Indonesian Customs began working on the electronic exchange of passenger data between airlines and Customs in early 2008, as part of their implementation of an Advance Passenger Information (API) transmission system. At that time, passenger processing techniques consisted of screening API data transmitted from airlines’ departure control systems via the existing Société Internationale de Télécommunication Aéronautiques (SITA) communication network, and requesting Passenger Name Record (PNR) data for specific flights to be provided by email or on paper.

The new API system, which took almost two years to complete, was formally launched in December 2009. It was a non-interactive batch-style system built according to the API guidelines developed by the WCO, the International Air Transport Association (IATA) and the International Civil Aviation Organization (ICAO). As most airlines were not ready to transmit data on baggage and seat numbers, only 12 of the 14 data elements were requested at the beginning to give them time to comply.

The new passenger screening system allowed for more efficient checks of all inbound and outbound passengers and crew. However, the rapid growth in the number of air passengers entering or leaving Indonesian territory, and the need to facilitate travel and protect the border from emerging risks, led to the Customs authority’s decision to begin considering a more systematic use of PNR data stored within airlines’ Computer Reservation Systems (CRS) in order to enhance Customs’ capacity to deliver on its security mandate.

Implementing API and PNR transmission and processing systems will prove to be very different:

• First, in terms of the volume of data to be processed – up to 76 data elements for PNR compared to only 14 basic data elements for API;
• Second, as regards the degree of data standardization – the API data standard is almost the same across airlines whereas PNR data differs widely;
• Third, vis-à-vis the frequency and timing of data transfer – data is provided only once for API, but five times for PNR;
• Last but not least, in terms of the communication solutions used to exchange data – most airlines in Indonesia use the SITA Network for API while different global distribution services (GDS) are used for PNR.

At a series of meetings of the Asia-Pacific Economic Cooperation (APEC) forum held in Indonesia in 2013, Indonesian Customs took the opportunity to raise the PNR issue at a higher level and in the context of encouraging international collaboration. Indonesia had already begun looking into ways in which to introduce the PNR issue in APEC in June 2012. After long discussions with the APEC Secretariat and within meetings of the APEC Sub-Committee on Customs Procedures, an initiative called “Support for Standardization of PNR Data among Airlines in the Asia-Pacific Region” was approved and fully supported by APEC member economies.

To maintain the momentum, Indonesia held an APEC workshop on Passenger and Airline Data Interchange Standards and PNRGOV Message Standards under the theme: “Securing Travel Facilitation through PNRGOV” in Bali, in October 2013. Through this workshop, Indonesian Customs obtained the support of airlines, information technology (IT) providers, GDS providers which host travel records, and are also known as CRS companies, national transportation, immigration and law enforcement agencies, as well as international organizations such as the WCO, IATA and ICAO.

Indonesia then moved into a preparation phase – establishing the legal provision governing its PNR transfer and processing system, as recommended in ICAO Guidelines on Passenger Name Records Data [Doc. 9944] – which it completed in September 2014. In parallel, Indonesia developed PNRGOV data requirements for airlines, and started working on the business process, the analytical application, and network connectivity between airlines’ GDS and the Customs Data Centre, the most crucial issues identified.

Creating an analysis system based on PNR data is complicated. Faced with this task, and realizing that it lacked sufficient knowledge in this area, Indonesian Customs turned to the Australian Customs and Border Protection Service (ACBPS) for assistance and support in the early stage of the project.

The next challenge came from the fact that each airline uses different data standards in their systems. Indonesian Customs tackled this challenge by introducing the standard PNR message recommended by the WCO, IATA and ICAO – called PNRGOV – at the above APEC PNRGOV workshop, in order to make the airlines and relevant stakeholders aware of the message standard, thereby gaining their support for the use of a uniform, internationally recognized standard for PNR data transmission to the government.

Another issue which came to light in implementing a PNR system in Indonesia was the lack of financial resources. IT was at the heart of the system, and acquiring the necessary tools was extremely costly – in fact, so costly that funds allocated to the project were insufficient to meet the technology requirements. Establishing network connectivity and a communication protocol – i.e. a defined set of rules and regulations that determine how data is transmitted – was another key phase in the project.

The project team did not allow itself to be beaten. Instead, it sought assistance from the ACBPS. In April 2013, members of the team travelled to Australia to meet the ACBPS expert team which was organized by Michael Odgers, Director of Passenger and Industry Engagement at the time, and Nathan Chamberlain, Manager of Passenger Information. Empowered by the knowledge gained during the visit, the PNR development team decided to create the system in-house, without hiring an external provider.

Two methods of PNR data transfer are currently available: the “pull” method, whereby authorities access the aircraft operator’s system and extract, or “pull”, the required data from its database; and the “push” method, whereby aircraft operators transmit, or “push”, the required PNR data elements to the database of the requesting authority.

