FinCERT

TIP

FinCERT description in the BrainySoft StopList service: "Developers" → "Integrations" → "FinCERT".

FinCERT (Center for Monitoring and Responding to Computer Attacks in the Credit and Financial Sector) is a division of the Bank of Russia that ensures information security of the country's financial sector.

From September 1, 2025, when deciding whether to provide a consumer loan, MFOs are required to check the recipient of funds named in the consumer loan application and/or in the borrower's order to transfer borrowed funds to a third party's account against the database of cases and attempts to transfer funds without the client's voluntary consent.

This obligation is fulfilled by connecting the MFO to the Bank of Russia's Automated Incident Processing System (ASOI FinCERT).


Methods of Information Exchange Between FinCERT and MFO

Information exchange between FinCERT and the Participant is carried out in two main ways:

First method - through messages in the personal account (PA): The Participant can send a message to FinCERT about an incident, threat, vulnerability, publication, a message in summary form, or changes to data in the participant's card, attaching the corresponding electronic form and/or file to the message.

Second method - through the application programming interface (API) in JSON format: For automated interaction, the Participant can use the REST API.


Access to the MFO Personal Account in ASOI FinCERT

The MFO needs to obtain access to the FinCERT Automated Incident Processing System, which ensures interaction with the Bank of Russia's information security system. Information on organizing the connection to ASOI FinCERT is posted on the official website of the Central Bank of the Russian Federation and on the information portal.


Access to the FinCERT API

Obtaining access for interaction with ASOI FinCERT through the API is only possible for participants who already have personal accounts in ASOI FinCERT and interact with the system in "manual mode". To organize interaction with ASOI FinCERT using the API, you need to review the official instructions: Instructions for organizing interaction with ASOI FinCERT using the API

For conducting test interaction with the system and debugging software, ASOI FinCERT provides two working zones:

TEZ (Test Exploitation Zone)

A test environment for software development and debugging, where MFOs can safely test all API functions without the risk of sending incorrect data to the production system. Contains resources:

PEZ (Permanent Exploitation Zone)

The main working environment where MFOs carry out real interaction with the FinCERT system for processing information security incidents and obtaining up-to-date data. Contains resources:


Organizing API Interaction Between MFO and FinCERT

Step 1: Appointing a Responsible Employee

  • Identify an employee of the organization who will be responsible for API interaction with FinCERT.
  • Specify their full name, position, department, and phone number.

Step 2: Creating Two User Accounts

  • First account: a regular user with a work email (for example: manager@mfo.ru) for access to the ASOI FinCERT personal account and the test exploitation zone (TEZ).
  • Second account: a special account for API interaction with an email like api_fincert@organizationdomain.ru for working in the permanent exploitation zone (PEZ).

Step 3: Obtaining a TLS Certificate

  • Contact the territorial institution of the Bank of Russia.
  • Obtain a user TLS certificate for the responsible employee.
  • The certificate will be used for both user accounts.

TLS certificates are issued at the Bank of Russia territorial institution (BR TI) in accordance with the document "Key Information Obtaining Regulations".

Step 4: Obtaining Authentication Data

  • Obtain login and password for the first entry through the person responsible for information exchange in the organization.
  • Install the TLS certificate in the cryptographic protection tool.

Step 5: Connection Setup

  • Set up an encrypted connection channel to ASOI FinCERT.
  • Use the TLS certificate for authentication during API interaction.

Integration of BrainySoft StopList Service with ASOI FinCERT

In BrainySoft, integration with FinCERT is implemented in the StopList service through API interaction. This allows data about fraudulent transfers to be received and processed automatically in real time.

Main Checks (Feeds)

• Passport data - hash sums of passport numbers and series.

• SNILS - hash sums of SNILS of individuals.

• INN - taxpayer identification numbers.

• Phone numbers - contact details of suspicious persons.

• Payment cards - card numbers associated with suspicious operations.

• Bank accounts - account numbers involved in suspicious operations.

• Electronic wallets - wallets used for suspicious operations.

• SWIFT accounts - international bank accounts.

• Fast Payment System - FPS numbers associated with suspicious operations.

Automatic Data Loading

4 times a day (08:00, 12:00, 16:00, 22:00) the service automatically downloads updated FinCERT lists.

• All types of data are checked: passport data, INN, SNILS, phone numbers, bank cards.

• Data is loaded into a secure database for quick access.

Integration into the Credit Pipeline

• A special step has been created in the Decision Making System (DMS) for automatic client verification.

• When an application is created, the system automatically runs a check against the FinCERT database.

• The verification result can affect the final decision on loan approval.

Example: Match Found in FinCERT

After creating a new application and passing the FinCERT data verification step in the decision making system, if the specified parameter (for example, mobile phone) is found in the FinCERT stop lists, a corresponding notification about the verification result appears in the application information window with a note on which feed the match was found in the database.

If a blocking function was selected for this step in the settings, the system will automatically block the application and assign it the status "Rejected".

If you go to the lead card, information about the FinCERT data verification result will also be displayed. If a match is found and the verification step was blocking, the lead status will be marked as "Denied".

Example: No Match Found in FinCERT

If no match is found in the FinCERT data, a positive verification result is displayed in the application — a green checkmark appears next to the verification step and a message that the FinCERT data verification was successful.

The system user sets the application status to "Ready for Disbursement", and the "Create Contract" button becomes available. This means that the application has passed all checks and can be approved for further processing.

When navigating to the lead card where no match was found in the FinCERT data, a positive verification result is also displayed. The lead status changes to "Approved".
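The verification step from the two examples above, as an added sketch that is not BrainySoft's code. The names `fincert_step`, `feed_key` and `STOPLIST`, the digits-only normalization, the phone prefix rule and the use of SHA-256 for the hashed feeds are all assumptions; the page does not state the hash algorithm or the data format.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: passport and SNILS feeds hold SHA-256 hex digests of the
# normalized value; the page only says these feeds are "hash sums".
HASHED_FEEDS = {"passport", "snils"}

def normalize(feed: str, value: str) -> str:
    """Keep digits only so differently formatted inputs compare equal."""
    digits = re.sub(r"\D", "", value)
    # Assumption: 11-digit phone numbers with a leading 8 are stored with 7.
    if feed == "phone" and len(digits) == 11 and digits[0] == "8":
        digits = "7" + digits[1:]
    return digits

def feed_key(feed: str, value: str) -> str:
    """Return the form in which a value would appear in the given feed."""
    norm = normalize(feed, value)
    if feed in HASHED_FEEDS:
        return hashlib.sha256(norm.encode()).hexdigest()
    return norm

@dataclass
class StepResult:
    matched_feeds: list                 # feeds in which a match was found
    passed: bool                        # True when no feed matched
    application_status: Optional[str]   # "Rejected" only for a blocking match

def fincert_step(application: dict, stoplist: dict, blocking: bool) -> StepResult:
    """Check each application field against its feed and apply the blocking rule."""
    matched = sorted(
        feed for feed, value in application.items()
        if value and feed_key(feed, value) in stoplist.get(feed, set())
    )
    # A non-blocking match is reported but leaves the status for later steps.
    status = "Rejected" if matched and blocking else None
    return StepResult(matched, not matched, status)

# Constructed sample stop list (not real FinCERT data).
STOPLIST = {
    "phone": {"79000000001"},
    "passport": {feed_key("passport", "0000 000001")},
}
```

Without the normalization step, a listed phone number entered as `8 (900) 000-00-01` would not match the stored `79000000001` and the step would pass.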


Advantages of Integration for MFOs

Automation: Checks are performed without operator involvement.

Speed: Fast processing of verification in automatic mode.

Reliability: Automatic data loading 4 times a day ensures that information from the FinCERT database is always up to date.

Compliance: Full compliance with Bank of Russia legislation.