data stored by API providers and/or use the
providers’ services through the use of API that is carried out based on the
consumers’ consent.
3) Consumers are the owner of their data stored by the API providers and as
authorized parties to approve access to their data.
d. API can be categorized based on services as follows:
1) Product and/or service information API is an API that provides information
to API users regarding products and/or services offered by API providers.
2) Product and/or service subscription API is an API that allows consumers to
register/open products and/or services offered by API providers through
platforms provided by API users.
3) Account information API is an API that allows API users to access consumers’
data on the consumers’ accounts stored by API providers upon approval or
initiation from the consumers.
4) Payment transaction API (transaction - transfer and payment), is an API
that enables API users, based on the consent of consumers, to use the
consumers’ data stored by the API providers in the context of banking
transactions and/or payments that are initiated or performed by
authenticated consumers.
e. The level of API disclosure will determine the number of parties allowed to access
API functions and services. In principle, the API providers retain control in
determining API that will be opened and third parties that will be given access. In
this case, there are four levels of API openness, namely:
1) Partner API: API that is only open to certain parties based on API providers’
preferences and bilateral agreements.
2) Member API: API can only be accessed by parties that are formal members
of a community with a well-defined set of membership rules.
3) Acquaintance API: API can be accessed by parties that meet the defined set
of requirements.
4) Public API: API that is open to the public but typically with some form of
registration process.
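The two mechanisms paragraph 17 leans on, consumer consent bounding what an API user may access (17.b, 17.c) and a member-level API where only registered API users may call at all (17.e, and the level paragraph 18 selects), are authorization decisions an API provider has to make on every request. The following Python is an added illustration of such a decision, not code from the CP or from any Bank Indonesia specification; the class and identifier names (ApiProvider, tpp-fintech-a, consent ids) and the shape of the consent record are assumptions made for the example. The service categories follow paragraph 17.d.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class ApiCategory(Enum):
    """Service categories from paragraph 17.d of the CP."""
    PRODUCT_INFO = "product_info"
    SUBSCRIPTION = "subscription"
    ACCOUNT_INFO = "account_info"
    PAYMENT = "payment"


@dataclass
class Consent:
    """A consumer's approval for one API user (TPP), limited to listed categories and a validity window.
    The record layout is an assumption for this example."""
    consumer_id: str
    tpp_id: str
    categories: frozenset
    expires_at: datetime
    revoked: bool = False


@dataclass
class ApiProvider:
    """Hypothetical API provider (data attribute provider) enforcing member-level access."""
    members: set = field(default_factory=set)       # registered API users (member API, 17.e)
    consents: dict = field(default_factory=dict)    # consent_id -> Consent

    def register_member(self, tpp_id: str) -> None:
        self.members.add(tpp_id)

    def grant_consent(self, consent_id, consumer_id, tpp_id, categories, valid_for, now):
        # The consumer, as data owner, scopes the grant to one TPP and specific categories.
        self.consents[consent_id] = Consent(consumer_id, tpp_id, frozenset(categories), now + valid_for)

    def revoke_consent(self, consent_id: str) -> None:
        self.consents[consent_id].revoked = True

    def authorize(self, tpp_id, consent_id, consumer_id, category, now):
        """Return (allowed, reason). Every check must pass; the first failure is reported."""
        if tpp_id not in self.members:                      # only members may call at all
            return False, "tpp_not_member"
        consent = self.consents.get(consent_id)
        if consent is None:
            return False, "unknown_consent"
        if consent.tpp_id != tpp_id or consent.consumer_id != consumer_id:
            return False, "consent_not_bound_to_caller"     # a consent is not transferable
        if consent.revoked:
            return False, "consent_revoked"
        if now >= consent.expires_at:
            return False, "consent_expired"
        if category not in consent.categories:              # consent for account data is not consent to pay
            return False, "category_out_of_scope"
        return True, "ok"


def run_scenario():
    """Constructed walk-through; returns the decision for each request."""
    now = datetime(2020, 3, 30, 9, 0, tzinfo=timezone.utc)
    provider = ApiProvider()
    provider.register_member("tpp-fintech-a")
    provider.grant_consent("c1", "consumer-1", "tpp-fintech-a",
                           {ApiCategory.ACCOUNT_INFO}, timedelta(days=90), now)
    results = {
        "in_scope": provider.authorize("tpp-fintech-a", "c1", "consumer-1", ApiCategory.ACCOUNT_INFO, now),
        "payment_without_consent": provider.authorize("tpp-fintech-a", "c1", "consumer-1", ApiCategory.PAYMENT, now),
        "non_member": provider.authorize("tpp-unknown", "c1", "consumer-1", ApiCategory.ACCOUNT_INFO, now),
        "other_consumer": provider.authorize("tpp-fintech-a", "c1", "consumer-2", ApiCategory.ACCOUNT_INFO, now),
        "expired": provider.authorize("tpp-fintech-a", "c1", "consumer-1", ApiCategory.ACCOUNT_INFO,
                                      now + timedelta(days=91)),
    }
    provider.revoke_consent("c1")
    results["revoked"] = provider.authorize("tpp-fintech-a", "c1", "consumer-1", ApiCategory.ACCOUNT_INFO, now)
    return results


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name}: {decision}")
```

The order of checks matters: membership is tested before the consent is even looked up, so a non-member learns nothing about which consent ids exist, and the consent is bound to both the calling TPP and the named consumer so that a grant obtained for one relationship cannot be replayed for another. Revocation and expiry are separate outcomes so that the provider's logs can distinguish a consumer withdrawing consent from a grant that simply lapsed.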
18. In line with the IPSB 2025 Vision, the Open API Standards in this CP focus primarily on
the Open API on payment transactions, considering that the payment system currently
plays an important role in the digital financial ecosystem and that payment transaction
data are important for promoting innovation and further analysis. In this CP, the
Open API on payment transactions is the Open API that allows API users to access
payment services provided by API providers based on consumers’ consent. Considering
that payment services for consumers must be provided securely, the level of openness
of the Open API Standards on payment transactions in this CP is member API with a high
level of security.
19. In order to attain the integrity and the soundness of the Open API ecosystems, the Open
API Standards on Payment Transactions are set forth to at least meet the following
principles:
a. Openness. Open up opportunities for various parties to access the API for
transactions in accordance with the applicable contract.
b. Interoperability. Improve the efficiency of API connectivity.
c. Flexibility. Easily adapted to various business models or API categories and
technology types (such as API technical specifications, authorization,
authentication, or encryption).
d. Independence. Avoid reliance on particular parties (such as a technology vendor).
e. Governance. Open API governance that is supervised by the standard governing
body appointed or designated by the relevant authority.
f. Consumer Protection & Consent. The Open API implementation should uphold
the protection of consumers’ interests, and the disclosure of data must be solely
based on the consumers’ consent.
g. Novelty. The adoption of the latest technology in Open API.
h. Security. Open API implementation that guarantees the security of payment
transactions as well as mitigates cyber and fraud risks.
20. The Open API Standards on payment transactions in this CP include data standards,
technical standards, security standards, and governance standards. The proposed Open
API Standards have considered the best practices at the international level as well as
the practices currently implemented at the domestic level by PSP in order to support
the development and the ease of the Open API adoption.
21. The Open API Standards in this CP are intended for PSPs licensed in Indonesia that
provide Open API services on payment transactions, namely as API providers on payment
transactions and as API users on payment transactions, and that carry out transaction
initiation, and/or transaction forwarding, and/or authorization under an Open API
cooperation agreement on payment transactions, for both domestic and cross-border
payment transactions. The Open API Standards are also intended for supporting
providers if the supporting providers collaborate with PSP. The supporting providers are
those that directly support PSP activities.
III. OPEN API STANDARDS IN OPEN BANKING AND BANKS INTERLINKAGE WITH FINTECHS
3.1 Data Standards
22. Data Standards
a. Data standards are governed to ensure the uniformity and consistency of
payment transaction data in order to improve interoperability and efficiency for
Open API players. Uniformity and consistency of data will improve the quality and
adequacy of data to support innovation and analysis. Payment transactions in the
Open API Standards are domestic and cross-border payment transactions
initiated by consumers and merchants, domestic or abroad, which are carried
out using the Open API through PSP licensed in Indonesia.
b. The results of a Bank Indonesia survey show that data currently sent via the API
on payment transactions are unstandardized. The scope and quality of payment
transaction data exchanged through the API currently do not support analysis of the
needs of consumers and merchants involved in the digital financial ecosystem.
c. Data standards for the API on payment transactions include data used to process
various domestic and cross-border payment transactions, including underlying
information related to the transactions, conducted through licensed PSP in
Indonesia.
d. The proposed data standards are the minimum data standards that are exchanged
through the API on payment transactions, which contain at least the following
data details:
Table 1 Data Standards
Data Type: Payee (Merchant/Biller/Consumer)
Data Details:
• Merchant/biller ID (business to business or business to consumer) or Consumer ID
  (consumer to consumer)
• Name of the merchant/biller/consumer
• Merchant/biller category
• Merchant/biller/consumer address
• Cellphone Number
• Electronic mail address
Data Type: Payer (Merchant/Consumer)
Data Details:
• Merchant ID (business to business)/Consumer ID (business to consumer)
• Name of the merchant/consumer
• Merchant/consumer address
• Cellphone Number
• Electronic mail address
Data Type: Product or Service (only for purchasing products or services)
Data Details:
• Product/service name
• Product/service category
• Product origin address
• Delivery destination address (if conducted through a merchant)
Data Type: Transaction
Data Details:
• Transaction date
• Nominal and transaction rates
• Transaction description
• Payment channel
• Payment instrument
• Payment service
• Fund source account
• Beneficiary account
e. Data standards, as proposed in paragraph 22.d, are applied to:
1) payments made through various channels, including proprietary channels
(internet banking and mobile banking), virtual accounts, and offline payments
through outlets;
2) payments made through various instruments, including electronic money,
electronic wallets, credit cards, and debit cards, including where a PSP licensed in
Indonesia cooperates with issuers of payment instruments that are
incorporated abroad; and
3) payments made for various services, including fund transfers, top-up,
payments for purchases of goods or services, and payments for bills or utilities.
Question #2: Data Standards and Their Application.
What is the industry's view on the proposed minimum data standards for the Open API on
payment transactions? Are the minimum data standards proposed in paragraph
22.d (Table 1) applicable to all entities in the API ecosystems as illustrated in
appendix 1? Are there other data that should be added as minimum data standard
requirements for the Open API on payment transactions?
f. Detailed data standards for each service on various channels and instruments,
along with underlying information related to the transactions, will be further
governed in the technical guidelines for implementing the Open API Standards.
3.2 Technical Standards
23. Technical Standards
a. Technical standards are governed to support the compatibility and
interoperability of the Open API. The technical standards cover the communication
protocol, architecture type, and data format.
b. For standardization purposes, the Open API technical standards are proposed to
at least meet the following principles:
1) guarantee the integrity, security, and confidentiality of data;
2) guarantee the security of connections (secure connections) that are
transmitted through the communication protocol;
3) prioritize the ease of implementation by various parties; and
4) use a data format with easily defined structures.
c. Currently, the types of architecture commonly used at the international level for
Open API are Representational State Transfer (REST) and Simple Object Access
Protocol (SOAP). From these two types of architecture, the data formats that are
generally used are JavaScript Object Notation (JSON) and eXtensible Markup
Language (XML).
d. The results of a survey conducted by Bank Indonesia of the domestic banking
industry concluded that the communication protocol most commonly used was
HTTPS, the architecture most commonly used was REST, and the data format most
commonly used was JSON.
e. Taking into account the international best practices, the domestic practices, and
the principles underlying the proposed standardization, the technical standards
proposed for the Open API payment transaction in Indonesia are as follows:
Table 2 Technical Standards
Technical Requirement: Communication Protocol
Principle:
• Ensure data integrity, security, and confidentiality.
• Ensure secure connections that are transmitted over the communication protocol.
Standard: HTTPS (minimum TLS 1.2)
Technical Requirement: Architectural Type
Principle: Prioritize the ease of implementation.
Standard: REST
Technical Requirement: Data Format
Principle:
• The ease of implementation and adoption.
• Use a data format with easily defined structures.
Standard: JSON
Question #3: Technical Standards and Their Application.
What is the industry's view of the technical standards for the Open API on payment
transactions, as proposed in paragraph 23.e (Table 2), which include standards for
communication protocols, architecture types, and data formats? Can the proposal be applied to
all entities in the API ecosystems, as illustrated in appendix 1? Are there other aspects that
should be added as technical standard requirements?
f. The use of other architectures such as SOAP and data formats such as XML is
allowed provided that third parties have the tools to convert these technical
aspects safely into REST and JSON.
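As an added example (not part of this Consultative Paper or of any PSP's specification), the following validator checks a JSON payment message, the data format proposed in Table 2, against the minimum data details of Table 1, including the conditional product/service block. The key names, the payee "type" field, the payment_service values and the via_merchant flag are assumptions; the technical guidelines announced in paragraph 25 will define the real data model.

```python
"""Validator for the Table 1 minimum data standard on a JSON payment message.

Added example, not part of the Consultative Paper or of any PSP's
specification. Key names, the payee "type" field, the payment_service
values and the "via_merchant" flag are assumptions.
"""
import json
from typing import Any

# Table 1 data details every message must carry (assumed key names).
# Payee "category" and the product block are conditional, see below.
MINIMUM_FIELDS = {
    "payee": ("type", "id", "name", "address", "cellphone", "email"),
    "payer": ("id", "name", "address", "cellphone", "email"),
    "transaction": ("date", "nominal", "rates", "description",
                    "payment_channel", "payment_instrument",
                    "payment_service", "fund_source_account",
                    "beneficiary_account"),
}
# Product/service details apply "only for purchasing products or services".
PRODUCT_FIELDS = ("name", "category", "origin_address")
PURCHASE_SERVICES = {"purchase_goods", "purchase_services"}  # assumed values


def _present(value: Any) -> bool:
    """A field counts as present only if it is non-empty."""
    return value is not None and not (isinstance(value, str) and not value.strip())


def validate_payment(message: dict) -> list:
    """Return the list of missing Table 1 data details; empty means conforming."""
    problems = []

    def require(block: str, fields: tuple) -> None:
        data = message.get(block)
        if not isinstance(data, dict):
            problems.append(f"missing block: {block}")
            return
        problems.extend(f"missing field: {block}.{f}"
                        for f in fields if not _present(data.get(f)))

    for block, fields in MINIMUM_FIELDS.items():
        require(block, fields)

    # Merchant/biller category is listed for merchant or biller payees;
    # a consumer payee (consumer-to-consumer) has no category.
    payee = message.get("payee")
    if isinstance(payee, dict) and payee.get("type") in ("merchant", "biller"):
        require("payee", ("category",))

    # The product/service block is required only for purchases, and the
    # delivery destination only "if conducted through a merchant".
    txn = message.get("transaction")
    if isinstance(txn, dict) and txn.get("payment_service") in PURCHASE_SERVICES:
        require("product", PRODUCT_FIELDS)
        product = message.get("product")
        if isinstance(product, dict) and product.get("via_merchant") is True:
            require("product", ("delivery_destination_address",))
    return problems


def validate_payment_json(text: str) -> list:
    """Parse a JSON document (the Table 2 data format) and validate it."""
    try:
        message = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    if not isinstance(message, dict):
        return ["top-level JSON value must be an object"]
    return validate_payment(message)


# Constructed sample: a domestic purchase paid by transfer via virtual account.
SAMPLE_PURCHASE = {
    "payee": {"type": "merchant", "id": "M-0001", "name": "Toko Contoh",
              "category": "retail", "address": "Jl. Contoh 1, Jakarta",
              "cellphone": "+62-800-000-0000", "email": "toko@example.com"},
    "payer": {"id": "C-12345", "name": "Budi", "address": "Jl. Contoh 2, Jakarta",
              "cellphone": "+62-800-000-0001", "email": "budi@example.com"},
    "product": {"name": "Headphones", "category": "electronics",
                "origin_address": "Bandung", "via_merchant": True,
                "delivery_destination_address": "Jl. Contoh 2, Jakarta"},
    "transaction": {"date": "2020-03-30", "nominal": "350000", "rates": "1.0",
                    "description": "Order 1001", "payment_channel": "virtual_account",
                    "payment_instrument": "bank_transfer",
                    "payment_service": "purchase_goods",
                    "fund_source_account": "BANK-A:001",
                    "beneficiary_account": "BANK-B:002"},
}

if __name__ == "__main__":
    print(validate_payment(SAMPLE_PURCHASE))  # []
    incomplete = json.dumps({**SAMPLE_PURCHASE, "payer": {"id": "C-1"}})
    print(validate_payment_json(incomplete))
```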
3.3 Security Standards
24. Security Standards
a. Security standards are governed to ensure data confidentiality, data and
system integrity, and service availability.
b. The Open API security standards for the authentication and authorization aspects
are proposed to at least meet the following principles:
1) guarantee the principle of non-repudiation;
2) ensure the validity/authenticity of the user identity (whether system or
human) who accesses/uses the system (strong authentication); and
3) guarantee the security of access (access control).
c. The Open API security standards for the encryption aspect are proposed to at least
meet the following principles:
1) guarantee the confidentiality of data; and
2) guarantee the integrity of the data.
d. The Open API security standards for the availability aspect are proposed to at least
meet the following principles:
1) guarantee the availability of the main and supporting application systems that
affect the availability of consumer services and business operations; and
2) guarantee the continuity of services and business operations in the event of
disruption or emergency situations (Business Continuity Plan).
e. The results of a survey conducted by Bank Indonesia of the domestic banking
industry concluded that the security standards used by the industry still vary;
therefore, a minimum reference security standard is required to ensure data
security and integrity.
f. Having due regard to the scope of services that can be provided by the API on
payment transactions, the proposed security or protection standards for the
aforementioned API category at least include:
Table 3 Security Standards
Security Standards Scope: Authentication
Underlying Principles: Ensure the validity of the user identity.
Technology:
• X.509 digital certificate
• PSP's authentication method; the minimum techniques to be used include
  username/password and two-factor authentication
• OpenID Connect as consumer consent
Security Standards Scope: Authorization
Underlying Principles:
• Ensure the security of access.
• Access to information and data elements is provided in accordance with the access’
  authority within a predetermined time limit.
• Guarantee the principle of non-repudiation.
• Provision of access to information must be preceded by the consent of the owner of
  the information.
Technology: OAuth 2.0
Security Standards Scope: Data integrity and confidentiality (encryption)
Underlying Principles: Ensure data confidentiality and integrity.
Technology: Secure Hash Algorithm 2 (SHA-2)/Advanced Encryption Standard 256 (AES-256)
Question #4: Security Standards and Their Application.
What is the industry's view of the proposed security standards for the Open API on payment
transactions as described in paragraphs 24.f (Table 3), 24.g and 24.i? Are there other aspects that
should be added as minimum security standard requirements?
g. In addition to the aforementioned standards, the security standard for the
availability aspect is the presence of a Business Contingency Plan (BCP) to ensure
the availability of data and services and the sustainability of business
processes.
h. The above standards are minimum standards; they are not the only standards
that cover all security requirements. Therefore, comprehensive control and
protection of data must be considered under the principle of protecting the Open
API host system and consumers.
i. In addition to the minimum standards as proposed in paragraph 24.f, to improve
the management of information system security, mitigate system vulnerabilities,
and ensure ongoing monitoring to prevent possible fraud, it is advisable to adopt
international standards such as:
1) ISO 27001 and PCI DSS (Payment Card Industry - Data Security Standard).
2) Secure programming methodology.
3) Fraud detection system.
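As an added example (not Bank Indonesia's or any PSP's code), the following resource-server check applies the Table 3 authorization principles to an incoming Open API payment request: access only with the data owner's consent, within a predetermined time limit, limited to the authority granted, plus a SHA-2 integrity check on the request body. The token layout, claim names, scope names and digest header are assumptions; the token is HMAC-signed only so the example runs with the standard library, and non-repudiation in Table 3 requires an asymmetric signature under the party's X.509 certificate instead, because an HMAC key is shared by both sides.

```python
"""Resource-server authorization check for an Open API payment request.

Added example, not Bank Indonesia's or any PSP's code. Token layout, claim
names, scope names and the digest header are assumptions. The HMAC
signature stands in for an X.509-based asymmetric signature, which is what
non-repudiation (Table 3) actually requires.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Optional

DEMO_KEY = b"constructed-demo-key-not-for-production"  # constructed, demo only
SAMPLE_NOW = 1_600_000_000                               # fixed clock for the demo
SAMPLE_BODY = b'{"amount":"150000","beneficiary_account":"BANK-B:002"}'  # constructed


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def body_digest(body: bytes) -> str:
    """SHA-256 (SHA-2 family) digest the client sends alongside the body."""
    return hashlib.sha256(body).hexdigest()


def issue_token(consumer_id: str, scopes: list, consent_id: str,
                ttl_seconds: int, now: Optional[int] = None) -> str:
    """Authorization-server side: mint an OAuth 2.0-style access token bound
    to the consenting consumer, the granted scopes and a time window."""
    now = int(time.time()) if now is None else now
    claims = {"sub": consumer_id, "scope": " ".join(scopes),
              "consent_id": consent_id, "iat": now, "exp": now + ttl_seconds}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64url(hmac.new(DEMO_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def authorize_request(token: str, required_scope: str, resource_owner: str,
                      body: bytes, digest_header: str,
                      now: Optional[int] = None) -> tuple:
    """Resource-server side: decide whether one request may proceed.

    resource_owner is the consumer whose account or data the request touches;
    it must be the consumer who gave the consent carried by the token.
    Returns (allowed, reason); every denial names the failed principle.
    """
    now = int(time.time()) if now is None else now
    try:
        payload, sig = token.split(".")
        expected = hmac.new(DEMO_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64url_decode(sig), expected):
            return False, "token signature invalid"
        claims: Any = json.loads(_b64url_decode(payload))
    except ValueError:  # bad split, base64, UTF-8 or JSON are all ValueErrors
        return False, "token malformed"
    if not isinstance(claims, dict):
        return False, "token malformed"
    if not claims.get("consent_id"):
        return False, "no consumer consent attached to token"
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        return False, "token outside its predetermined time limit"
    if claims.get("sub") != resource_owner:
        return False, "consent was given by a different consumer"
    if required_scope not in str(claims.get("scope", "")).split():
        return False, f"scope {required_scope} not granted"
    # Integrity: the body must match the digest the client committed to. In
    # production the digest is covered by the client's request signature;
    # otherwise a party able to alter the body can also alter the digest.
    if not hmac.compare_digest(body_digest(body), digest_header):
        return False, "request body integrity check failed"
    return True, "ok"


if __name__ == "__main__":
    tok = issue_token("C-12345", ["account:read", "payment:initiate"],
                      "consent-42", 3600, SAMPLE_NOW)
    print(authorize_request(tok, "payment:initiate", "C-12345",
                            SAMPLE_BODY, body_digest(SAMPLE_BODY), SAMPLE_NOW))
```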
25. Data, technical, and security standards for the API on payment transactions will be further
detailed in the form of API specifications that will be governed in the technical
guidelines for Open API Standards on payment transactions. The technical guidelines
will contain at least API versions, API endpoints, data models, data dictionaries, and
examples of use in the form of API requests and API responses to ensure consistency
and effectiveness of the Open API implementation.
Question #5: The Technical Guidelines of Open API Standards.
To ensure consistency in the implementation of the Open API Standards, a set of technical
guidelines will be issued containing detailed API specifications, which include data
standards, technical standards, and security standards for the Open API on payment transactions.
Apart from the aspects proposed in paragraph 25, are there other aspects of data standards,
technical standards, and security standards that should be detailed in the technical guidelines
of the Open API Standards?
3.4 Governance Standards
26. Open API governance standards consist of the following elements: the standard governing body,
the contract standard, consumer protection, and the minimum requirements for third parties
in the Open API cooperation agreement. Each element must be considered in
every Open API implementation as a foundation for establishing the integrity of the Open
API ecosystems. Open API ecosystems that uphold integrity are ecosystems that
carry out their functions efficiently, reliably, accurately, comprehensively, consistently,
and safely.
a. Standard Governing Body
1) In the implementation of Open API, the role of the standard governing body
includes contributing to the development of the Open API Standards and their
technical guidelines as the references for every Open API player to
accomplish the integrity of the Open API ecosystems. In addition, best
practices show that the standard governing body's tasks also include
managing the Open API directory and facilitating the handling and
resolution of disputes.
2) The implementation of Open API in various countries shows that the role of
the standard governing body can be carried out by:
a) a relevant authority; or
b) an entity designated by the relevant authority. If a designated entity
performs the role of the standard governing body, the standard
governing body will work independently by upholding the
professionalism principle under the supervision of the relevant
authority.
3) Best practices in several countries also show that there are two options for
the institutional form of the standard governing body if the authority
designates an entity to carry out the body’s role. The two alternatives are:
a) an entity that is a legal association or a self-regulatory organization
(SRO) formed by the relevant authority; or
b) a working group of industry players.
4) In the context of the Open API Standards on payment transactions in
Indonesia, Bank Indonesia, as the payment system authority, may appoint
an entity to carry out the role of the standard governing body. Considering
the increasing number and diversity of industry players, the growing
participation of industry in digital payment activities, as well as the
financial inclusion target, the form of standard governing body most
suitable for the circumstances in Indonesia is an entity with legal
standing as an SRO.
5) Provided that Bank Indonesia designates an SRO as the standard governing
body in Indonesia, the designated SRO will play a role among others to
participate in setting forth binding standards and technical guidelines, to
manage the Open API directory, and to facilitate the handling and resolution
of disputes.
Question #6: Establishing the Standard Governing Body.
In implementing the Open API Standards, the authority has the role of ensuring that the
implementation of the Open API Standards is in line with the policy context and setting the
minimum requirements of the Open API Standards. Furthermore, to support the implementation
effectiveness of the Standards, the authority may appoint an entity that will act as the standard
governing body, as proposed in paragraph 26.a.5). What is the industry's view on this matter?
b. Open API Contract Standard
1) Open API contract standard is part of the Open API governance that aims to
set minimum clauses that must be included in cooperation contracts
between parties involved in the Open API cooperation, including the rights
and obligations of the parties. The Open API contract standard is expected
to protect the rights and obligations of the parties in the Open API
collaboration and encourage the compliance of the Open API players with
relevant provisions, including the provisions on consumer protection as
well as anti-money laundering and the prevention of terrorism financing.
2) The results of a survey by Bank Indonesia show that the scope of the Open
API cooperation contract on payment transactions needs to be
standardized and complemented with the protection of the rights and
obligations of the Open API players and the critical aspects of consumer
protection, namely consumer consent and consumer data protection.
3) Considering the above, the Open API contract standard on payment
transactions is proposed to contain at least:
Table 4 Open API Contract Standard
Clause: a) Juridical requirements
Explanation: Requirements regarding the comprehensiveness of a cooperation agreement with other parties, including but not limited to definitions, the identity of the parties, rights and obligations of the parties, term and termination of the agreement, legal domicile and dispute resolution, and force majeure.
Clause: b) Types of services and fees
Explanation: Requirements regarding the types of data exchanged and the shared use of other services, along with the nominal rates per service charged to the cooperating parties (may be attached to the cooperation agreement).
Clause: c) Data exchange mechanism
Explanation:
• The description of the mechanism and method of data exchange.
Clause: d) Technical and security requirements
Explanation:
• The description of the technical and security requirements applied in data exchange.
• Requirements to inform the cooperating parties of any development of the API system, including indirect parties of the API system.
Clause: e) Data confidentiality
Explanation: Requirements regarding the obligations of the cooperating parties to maintain the confidentiality of data held by the cooperating parties.
Clause: f) Consumer protection that covers consumers’ data confidentiality, security, and protection, including consumers’ consent and the right to be forgotten or right to erasure clause
Explanation: Requirements regarding the obligations of the cooperating parties to uphold consumer protection, especially with regard to the confidentiality, security, and protection of consumers’ data, including the obligation to obtain consumers’ consent for the disclosure of their data to third parties, as well as the willingness to erase consumers’ data stored by the cooperating parties at the request of their consumers (right to be forgotten or right to erasure), in accordance with requirements stipulated in the provisions concerning Electronic Systems and Transactions.
Clause: g) Obligations to comply with the applicable laws and regulations
Explanation: Requirements regarding the obligations of the cooperating parties to comply with the applicable laws and regulations issued by relevant authorities, including the provisions on consumer protection, anti-money laundering and prevention of terrorism financing, payment systems, and other provisions.
Clause: h) Right to audit
Explanation: A clause stating that the authorized authority is entitled to obtain information from and conduct an audit of PSP as API players. This clause applies to PSP that cooperate with merchants/e-commerce, whether domestic or from other countries.
Clause: i) Other clauses
Explanation: Covers other clauses that need to be included in the cooperation (for example, the source of exchange rate references for cross-border transactions).
Question #7: The Role of Standard Governing Body.
In addition to formulating Open API Standards on payment transactions, the role of the standard
governing body also includes managing the Open API directory, as well as facilitating the handling
and resolution of disputes as proposed in paragraph 26.a.5). What is the industry's view on the
proposed scope of roles of the standard governing body? Is there any input on the scope of roles of
the standard governing body?
Question #8: Governance Standards - Open API Contract Standard.
What is the industry's view regarding the comprehensiveness of the Open API contract standard,
as proposed in paragraph 26.b.3)? Are there other clauses that should be included in the Open
API contract standard?
c. Consumer protection
1) In the implementation of Open API, it is necessary to strike a balance
between supporting innovation and consumer protection. In
this case, the parties cooperating under the Open API contract must uphold
the principles of consumer protection as stipulated in the legislation in force
in Indonesia.
2) The principle of consumer protection.
The principles of consumer protection in the implementation of the Open
API at least include:
a) equality and fair treatment;
b) openness and transparency;
c) education and literacy;
d) responsible business behavior;
e) protection of consumer assets against misuse;
f) data and/or consumer information protection; and
g) effective handling and resolution of disputes.
3) Access to consumer data
In order to protect consumers with regard to access by the Open API players
to the consumers’ data, it is necessary to regulate access to the
consumers’ personal data, covering at least:
a) approval to transfer or store the consumers’ data;
b) restrictions to access, use, and store the consumers’ data;
c) information or notification to the consumers regarding their orders
on fund transfer; and
d) the presence of the retention policy on the consumers’ data.
4) Consumer consent
a) Consumer consent is fundamental in the Open API framework to grant
access to the Open API players on consumers’ data and the exchange
of the consumers’ data to the Open API players that are approved by
the consumers to be used according to the consumers’ demand.
b) The Open API implementation in a number of countries shows that
the underlying principles for opening or exchanging data are as follows: i)
the consumers are the owners of their data, ii) the consumers are the
parties that grant approval to share their data with other parties, and
iii) the consumers have the right to request that their personal data be
deleted and not be used by other parties (right to be forgotten or right
to erasure).
c) To guarantee consumer protection, Open API players must request
valid consent from consumers, including under business to business
cooperation contracts, as referred to in paragraph 26.b. Valid consent is
consent that is explicitly conveyed and is not hidden or based on
omission, negligence, or coercion, as referred to in the provisions of the
legislation governing Electronic Systems and Transactions.
5) Data Protection
a) Consumer protection in the Open API implementation must include
the protection of processing consumers’ personal data.
b) The processing of consumers’ personal data requires having due
regard to the provisions of the legislation governing Electronic
Systems and Transaction.
6) Dispute Handling and Resolution
a) Open API players are required to have a mechanism or procedure for
handling and resolving disputes, covering disputes:
i. between consumers and the Open API players; and
ii. between the Open API players.
b) Mechanisms or procedures for handling and resolving disputes refer
to:
i. the provisions in force in Indonesia if the parties originate from
Indonesia; or
ii. agreement on one of the parties' legal jurisdiction to be a
reference in the dispute resolution process if the parties
originate from two different jurisdictions.
c) The role of the standard governing body is to facilitate the resolution of
disputes between the Open API players. The standard governing body
facilitates disputes by observing the principles of fairness, confidentiality,
and voluntariness.
d) The disputes facilitated by the standard governing body are civil
matters that are not in process before, and have never been decided by, an
arbitration or judicial authority, or that have not yet reached an agreement.
Question #9: Governance Standards - Consumer Protection.
What is the industry's view of the consumer protection clauses in the Open API governance
standards, which include the proposed consumer consent, data protection, and handling and
resolution of disputes as proposed in paragraph 26.c? Are there other aspects that should be
covered in the Open API governance standards to support consumer protection goals?
d. The Minimum Requirements for Third Parties in Implementing Open API Cooperation
1) Third parties that are allowed to cooperate with PSP in providing the Open
API services on payment transactions are:
i) licensed PSP that has obtained approval from Bank Indonesia; and
ii) other parties who have obtained permission or approval from the
relevant authorities.
2) Third parties that cooperate with PSP are required to meet the minimum
requirements of the Open API Standards.
IV. TIMELINE AND COVERAGE OF IMPLEMENTATION
27. The implementation of the Open API Standards by PSP that provide Open API services
on payment transactions will follow the predetermined phase-in arrangement.
28. For the purpose of the phase-in arrangement on the implementation of the Open API
Standards, PSP will be classified as follows:
a. PSP that meet certain criteria, including size (among others: market share,
transaction share, scalability and growth of business and transactions, etc.) and
business complexity (e.g., business scope, PSP business activities); and
b. Other PSP.
The classification and criteria applied will be harmonized with the Payment System
provisions to be issued by Bank Indonesia.
Question #10: Governance Standards - Requirements for Third Parties.
What is the industry's view of the proposed minimum requirements for third parties in the
Open API cooperation agreement, as proposed in paragraph 26.d? Are there other aspects
that should be included as minimum requirements for third parties in the Open API
cooperation?
29. The implementation timeline of the Open API Standards for PSP is as follows:
a. The preparation and development phase:
The preparation and development phase of the API, in accordance with the
requirements of the Open API Standards, by PSP as providers and as users
of the API on payment transactions starts in:
1) the fourth quarter of 2020 for PSP that meet certain criteria;
2) the first quarter of 2021 for other PSP.
b. The testing phase:
The testing phase by PSP as users of the API on payment transactions at the
developer site of the Open API Standards, in order to be certified and registered in the
directory list of the Open API Standards, starts in:
1) the first quarter of 2021 for API users that cooperate with PSP that meet
certain criteria;
2) the second quarter of 2021 for API users that cooperate with other PSP.
c. The full implementation phase:
The full implementation phase of the Open API Standards starts in:
1) the second quarter of 2021 for PSP that meet certain criteria;
2) the third quarter of 2021 for other PSP.
From this phase onwards, the developer site of the Open API Standards will
continue to serve as a medium for PSP as users of the API on payment transactions
to test their API’s compliance with the Open API Standards on payment
transactions.
V. FOLLOW-UP
30. A Working Group on the Open API Standards will be formed and tasked with deliberating
the proposed Open API Standards and setting forth the Standards’ technical guidelines
to support the adoption of the Open API Standards. Members of the Working Group will
consist of the parties designated by Bank Indonesia as the standard governing body,
representatives from the industry, and other related parties.
31. Bank Indonesia will finalize the proposed Open API Standards on payment transactions
by taking into account input received from the industry and other stakeholders during
the consultation period to ensure the implementation effectiveness of the Open API
Standards.
VI. APPENDIX
APPENDIX 1
Use Case Purchases & Remittances
Illustration I
• Consumers conduct the following transactions
i. Purchase products or services online through marketplaces or e-
commerce or offline, or
ii. Remittance/transfer funds through remittance service.
Consumers will be given various payment channel options in the form of payment
by transfer via Virtual Account, payment by Direct Debit/Internet Banking/Debit &
Credit Card/Paylater, payment by Electronic Money (EM), and payment via offline
outlets.
• In this case, the marketplace or e-commerce or remittance service partner
may work with PSP Payment Gateway to provide various payment options
where the exchange of data between the two parties for transaction
processing is performed through the Open API.
• The Payment Gateway is connected through the Open API with payment
counterparties such as banks, pay later providers, EM providers, or offline
outlets for transaction processing. However, the API currently used between
the various connected parties is unstandardized in terms of data, technical,
security, and governance aspects. Therefore, Open API Standards are required
that will improve the efficiency of payment systems, promote the interlinkage
of banks and fintechs, and ensure the quality of data that will support
innovation and analysis.
Illustration II
Consumers may top up Electronic Money through applications provided by EM
providers that connect directly to banks through the Open API. Likewise, the API used
by each bank is varied and unstandardized.
Figure (Appendix 1 illustrations, rendered as a diagram in the original; only the labels survive):
Illustration I, Use Case Purchases & Remittances: Customer (Domestic) and Customer (Overseas) connect via API to the Marketplace/Remittance Service, which connects via API to the PSP (Payment Gateway) for transaction initiation, transaction forwarding and authorization; the PSP (Payment Gateway) connects via API to the Bank (payment by transfer via Virtual Account (VA)), the E-money issuer (payment using e-Money), the Bank/Paylater provider (payment by Direct Debit / Internet Banking / Debit Card / Credit Card / Paylater) and the Offline merchant (payment via offline merchant); the Merchant/Biller/Recipient of Funds (Domestic) and (Overseas) receive the funds. Transaction flow may differ depending on the parties connected to the API.
Illustration II, E-money top up: the E-money issuer connects via API to Bank 1 and Bank 2.
Caption: the currently varying API will be standardized according to the data, technical, security and governance standards proposed by this Consultative Paper (Open API Standard: data standard, technical standard, security standard, governance standard).
APPENDIX 2
Best Practices of Standard Governing Body Duties
Duties / Explanation
a) Design and set forth API standard specifications
   Design and set forth API standard specifications that consist of technical documentation such as read/write specifications, open data API, directory, dynamic client registration, and management information reporting.
b) Set forth data, technical and security standards
   Establish a minimum design standard for data (data scope), technical (communication protocol, type of architecture, data format, data application structure), and security (authentication, authorization, encryption).
c) Set forth technical guidelines for Open API players
   Establish the technical guidelines of the Open API Standards that are mandatory, conditional, and optional for the Open API players on payment transactions.
d) Set forth contract standard
   Set forth a minimum contract standard.
e) Encourage banks and third parties to use Open API Standards
   Conduct dissemination and education on an ongoing basis to the industry in order to encourage banks and third parties to use the Open API Standards, as well as to disseminate and educate the public regarding the Open API Standards.
f) Manage Open API directory that allows Open API players that meet criteria to easily join the Open API ecosystems
   Manage the Open API directory in the form of a website portal that can be accessed online by banks and third parties that will join the Open API ecosystems. In addition to the directory, the website portal can be equipped with a sandbox as a trial medium for APIs.
g) Handling and resolving disputes
   The process of handling and resolving disputes and complaints is conducted through an online and/or offline service system that is reliable, fast, efficient, and transparent.
APPENDIX 3
Glossary
2-factor-authentication: Two-step verification process.
API: A set of routines, protocols, and tools to build software applications that determine/specify the procedures for the interaction of the software components.
Biller ID: A collection of data (including telephone numbers, biometrics) and/or other credentials (including digital signatures) that are collected and stored electronically to uniquely identify service providers that charge fees to consumers who use their services periodically, such as the National Electricity Company, Water Supply Utility Company, Indonesia Telecommunication Company, etc.
Consumer Consent: Information and approval given by individual data owners to provide their data to parties other than the data owners, which is free, specific, and informed, for further processing by those other parties.
Fintech: Technology-enabled innovation in financial services that results in new business models, applications, processes, and/or products.
HTTPS: Hypertext Transfer Protocol Secure is an internet communication protocol that protects the integrity and confidentiality of user data between the user's computer and the site. Data sent using HTTPS is secured using Transport Layer Security, which provides three layers of security protection, namely:
• Encryption: the exchanged data is encrypted to keep it secure from eavesdroppers.
• Integrity: data cannot be changed or corrupted during transfer, whether intentionally or accidentally, without this being detected.
• Authentication: proves that the user is communicating with the intended website, in order to protect against man-in-the-middle attacks and build the user's trust.
JSON (JavaScript Object Notation): A data format, with the .json extension, consisting of text lines in which a name identifier precedes each data value (example: "transfer value": "1000"). This format tends to be chosen because it is relatively lighter and simpler.
Merchant ID: A collection of data (including telephone numbers, biometrics) and/or other credentials (including digital signatures) that are collected and stored electronically to uniquely identify the seller of goods/services, whether the seller owns a physical store or an online store.
Modular Banking: The bank has a modular architecture with functionality that is adaptive to changes in consumer needs.
OAuth 2.0: A protocol that allows users to permit third-party applications to access data or services from other applications without exposing the user's credentials for those other applications to the third-party applications.
Omni Banking: The bank has various channels that can be accessed anytime and anywhere through various devices.
OpenID Connect: An authentication protocol based on OAuth 2.0 that uses the REST/JSON format and is interoperable across various types of clients, both JavaScript-based web browsers and mobile applications.
Open API Ecosystem: A system that is built from the reciprocal and inseparable relationship between the Open API players through the use of API technology.
Payment ID: A collection of data (including telephone numbers, biometrics) and/or other credentials (including digital signatures) that are collected and stored electronically to uniquely identify individuals involved in digital payment transactions.
Proprietary Channel: Payment channels developed and owned exclusively by banks for the benefit of their own consumers, which include technology based on short message service, mobile, web, subscriber identity module tool kit, and/or unstructured supplementary service data.
REST: Representational State Transfer (REST) is a software architecture used to define a web service. REST can use various types of data formats such as text, HTML, XML, and JSON (currently, the most widely used is JSON). REST has several advantages that make it quite popular among web service developers: it is lightweight, requires fewer resources and less bandwidth, and is easy to implement.
Smart Banking: Banks that use smart technology (such as machine learning and artificial intelligence) to collect, analyse, and clarify data.
Self-Regulatory Organization (SRO): A forum or institution that is an Indonesian legal entity and that can issue provisions for its members regarding technical and micro subjects in the area of the Payment System which have not been regulated, and/or that are a further elaboration of Bank Indonesia provisions in the Payment System area.
SOAP: Simple Object Access Protocol is a protocol specification for exchanging messages/structured information through web services in a computer network. SOAP allows developers to carry out the processes of authenticating, authorizing, and sending messages from a variety of different operating systems (including Windows, macOS, or Linux) using XML, and is independent of platform and programming language.
The Advanced Encryption Standard (AES): An electronic data encryption methodology that has three block sizes, namely 128, 192, and 256 bits, and uses the same key for encryption and decryption, so that the sender and receiver must hold the same key.
The Secure Hash Algorithm 2 (SHA-2): A cryptographic hash algorithm that produces a fixed-size string and is one-way, so that once data has been hashed, the original data cannot be recovered from the hash.
Virtual Account: Banking services that aim to identify the receipt and disbursement of funds from and/or to an account.
X.509: An internationally accepted digital certificate format that makes it possible to verify the keys stored in the digital certificate.
XML: Extensible Markup Language is a markup language created by the World Wide Web Consortium (W3C) to define the syntax for encoding data or documents that can be read by both humans and machines. XML uses tags to define the structure of data or documents, as well as how documents must be stored and transmitted.
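As an added example that is not part of this Consultative Paper or of any Bank Indonesia standard, the following Python code shows, on a JSON payload in the shape of the glossary's own sample ("transfer value": "1000"), what the integrity and authentication layers named in the HTTPS and SHA-2 entries actually check: a SHA-256 digest that detects corruption, and a keyed HMAC-SHA-256 that additionally proves the sender held the shared key. The other field names, the payload values and the shared secret are constructed for the illustration and are not the standard's.

```python
"""Added example (not from the Consultative Paper): integrity and
authentication checks over a JSON API payload using SHA-2 (SHA-256) and
HMAC-SHA-256 from the Python standard library."""
import hashlib
import hmac
import json

# Constructed sample payload; field names are illustrative assumptions,
# except "transfer value", which is the glossary's own JSON example.
SAMPLE_PAYLOAD = {
    "transfer value": "1000",
    "currency": "IDR",
    "merchant id": "M-0001",
}

# Constructed shared secret for the HMAC demonstration only.
SAMPLE_KEY = b"example-shared-secret"


def canonical_json(payload: dict) -> bytes:
    """Serialize deterministically (sorted keys, no insignificant whitespace)
    so that sender and receiver hash exactly the same bytes regardless of the
    order in which their JSON libraries emit fields."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sha256_digest(payload: dict) -> str:
    """SHA-2 (SHA-256) digest of the canonical payload: fixed size and one-way.
    It detects accidental corruption, but not deliberate tampering, because
    anyone able to change the body can simply recompute the digest."""
    return hashlib.sha256(canonical_json(payload)).hexdigest()


def hmac_tag(payload: dict, key: bytes) -> str:
    """HMAC-SHA-256 over the canonical payload: only a holder of the shared
    key can produce a valid tag, so this gives authentication as well as
    integrity."""
    return hmac.new(key, canonical_json(payload), hashlib.sha256).hexdigest()


def verify_hmac(payload: dict, key: bytes, tag: str) -> bool:
    """Recompute and compare in constant time so the comparison does not leak
    the correct tag through timing differences."""
    return hmac.compare_digest(hmac_tag(payload, key), tag)


def demo() -> dict:
    """Exercise the checks: an intact message verifies, an altered amount or a
    wrong key does not, and field order does not affect the digest."""
    tag = hmac_tag(SAMPLE_PAYLOAD, SAMPLE_KEY)

    tampered = dict(SAMPLE_PAYLOAD)
    tampered["transfer value"] = "1000000"  # attacker-style amount change

    reordered = dict(reversed(list(SAMPLE_PAYLOAD.items())))

    return {
        "digest_len_hex": len(sha256_digest(SAMPLE_PAYLOAD)),  # 64 hex chars = 256 bits
        "original_ok": verify_hmac(SAMPLE_PAYLOAD, SAMPLE_KEY, tag),
        "tampered_ok": verify_hmac(tampered, SAMPLE_KEY, tag),
        "wrong_key_ok": verify_hmac(SAMPLE_PAYLOAD, b"other-key", tag),
        "order_independent": sha256_digest(reordered) == sha256_digest(SAMPLE_PAYLOAD),
    }


if __name__ == "__main__":
    print(demo())
```

The digest on its own only catches corruption; a party that can rewrite the body can recompute the SHA-256, which is why the keyed HMAC (or a signature under a key bound to an X.509 certificate) is what supplies authentication, and why both travel inside the HTTPS channel rather than replacing it. AES is not shown because the standard library has no implementation; as a point of fact, AES always operates on 128-bit blocks, and 128, 192 and 256 bits are its key sizes.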