The ENPAY platform has been built using a modern Software-as-a-Service (SaaS) setup hosted on EBRC’s virtualisation environment located in redundant Tier IV-certified Luxembourg data centres. It encompasses segregated environments for the platform’s front-end and back-end and the SWIFT connectivity stack.
This setup provides inherent scalability and best-in-class security guarantees. The hardware, the virtualisation environment management and the network layers are operated by Luxembourg’s prime hosting provider EBRC. Finologee provides the software product operations and service framework with its DevSecOps team, which also runs the other business-critical platforms that Finologee manages: the Payconiq/Digicash issuing platform (mobile payments), Mpulse (high-performance SMS routing/clearing), as well as the regulatory compliance platforms PSD2 for Banks, CEDRS and KYCManager.
As one of the critical financial industry platforms that Finologee is operating, the ENPAY system has been designed to meet both Finologee’s own security standards and the requirements of its (mostly financial industry-regulated) clients. Therefore, state-of-the-art intrusion prevention and detection mechanisms have been implemented at multiple levels and in all layers of the operational framework on which ENPAY is built.
Both platform components and client environments are adequately segregated, substantially lowering the level of risk-spreading and avoiding the risk of compromising multiple layers/environments or whole systems in case of access to a single context.
The platform’s access, authentication and e-signature management component relies on selected third-party providers. Depending on the ENPAY customer’s choice, user authentication can be performed using a) Luxtrust certificates, b) Finologee’s own Authenticator mobile app relying on INCERT-issued certificates or c) the client’s own authentication framework (via OAuth2 or SAMLv2 link). In addition to using third-party certificates for user authentication, all ENPAY transactions are also signed using Luxtrust or INCERT certificates with FinologeeAuthenticator. The validity of the certificate is checked again before the actual transmission of the transaction to the SWIFT network, meeting the requirements of an end-to-end security model in this regard.
As a Luxembourg-regulated ‘Support PFS’ holding article 29-1 (‘Client communications agent’) and 29-3 (‘IT systems and communication networks operators of the financial sector’) licences from the Ministry of Finance, Finologee is subject to the full set of financial industry requirements and regulation, such as CSSF Circulars 2017/656, 20/750 and others, and facilitates the implementation of CSSF Circular 12/552 as amended and the EBA Guidelines on Outsourcing Arrangements applicable to many of Finologee’s clients by complying with all their requirements.
As a regulated financial industry professional, Finologee is also subject to internal and external audit obligations supervised by the financial industry regulator. Besides, the company is ISO/IEC 27001-certified by Bureau VERITAS for its Information Security Management System (ISMS) and is thus subject to regular audit requirements. SWIFT Customer Security Programme (CSP) requirements are also met. In addition to this, Finologee’s IT operations infrastructure is subject to penetration testing by an external provider at regular intervals.
Users: web browser connection
HTTPS connection using standard web browsers (Chrome, Firefox, Edge)
with 2-factor authentication – FinologeeAuthenticator, Luxtrust or client’s own OAuth2 / SAMLv2 compatible system
User authentication & signature: FinologeeAuthenticator
To be installed on an iOS or Android smartphone
alternatively: Luxtrust certificate-compatible token/App, or clients’ own OAuth2 / SAMLv2 compatible system (for authentication only)
Systems interconnection: API access
Finologee API portal
As part of Finologee’s API environment – hosted and operated by Finologee
Specifications available on request
Banks: SWIFT Connection
Over Finologee’s BIC Code: FNLGLU22
SWIFT RMA/POA to be established/signed
The FinologeeENPAY platform is hosted with Luxembourg’s leading data centre and hosting operator EBRC, a subsidiary of POST Luxembourg, the incumbent postal operator. EBRC also holds a ‘Support PFS’ licence from the Ministry of Finance and is subject to financial industry-specific operations, security, risk management, AML/CFT and professional secrecy requirements. The company is furthermore certified for ISO 27001, ISO 20000, ISO 22301, ISO 27017 and ISO 9001 compliance.
EBRC operates several Tier IV-certified data centres on Luxembourg soil that fully comply with the requirements applying to critical financial industry platform hosting. The company has outstanding expertise in managing virtualisation environments, which Finologee relies on for the infrastructure operations of its platform, with state-of-the-art service levels and operational guarantees.
The ENPAY platform is hosted in a redundant environment spread across different physical locations and connected via multiple Internet backbone links, maximising uptime and accessibility levels.
Note: Public cloud outsourcing requirements do not apply to the operational setup that the ENPAY platform is running on.
The core components of Finologee’s technical infrastructure and environment:
A selection of ingredients that contribute to Finologee’s operational excellence commitments:
Multiple levels available, with strong availability commitments
Financial industry outsourcing arrangements compliance, including audit rights
Experienced in-house team
24/7 service operations and critical incident management
Advanced monitoring & analytics setup and tools
ZenDesk-based customer care portal
Ticket opening, management & follow-up and SLA compliance monitoring
Dedicated in-house customer care/operations team (through portal & phone support)
Availability and other key metrics reports (intervals & content depending on the selected SLA Level)
Account manager at Finologee supervising the relation and in charge of organising account & reporting meetings
Proven customer requirements and existing processes/setup/environment analysis process
Comprehensive deployment process for ENPAY platform implementation and adoption, detailing steps, acceptance in UAT environment, tests on live accounts, reports/sign-off and go live process
The EBA Guidelines on Outsourcing Arrangements and EIOPA’s Solvency II regulation require a thorough setup for the sub-contracting and operation of financial industry infrastructures and services, as do the Luxembourg-specific rules and requirements published by the regulators CSSF and CAA in their circulars and regulations.
As a licensed financial industry IT provider focused on serving Luxembourg’s financial industry players, Finologee has created a framework consisting of technical and operational components, processes and policies with the aim of enabling its clients to fully comply with the IT Outsourcing requirements applicable to them. This framework also encompasses service level agreements with different options, commitments and targets, a comprehensive agreement framework including addenda such as an adequate DPA, cascading outsourcing details, a financial services compliance addendum, etc.
Custom reports are also available as an option to facilitate clients’ compliance with outsourcing regulation when monitoring their outsourcing providers.
‘Support PFS’ licence
Finologee has held a double ‘Support PFS’ licence from the Luxembourg Minister of Finance since January 2019, as a ‘Client communications agent’ and ‘IT systems and communication networks operators of the financial sector’. This substantially eases the IT outsourcing process by Luxembourg-regulated financial industry players to Finologee.
Finologee has appointed Deloitte for its internal auditor function and EY as its statutory external auditor.
ISO/IEC 27001:2013 certification
Finologee also chose to undergo ISO/IEC 27001:2013 certification for its information security management framework (ISMS), which was carried out and delivered by Bureau VERITAS in 2020 and renewed in 2021.
SWIFT CSP Compliance
With its own connector to the SWIFT network, SWIFT CSP compliance is part of the mandatory security and certification framework that Finologee has put in place.
ICT Outsourcing Provider of the Year award
In December 2021, Finologee was awarded the ICT Outsourcing Services Provider of the Year prize by a jury of representatives of the Luxembourg IT industry.