Open Finance is widely regarded as an innovation with a broad impact on the global financial and banking industry. An Open Finance business model manages individual financial data for use in a variety of business use cases. This flow of data exchange makes security and privacy crucial, so every service provider needs to pay attention to encryption, data protection, and other preventive measures.
Finantier is committed to, and serious about, data security and privacy. A dedicated division is tasked with implementing the information security strategy and architecture across each of its business processes.
In this article, Finantier's Head of Information Security, Ricky Setiadi, gives an overview of how Finantier applies security standards to produce secure financial products while still delivering a seamless user experience. Ricky has more than 6 years of experience as an information security engineer and previously led the security division at multiple technology companies. He also holds a number of security certifications, including ISO 27001 Lead Auditor and Certified Chief Information Security Officer.
Open Finance Encryption and Security System
According to Ricky, there are two main areas to consider when discussing security in Open Finance: the business model and data management. Both carry a risk level categorized as “high,” so many standards, at both the national and international level, govern them. One of their main objectives is the protection of consumer data and information. It is undeniable that the financial sector has been a target of cyber crime ever since financial services first moved online decades ago.
NIST (the National Institute of Standards and Technology), whose security standards are widely adopted across industries, issued a Special Publication on the protection of personal data, SP 800-122. It states that personal data is information that can identify, distinguish, or trace one individual from another, such as an identity number, a name, or other personal details. It also states that data linked to an individual, such as medical records or financial records, is personal data.
Under existing regulations in Indonesia, an Open Finance platform falls into the category of Electronic System Provider under the supervision of the Financial Services Authority. One of its requirements is to operate an Information Security Management System (ISMS).
In its implementation, an Open Finance platform must be able to control a number of risks that may arise. Risk control can be carried out with several approaches: acceptance, mitigation, or transfer.
Ricky also explained that risk control must be reviewed comprehensively by both an internal team and an independent third party. For each unacceptable risk, whether mitigated or transferred, a number of security controls are required. Implementing security controls cannot eliminate risk, but it brings the remaining risk under better control.
“To reduce risk, control must be implemented comprehensively, including technical, physical, and administrative. In addition, control is implemented in the production area and must be implemented as early as possible during design, development, testing, and up to the maintenance phase, including maintenance for services that are no longer used,” Ricky added.
Risks That Can Occur Without A Strong System
Without a good risk control system, a number of consequences can arise from implementing Open Finance, detrimental to both the business and its customers. From Ricky's observation, there are at least three main risk categories:
1. Data Loss
Loss or disclosure of customer data is one of the most significant risks when an Open Finance provider does not take the right security measures. It can damage the provider's reputation in the eyes of customers and business partners. In addition, loss or disclosure of customer data to unauthorized parties results in administrative and financial sanctions.
2. Inaccurate data
Inaccurate data can result from processing errors or from changes made by unauthorized parties, and it leads to fraud and a high error rate. For example, if an Open Finance platform offers a credit scoring service and the data it manages is not kept with integrity in mind, the calculation of a person's creditworthiness will produce a score that does not match reality. Incorrect scoring calculations can contribute to a larger fraud vector.
3. Loss of platform access
Loss of platform access is another risk when an Open Finance platform is not managed according to information security standards. This is not limited to loss of access caused by credential problems; it also covers the loss of availability of assets or services managed by the platform operator.
Finantier Applied Security Standards
As part of its commitment to information security, Finantier obtained ISMS certification under ISO 27001:2013 within its first year of operation. The certification provides general recognition that Finantier's processes follow established security rules and standards.
The process is not limited to the implementation of technical controls; it also includes other controls such as:
- Information security policy and organizational structure
- HR Security
- Asset and inventory management
- Access control
- Operation and communication security
- Physical security
- Development acquisition
- System maintenance
These are reinforced by controls for third-party relationships, incident management, and compliance.
“Open Finance is a dynamic business model, so the security process must be able to keep up with business developments. The security certification process will of course also have a big influence on the development of this industry, so other security certifications will be used to improve the security posture at Finantier,” Ricky explained.
Finantier’s Commitment to Data Security and Privacy
Finantier, as an actor in the Open Finance industry, recognizes that it plays a significant role in securing data, including personal data, and that as a platform operator it therefore has a responsibility to its customers.
Finantier also takes responsibility for the Open Finance ecosystem as part of the financial industry chain. One expression of that responsibility is the security technology it implements, including encryption as a branch of cryptography.
Ricky explained that Finantier's encryption follows the “three-state data protection” rule, which covers Data At Rest Encryption (DARE), Data In-Transit Encryption (DITE), and Data in Use Encryption (DIEU).
1. Data At Rest Encryption
Data At Rest Encryption is a protection mechanism for data stored passively on digital media, whether files, databases, disks, or cloud storage. Currently, DARE at Finantier still relies on commonly used encryption algorithms such as AES or RSA.
2. Data In-Transit Encryption
To support business needs, especially collaboration with third parties, managed data is not only stored on digital media but also transmitted, and transmission carries its own risks. Transport Layer Security (TLS) is one of the methods we use to secure data in transit; Data In-Transit Encryption reduces the risk of attacks such as man-in-the-middle (MITM).
3. Data in Use Encryption
To protect data while it is being processed, Finantier uses enclave technology as one way of implementing Data in Use Encryption in its environment.
In terms of the encryption used to support business needs, Finantier uses two types of encryption to protect its data, information, and services: symmetric and asymmetric. Tokenization is a further approach Finantier takes, in addition to encryption, to protect data and information.
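As an added example (not Finantier's code), the following Go program shows how the symmetric and asymmetric encryption mentioned above combine for data at rest in the envelope pattern: AES-256-GCM seals each record under a fresh data key, and RSA-OAEP wraps that key so only the holder of the platform's private key can open the record. The Envelope type, NewKeyPair, Seal and Open are assumed names; the "aad" value is a record identifier bound to the ciphertext so a record cannot be silently swapped or altered (the integrity risk from section 2).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is one stored record: the AES-GCM ciphertext plus the per-record
// data key wrapped with the platform's RSA public key (assumed design).
type Envelope struct {
	Nonce, Ciphertext, WrappedKey []byte
}

// NewKeyPair creates the platform key pair (2048-bit RSA) that wraps data keys.
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// newGCM builds an AES-256-GCM AEAD from a 32-byte data key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal encrypts one record under a fresh symmetric data key (DEK), then wraps
// the DEK with RSA-OAEP; aad (e.g. a record ID) is authenticated, not encrypted.
func Seal(pub *rsa.PublicKey, plaintext, aad []byte) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { return Envelope{}, err }
	gcm, err := newGCM(dek)
	if err != nil { return Envelope{}, err }
	nonce := make([]byte, gcm.NonceSize()) // random nonce; the DEK is also single-use
	if _, err := rand.Read(nonce); err != nil { return Envelope{}, err }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
	if err != nil { return Envelope{}, err }
	return Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, aad), WrappedKey: wrapped}, nil
}

// Open unwraps the DEK and authenticates the record: any change to the
// ciphertext, nonce or aad makes GCM reject it and return an error.
func Open(priv *rsa.PrivateKey, e Envelope, aad []byte) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, e.WrappedKey, nil)
	if err != nil { return nil, err }
	gcm, err := newGCM(dek)
	if err != nil { return nil, err }
	return gcm.Open(nil, e.Nonce, e.Ciphertext, aad)
}
```

In production the private key would live in a KMS or HSM rather than in the application, so the service that stores records can only ever encrypt.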