Bank Indonesia’s payment standard includes a balance inquiry standard that allows access to real-time balance information, transaction histories and bank statements.
Indonesia Payment System Association (ASPI)
There are two schemas for the Balance Inquiry API.
The first involves the consumer accessing their account balance information through a data recipient connected to the data provider where the consumer's account is registered. It uses an authorization code obtained during the card registration or account binding process, in which the consumer goes through an OAuth 2.0 authorization/authentication process that ensures the correctness of consumer information.
Alternatively, account balance information is accessed directly at a data provider where the user is registered.
For the Transaction History API, consumers can, through data recipients, access the transaction history list and transaction details for their accounts held by data providers.
The Bank Statement API gives consumers access to their bank statements through data recipients, and gives data recipients access directly.
Users must be registered to access the sandpit, and must obtain a licence from Bank Indonesia.
The Balance Inquiry API allows a consumer or third party provider to access the latest balance information from accounts owned in real time.
The Transaction History API is required so that consumers or third party providers can access transaction history information from accounts owned in real time. Transaction history information contains details about credit and debit transactions, account balances, and some other information.
The Bank Statement API is an API used to access the complete financial transaction history of a bank account, both accounts belonging to the individual account owner.
The Balance Inquiry and Transaction History APIs are part of a set of standards for Open Banking, including registration, transaction history, credit transfer and debit transfer.
Credit transfer (payment initiation)
When accessing the transaction history, an explicit consumer consent request (authorization/authentication) using the OAuth 2.0 mechanism is required, to ensure the correctness of consumer information and to prevent misuse of consumers' data and rights.
For periodic payments, the customer gives consent to debit his account in the form of an e-mandate.
OAuth 2.0 as per RFC 6749
Bearer token as per RFC 6750
Client Authentication Method is an authentication method for validating consumers. The Two-Factor Authentication standards used are:
The message encryption model uses both asymmetric and symmetric encryption, with a combination of Private Key and Public Key, under the following standards:
1. Standard Asymmetric Encryption Signature:
   1. SHA256withRSA with Private Key (Kpriv) and Public Key (Kpub) (256 bits)
2. Standard Symmetric Encryption Signature:
   1. HMAC_SHA512 (512 bits)
3. Standard Symmetric Encryption:
   1. AES-256 with client secret as the encryption key.
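An added example, not taken from the SNAP specification or from this page's sources: receiver-side verification of the HMAC_SHA512 symmetric signature listed above, using only Python's standard library. The string-to-sign layout, the five-minute freshness window, the endpoint path and all sample values are assumptions for illustration, since the page does not define them.

```python
import base64, hashlib, hmac, json
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # assumed freshness window, not from the page

def string_to_sign(method, path, access_token, body, timestamp):
    # Assumed canonical layout (the page does not specify one): fields joined
    # by ":", with the body replaced by the hex SHA-256 of its minified JSON.
    minified = json.dumps(body, separators=(",", ":"), sort_keys=True)
    body_hash = hashlib.sha256(minified.encode()).hexdigest()
    return ":".join([method.upper(), path, access_token, body_hash, timestamp])

def sign(client_secret, method, path, access_token, body, timestamp):
    # HMAC-SHA512 keyed with the client secret; the 64-byte tag is base64-encoded.
    msg = string_to_sign(method, path, access_token, body, timestamp).encode()
    mac = hmac.new(client_secret.encode(), msg, hashlib.sha512).digest()
    return base64.b64encode(mac).decode()

def verify(client_secret, signature, method, path, access_token, body,
           timestamp, now):
    # Reject malformed, timezone-less, stale or future-dated timestamps first,
    # so a captured request cannot be replayed outside the window.
    try:
        sent = datetime.fromisoformat(timestamp)
    except ValueError:
        return False
    if sent.tzinfo is None or abs(now - sent) > MAX_SKEW:
        return False
    expected = sign(client_secret, method, path, access_token, body, timestamp)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), signature.encode())

if __name__ == "__main__":
    # Constructed sample values, not real credentials or account data.
    secret, token = "constructed-client-secret", "constructed-access-token"
    body = {"accountNo": "0000000000"}
    ts = "2022-08-01T10:00:00+07:00"
    now = datetime(2022, 8, 1, 3, 1, tzinfo=timezone.utc)
    sig = sign(secret, "POST", "/balance-inquiry", token, body, ts)
    print(verify(secret, sig, "POST", "/balance-inquiry", token, body, ts, now))
    body["accountNo"] = "9999999999"  # tampered after signing
    print(verify(secret, sig, "POST", "/balance-inquiry", token, body, ts, now))
```

Because the signature covers the access token, body hash and timestamp together, changing any one of them after signing makes verification fail.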
A sandbox is available to current and prospective service providers, developers and service users of the API. The developer resources have more information.
Indonesia’s banking system has been reliant on local switching companies, which charge a fee for transactions performed between different banks. The country has a healthy e-commerce market, although a significant proportion of transactions are paid for with cash or bank transfers.
A Payment Systems Blueprint for 2025 was published in 2019 to set out the path to Open Banking. It considered the 51% of Indonesians who don’t use banking services as well as the protection of those who do use digital banking services. Open Banking APIs were part of this vision, and SNAP was developed by Bank Indonesia in cooperation with payment system industry representatives and enacted with BI Governor Decree No. 23/10/KEP.GBI/2021, dated 16th August 2021.
In August 2022 it is expected that 16 banks will adopt the APIs, with the remaining banks adopting them by 2025.
The governance guidelines are published online in Indonesian.
The guidelines were compiled by ASPI as part of a sub-working group with 16 Indonesian financial institutions. The governance outlines consumer data protection, handling complaints, and data protection protocols. The governance guidelines state precautionary requirements for data providers and users, and principles for the contracts.
With regard to consumer protection, the laws and regulations implemented by Bank Indonesia should be adhered to.
The Personal Data Protection Act was submitted in a draft state in January 2020.