# Information Security Policy

Maintained by: Fedor Tyurin, CTO

Reviewed by:

  • Joonas Tomperi, CEO (24.01.2025)
  • Joonas Tomperi, CEO (20.01.2025)
  • Joonas Tomperi, CEO (7.10.2024)
  • Joonas Tomperi, CEO (12.10.2023)
  • Anatol Piachurkin, information security advisor (11.10.2023)
  • Joonas Tomperi, CEO (06.01.2023)
  • Fedor Tyurin, CTO (20.09.2022)
  • Joonas Tomperi, CEO (28.12.2021)
  • Joonas Tomperi, CEO (21.12.2021)
  • Joonas Tomperi, CEO (4.6.2021)
  • Joonas Tomperi, CEO (20.4.2021)
  • Anatol Piachurkin, information security advisor (21.10.2020)
  • Joonas Tomperi, CEO (25.9.2020)

Status: FINAL 1.6 (24.1.2025)

Readership: Senior Management, Company Employees, Business Partners, Subcontractors, Authorities, Customers

Revisions:

  • 24.1.2025, Fedor Tyurin: People Policy has been added.
  • 9.1.2025, Fedor Tyurin: Added “Regulations and guidelines 8/2014: Management of operational risk in supervised entities of the financial sector” into the list of FIN-FSA Regulations and Guidelines in Annex 1. Relevant Legislation.
  • 15.09.2024, Fedor Tyurin: Added reference to the Cryptography Policy.
  • 11.09.2024, Fedor Tyurin: Updated relevant legislation to reference EBA RTS on strong customer authentication and common and secure open standards of communication.
  • 15.08.2024, Fedor Tyurin: Updated relevant legislation to reference the Digital Operational Resilience Act (DORA) and linked the mapping of DORA requirements to ISO/IEC 27001.
  • 15.02.2024, Anatol Piachurkin: Updated to the new version of the ISO/IEC standard (27001:2022).
  • 05.10.2023, Fedor Tyurin: Updated measurable objectives, replacing overall cumulative deviation from the target risk rating with the highest deviation calculated for each asset.
  • 03.01.2023, Fedor Tyurin: Newly added policies and procedures are mentioned in the section Supporting policies, procedures and guidelines.
  • 20.12.2022, Fedor Tyurin: Links to relevant legislation in Bulgaria, Croatia, Cyprus, Greece, Hungary, Ireland, Italy, Liechtenstein, Luxembourg and Malta.
  • 1.11.2022, Fedor Tyurin: Links to relevant legislation in Portugal, Romania, Slovakia and Slovenia.
  • 07.09.2022, Kayode Asoro: Relevant legislation regarding payment fraud prevention and PISP.
  • 25.05.2022, Fedor Tyurin: Links to relevant legislation in Austria, France, Iceland and Czech Republic are added.
  • 22.12.2021, Fedor Tyurin: Wording improvements.
  • 20.12.2021, Anatol Piachurkin: Particular version of the standard is used (27001:2013).
  • 20.10.2021, Fedor Tyurin: Reference to relevant legislation in Germany.
  • 24.10.2021, Fedor Tyurin: Reference to relevant legislation in Spain.
  • 28.05.2021, Fedor Tyurin: Measures for ISMS objectives have been defined.
  • 19.04.2021, Fedor Tyurin: References to the Anti Money Laundering Policy as well as to relevant legislation in Belgium, Denmark, Latvia, the Netherlands, Norway and Poland.
  • 29.10.2020, Fedor Tyurin: Reference to relevant legislation in Estonia.
  • 05.09.2020, Fedor Tyurin: List of the supporting policies, procedures and guidelines has been extended with the newly added documents.
  • 26.08.2020, Fedor Tyurin: Legislation section has been updated with the information about the need to comply with relevant legislation of the countries where AISP registration is being passported and references to the corresponding documents.

# Introduction

Security and compliance are top priorities for Enable Banking because they are fundamental to the financial industry. Enable Banking is committed to securing data, eliminating systems vulnerability, ensuring business continuity and complying with all statutory, regulatory and legal requirements.

This information security policy outlines Enable Banking’s approach to information security management and provides the guiding principles and responsibilities necessary to ensure the security of all company’s operations. Supporting policies, procedures and guidelines provide further detail on how to implement information security.

