
CONSULTATIVE PAPER

OPEN API STANDARDS AND BANKS INTERLINKAGE WITH FINTECHS FOR PAYMENT SERVICE PROVIDERS

The deadline for submitting responses is extended to May 30, 2020

Consultative Paper
Open API Standards and Banks Interlinkage with Fintechs for Payment Service Providers

BANK INDONESIA
Jalan M.H. Thamrin No. 2
Jakarta – 10350 Indonesia

Jakarta, 30 March 2020

©Bank Indonesia 2020. All rights reserved.
It is forbidden to quote, reproduce, and translate part or all of the contents of this book without written permission from the Publisher.


Consultative Paper in a Glance

Bank Indonesia publishes this Consultative Paper (CP) regarding Open API Standards in association with open banking and banks' interlinkage with fintechs for Payment Service Providers (PSP), as part of implementing the 2nd and 3rd visions of Indonesia's 2025 Payment System Blueprint (IPSB 2025).1 This CP publication is part of Bank Indonesia's communication and consultation with the public with regard to the implementation plan of the Open API Standards for PSP, which orchestrate services on API payment transactions, both for PSP as API providers and for PSP as API users.

This CP elaborates on the implementation of the Open API Standards, focusing on the payment system, which includes data standards, technical standards, security standards, and governance standards. The Standards proposed in this CP take into account the results of benchmarking against best practices in several countries, such as the UK, Hong Kong, Japan, Australia, India, and Singapore; a survey conducted on the banking industry; and suggestions from various stakeholders.

Regarding the matters mentioned above, Bank Indonesia invites the public to provide input or opinions on this CP to ensure the effective implementation of the Standards. Suggestions or opinions submitted should be complemented by detailed explanations and/or supporting information.

1 https://www.bi.go.id/en/publikasi/sistem-pembayaran/riset/Pages/Blueprint-Sistem-Pembayaran-Indonesia-2025.aspx


Questions Summary for Public Consultation

1. The purpose and scope of the Open API Standards. The Open API Standards are required to encourage the adoption of open banking that supports the achievement of payment services that are efficient, safe, and reliable; supports innovation and competition; and fosters the integrity of the Open API ecosystems. The Open API Standards on payment transactions cover the Open API cooperation agreement on payment transactions, both domestic and cross-border. What is the industry's view of the intended purpose and scope of the Open API Standards?

2. Data standards and their application. What is the industry's view on the proposed minimum data standards for the Open API on payment transactions? Are the minimum data standards proposed in paragraph 22.d (Table 1) applicable to all entities in the API ecosystems, as illustrated in appendix 1? Are there other data that should be added as minimum data standard requirements for the Open API on payment transactions?

3. Technical standards and their application. What is the industry's view of the technical standards for the Open API on payment transactions, as proposed in paragraph 23.e (Table 2), which include standards for communication protocols, architecture types, and data formats? Can the proposal be applied to all entities in the API ecosystems, as illustrated in appendix 1? Are there other aspects that should be added as technical standard requirements?

4. Security standards and their application. What is the industry's view of the proposed security standards for the Open API on payment transactions as described in paragraph 24.f (Table 3) and paragraphs 24.g and 24.i? Are there other aspects that should be added as minimum security standard requirements?

5. The technical guidelines of Open API Standards. To ensure consistency in the implementation of the Open API Standards, a set of technical guidelines will be issued containing detailed API specifications, which include data standards, technical standards, and security standards for the Open API on payment transactions. Apart from the aspects proposed in paragraph 25, are there other aspects of data standards, technical standards, and security standards that should be detailed in the technical guidelines of the Open API Standards?

6. Establishing the standard governing body. In implementing the Open API Standards, the authority has the role of ensuring that the implementation of the Open API Standards is in line with the policy context and setting the minimum requirements of the Open API Standards. Furthermore, to support the implementation effectiveness of the Standards, the authority may appoint an entity that will act as the standard governing body, as proposed in paragraph 26.a.5). What is the industry's view on this matter?

7. The role of the standard governing body. In addition to formulating Open API Standards on payment transactions, the role of the standard governing body also includes managing the Open API directory, as well as facilitating the handling and resolution of disputes as proposed in paragraph 26.a.5). What is the industry's view on the proposed scope of roles of the standard governing body? Is there any input on the scope of roles of the standard governing body?

8. Governance standards - Open API contract standard. What is the industry's view regarding the comprehensiveness of the Open API contract standard, as proposed in paragraph 26.b.3)? Are there other clauses that should be included in the Open API contract standard?

9. Governance standards - consumer protection. What is the industry's view of the consumer protection clauses in the Open API governance standards, which cover consumer consent, data protection, and the handling and resolution of disputes, as proposed in paragraph 26.c? Are there other aspects that should be covered in the Open API governance standards to support consumer protection goals?

10. Governance standards - requirements for third parties. What is the industry's view of the proposed minimum requirements for third parties in the Open API cooperation agreement, as proposed in paragraph 26.d? Are there other aspects that should be included as minimum requirements for third parties in the Open API cooperation?

Submission of written inputs/views can be directed to Bank Indonesia no later than May 30, 2020 with the subject:

"Responses to Consultative Paper Regarding Open Application Programming Interface (Open API) Standards in the Context of Open Banking and Banks Interlinkage with Fintech for Payment System Service Providers"

to:

- Via email to: Open API Standards Working Group ([email protected])
- Via letter to: Departemen Kebijakan Makroprudensial, Menara Syafruddin Prawiranegara, Lantai 4, Jl. MH Thamrin No. 2, Jakarta 10350


TABLE OF CONTENTS

Consultative Paper in a Glance ... 3
Questions Summary for Public Consultation ... 4
EXECUTIVE SUMMARY ... 9
I. BACKGROUND, POLICY CONTEXT, AND PURPOSES ... 12
  1.1 Background ... 12
  1.2 Policy Context of the Open Banking and Bank Interlinkage with Fintech ... 15
  1.3 Purposes of Open API Standards ... 16
II. SCOPE OF APPLICATION ... 19
III. OPEN API STANDARDS IN OPEN BANKING AND BANKS INTERLINKAGE WITH FINTECHS ... 23
  3.1 Data Standards ... 23
  3.2 Technical Standards ... 25
  3.3 Security Standards ... 27
  3.4 Governance Standards ... 32
    a. Standard Governing Body ... 32
    b. Open API Contract Standard ... 34
    c. Consumer Protection ... 37
    d. The Minimum Requirements for Third Parties in Implementing Open API Cooperation ... 40
IV. TIMELINE AND COVERAGE OF IMPLEMENTATION ... 40
V. FOLLOW-UP ... 42
VI. APPENDIX ... 43


EXECUTIVE SUMMARY

The implementation of open banking initiatives is intended to encourage digital transformation by banks and interlinkage between banks and fintechs. In the midst of rapid economic and financial digitalization, open banking implementation is a necessity to maintain a level playing field between banks and fintechs, while encouraging innovation and competition and expanding public access to finance. Bank Indonesia's initiatives to support the implementation of open banking, as part of the digital transformation of the banking sector, aim to encourage acceleration and to optimize the digital financial economy. The open banking service strategy enables banks and fintechs to open financial data and information related to consumers' payment transactions reciprocally (the principle of equality), supported by a contractual collaboration in the use of API technology (Open API).

In line with the 2nd and 3rd Vision of the Indonesia Payment System Blueprint (IPSB) 2025, Bank Indonesia applies open banking in the payment system area through the implementation of the Open API Standards. The Open API Standards developed by Bank Indonesia are focused on payment system transactions involving Payment Service Providers (PSPs), both banks and non-banks. Considering the large share of payment transactions in all digital transactions, the application of the Open API Standards to payment transactions is expected to establish the integrity of data opening within the framework of open banking. The application of the Open API Standards aims to improve the efficiency, security, and reliability of payment systems; increase innovation and competition; encourage financial inclusion, including financing to MSMEs; and reduce the risk of shadow banking, while still taking into account risk mitigation efforts through the application of adequate standards.

Open API Standards include data standards, technical standards, security standards, and governance standards. The application of data standards is intended to increase interoperability and efficiency for Open API players, as well as to ensure the adequacy and quality of data for analysis and innovation needs. In the implementation of the data standards, the exchange of data between the Open API players adheres to the principle of consumer consent, whereby data can be opened only if the players obtain approval from the consumers as the data owners. In addition, to ensure security, data confidentiality, system integrity, and ease of implementation or adoption, the implementation of the Open API Standards will also include the application of technical standards that cover communication protocol, architecture type, and data format. The technical standards are intended to support the compatibility and interoperability of the Open API of each industry player.

Furthermore, the implementation of the security standards is aimed at ensuring the security of consumers' transactions, covering the aspects of authentication, authorization, encryption, and the continuity of services.

Meanwhile, governance standards include arrangements regarding the standard governing body, the contract standard, principles of consumer protection, and minimum requirements for third parties that will collaborate with Open API providers. The establishment of governance standards is required to foster the integrity of the Open API ecosystems and to ensure compliance with applicable regulations, including consumer protection as well as dispute handling and resolution.

Open API Standards will be implemented in stages, taking into consideration the diversity of PSPs. The issuance of this Consultative Paper (CP) in the 1st Quarter of 2020 is part of a series of Bank Indonesia communications with regard to the implementation plan of the Open API Standards required by Bank Indonesia. The CP issuance is intended to obtain views from the industry and the public, as input for the authority in the formulation of the Open API Standards, and on the other hand to provide clarity for the industry and other stakeholders regarding the direction of open banking development within the framework of Indonesia's payment system.

The Open API Standards will be applied to licensed PSPs in Indonesia that carry out activities on transaction initiation, and/or transaction forwarding, and/or authorization in the implementation of Open API cooperation agreement on payment transactions, both domestic and cross-border.

The Open API Standards will be phased in and prioritized for PSPs that meet criteria in terms of size (e.g., PSP market share in the retail payment system industry) and business complexity (e.g., the scope of PSP business groups' activities). Classifications and criteria for implementation prioritization of the Standards will be harmonized with the Payment System provisions to be issued by Bank Indonesia.

The phased implementation of the Open API Standards will begin with the preparation and development stages of the Open API in the 4th Quarter of 2020, followed by the trial and application phase of the Open API Standards starting in the 1st Quarter of 2021. The phasing of the implementation will also be supported by a developer site for the Open API Standards.

With this gradual application, it is expected that the industry will have the capacity to undertake the necessary preparations in line with the implementation plan of the Open API Standards required by Bank Indonesia.


I. BACKGROUND, POLICY CONTEXT, AND PURPOSES

1.1 Background

1. Globalization and the rapid development of technology have led to a digital revolution in the economic sector and financial system. Consumer demand for financial services, including payment transaction services, that are fast, easy, convenient, and safe has driven the financial system to remodel conventional services into technology-based and mobile services. Financial services are also expected to deliver a better consumer experience and higher consumer satisfaction, both in terms of quality and convenience.

2. In the digitalization era, the role of non-bank players is increasing and disrupting the role of banks. In terms of financial sector service providers, the disruption has given rise to new non-bank players as digital financial service providers, from start-ups in the technology-based financial sector (fintech) to domestic/global and large-scale technology companies (big tech). Supported by their mastery of technology, these non-bank players are gradually starting to expand into the financial services business, which has so far been dominated by formal financial institutions (banks), by providing digital services in both payments and financing.

3. These developments have disrupted the role of banks, which are gradually being replaced by non-bank financial service providers (shadow banking) that are subject to different levels of regulation and supervision than the banking industry. In particular, the role of banks in payment services has started to diminish, disrupted by the development of payment services provided by non-banks. The emergence and strengthened role of non-banks in the provision of digital payment services have begun to change the market structure, both in terms of market concentration and competition among financial service providers. On the other hand, it is recognized that innovation arising from the use of digital technology presents vast opportunities for the achievement of financial inclusion for the whole community, not only for individuals who have not yet been reached by banking services (the unbanked) but also for MSMEs.

4. Banks need to transform to improve their competitiveness. The development of financial digitalization, as well as the increasing role of non-bank players (including fintech), requires banks to transform fully (end-to-end) in order to maintain their role and position as the central intermediary institutions in the financial system, as well as the medium for monetary policy transmission in the digital economic era. This transformation is a necessity in order to improve the ability of banks to provide digital financial services that enhance the consumer experience, so as to maintain consumer loyalty and the banks' competitiveness.

5. Technology support in the digital transformation of the banking industry enables consumers to access banking services through platforms that eliminate distance and time barriers. In the digital era, banking services to consumers are expected to be offered through various means, media, or channels (omni banking), on an agile infrastructure architecture that is nimble and reliable (modular banking), with service interactions with third parties (open banking), and with efficient, data-driven optimization of resources.

6. Collaboration with non-banks (including fintech) is one approach that banks can pursue in responding to the demands of transformation in the digital age. The growth and strengthening role of fintech in providing payment services opens up opportunities for banks to collaborate with fintech through open banking cooperation to improve their digital services. Open banking allows banks, based on their consumers' consent, to open consumers' data to third parties (including fintech) reciprocally through Open API. With this collaboration, third parties can develop new products and services that meet consumers' needs and facilitate easier transactions. In addition, banks can also use consumers' digital transaction information obtained from fintech, based on the consumers' consent, to improve the banks' products and services.

7. Bank Indonesia plays a role in maintaining the right balance between opportunity optimization and risk mitigation. In the digital age, the policy challenge for Bank Indonesia as the central bank is to strike a balance between efforts to optimize the opportunities from digital innovation and efforts to mitigate the risks that arise along with digitalization trends. Therefore, open banking cooperation in providing payment services has to be directed within a regulatory framework that maintains a level playing field for all players. The framework is expected to balance the benefits of innovation against the potential risks arising from digital payment services, in order to maintain monetary stability, financial system stability, and the smooth functioning of payment systems, as mandated to Bank Indonesia, as well as to promote consumer protection.

8. Open API Standards are essential to attain the integrity of the Open API ecosystems. Bank Indonesia, as the authority, considers that the trend of digital financial services through open banking increasingly shows the importance of stipulating the Open API Standards, supported by the presence of a public infrastructure that encourages data openness, transparency, and market discipline, and by a sufficient data protection framework. The results of a survey conducted by Bank Indonesia show that, currently, several banks in Indonesia have adopted the use of API on payment transactions. However, in general, the API specifications used vary, requiring adjustments in every collaboration with a different party. The Open API Standards are expected to support interoperability between the Open API players and ease of Open API adoption, so as to attain the integrity of the Open API ecosystems on payment transactions.

9. The best practices of the Open API Standards applied by several countries serve as references for formulating Open API Standards that are in accordance with Indonesia's context. The implementation of open banking in various countries differs in terms of development stage, approach, and implementation scope, depending on each country's policy context. However, in general, each country seeks to support innovation and attain the integrity of the digital ecosystem, while still balancing prudential and consumer protection aspects. The benchmarking results also show that the implementation of open banking in several countries generally starts from the area of payment transactions, especially by players that serve as data aggregators and payment service providers, as those are the majority of parties accessing individual data on payment transactions for open banking services. Aside from considering other countries' best practices on open banking, the implementation of the Indonesian Open API Standards also requires considering the general practices of domestic industry players.

1.2 Policy Context of the Open Banking and Bank Interlinkage with Fintech

10. Bank Indonesia responds to the challenges faced by central banks in the digital era and industry 4.0 through the Indonesia Payment System Blueprint (IPSB) 2025. The Blueprint was formulated with an orientation towards building a sound digital economic and financial ecosystem, and it was built on the foundation of the five IPSB 2025 Visions, which are also the end target (end-state) of the long-term policy direction of Bank Indonesia in the digital era. The main objective of the IPSB 2025 vision is to ensure the integration of the digital economy and finance, assuring the implementation of the central bank's mandate in money supply, monetary policy, and financial stability, as well as financial inclusion.

1.3 Purposes of Open API Standards

11. The 2nd Vision and the 3rd Vision of IPSB 2025 lead to the reciprocal openness of data and information between banks and fintechs within the open banking framework. These visions are addressed through the implementation of the Open API Standards to maintain a level playing field between banks and fintechs. The open banking framework can be seen as a strategic approach to promote the digital transformation of the banking industry in a directed manner and to encourage interlinkage between banks and fintechs. The openness of data through open banking allows the development of new applications and new products, as well as opening up business opportunities more broadly, which are expected to lead to economic efficiency. Open banking will require banks to transform digitally and collaborate with fintechs to maintain their role and position as the main intermediary institutions in the financial system as well as the channel of monetary policy transmission.

12. In open banking collaboration, various mitigation measures are applied to control the risks that often arise in the digital age. These mitigation measures include safeguarding national interests in cross-border transactions and ensuring that data, as one of the main assets in the digital economy, is not controlled by certain parties but treated as a public good or managed by public infrastructure. Through this approach, the granularity of digital data and information can be optimized for a more inclusive economy and financial system. The formulation and implementation of the Open API Standards on payment transactions serve as efforts towards that goal.

13. Players in the financial sector have begun to utilize API technology in the provision of digital financial services. Current developments indicate that several banks, fintechs, and other players in the financial sector have adopted API technology as part of the development and innovation of their products or services. However, the APIs applied by financial institutions still vary and are not standardized. API adoption and Open API collaboration are also part of the strategies implemented by banks to anticipate tighter competition and faster technological developments, which require banks to innovate faster and offer better products that meet their consumers' needs. For banks, these strategies are pursued by considering the benefits of adopting the Open API, especially in the area of payment transactions, which include:

a. expanding innovation opportunities, as well as increasing and expanding product or service offerings, with API as one of the business channels;

b. meeting the needs of consumers, thereby increasing the attractiveness of the banks and the loyalty of their consumers (consumer experience);

c. increasing revenue from digital activities through the use of API as a new business channel; and

d. speeding up the time to launch new products.

14. The Open API Standards reflect an effort by Bank Indonesia to encourage the adoption of open banking for more efficient, safe, and reliable payment transactions. Open API players will be directed to open up each other's financial service data in a standardized contractual partnership to deliver an open banking strategy. The most critical and fundamental aspect of open banking is that access to and exchange of consumer transaction data can only be conducted based on consumers' consent.

15. As a logical consequence, the adoption of Open API may expose players to both infrastructure and business risks. These risks are mainly related to:

a. Cyber risk. Cyber risk increases as Open API technology provides greater access to consumer data. Increasing data transmission of payment transactions through the Open API may also trigger cyber incidents deriving from technical weaknesses of the parties connected to the Open API.

b. Reputation risk. Reputation risk may arise due to leakage and/or misuse of consumers' individual data exchanged through the Open API. In addition, reputation risk may also arise if third parties acting as partners in the Open API collaboration have not applied the principles of consumer protection and Know Your Customer.

c. Operational risk. Operational risk may emerge from high reliance on third-party information technology providers, system complexity, and limitations in human resources' expertise and experience.

16. As an effort to enhance the benefits and mitigate the risks of using the Open API, Bank Indonesia has formulated the Open API Standards, which aim to:

a. Increase efficiency, security, and reliability in payment system transactions by facilitating ease of adoption and interoperability of the Open API, as well as reducing associated costs;

b. Increase innovation and competitiveness through increasing banks' interlinkage with fintech, which will open up opportunities for the creation of innovative products;

c. Increase the interlinkage between banks and fintechs, which will support financial inclusion, including financing to MSMEs;

d. Reduce the risk of shadow banking through the implementation of equivalent regulations and standards for banks and fintechs, so as to attain a level playing field;

e. Mitigate risks emerging from the Open API through the implementation of adequate standards on data, technical, security, and governance aspects.

Question #1: The Purpose and Scope of the Open API Standards.

The Open API Standards are required to encourage the adoption of open banking that supports the achievement of payment services that are efficient, safe, and reliable; supports innovation and competition; and fosters the integrity of the Open API ecosystems. The Open API Standards on payment transactions cover the Open API cooperation agreement on payment transactions, both domestic and cross-border. What is the industry's view of the intended purpose and scope of the Open API Standards?

II. SCOPE OF APPLICATION

17. What Open API is and how it works:

a. An API is a set of protocols and instructions that allows interconnection between applications and provides access, including the exchange of data/information.

b. The Open API, in the context of this CP, is the use of API technology that gives API users, as partners of API providers in the Open API collaboration, access into the API providers' systems to access and/or use consumer data, based on the consumers' consent, for services approved by the consumers.

c. In general, an Open API ecosystem consists of 3 (three) entities, viz.:

1) API providers (data attribute providers) are entities that store consumer data and/or offer services, and that provide an API so that third parties can access and/or use consumer data and/or the providers' services, based on the consumers' consent.

2) API users (third party providers - TPP) are third-party entities that access and/or use consumers' data stored by API providers and/or use the providers' services through the API, based on the consumers' consent.

3) Consumers are the owners of the data stored by the API providers and the parties authorized to approve access to their data.

d. APIs can be categorized by service as follows:

1) Product and/or service information API: an API that provides information to API users regarding the products and/or services offered by API providers.

2) Product and/or service subscription API: an API that allows consumers to register for/open products and/or services offered by API providers through platforms provided by API users.

3) Account information API: an API that allows API users to access consumers' account data stored by API providers upon approval or initiation by the consumers.

4) Payment transaction API (transaction - transfer and payment): an API that enables API users, with the consumers' consent, to use consumer data stored by the API providers for banking transactions and/or payments that are initiated or performed by authenticated consumers.

e. The level of API disclosure determines how many parties are allowed to access the API's functions and services. In principle, API providers retain control over which APIs are opened and which third parties are given access. There are four levels of API openness:

1) Partner API: an API that is open only to certain parties, based on the API provider's preferences and bilateral agreements.

2) Member API: an API that can only be accessed by parties that are formal members of a community with a well-defined set of membership rules.

3) Acquaintance API: an API that can be accessed by parties that meet a defined set of requirements.

4) Public API: an API that is open to the public, typically with some form of registration process.

18. In line with the IPSB 2025 Vision, the Open API Standards in this CP focus on the Open API for payment transactions, considering that the payment system currently plays an important role in the digital financial ecosystem and that payment transaction data are important for promoting innovation and further analysis. In this CP, the Open API on payment transactions is the Open API that allows API users to access payment services provided by API providers based on consumers' consent. Considering that payment services for consumers must be operated securely, the level of openness of the Open API Standards on payment transactions in this CP is the member API with a high level of security.

19. In order to attain the integrity and soundness of the Open API ecosystems, the Open API Standards on Payment Transactions are set forth to meet at least the following principles:

a. Openness. Open up opportunities for various parties to access the API for transactions in accordance with the applicable contract.

b. Interoperability. Improve the efficiency of API connectivity.

c. Flexibility. Easily adapted to various business models or API categories and technology types (such as API technical specifications, authorization, authentication, or encryption).

d. Independence. Avoid reliance on particular parties (such as a technology vendor).

e. Governance. Open API governance that is supervised by the standard governing body appointed or designated by the relevant authority.

f. Consumer Protection & Consent. The Open API implementation should uphold the protection of consumers' interests, and data may be disclosed solely on the basis of the consumers' consent.

g. Novelty. The adoption of the latest technology in Open API.

h. Security. Open API implementation that guarantees the security of payment transactions and mitigates cyber and fraud risks.

20. The Open API Standards on payment transactions in this CP comprise data standards, technical standards, security standards, and governance standards. The proposed Open API Standards take into account international best practices as well as the practices currently implemented at the domestic level by PSPs, in order to support the development and ease of Open API adoption.

21. The Open API Standards in this CP are intended for PSPs licensed in Indonesia that provide services on Open API payment transactions, namely as API providers and as API users on payment transactions, that carry out transaction initiation, and/or transaction forwarding, and/or authorization under an Open API cooperation agreement on payment transactions, both domestic and cross-border. The Open API Standards are also intended for supporting providers if those supporting providers collaborate with PSPs. Supporting providers are those that directly support PSP activities.

III. OPEN API STANDARDS IN OPEN BANKING AND BANKS INTERLINKAGE WITH FINTECHS

3.1 Data Standards

22. Data Standards

a. The governing of data standards aims to ensure the uniformity and consistency of payment transaction data in order to improve interoperability and efficiency for Open API players. Uniform and consistent data improve the quality and adequacy of the data available to support innovation and analysis. Payment transactions under the Open API Standards are domestic and cross-border payment transactions initiated by consumers and merchants, domestic or abroad, which are carried out using the Open API through PSPs licensed in Indonesia.

b. The results of a Bank Indonesia survey show that data currently sent via APIs on payment transactions are unstandardized. The scope and quality of payment transaction data passing through APIs do not currently support analysis of the needs of consumers and merchants in the digital financial ecosystem.

c. Data standards for the API on payment transactions cover the data used to process the various domestic and cross-border payment transactions, including underlying information related to the transactions, conducted through PSPs licensed in Indonesia.

d. The proposed data standards are the minimum data exchanged through the API on payment transactions, and contain at least the following data details:

Table 1 Data Standards

Payee (Merchant/Biller/Consumer)
• Merchant/biller ID (business to business or business to consumer) or Consumer ID (consumer to consumer)
• Name of the merchant/biller/consumer
• Merchant/biller category
• Merchant/biller/consumer address
• Cellphone number
• Electronic mail address

Payer (Merchant/Consumer)
• Merchant ID (business to business) / Consumer ID (business to consumer)
• Name of the merchant/consumer
• Merchant/consumer address
• Cellphone number
• Electronic mail address

Product or Service (only for purchases of products or services)
• Product/service name
• Product/service category
• Product origin address
• Delivery destination address (if conducted through a merchant)

Transaction
• Transaction date
• Nominal amount and transaction rates
• Transaction description
• Payment channel
• Payment instrument
• Payment service
• Fund source account
• Beneficiary account

e. The data standards proposed in paragraph 22.d apply to:

1) payments made through various channels, including proprietary channels (internet banking and mobile banking), virtual accounts, and offline payments through outlets;

2) payments made through various instruments, including electronic money, electronic wallets, credit cards, and debit cards, including where a PSP licensed in Indonesia cooperates with issuers of payment instruments incorporated abroad; and

3) payments made for various services, including fund transfers, top-ups, payments for purchases of goods or services, and payments for bills or utilities.

f. Detailed data standards for each service on the various channels and instruments, along with the underlying information related to the transactions, will be further governed in the technical guidelines for implementing the Open API Standards.

Question #2: Data Standards and Their Application.

What is the industry's view on the proposed minimum data standards for the Open API on payment transactions? Are the minimum data standards proposed in paragraph 22.d (Table 1) applicable to all entities in the API ecosystems as illustrated in appendix 1? Are there other data that need to be added as minimum data standard requirements for the Open API on payment transactions?
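The minimum data set in Table 1 is easy to state and easy to get wrong at the boundary between two parties, so the following is an added example (not code from the paper or from Bank Indonesia) of a receiving-side check that an API provider or API user could run on an incoming JSON message before processing it. It encodes the conditional rules in Table 1: a merchant/biller category only for merchant and biller payees, the product block only for purchases of goods or services, and the delivery address only when the purchase goes through a merchant. The JSON key names, the payee "type" discriminator and the service value "purchase" are assumptions made for this example; the paper names the data elements but does not define a wire format. The sample message is constructed.

```python
"""Receiving-side check of a payment-transaction message against Table 1."""
import json

# Minimum elements per block, following Table 1. Key names are assumed.
REQUIRED = {
    "payee": ("type", "id", "name", "address", "cellphone", "email"),
    "payer": ("id", "name", "address", "cellphone", "email"),
    "transaction": ("date", "amount", "currency", "description", "channel",
                    "instrument", "service", "source_account",
                    "beneficiary_account"),
}
PRODUCT_REQUIRED = ("name", "category", "origin_address")
PAYEE_TYPES = {"merchant", "biller", "consumer"}   # assumed discriminator values
PURCHASE_SERVICE = "purchase"                       # assumed value of transaction.service


def _missing(block, fields, section):
    """List 'block.field: missing' for every absent or empty field."""
    if not isinstance(section, dict):
        return [block + ": missing"]
    return [f"{block}.{f}: missing" for f in fields if section.get(f) in (None, "")]


def validate_minimum_data(msg):
    """Return a list of problems; an empty list means the message is complete."""
    errors = []
    for block, fields in REQUIRED.items():
        errors += _missing(block, fields, msg.get(block))

    payee = msg.get("payee")
    payee = payee if isinstance(payee, dict) else {}
    tx = msg.get("transaction")
    tx = tx if isinstance(tx, dict) else {}

    ptype = payee.get("type")
    if ptype is not None and ptype not in PAYEE_TYPES:
        errors.append(f"payee.type: unexpected value {ptype!r}")
    # Table 1 asks for a category only for merchant and biller payees.
    if ptype in ("merchant", "biller") and not payee.get("category"):
        errors.append("payee.category: missing")

    amount = tx.get("amount")
    if amount is not None and (not isinstance(amount, (int, float))
                               or isinstance(amount, bool) or amount <= 0):
        errors.append("transaction.amount: must be a positive number")

    # The product block is mandatory only for purchases of goods or services,
    # and the delivery address only when the purchase goes through a merchant.
    if tx.get("service") == PURCHASE_SERVICE:
        product = msg.get("product")
        errors += _missing("product", PRODUCT_REQUIRED, product)
        if ptype == "merchant" and isinstance(product, dict) \
                and not product.get("delivery_address"):
            errors.append("product.delivery_address: missing")
    return errors


def validate_json(text):
    """Parse a JSON request body and validate it; malformed JSON is reported too."""
    try:
        msg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"body: invalid JSON ({exc.msg})"]
    if not isinstance(msg, dict):
        return ["body: expected a JSON object"]
    return validate_minimum_data(msg)


# Constructed sample message (not real data) covering every Table 1 element.
SAMPLE_MESSAGE = {
    "payee": {"type": "merchant", "id": "M-0001", "name": "Example Store",
              "category": "retail", "address": "Jl. Contoh 1, Jakarta",
              "cellphone": "+62000000000", "email": "store@example.com"},
    "payer": {"id": "C-0042", "name": "A. Consumer",
              "address": "Jl. Contoh 2, Jakarta",
              "cellphone": "+62000000001", "email": "consumer@example.com"},
    "product": {"name": "Example item", "category": "goods",
                "origin_address": "Jl. Contoh 1, Jakarta",
                "delivery_address": "Jl. Contoh 2, Jakarta"},
    "transaction": {"date": "2020-03-30", "amount": 150000, "currency": "IDR",
                    "description": "Order 1", "channel": "mobile banking",
                    "instrument": "electronic money", "service": PURCHASE_SERVICE,
                    "source_account": "ACC-PAYER",
                    "beneficiary_account": "ACC-PAYEE"},
}
SAMPLE_JSON = json.dumps(SAMPLE_MESSAGE)

if __name__ == "__main__":
    print(validate_json(SAMPLE_JSON) or "complete")
```

The check deliberately reports every problem rather than stopping at the first, so a rejected message can be corrected in one round trip; in production the same list is what the provider should log (without the personal data values themselves) when it refuses a call.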

3.2 Technical Standards

23. Technical Standards

a. The governing of technical standards aims to support the compatibility and interoperability of the Open API. The technical standards cover the communication protocol, architecture type, and data format.

b. For standardization purposes, the Open API technical standards are proposed to meet at least the following principles:

1) guarantee the integrity, security, and confidentiality of data;

2) guarantee the security of the connections (secure connections) over which data are transmitted through the communication protocol;

3) prioritize ease of implementation by the various parties; and

4) use a data format with easily defined structures.

c. Currently, the architecture types commonly used internationally for Open API are Representational State Transfer (REST) and Simple Object Access Protocol (SOAP). With these two architecture types, the data formats generally used are JavaScript Object Notation (JSON) and eXtensible Markup Language (XML).

d. A survey conducted by Bank Indonesia of the domestic banking industry concluded that the communication protocol mostly used was HTTPS, the architecture mostly used was REST, and the data format mostly used was JSON.

e. Taking into account international best practices, domestic practices, and the principles underlying the proposed standardization, the technical standards proposed for the Open API on payment transactions in Indonesia are as follows:

Table 2 Technical Standards

Communication protocol
• Principles: ensure data integrity, security, and confidentiality; ensure secure connections over the communication protocol.
• Standard: HTTPS (minimum TLS 1.2)

Architecture type
• Principle: prioritize ease of implementation.
• Standard: REST

Data format
• Principles: ease of implementation and adoption; a data format with easily defined structures.
• Standard: JSON

f. The use of other architectures such as SOAP and data formats such as XML is allowed, provided that the third parties have tools to convert these technical aspects safely into REST and JSON.

Question #3: Technical Standards and Their Application.

What is the industry's view of the technical standards for the Open API on payment transactions, as proposed in paragraph 23.e (Table 2), which cover the standards for communication protocol, architecture type, and data format? Can the proposal be applied to all entities in the API ecosystems, as illustrated in appendix 1? Are there other aspects that need to be added as technical standard requirements?
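Table 2 sets HTTPS with TLS 1.2 as the floor. In practice that means a client that refuses older protocol versions and verifies the provider's X.509 certificate and hostname, and a provider endpoint that applies the same floor and, for a member API, can also demand a certificate from the caller. The following is an added example (not from the paper or from Bank Indonesia) using only Python's standard library: two compliant contexts, a permissive one kept solely so the audit function has something to flag, and the audit itself. The certificate and CA file paths are placeholders for this example; with no paths given the contexts are built but no key material is loaded.

```python
"""Added example: TLS contexts that meet the HTTPS / TLS 1.2 floor of Table 2."""
import ssl

TLS_FLOOR = ssl.TLSVersion.TLSv1_2   # Table 2: HTTPS, minimum TLS 1.2


def api_client_context(ca_file=None, cert_file=None, key_file=None):
    """Context an API user's client uses to call an API provider's endpoint.

    Refuses anything older than TLS 1.2, verifies the provider's X.509
    certificate against a trusted CA and checks the hostname. When a client
    certificate is supplied the client also presents it (mutual TLS), which is
    how a member API can restrict callers to registered parties. Paths are
    placeholders for this example.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = TLS_FLOOR
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def api_provider_context(cert_file=None, key_file=None, client_ca_file=None):
    """Context an API provider's server uses: the same floor, and it demands a
    client certificate so unregistered callers never reach the application."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=client_ca_file)
    ctx.minimum_version = TLS_FLOOR
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def permissive_client_context():
    """A context that does not meet the standard, kept only for contrast:
    accepts any certificate, ignores the hostname, and allows TLS 1.0."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except ValueError:
        pass   # this OpenSSL build has TLS 1.0 compiled out entirely
    return ctx


def audit_context(ctx, is_client=True):
    """List the ways a context falls short of Table 2; empty means it complies."""
    findings = []
    if ctx.minimum_version < TLS_FLOOR:
        findings.append("allows TLS versions below 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("does not require the peer's X.509 certificate")
    if is_client and not ctx.check_hostname:
        findings.append("does not check the server hostname against its certificate")
    return findings


if __name__ == "__main__":
    for name, ctx, is_client in [("client", api_client_context(), True),
                                 ("provider", api_provider_context(), False),
                                 ("permissive", permissive_client_context(), True)]:
        print(name, audit_context(ctx, is_client) or "compliant")
```

The same three checks (protocol floor, certificate verification, hostname check) are what an auditor should look for in any HTTP client library or gateway configuration a PSP uses, whatever the language; a "minimum TLS 1.2" requirement is only met when TLS 1.0 and 1.1 are actually refused at handshake time, not merely not preferred.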

3.3 Security Standards

24. Security Standards

a. The governing of security standards aims to ensure data confidentiality, data and system integrity, and service availability.

b. The Open API security standards for the authentication and authorization aspects are proposed to meet at least the following principles:

1) guarantee the principle of non-repudiation;

2) ensure the validity/authenticity of the identity of the user (whether a system or a human) who accesses/uses the system (strong authentication); and

3) guarantee the security of access (access control).

c. The Open API security standards for the encryption aspect are proposed to meet at least the following principles:

1) guarantee the confidentiality of data; and

2) guarantee the integrity of data.

d. The Open API security standards for the availability aspect are proposed to meet at least the following principles:

1) guarantee the availability of the main and supporting application systems that affect the availability of consumer services and business operations; and

2) guarantee the continuity of services and business operations during disruptions or emergency situations (Business Continuity Plan).

e. A survey conducted by Bank Indonesia of the domestic banking industry concluded that the security standards used by the industry still vary; a minimum reference security standard is therefore required to ensure data security and integrity.

f. Having due regard to the scope of services that can be provided by the API on payment transactions, the proposed security or protection standards for this API category include at least:

Table 3 Security Standards

Authentication
• Underlying principle: ensure the validity of the user identity.
• Technology: X.509 digital certificates; the PSP's own authentication method, using at minimum username/password and two-factor authentication; OpenID Connect for consumer authentication and consent.

Authorization
• Underlying principles: ensure the security of access; access to information and data elements is granted in accordance with the access authority and within a predetermined time limit; guarantee the principle of non-repudiation; provision of access to information must be preceded by consent from the owner of the information.
• Technology: OAuth 2.0

Data integrity and confidentiality (encryption)
• Underlying principle: ensure data confidentiality and integrity.
• Technology: Secure Hash Algorithm 2 (SHA-2) / Advanced Encryption Standard with 256-bit keys (AES-256)

g. In addition to the aforementioned standards, the security standard for the availability aspect is the presence of a Business Continuity Plan (BCP) to ensure the availability of data and services and the sustainability of business processes.

h. The above standards are the minimum standard; they are not, however, the only standards needed to cover all security requirements. Comprehensive control and protection of data must therefore be considered, guided by the principle of protecting both the Open API host system and consumers.

i. In addition to the minimum standards proposed in paragraph 24.f, to improve information security management, mitigate system vulnerabilities, and ensure ongoing monitoring to prevent possible fraud, it is advisable to adopt international standards and practices such as:

1) ISO 27001 and PCI DSS (Payment Card Industry Data Security Standard);

2) secure programming methodology; and

3) a fraud detection system.

Question #4: Security Standards and Their Application.

What is the industry's view of the proposed security standards for the Open API on payment transactions as described in paragraphs 24.f (Table 3), 24.g and 24.i? Are there other aspects that need to be added as minimum security standard requirements?
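The authorization row of Table 3 asks that access be granted only within the holder's authority, within a predetermined time limit, and only after the data owner has consented. The following added example (not the paper's or Bank Indonesia's code) shows the resource-server side of that check for an OAuth 2.0 style bearer token: the token carries the consumer, the API user, the granted scopes, an expiry and a reference to the consent record, and its integrity is protected with HMAC-SHA256, one of the SHA-2 functions named in the table. The endpoint-to-scope map follows the four API categories in paragraph 17.d. The paths, scope names, claim names and the compact token format are assumptions for this example, standing in for the JWT-based tokens real deployments use, and the signing key is a constructed demo key.

```python
"""Added example: scope, expiry and consent checks on an OAuth 2.0 style token."""
import base64
import hashlib
import hmac
import json
import time

# Endpoint-to-scope map following the four API categories in paragraph 17.d.
# Paths and scope names are assumptions for this example.
ENDPOINT_SCOPES = {
    "/products": None,                        # product/service information: no consumer data
    "/subscriptions": "subscriptions:create",
    "/accounts": "accounts:read",
    "/payments": "payments:initiate",
}


class TokenError(Exception):
    """Raised when a token must be rejected; the message states the reason."""


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key, *, subject, client_id, scopes, consent_id, ttl_seconds, now=None):
    """Mint a compact token: base64url(claims) + "." + base64url(HMAC-SHA256 tag).

    Stands in for what an OAuth 2.0 authorization server issues once the
    consumer has consented. The consent id travels in the token so the
    resource server can refuse it after the consumer withdraws consent.
    """
    issued = int(time.time() if now is None else now)
    claims = {"sub": subject, "client_id": client_id, "scope": sorted(scopes),
              "consent_id": consent_id, "iat": issued, "exp": issued + ttl_seconds}
    body = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64url(tag)


def verify_token(key, token, *, now=None):
    """Check the HMAC-SHA256 tag in constant time and the expiry; return the claims."""
    try:
        body, tag = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(tag)):
            raise TokenError("bad signature")
        claims = json.loads(_unb64url(body))
        if not isinstance(claims, dict) or not isinstance(claims.get("exp"), (int, float)):
            raise TokenError("malformed token")
    except (ValueError, TypeError) as exc:   # wrong shape, bad base64, bad JSON
        raise TokenError("malformed token") from exc
    if (time.time() if now is None else now) >= claims["exp"]:
        raise TokenError("token expired")
    return claims


def authorize_request(key, token, endpoint, *, now=None, revoked_consents=frozenset()):
    """Resource-server decision for one API call.

    Returns the claims when the token is intact, unexpired, carries the scope
    the endpoint needs and rests on a consent the consumer has not revoked;
    raises TokenError otherwise.
    """
    if endpoint not in ENDPOINT_SCOPES:
        raise TokenError("unknown endpoint " + endpoint)
    claims = verify_token(key, token, now=now)
    needed = ENDPOINT_SCOPES[endpoint]
    if needed is not None and needed not in claims.get("scope", []):
        raise TokenError("insufficient scope: %s needs %s" % (endpoint, needed))
    if claims.get("consent_id") in revoked_consents:
        raise TokenError("consumer consent has been revoked")
    return claims


def check(key, token, endpoint, **kwargs):
    """Convenience wrapper returning 'allow' or 'deny: <reason>'."""
    try:
        authorize_request(key, token, endpoint, **kwargs)
        return "allow"
    except TokenError as exc:
        return "deny: " + str(exc)


if __name__ == "__main__":
    demo_key = b"constructed demo key, not for production"   # constructed
    token = issue_token(demo_key, subject="consumer-1", client_id="tpp-1",
                        scopes=["accounts:read"], consent_id="consent-9",
                        ttl_seconds=300)
    print(check(demo_key, token, "/accounts"))   # allow
    print(check(demo_key, token, "/payments"))   # deny: insufficient scope
```

In a real deployment the authorization server issues the token, the signing key lives in an HSM or key vault, and the consent register is consulted at call time; the revoked_consents parameter stands in for that lookup. Note the limit of this construction with respect to the table's non-repudiation principle: an HMAC key shared between the authorization server and the resource server proves integrity, but either holder could have produced the tag, so non-repudiation of a payment instruction additionally needs an asymmetric signature (for example with the X.509 key pair in the authentication row) over the transaction itself.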

25. The data, technical, and security standards for the API on payment transactions will be further detailed in the form of API specifications governed in the technical guidelines for the Open API Standards on payment transactions. The technical guidelines contain at least API versions, API endpoints, data models, data dictionaries, and examples of use in the form of API requests and API responses, to ensure consistency and effectiveness of the Open API implementation.

Question #5: The Technical Guidelines of the Open API Standards.

To ensure consistency in the implementation of the Open API Standards, a set of technical guidelines will be issued containing detailed API specifications, covering the data standards, technical standards, and security standards for the Open API on payment transactions. Apart from the aspects proposed in paragraph 25, are there other aspects of the data, technical, and security standards that need to be detailed in the technical guidelines of the Open API Standards?

3.4 Governance Standards

26. The Open API governance standards comprise the elements of the standard governing body, the contract standard, consumer protection, and the minimum requirements for third parties in the Open API cooperation agreement. Each element needs to be considered in every Open API implementation as a foundation for establishing the integrity of the Open API ecosystems. Open API ecosystems that uphold integrity are ecosystems that carry out their functions efficiently, reliably, accurately, comprehensively, consistently, and safely.

a. Standard Governing Body

1) In the implementation of Open API, the role of the standard governing body is, among others, to contribute to developing the Open API Standards and their technical guidelines as the references for every Open API player in accomplishing the integrity of the Open API ecosystems. In addition, best practice shows that the standard governing body's tasks also include managing the Open API directory and facilitating the handling and resolution of disputes.

2) The implementation of Open API in various countries shows that the role of the standard governing body can be carried out by:

a) the relevant authority; or

b) an entity designated by the relevant authority. If a designated entity performs the role of the standard governing body, that body works independently, upholding the principle of professionalism, under the supervision of the relevant authority.

3) Best practice in several countries also shows two options for the institutional form of the standard governing body where the authority designates an entity to carry out the body's role. The two alternatives are:

a) an entity that is a legal association or a self-regulatory organization (SRO) formed by the relevant authority; or

b) a working group of industry players.

4) In the context of the Open API Standards on payment transactions in Indonesia, Bank Indonesia, as the payment system authority, may appoint an entity to carry out the role of the standard governing body. Considering the increasing diversity and number of industry players, the growing participation of industry in digital payment activities, and the financial inclusion target, the form of standard governing body most suitable for the circumstances in Indonesia is an entity with legal standing as an SRO.

5) Provided that Bank Indonesia designates an SRO as the standard governing body in Indonesia, the designated SRO will, among others, participate in setting forth binding standards and technical guidelines, manage the Open API directory, and facilitate the handling and resolution of disputes.

Question #6: Establishing the Standard Governing Body.

In implementing the Open API Standards, the authority has the role of ensuring that the implementation of the Open API Standards is in line with the policy context and of setting the minimum requirements of the Open API Standards. Furthermore, to support the effectiveness of the Standards' implementation, the authority may appoint an entity to act as the standard governing body, as proposed in paragraph 26.a.5). What is the industry's view on this matter?

Question #7: The Role of the Standard Governing Body.

In addition to formulating the Open API Standards on payment transactions, the role of the standard governing body also includes managing the Open API directory and facilitating the handling and resolution of disputes, as proposed in paragraph 26.a.5). What is the industry's view on the proposed scope of roles of the standard governing body? Is there any input on the scope of roles of the standard governing body?

b. Open API Contract Standard

1) The Open API contract standard is the part of Open API governance that sets the minimum clauses that must be included in cooperation contracts between the parties involved in the Open API cooperation, including the rights and obligations of the parties. The Open API contract standard is expected to protect the rights and obligations of the parties in the Open API collaboration and to encourage compliance of the Open API players with the relevant provisions, including the provisions on consumer protection, anti-money laundering, and the prevention of terrorism financing.

2) The results of a Bank Indonesia survey show that the scope of the Open API cooperation contract on payment transactions needs to be standardized and complemented with protection of the rights and obligations of the Open API players and with the critical aspects of consumer protection, namely consumer consent and consumer data protection.

3) Considering the above, the Open API contract standard on payment transactions is proposed to contain at least the following clauses:

Table 4 Open API Contract Standard

a) Juridical requirements: requirements regarding the comprehensiveness of the cooperation agreement with other parties, including but not limited to definitions, the identity of the parties, the rights and obligations of the parties, the term and termination of the agreement, legal domicile and dispute resolution, and force majeure.

b) Types of services and fees: requirements regarding the types of data exchanged and the shared use of other services, along with the nominal rates per service charged to the cooperating parties (may be attached to the cooperation agreement).

c) Data exchange mechanism: a description of the mechanism and method of data exchange.

d) Technical and security requirements: a description of the technical and security requirements applied in the data exchange, and a requirement to inform the cooperating parties of any development of the API system, including indirect parties of the API system.

e) Data confidentiality: requirements regarding the obligations of the cooperating parties to maintain the confidentiality of data held by the cooperating parties.

f) Consumer protection, covering the confidentiality, security, and protection of consumers' data, including consumers' consent and a right-to-be-forgotten or right-to-erasure clause: requirements regarding the obligations of the cooperating parties to uphold consumer protection, especially with regard to the confidentiality, security, and protection of consumers' data, including the obligation to obtain consumers' consent for the disclosure of their data to third parties, and the willingness to erase consumers' data stored by the cooperating parties at the request of the consumers (right to be forgotten or right to erasure), in accordance with the requirements stipulated in the provisions concerning Electronic Systems and Transactions.

g) Obligation to comply with applicable laws and regulations: requirements regarding the obligations of the cooperating parties to comply with the applicable laws and regulations issued by the relevant authorities, including the provisions on consumer protection, anti-money laundering and the prevention of terrorism financing, payment systems, and other provisions.

h) Right to audit: a clause stating that the authorized authority is entitled to obtain information from, and conduct audits of, PSPs as API players. This clause applies to PSPs that cooperate with merchants/e-commerce, whether domestic or from other countries.

i) Other clauses: other clauses that need to be included in the cooperation agreement (for example, the source of exchange rate references for cross-border transactions).

Question #8: Governance Standards - Open API Contract Standard.

What is the industry's view regarding the comprehensiveness of the Open API contract standard, as proposed in paragraph 26.b.3)? Are there other clauses that need to be included in the Open API contract standard?

Page 37: CONSULTATIVE PAPER OPEN API STANDARDS AND BANKS ...€¦ · aim to encourage acceleration and to optimize the digital financial economy. The open banking service strategy enables

37

c. Consumer protection

1) In the implementation of Open API, it is necessary to strike a balance

between supporting innovation development and consumer protection. In

this case, the parties cooperate in the Open API contract require to uphold

the principles of consumer protection as stipulated in the legislation in force

in Indonesia.

2) The principle of consumer protection.

The principles of consumer protection in the implementation of the Open

API at least include:

a) equality and fair treatment;

b) openness and transparency;

c) education and literacy;

d) responsible business behavior;

e) protection of consumer assets against misuse;

f) data and/or consumer information protection; and

g) effective handling and resolution of disputes.

3) Access to consumer data

In order to protect consumers concerning access by the Open API players

to the consumers’ data, it is necessary to regulate access to the

consumers’ personal data which at least include:

a) approval to transfer or store the consumers’ data;

b) restrictions to access, use, and store the consumers’ data;

c) information or notification to the consumers regarding their orders

on fund transfer; and

d) the presence of the retention policy on the consumers’ data.

Page 38: CONSULTATIVE PAPER OPEN API STANDARDS AND BANKS ...€¦ · aim to encourage acceleration and to optimize the digital financial economy. The open banking service strategy enables

38

4) Consumer consent

a) Consumer consent is fundamental in the Open API framework: it grants the Open API players access to consumers' data and allows the exchange of consumers' data with the Open API players approved by the consumers, to be used according to the consumers' demand.

b) The Open API implementation in a number of countries shows that the underlying principles for opening or exchanging data are as follows: i) the consumers are the owners of their data; ii) the consumers are the parties who grant approval to share their data with other parties; and iii) the consumers have the right to request that their personal data be deleted and not be used by other parties (right to be forgotten or right to erasure).

c) To guarantee consumer protection, Open API players must request valid approval from consumers, including under business-to-business cooperation contracts, as referred to in paragraph 26.b. A legal agreement is an agreement that is explicitly conveyed and is not hidden or based on omission, negligence, or coercion, as referred to in the provisions of the legislation governing Electronic Systems and Transactions.

5) Data Protection

a) Consumer protection in the Open API implementation must include protection of the processing of consumers' personal data.

b) The processing of consumers' personal data must have due regard to the provisions of the legislation governing Electronic Systems and Transactions.
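As an added illustration (not code from the Consultative Paper or from Bank Indonesia), the following Python sketch shows how the requirements in points 3) to 5) above, explicit consent, scoped access for the approved party only, a retention policy, and the consumer's right to erasure, can be enforced as a gate in front of every consumer-data request. The record layout, scope names, party identifiers, timestamps and stored records are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Tuple


@dataclass
class Consent:
    """One consumer's approval for one Open API player (constructed layout)."""
    consumer_id: str
    grantee: str                # the Open API player approved by the consumer
    scopes: FrozenSet[str]      # data the grantee may access, use, or store
    granted_at: datetime
    retention: timedelta        # retention policy on the stored consumer data
    explicit: bool              # conveyed explicitly, not based on omission
    revoked: bool = False       # set when the consumer exercises the right to erasure


def check_access(c: Consent, grantee: str, scope: str, now: datetime) -> Tuple[bool, str]:
    """Gate a data request on the consent record; return (allowed, reason)."""
    if not c.explicit:
        return False, "consent not explicitly conveyed"
    if c.revoked:
        return False, "consent withdrawn (right to erasure)"
    if now > c.granted_at + c.retention:
        return False, "retention period elapsed"
    if grantee != c.grantee:
        return False, "requesting party not approved by the consumer"
    if scope not in c.scopes:
        return False, "scope '%s' outside the consumer's approval" % scope
    return True, "ok"


def erase_consumer_data(store: Dict[str, List[dict]], c: Consent) -> int:
    """Right to erasure: purge the consumer's stored records and revoke consent."""
    removed = len(store.pop(c.consumer_id, []))
    c.revoked = True
    return removed


def run_demo() -> Dict[str, object]:
    """Walk one constructed consent through scoped access, expiry and erasure."""
    t0 = datetime(2021, 4, 1, tzinfo=timezone.utc)      # constructed timestamp
    day = timedelta(days=1)
    consent = Consent("cust-001", "psp-gateway",
                      frozenset({"account:balance", "transfer:initiate"}),
                      t0, 90 * day, explicit=True)
    store = {"cust-001": [{"balance": "1000"}, {"transfer": "250"}]}   # constructed data
    out: Dict[str, object] = {}
    out["in_scope"] = check_access(consent, "psp-gateway", "transfer:initiate", t0 + day)
    out["out_of_scope"] = check_access(consent, "psp-gateway", "account:history", t0 + day)
    out["wrong_party"] = check_access(consent, "other-fintech", "account:balance", t0 + day)
    out["expired"] = check_access(consent, "psp-gateway", "account:balance", t0 + 91 * day)
    out["erased_records"] = erase_consumer_data(store, consent)
    out["after_erasure"] = check_access(consent, "psp-gateway", "account:balance", t0 + 2 * day)
    implicit = Consent("cust-002", "psp-gateway", frozenset(), t0, 30 * day, explicit=False)
    out["implicit"] = check_access(implicit, "psp-gateway", "account:balance", t0)
    return out


if __name__ == "__main__":
    print(run_demo())
```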


6) Dispute Handling and Resolution

a) Open API players are required to have a mechanism or procedure for handling and resolving disputes, including disputes:

i. between consumers and the Open API players; and

ii. between the Open API players.

b) Mechanisms or procedures for handling and resolving disputes refer to:

i. the provisions in force in Indonesia, if the parties originate from Indonesia; or

ii. an agreement on one of the parties' legal jurisdictions as the reference for the dispute resolution process, if the parties originate from two different jurisdictions.

c) The role of the standard governing body is to facilitate disputes between the Open API players. The standard governing body facilitates disputes by observing the principles of justice, confidentiality, and voluntary participation.

d) The disputes facilitated by the standard governing body are civil matters that are not in process before, and have never been decided by, an arbitration or judicial authority, or that have not yet reached an agreement.

Question #9: Governance Standards - Consumer Protection.

What is the industry's view of the consumer protection clauses in the Open API governance standards, which include the proposed consumer consent, data protection, and handling and resolution of disputes as proposed in paragraph 26.c? Are there other aspects that need to be covered in the Open API governance standards to support consumer protection goals?


d. The Minimum Requirements for Third Parties in Implementing Open API Cooperation

1) Third parties that are allowed to cooperate with PSP in providing the Open API services on payment transactions are:

i) licensed PSP that have obtained approval from Bank Indonesia; and

ii) other parties that have obtained permission or approval from the relevant authorities.

2) Third parties cooperating with PSP are required to meet the minimum requirements of the Open API Standards.

IV. TIMELINE AND COVERAGE OF IMPLEMENTATION

27. The implementation of the Open API Standards by PSP that provide the Open API services on payment transactions will follow the predetermined phase-in arrangement.

28. For the purpose of the phase-in arrangement on the implementation of the Open API Standards, PSP will be classified as follows:

a. PSP that meet certain criteria, including size (among others: market share, transaction share, scalability and growth of business and transactions, etc.) and business complexity (e.g., business scope, PSP business activities); and

b. Other PSP.

Question #10: Governance Standards - Requirements for Third Parties.

What is the industry's view of the proposed minimum requirements for third parties in the Open API cooperation agreement, as proposed in paragraph 26.d? Are there other aspects that need to be included as minimum requirements for third parties in the Open API cooperation?

The classification and criteria applied will be harmonized with the Payment System provisions to be issued by Bank Indonesia.

29. The implementation timeline of the Open API Standards for PSP is as follows:

a. The preparation and development phase:

The preparation and development of APIs in accordance with the requirements of the Open API Standards, by PSP as the providers and as the users of the API on payment transactions, starts in:

1) The fourth quarter of 2020 for PSP that meet certain criteria.

2) The first quarter of 2021 for other PSP.

b. The testing phase:

The testing phase by PSP as users of the API on payment transactions, at the developer site of the Open API Standards, in order to be certified and registered in the directory list of the Open API Standards, starts in:

1) The first quarter of 2021 for API users that cooperate with PSP that meet certain criteria.

2) The second quarter of 2021 for API users that cooperate with other PSP.

c. The full implementation phase:

The full implementation phase of the Open API Standards starts in:

1) The second quarter of 2021 for PSP that meet certain criteria.

2) The third quarter of 2021 for other PSP.

From this phase onwards, the developer site of the Open API Standards will continue to serve as a medium for PSP, as the users of the API on payment transactions, to test their API's compliance with the Open API Standards on payment transactions.


V. FOLLOW-UP

30. A Working Group on the Open API Standards will be formed and tasked with deliberating the proposed Open API Standards and setting forth the Standards' technical guidelines to support the adoption of the Open API Standards. Members of the Working Group will consist of parties designated by Bank Indonesia as the standard governing body, representatives from the industry, and other related parties.

31. Bank Indonesia will finalize the proposed Open API Standards on payment transactions by taking into account input received from the industry and other stakeholders during the consultation period, to ensure the effective implementation of the Open API Standards.


VI. APPENDIX

APPENDIX 1

Use Case Purchases & Remittances

Illustration I

• Consumers conduct the following transactions:

i. Purchase products or services online through marketplaces or e-commerce, or offline; or

ii. Remittance/transfer of funds through a remittance service.

Consumers will be given various payment channel options in the form of payment by transfer via Virtual Account, payment by Direct Debit/Internet Banking/Debit & Credit Card/Paylater, payment by Electronic Money (EM), and payment via offline outlets.

• In this case, the marketplace, e-commerce or remittance service partner may work with a PSP Payment Gateway to provide various payment options, where the exchange of data between the two parties for transaction processing is performed through the Open API.

• The Payment Gateway is connected through the Open API with payment counterparties such as banks, paylater providers, EM providers, or offline outlets for transaction processing. However, the API currently used between the various connected parties is unstandardized in terms of data, technical, security, or governance. Therefore, Open API Standards are required that will improve the efficiency of payment systems, promote banks and fintechs interlinkage, and ensure the quality of data that will support innovation and analysis.

Illustration II

Consumers may top up Electronic Money through applications provided by EM providers that connect directly to banks through the Open API. Likewise, the API used by each bank is varied and unstandardized.

[Figure: Use Case Purchases & Remittances. Illustration I: Customer (Domestic/Overseas) -> Marketplace/Remittance Service -> PSP (Payment Gateway)* -> via API to Bank (Payment by Transfer via Virtual Account), Bank or Paylater provider (Payment by Direct Debit / Internet Banking / Debit Card / Credit Card / Paylater), E-money issuer (Payment using e-Money), Offline merchant (Payment via offline merchant) -> Merchant/Biller/Recipient of Funds (Domestic/Overseas). Stages shown: Transaction Initiation & Transaction Forwarding, Authorization. Illustration II: Customer -> E-money issuer -> Bank 1 / Bank 2 via API (E-money top up). The currently varying API will be standardized according to data, technical, security and governance standards as proposed by this Consultative Paper (OPEN API Standard: Data standard, Technical standard, Security standard, Governance standard). * Transaction flow may differ depending on the parties connected to the API.]


APPENDIX 2

Best Practices of Standard Governing Body Duties

Duties and Explanation

a) Design and set forth API standard specifications: Design and set forth API standard specifications that consist of technical documentation such as read/write specifications, open data API, directory, dynamic client registration, and management information reporting.

b) Set forth data, technical and security standards: Establish a minimum design standard for data (data scope), technical (communication protocol, type of architecture, data format, data application structure), and security (authentication, authorization, encryption).

c) Set forth technical guidelines for Open API players: Establish the technical guidelines of the Open API Standards that are mandatory, conditional, and optional for the Open API players on payment transactions.

d) Set forth contract standard: Set forth a minimum contract standard.

e) Encourage banks and third parties to use the Open API Standards: Conduct dissemination and education on an ongoing basis to the industry, in order to encourage banks and third parties to use the Open API Standards, as well as disseminate and educate the public regarding the Open API Standards.

f) Manage an Open API directory that allows Open API players that meet the criteria to easily join the Open API ecosystem: Manage the Open API directory in the form of a website portal that can be accessed online by banks and third parties that will join the Open API ecosystem. In addition to the directory, the website portal can be equipped with a sandbox as a trial medium for APIs.


g) Handle and resolve disputes: The process of handling and resolving disputes and complaints is conducted through an online and/or offline service system that is reliable, fast, efficient, and transparent.

APPENDIX 3

Glossary

2-factor authentication: A two-step verification process.

API: A set of routines, protocols, and tools for building software applications that determines/specifies the procedures for the interaction of software components.

Biller ID: A collection of data (including telephone numbers, biometrics) and/or other credentials (including digital signatures) that are collected and stored electronically to uniquely identify service providers that charge fees to consumers who use their services periodically, such as the National Electricity Company, Water Supply Utility Company, Indonesia Telecommunication Company, etc.

Consumer Consent: Information and approval given by individual data owners to provide their data to parties other than the individual data owners for further processing; the consent must be free, specific, and informed.

Fintech: Technology-enabled innovation in financial services that results in new business models, applications, processes, and/or products.

HTTPS: Hypertext Transfer Protocol Secure is an internet communication protocol that protects the integrity and confidentiality of user data between the user's computer and the site. Data sent using HTTPS is secured using Transport Layer Security, which provides three layers of security protection, namely:

• Encryption, namely encrypting the exchanged data to protect it from eavesdroppers.

• Integrity, namely ensuring that data cannot be changed or damaged during a transfer, whether intentionally or accidentally, without being detected.

• Authentication, namely proving that the user is communicating with the intended website, in order to protect against man-in-the-middle attacks and build the user's trust.

JSON (JavaScript Object Notation): A data format, using the .json extension, consisting of text lines with a column name identifier in front of the data content (example: "transfer value": "1000"). This format tends to be chosen because it is relatively lighter and simpler.


Merchant ID: A collection of data (including telephone numbers, biometrics) and/or other credentials (including digital signatures) that are collected and stored electronically to uniquely identify the seller of goods/services, whether the seller owns a physical store or an online store.

Modular Banking: The bank has a modular architecture with functionality that is adaptive to changes in consumer needs.

OAuth 2.0: A protocol that allows users to permit third-party applications to access data or services from other applications without exposing the user's credentials for those other applications to the third-party applications.

Omni Banking: The bank has various channels that can be accessed anytime and anywhere through various devices.

OpenID Connect: An authentication protocol based on OAuth 2.0 that uses the REST/JSON format and is interoperable across various types of clients, both JavaScript-based web browsers and mobile applications.

Open API Ecosystem: A system built from the reciprocal and inseparable relationships between the Open API players through the use of API technology.

Payment ID: A collection of data (including telephone numbers, biometrics) and/or other credentials (including digital signatures) that are collected and stored electronically to uniquely identify individuals involved in digital payment transactions.

Proprietary Channel: Payment channels developed and owned exclusively by banks for the benefit of their own consumers, which include technology based on short message service, mobile, web, subscriber identity module toolkit, and/or unstructured supplementary service data.

REST: Representational State Transfer (REST) is a software architecture used to define a web service. REST can use various types of data formats such as text, HTML, XML, and JSON (currently, the most widely used is JSON). REST has several advantages that make it quite popular among web service developers: it is lightweight, requires fewer resources and less bandwidth, and is easy to implement.

Smart Banking: Banks that use smart technology (such as machine learning and artificial intelligence) to collect, analyze, and clarify data.

Self-Regulatory Organization (SRO): A forum or institution that is an Indonesian legal entity and can issue provisions for its members regarding technical and micro subjects in the Payment System area that have not been regulated by, and/or that further elaborate, Bank Indonesia provisions in the Payment System area.

SOAP: Simple Object Access Protocol is a protocol specification for exchanging messages/structured information through web services in a computer network. SOAP allows developers to carry out the processes of authenticating, authorizing, and sending messages from a variety of different operating systems (including Windows, macOS, or Linux) using XML, and is independent of platform and programming language.

The Advanced Encryption Standard (AES): A methodology for encrypting electronic data with three block sizes, namely 128, 192, and 256 bits, which uses the same key for encryption and decryption, so that the sender and receiver must hold the same key.

The Secure Hash Algorithm 2 (SHA-2): A cryptographic hashing algorithm that produces a fixed-size string and is one-way, so that once data has been hashed, the data cannot be recovered from the hash in its original form.

Virtual Account: Banking services that aim to identify the receipt and disbursement of funds from and/or to an account.

X.509: An internationally accepted digital certificate standard that makes it possible to verify the keys stored in the digital certificate.

XML: Extensible Markup Language is a markup language created by the World Wide Web Consortium (W3C) to define the syntax for encoding data or documents that can be read by both humans and machines. XML uses tags to determine the structure of data or documents, as well as how documents must be stored and transmitted.
