Customer Data Privacy and Security Protection

2020 Sustainability Report | PT Bank Central Asia Tbk

Customer Data Privacy and Security Protection

Data, Transaction Security, and Customer Data Confidentiality

[418-1] [FN-CB-230a.2]

BCA has ISO 27001 certification covering the information security management system standards for its network and data center systems. In addition, BCA was one of the first private banks to receive the prestigious certification, PCI DSS 3.2.1, for all entities managing cardholder transactions and data, including the data centers.

With the rapid development of information technology, customers' digital interactions with BCA have also increased. However, this can also lead to a risk of technology crime, so BCA continues to improve its IT security system. BCA’s IT security system has been developed to protect data security and ensure the IT system’s availability to serve customer transactions, including preventing and anticipating cyber-crime and potential fraud.

For Data Loss Prevention (DLP), BCA’s ongoing data security strategy is to increase the security of important electronic information, and to prevent information theft and access by unauthorized parties. To ensure security in BCA’s internet-based internal applications, BCA has implemented Two Factor Authentication to ensure access to the database is carried out only by authorized personnel.

BCA ensures that all company data is classified according to the level of data confidentiality. BCA uses a Database Activity Monitoring solution to ensure that the database is accessed only by authorized people and applications.

This solution is equipped with machine learning and artificial intelligence features to ensure no anomalies occur. To further protect the security of confidential data in the database, BCA has implemented Database Masking technology to protect confidential data from being exposed to unauthorized parties.

BCA is one of the first private banks to receive certification under the Payment Card Industry Data Security Standard (PCI DSS) 3.2.1, which is intended for all entities that manage transactions and cardholder data, including data centers. In addition, BCA also obtained ISO 20000-1:2018 certification in order to improve the service management system (SMS).

To ensure service security for all customers, the Director of Information Technology also provides oversight through regular reports submitted by the Strategic IT Group Division. During 2020, BCA held e-learning training on social engineering awareness for all BCA employees. BCA did not encounter any significant cases related to violations or misuse of customer data and privacy. In 2020, no customer data was lost. Therefore, there were no sanctions/fines imposed on BCA or its employees. [418-1][FN-CB-230a.1]

BCA provides banking solutions supported by a reliable data security system.


Fraud and Financial Crime Prevention

We have implemented an anti-corruption management system based on ISO 37001:2016 that applies to all BCA employees and management, as well as our partners and vendors.

Our commitment to enforcing anti fraud refers to the four Anti Fraud Strategy Pillars. Fraud prevention efforts are carried out on an ongoing basis through an effective control system, and include prevention, detection, investigation and monitoring.

4 Pillars of Anti Fraud Strategy

Guidance of Anti Fraud Implementation, published April 7, 2015, No. 064/SE/POL/2015

1. Prevention: reduce the potential for fraud (Anti Fraud Awareness; Identification of Vulnerability; Know Your Employee)

2. Detection: identify and uncover fraud incidents (Whistleblowing System; Surprise Audit; Surveillance System)

3. Investigation, Reporting, and Sanctions: extracting information, reporting system and imposing sanctions on fraud (Investigation; Reporting; Sanctions)

4. Monitoring, Evaluation & Follow-up: monitor and evaluate fraud incidents as well as their necessary follow-up (Monitoring; Evaluation; Follow-Up)

Anti Fraud and Anti Corruption

[205-1, 205-2, 205-3]

BCA has an Anti Fraud Bureau that oversees the anti fraud strategies and evaluates their implementation. The Anti Fraud Bureau is also tasked with increasing the effectiveness of the anti fraud strategies, in accordance with OJK regulation No. 39/POJK.03/2019.

Anti Fraud enforcement efforts include optimizing the application of anti-gratification, disseminating anti fraud information, conducting internal audits, improving data security systems, and raising awareness of the whistleblowing system. BCA audits all branch offices on a three-year basis, with a priority scheme based on the audit results. If there is an indication of fraud, the BCA Internal Audit can immediately conduct an investigation at the Branch Office or related work unit. All regional offices, branch offices, and head office operational units have an internal control unit.

In 2020, BCA also updated its Anti Fraud Declaration, which was signed by the President Director, to commit to:

1. Conducting business fairly, honestly, and transparently;

2. Avoiding doing business with third parties who are not committed to the Company policies; and/or

3. Sanctioning any violations of policies and commitments.