For its Information Security Management System (ISMS) Enable Banking uses the ISO/IEC 27001:2022 standard and relies on methodologies, tools and technologies provided by OWASP, NIST and SANS to secure data from unauthorised access, disclosure, use and loss.

# Purpose

The main purpose of this policy is to introduce structured, well organised and accountable processes for dealing with information security matters and to document best practices already used in the company. By implementing this information security policy Enable Banking is moving from ad hoc solutions and decisions towards governed, documented procedures.

The second purpose of this policy is to ensure that all employees, subcontractors and business partners understand their responsibilities for protecting the confidentiality and integrity of the data that they handle, including making them aware of relevant legislation and contractual requirements.

# Scope

This policy applies, and will be communicated, to all employees, subcontractors and business partners who interact with information held by the company and with the information systems used to store and process it. The policy scope is described in detail in the ISMS Scope document.

# ISMS Objectives

The objectives of this policy are to define company targets regarding information security management, including:

  1. Support business objectives in a flexible and effective way;
  2. Maintain adequate regulatory compliance;
  3. Protect information assets;
  4. Maintain business continuity;
  5. Respond to changes in the context of the organisation as appropriate, initiating a cycle of continuous improvement of ISMS.

In order to be able to measure the effectiveness of the information security management system, the following measures for objectives 3, 4 and 5 must be checked during internal audits:

  • Highest cumulative deviation of the current risk rating from the target risk rating, calculated as described in the Risk Assessment Policy (expected to be under 20%);
  • Uptime for Enable Banking API and other services provided by the company to its customers (expected to be over 99%);
  • Number of resolved NCPARs from the previous audits, which were planned to be closed before the current audit (expected to be over 70%).

# Supporting policies, procedures and guidelines

Supporting policies have been developed to strengthen and reinforce this policy statement and must be considered substantial parts of this policy. These, along with associated procedures and guidelines, are located in the ISMS folder inside the company's Google Drive. The most important policies, procedures and guidelines are listed below together with short summaries and links to the target documents.

# Organisation of information security

The Board of Directors is ultimately accountable for corporate governance as a whole. The management and control of information security risks is an integral part of corporate governance. In practice, however, the board explicitly delegates executive responsibilities for most governance matters to the Executive Directors, led by Joonas Tomperi, Chief Executive Officer (CEO).

The Executive Directors give overall strategic direction by approving and mandating the information security principles and axioms, but delegate operational responsibilities for physical and information security to the Security Committee (SC), chaired by Fedor Tyurin, Chief Technology Officer (CTO), who acts in the role of Information Security Manager (ISM).

Organisation of information security is described in detail in the Organization of information security document.

# Risk Assessment Policy

The purpose of the risk assessment policy is to establish the systematic approach of estimating the magnitude of risks (risk analysis) for different company assets (asset inventory) and the process of comparing the estimated risks against risk criteria to determine the significance of the risks (risk evaluation).

# Information Security Training and Awareness

Managers should ensure that company employees, subcontractors and business partners working with the company’s systems, or granted access to some of the company’s data, are formally aware of and educated on the policies and procedures they must comply with.

The Information Security Training and Awareness policy contains detailed descriptions of how the information security training and awareness programme should be conducted.

# People Policy

The People Policy is designed to ensure the secure and compliant management of the employee lifecycle, from onboarding to offboarding, whilst promoting a positive and productive experience for all staff.

# Access Control Policy

Access control systems are in place to protect the interests of all authorised users of the company’s IT systems, as well as data provided by third parties, by creating a safe, secure and accessible environment.

The Access Control Policy describes how the company implements physical and logical access controls across its IT systems and cloud services in order to provide authorised, granular, auditable and appropriate user access, and to ensure appropriate preservation of data confidentiality, integrity and availability.

# Privacy and Personal Data Protection Policy

In collecting and using personal data, the company is subject to a variety of legislation controlling how such activities may be carried out and the safeguards that must be put in place to protect it. The Privacy and Personal Data Protection Policy sets out the relevant legislation and describes the steps the company is taking to ensure that it complies with it.

# Logging and Monitoring Policy

The detection of potential or actual information security incidents relies on timely and comprehensive event information being available from key security controls. These events are critical during forensic investigation in the event of a security incident. This policy on Logging and Monitoring sets out the baseline requirements for logging and monitoring security events within the company’s systems.

# Information Security Incident Management

It is necessary to take prompt action in the event of any actual or suspected breaches of information security or confidentiality to avoid the risk of harm to individuals, damage to operational business and severe financial, legal and reputational costs to the organisation.