Bearing in mind the lessons learnt by ACBPS in this domain, the team decided that the best way of developing a PNR transmission system which would best respond to Indonesian conditions was by using the “push” rather than the “pull” method, requiring the use of a single PNRGOV standard message rather than accepting different standards, thereby optimizing development, maintenance and troubleshooting.

ICAO Doc. 9944 states that “States, when requiring PNR data transfer, should take into account the issues affecting other States and aircraft operators in their territories, especially with respect to the cost and the potential impact on existing infrastructure.” States that require passenger data from an airline should therefore ensure connectivity with the systems which airlines are using to store PNR data.

The system’s IT setup requirements are described in the PNRGOV Data Requirement Document. These include the types of computer networking protocols that manage the security of message transmission via the Internet. The system allows for three different protocols: Internet Protocol Virtual Private Networks (IP VPN); Internet Protocol Security (IP Sec); and Secure Sockets Layer (SSL).

During a communication session, both the source and destination devices use what are called “Application Layer Protocols”. For the communications to be successful, the Application Layer Protocols used by the source and destination hosts must match. Applications provide people with a way of creating messages, application layer services establish an interface to a network, and protocols lay down the rules and formats that govern how data is handled.

When it comes to Application Layer Protocols, the PNR system allows the use of many types of protocols, including IBM WebSphere MQ, Hypertext Transport Protocol Secure (HTTPS), and the Simple Mail Transfer Protocol (SMPT).

Another step was finalizing the regulation to cover aspects including:

• the meaning of API and PNR;
• the data elements required for API, PNR, and data processing;
• the filtering and storage of PNR data;
• the methods for API/PNR data transfer;
• the frequency and timing of data transfer;
• transparency and passenger redress;
• conflicts between national legislation;
• the obligation of airlines to provide data;
• the protection, security and integrity of data;
• privacy protection;
• compliance and penalties;
• force majeure;

The regulation governing these different aspects follows ICAO guidelines and is attached to the PNRGOV Data Requirement Document. It also addresses some sensitive issues such as privacy protection, data protection, security, and integrity of data.

In this regard, Indonesian Customs has to comply with the Indonesian Law on Information and Electronic Transactions, which protects against unlawful use of private data. PNR data will be stored within the Customs Data Centre, part of the Ministry of Finance’s Data Centre which complies with the ISO 27001-Information Security Management Standard.

Data transfer will be required 48 hours, 24 hours, 2 hours and 1 hour in advance, and at time of departure. Airline operators that do not comply with the mandatory timeframes will be notified by Indonesian Customs in the 48 hours that follow the last data submission. Upon receiving such notification, airline operators will have to respond and submit the data within 48 hours.

Penalties will be imposed by Indonesian Customs if the airline fails to respond to the notification, following a step-by step approach:

(1)     The Director General of Customs and Excise or an official will issue a sanction in the form of a written warning to the operator with a copy to the Director General of Air Transportation. This will affect the airline’s reputation and credibility with the government.

(2)     If, after receiving the written warning, the operator continues to be non-compliant, an examination will be conducted and, based on the results thereof, the operator may receive a sanction in the form of:

• a deferment of unloading operations for 30 minutes beginning from the time the aircraft is ready for unloading;
• a deferment of unloading operations for an additional 30 minutes if the operator has a history of non-compliance;
• a deferment of loading operations for 30 minutes beginning from the time the aircraft is ready for loading;
• a deferment of loading operations for an additional 30 minutes if the operator has a history of non-compliance.

(3)     In the event that the operator still does not comply with its data submission obligations upon receiving a sanction in the form of a deferment of unloading and loading operations as regulated in point (2), Customs shall undertake a further examination. If it is found that the violation is deliberate, the operator will receive a sanction in the form of a suspension of import or export clearance services by Customs;

(4)     In addition, a fine of five million Indonesian rupiah (around 500 US dollars) may be imposed for each case of non-compliance.

However, the penalties and/or sanctions will be withdrawn if the airline operator is able to put forward reasonable arguments. Customs will review the airline’s arguments taking into account any relevant considerations, such as the significance of the case, the airline’s effort/attempt to comply, the compliance history of the airline, a reliance of the airline on Customs’ recommendation or advice, and reasons beyond the airline’s control.

Conclusion

The PNR project is scheduled to become operational at the end of September 2015. So far, network connectivity has been set up with two major GDS providers, and a pilot project involving two airlines is currently underway. The PNR system has also been connected to the Indonesian Immigration Authority’s Border Management Control System.

Indonesian Customs believes that easier access to, and processing of, PNR data is indispensable to efficient passenger risk assessment, and will allow better targeting of high-risk passengers while facilitating travel. Indeed, the analysis of API and of PNR data has already been instrumental in unveiling some criminal and fraud cases. The implementation of the PNR data electronic transmission system will make Indonesia’s border protection system stronger and travel facilitation smoother.

More information
pnrgov@customs.go.id