Workspace for technical documentary requirements for EMI/EPFS license application
- Additional information requested for EMI/EPFS Ion Mudreac
List of third-party integrations (e.g. ECPay, Bayad, etc.)
Euronet
Paynamics
EsyPay
DigiPay
Visa/Mastercard > TBD
InstaPay
PESONet
Decision on telecommunication channels: whether to use WireGuard VPN, Cloudflare Zero Trust or Okta. This relates to the system or service being offered (or being applied for under the EMI license)
TBD > WireGuard VPN / Cloudflare Zero Trust is currently under testing
This is to allow secure access to the bank’s internal resources, e.g. cloud resources, back-office pages, etc.
Okta as SSO and IdM for internal employee authentication and access management propagation.
Details on the edge facility (or cloud instance) that will be used to interface with third parties.
Google Cloud is located in the Singapore region for computing and data resources.
Cloudflare as CDN/WAF/Firewall for incoming traffic.
Tyk API Gateway that allows traffic only from Cloudflare
Description of transactional data flow (this should be distinct from the infrastructure diagram)
Decision on which application performance monitoring (APM) tool to use (New Relic, Datadog, home-brewed, etc.)
Google Cloud native: Stackdriver
K8s-specific: Grafana/Prometheus
Istio
Details on authentication: Full flow
Authentication that establishes the identities of both the sender and the receiver;
We intend to use a public key infrastructure (PKI) for authentication and authorization. For reference
Authentication that verifies identities when integrating with third parties
Yes, based on the private key generated on the device, which signs all communications to the backend, and the public key
Details and process flow
Access to Figma for functional and transactional diagrams (screen design), view-only access is fine
List of feature sets of the mobile app
List of feature sets of the back office
Access to the technical diagram (infrastructure diagram, the one shared during the first meeting)
Access to software provider maintenance agreements relative to Disaster Recovery.
DR is part of cloud design as we do not have a dedicated provider that provides DR capabilities.
Based on the design, we are using GCP and GKE with a multi-AZ setup
Available details for the following Sections 18 and 19
Section 18. What security controls/measures are installed. This refers to the security controls and measures relative to the system being offered (or being applied for under the EMI license)
Three failed login attempts will freeze the account and trigger CS
Idle time is set to 5 minutes before auto sign-off. The parameter is configurable
The fraud system will monitor every single transaction and activity with the ability to block transactions or freeze account/card
The elevated authorization method is facial recognition of the client based on the previously submitted client picture with a backup manual method of a video call with a real operator
The back-office manager has the capability to enforce administrator functions (suspend users, activate users, create and delete users, etc)
The back-office system will mask personal details that are not essential for most use cases, with the ability to unmask; each unmask action is to be recorded
The system has an audit trail facility of all back-office user activities
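The lockout and idle sign-off controls listed above, as an added sketch (not code from this application or its vendor). The class name, the notify_cs hook and the reading of "CS" as customer service are assumptions; the thresholds are the ones stated in Section 18.

```python
import time

class AccountGuard:
    """Login lockout and idle sign-off per Section 18 (constructed sketch)."""

    def __init__(self, max_failures=3, idle_timeout_s=300,
                 clock=time.monotonic, notify_cs=None):
        self.max_failures = max_failures      # page: three failed attempts
        self.idle_timeout_s = idle_timeout_s  # page: 5 minutes, configurable
        self.clock = clock                    # injectable so tests need not sleep
        self.notify_cs = notify_cs or (lambda account_id: None)  # hypothetical CS hook
        self.failures = {}    # account_id -> consecutive failed attempts
        self.frozen = set()   # accounts waiting for customer service
        self.last_seen = {}   # session_id -> time of last activity

    def login(self, account_id, session_id, credentials_ok):
        """Return 'ok', 'denied' or 'frozen'. A frozen account stays frozen
        even if correct credentials are presented afterwards."""
        if account_id in self.frozen:
            return "frozen"
        if not credentials_ok:
            count = self.failures.get(account_id, 0) + 1
            self.failures[account_id] = count
            if count >= self.max_failures:
                self.frozen.add(account_id)
                self.notify_cs(account_id)   # fires once, when the freeze happens
                return "frozen"
            return "denied"
        self.failures.pop(account_id, None)  # a success resets the counter
        self.last_seen[session_id] = self.clock()
        return "ok"

    def touch(self, session_id):
        """Call on every authenticated request. Returns False, and ends the
        session, if it is unknown or idle for the timeout or longer."""
        seen = self.last_seen.get(session_id)
        if seen is None:
            return False
        now = self.clock()
        if now - seen >= self.idle_timeout_s:
            del self.last_seen[session_id]   # auto sign-off; new login required
            return False
        self.last_seen[session_id] = now
        return True

    def unfreeze(self, account_id):
        """Customer service releases the account after verifying the client."""
        self.frozen.discard(account_id)
        self.failures.pop(account_id, None)
```

Idle time is tracked server-side here so that a modified client cannot extend its own session.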
Section 19. A list of software and hardware components, indicating their purpose in the electronic banking infrastructure. This is also relative to the system being offered (or being applied for under the EMI license).
Cloudflare > DNS/WAF/Firewall/CDN
Confluent Kafka > pub/sub managed services
PostgreSQL > DB
Tyk > API Gateway
Redis > cache
HashiCorp Vault > Secure key storage
Kubernetes GKE > container orchestrator
Kotlin > JVM-based development language
Micronaut > Development framework
Flutter/Dart > Mobile cross-platform development
Sample List of Hardware (on-prem)
We will list hardware only for the call centre, e.g. Genesys Edge. Do we need to include call centre hardware?
Additional Documentation added