The Information Security Incident Management policy contains guidelines on how information security incidents shall be reported, recorded, analysed and escalated.

# Mobile Device and Teleworking Policy

As most of the company data is stored in cloud environments and most of the systems can be accessed from anywhere, it is extremely important that all devices used for accessing the systems or for storing the data are used in accordance with the Mobile Device and Teleworking Policy.

# Change Management Policy

Applications and systems used and developed in the company are increasingly complex. The number of dependencies between resources, systems and applications constantly increases, which can negatively impact security if changes are not managed in an organised manner. The Policy on Change Management formulates how management and communication of updates, new features, maintenance and regular releases help to minimise customer and business impacts.

# Outsourcing Policy

The commercial benefits of outsourcing non-core business functions must be balanced against the commercial and information security risks. The risks associated with outsourcing must be managed through the imposition of suitable controls, comprising a combination of legal, physical, logical, procedural and managerial controls.

The Outsourcing Policy mandates the assessment and management of commercial and information security risks associated with business process outsourcing.

# Cloud Computing Policy

Cloud computing services are extensively used by the company in the delivery of its core business systems. The nature of these services is such that data is stored outside of the company’s internal network and is subject to access and management by a third party. The Cloud Computing Policy sets out the company's policy in the area of cloud computing.

# Secure Software Development Policy

Secure development contributes to the reliability of the IT environment by ensuring that as many vulnerabilities as possible are designed and tested out of software before it is deployed into the live environment.

The policy on secure software development sets out the precautions that must be taken during the software development lifecycle to minimise the risk to the company whilst ensuring that the benefits set out in the original business case for the software are still realised.

# Standard for Information Security Documents

The use of documented information is an essential part of the Information Security Management System (ISMS) in order to set out management intentions, provide clear guidance about how things should be done and provide evidence of activities that have been performed. The company’s Standard for Information Security Documents is dedicated to this.

# Backup Policy and Procedure

The backup of important information is often the last line of defence in the event of either accidental or malicious loss or modification of the company’s data such as the source code and SDK builds. The purpose of the company’s Backup Policy and Procedure is to set out the baseline requirements for the backup of the company’s data.

# Business Continuity Plan

The purpose of the company’s Business Continuity Plan is to minimise negative impact on the business, organise effective communication inside the company and with customers, provide alternative ways to deliver services to customers while fixing or recovering the systems and return to normal operations as soon as possible.

# Internal Audit Policy and Procedure

The purpose of the company’s Internal Audit Policy and Procedure is to ensure that the company continually operates in accordance with the specified policies, procedures and external requirements in meeting company goals and objectives in relation to information security, and to ensure that improvements to the Information Security Management System (ISMS) are identified, implemented and suitable to achieve those objectives.

# Roles and Responsibilities Policy

The purpose of the company’s policy on roles and responsibilities is to identify, define and clarify roles and responsibilities at the company with respect to the security and protection of the company’s Information Assets (e.g. the company’s data, cloud infrastructure, etc.). The company is too small to have full segregation of duties, but the policy is developed in order to outline areas of responsibility and to reduce opportunities for unauthorised or unintentional modification or misuse of the organisation’s assets.

# Anti Money Laundering Policy

Traceability of financial information has an important deterrent effect, thus the legislation obliges gatekeepers (banks and other entities) to apply measures to prevent money laundering and terrorist financing. In some jurisdictions account information service providers are seen as obliged entities, and companies like Enable Banking have to implement AML controls. The purpose of the company’s policy on anti money laundering is to establish the general framework for the fight against money laundering and to oversee compliance with the relevant legislation.

# AML Transaction Monitoring Procedure

The purpose of the company’s AML Transaction Monitoring Procedure is to establish a robust risk-based procedure for ongoing background AML monitoring of transactions being accessed or initiated using the company’s software (i.e. Enable Banking APIs, provided under the company’s AISP registration or PISP licence) in order to be able to detect suspicious activity and create alerts.

# Payment Fraud Prevention Policy

The company’s Payment Fraud Prevention Policy sets out practical steps to be taken in response to either reported or suspected payment fraud, as well as measures that will be taken to prevent or reduce the risk of payment fraud. On the one hand, it is hoped that this policy will help prevent its occurrence; however, where (and if) it does happen, it will help reduce the impact of payment fraud on all stakeholders across the board.

Consequently, the objective is that the company will continually try to ensure that all its activities and processes are carried out and reported honestly, accurately, transparently and accountably.

# Payment Transaction Monitoring Procedure

The purpose of the company’s Payment Transaction Monitoring Procedure is to provide guidance to the company’s employees implementing and operating the company’s automated transaction monitoring system used for prevention of money laundering and fraud through Enable Banking Payments API.

# KYC Procedure

The purpose of the company’s KYC Procedure is to establish KYC processes for identifying the company's customers as well as, when applicable, payment service users (PSUs), and verifying information provided by them in order to support customer due diligence, evaluate associated risks and be able to make AML regulatory reporting.

# Cryptography Policy

The company's Cryptography Policy aims to protect its information assets by establishing guidelines for implementing and managing cryptographic mechanisms. It mandates encryption for data in transit and at rest using industry-standard protocols, ensuring sensitive information remains secure. The policy outlines requirements for cryptographic key management, including generation, storage, distribution, rotation, backup, and revocation, following best practices and standards. Digital certificates must be obtained from trusted authorities, validated, renewed, and revoked as necessary.

# Enforcement

This Policy forms part of the company’s set of policies every employee needs to understand and follow. Failure to follow the policy may lead to disciplinary action, led by the employee's manager. This policy and the supporting policies, procedures and guidelines are enforceable from the effective date stated at the beginning of each document. Transition periods, where applicable, are stated in each document or at each article to which the periods apply. This policy, including supporting policies, procedures and guidelines, does not apply retrospectively.

All contracts and agreements with the company's subcontractors and business partners must comply with this policy, explicitly state the obligation to follow it and define enforcement rules.

# Legislation

Enable Banking must comply with certain legislation and associated regulations in relation to the use, storage and handling of information, as well as in the provision of account information services. Key legislation concerning company operations, and particularly information security aspects, is listed in Annex 1.

As the company acts as an Account Information Service Provider also in countries other than where its offices are located, relevant legislation of the countries where the AISP registration is being passported shall be taken into account. Once the company starts operating as a Payment Initiation Service Provider, relevant legislation of the countries where the PISP licence is being passported shall be reviewed and the corresponding documents updated. The following list contains references to the documents naming the relevant legislation by country:

  • Relevant legislation in Austria
  • Relevant legislation in Belgium
  • Relevant legislation in Bulgaria
  • Relevant legislation in Croatia
  • Relevant legislation in Cyprus
  • Relevant legislation in Czech Republic
  • Relevant legislation in Denmark
  • Relevant legislation in Estonia
  • Relevant legislation in France
  • Relevant legislation in Germany
  • Relevant legislation in Greece
  • Relevant legislation in Hungary
  • Relevant legislation in Iceland
  • Relevant legislation in Ireland
  • Relevant legislation in Italy
  • Relevant legislation in Latvia
  • Relevant legislation in Liechtenstein
  • Relevant legislation in Lithuania
  • Relevant legislation in Luxembourg
  • Relevant legislation in Malta
  • Relevant legislation in the Netherlands
  • Relevant legislation in Norway
  • Relevant legislation in Poland
  • Relevant legislation in Portugal
  • Relevant legislation in Romania
  • Relevant legislation in Slovakia
  • Relevant legislation in Slovenia
  • Relevant legislation in Spain
  • Relevant legislation in Sweden

# Monitoring and Review

This information security policy and relevant legislation shall be continually monitored and shall be subject to a regular review which shall take place annually, or when a significant change is made. The same monitoring and review practice shall be used for supporting policies, procedures and guidelines unless otherwise stated in the document itself.

Reviews, as well as internal audits, training sessions and other regular and ad hoc activities related to the company’s information security, are planned in the ISMS calendar organised in the company's Google Calendar (part of Google Workspace). All interested parties shall be invited to the review sessions at least one week before the session. Participation can be on-site or via the company communication tools (Slack or Google Meet).

# Annex 1. Relevant Legislation

# Criminal Code (39/1889)

The Criminal Code acts as a basis for other legislation by describing the criminal offences and their punishments; chapter 38 describes crimes related to information and communication.

# Limited Liability Companies Act (624/2006)

This Act applies to all limited liability companies registered in accordance with Finnish law, unless otherwise provided in this Act or some other Act.

# Personal Data Act (523/1999)

The Personal Data Act covers gathering, processing, and storing of personal data. Due to the nature of its operations, the university has to process a great deal of personal data, which is why the Personal Data Act is used as a guideline in several operations. The obligations of the Personal Data Act are the reason why user accounts cannot be granted and forgotten passwords cannot be changed without confirming the ID of the account holder.

# Information Society Code (917/2014)

The objective of the Act is to foster the supply and use of electronic communications services and to ensure that everyone across Finland has access to communications networks and services at reasonable conditions.

# Act on the Protection of Privacy in Working Life (759/2004)

The Act on the Protection of Privacy in Working Life covers the privacy of individuals in relation to their employer. The issues covered by the act also apply to students to some degree due to their close connection to the university.

# Data Protection Act (1050/2018)

This Act specifies and supplements Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereafter the Data Protection Regulation, and its national application.

# Act on the Protection of Privacy in Electronic Communications (516/2004)

The objective of the Act is to ensure confidentiality and protection of privacy in electronic communications and to promote information security in electronic communications and the balanced development of a wide range of electronic communications services.

# Decree of the Ministry of Finance on the Information to be Appended to the Authorisation Application of a Payment Institution (1040/2017)

This Decree lays down provisions on the information to be appended to the application when applying for authorisation of a payment institution referred to in section 11, subsection 1 of the Act on Payment Institutions (297/2010) or for authorisation to establish a branch in a State outside the European Economic Area referred to in section 44, subsection 1 of the Act.

# Act on Payment Institutions (297/2010)

Including amending act 890/2017 (PSD2) and Decree of the Ministry of Finance on the Information to be Appended to the Authorisation Application of a Payment Institution (1040/2017).

# Act on Payment Services (290/2010)

Including amending act 898/2017 (PSD2).

# FIN-FSA Regulations and Guidelines

# Directive on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (EU 2015/2366)

This Directive establishes the rules in accordance with which Member States shall distinguish between the following categories of payment service provider:

  1. credit institutions as defined in point (1) of Article 4(1) of Regulation (EU) No 575/2013 of the European Parliament and of the Council (28), including branches thereof within the meaning of point (17) Article 4(1) of that Regulation where such branches are located in the Union, whether the head offices of those branches are located within the Union or, in accordance with Article 47 of Directive 2013/36/EU and with national law, outside the Union;

  2. electronic money institutions within the meaning of point (1) of Article 2 of Directive 2009/110/EC, including, in accordance with Article 8 of that Directive and with national law, branches thereof, where such branches are located within the Union and their head offices are located outside the Union, in as far as the payment services provided by those branches are linked to the issuance of electronic money;

  3. post office giro institutions which are entitled under national law to provide payment services;

  4. payment institutions;

  5. the ECB and national central banks when not acting in their capacity as monetary authority or other public authorities;

  6. Member States or their regional or local authorities when not acting in their capacity as public authorities.

This Directive also establishes rules concerning:

  1. the transparency of conditions and information requirements for payment services; and

  2. the respective rights and obligations of payment service users and payment service providers in relation to the provision of payment services as a regular occupation or business activity.

# Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC

Regulation (EU) No 1093/2010 is a European Union (EU) regulation that establishes the European Supervisory Authorities (ESAs), namely the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), three permanent EU bodies responsible for the supervision of the financial services sector in the EU. The regulation aims to enhance the stability and integrity of the financial system by improving the supervision of financial institutions and financial markets within the EU. It also aims to ensure the consistent application of supervisory rules and standards across the EU, and to promote cooperation and coordination among national supervisory authorities. The ESAs have the power to adopt binding technical standards and guidelines, and to conduct investigations and enforcement proceedings in relation to alleged breaches of EU law.

# Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (DORA)

DORA aims at strengthening the IT security of financial entities such as banks, insurance companies and investment firms and making sure that the financial sector in Europe is able to stay resilient in the event of a severe operational disruption.

DORA brings harmonisation of the rules relating to operational resilience for the financial sector applying to 20 different types of financial entities and ICT third-party service providers.

The company needs to comply with the regulation both because it provides services to obliged (regulated) entities and because it is an obliged entity itself.

The applicability of DORA requirements, with references to relevant policies and procedures as well as a mapping to the ISO/IEC 27001 standard, is provided in the DORA requirements document.

# Commission Delegated Regulations

# ECB Regulations

# EBA's Regulatory Technical Standards

# EBA's Guidelines

# EBA's opinions