The Financial Technology Law Review: Indonesia
Fintech activities in Indonesia are mainly regulated by the two most prominent financial regulatory bodies in Indonesia, namely the Indonesian central bank, or Bank Indonesia, and the Indonesian Financial Services Authority (OJK). If a fintech activity is specifically regulated, companies engaging in that activity must abide by that regulation. Noting the exponential progression of the fintech sector in Indonesia, the Indonesian government tries to monitor and simultaneously facilitate the development of fintech activities that have yet to be specifically regulated. This is done by way of sandbox mechanisms provided by Bank Indonesia and the OJK. The coverage of each authority's sandbox differs, with Bank Indonesia focusing on payment systems related to fintech and the OJK focusing on financial services related to fintech. The latter includes innovations in the fields of banking, capital markets, insurance, pension funds and financing institutions. By requiring unclassified industry players to abide by the sandbox mechanism, the government of Indonesia seeks to ensure that Indonesian consumers are protected while simultaneously supporting innovation in the fintech sector. Both Bank Indonesia and the OJK have issued regulations on this sandbox mechanism, as well as other regulations pertaining to fintech. These regulations can be accessed on the websites of each institution.
Generally, there are no special tax incentives for fintech companies. However, companies conducting business in a pioneer industry may receive certain tax facilities in the form of reduction in corporate income tax. Capital Investment Coordinating Board Regulation No. 7 of 2020 regarding description of business activities and pioneer industry production and procedures for granting corporate income tax deduction facilities defines a pioneer industry as being highly relevant, providing added value and high externalities, introducing new technologies and having strategic value for the national economy. This includes, among other things, data processing activities, hosting activities and related activities.
i Licensing and marketing
Fintech companies are generally regulated by Bank Indonesia and the OJK. The scope of the fintech licence provided by each authority is different. Bank Indonesia, through Bank Indonesia Regulation No. 22/23/PBI/2020 regarding payment systems, dated 30 December 2020 (BI Reg 22), Bank Indonesia Regulation No. 23/6/PBI/2021 regarding payment service providers, dated 1 July 2021 (BI Reg 23/6), and Bank Indonesia Regulation No. 23/7/PBI/2021 regarding payment system infrastructure providers, dated 1 July 2021 (BI Reg 23/7), regulates that fintech activities related to payment systems may undergo a development trial under Bank Indonesia supervision. Payment systems that utilise innovative technology, which covers products, activities, services and business models using innovative technology in their economic ecosystem and digital finances that can support the provision of payment systems, but are not yet regulated by the current regulations, may opt to undergo this development trial. Fintech activities regulated by Bank Indonesia are limited to the provision of source of fund information, payment initiation, acquiring services, source of fund administration, remittance services, clearing and final settlement.
Fintech activities related to financial services are regulated by the OJK. OJK Regulation No. 13/POJK.02/2018 regarding digital financial innovation in the financial services sector, dated 16 August 2018 (OJK Reg 13), requires companies carrying out the following digital financial innovation activities to register or obtain a licence (unless otherwise exempted):
- transaction settlement: focuses on, among other things, investment settlement;
- capital raising: includes equity crowdfunding, virtual exchange, smart contracts and alternative due diligence;
- investment management: includes advanced algorithms, cloud computing, capability sharing, open-source information technology, automated advice and management, social trading and retail algorithmic trading;
- fundraising and fund disbursement: includes P2P lending, alternative adjudication and third-party application programming interface;
- insurance: includes sharing economy, autonomous vehicles, digital distribution, securitisation and hedge funds;
- market support: includes artificial intelligence or machine learning, machine readable news, big data, social sentiment, market information platforms, automated data collection and analysis;
- other digital finance supporting activities: includes social and eco-crowdfunding, sharia digital financing, e-waqf, e-zakat, automated digital advisory and credit scoring; and
- other financial services activities: includes invoice trading, vouchers and products using blockchain-based applications.
Bank Indonesia and the OJK have the authority to regulate, register and issue licences for the above-listed fintech activities. These two authorities have set out their respective rules on conditions or requirements, which shall depend on the specific registration or licence to be held by the relevant company. As a matter of general principle, the OJK stipulates extensive criteria for regulated fintech activities (such as being innovative in nature and future-oriented, utilising information and communications technology as the main basis for providing financial services to consumers, supporting financial inclusion and literacy) and requires any provider whose services meet the criteria to register with the financial regulatory bodies.
Automated digital advisory
To date, there is no specific law or regulation that specifically addresses automated digital advisory in Indonesia. It is mentioned in OJK Reg 13 as an example of digital financial innovation in the investment management sector. Given that it falls under the purview of the OJK and is explicitly referred to in OJK Reg 13, companies providing automated digital advisory will need to comply with the provisions of OJK Reg 13, which include the obtaining of a registration or licence, as applicable.
Asset management company
Any party that wishes to establish an asset management company in Indonesia must refer to the activities of an investment manager (IM) company operating on the Indonesia Stock Exchange pursuant to Law No. 8 of 1995 regarding capital markets, dated 10 November 1995 (the Capital Market Law). Other than the requirement for the company to be established in the form of an Indonesian limited liability company (PT), as set out in Law No. 40 of 2007 regarding limited liability companies, dated 16 August 2007, as last amended by Law No. 11 of 2020 regarding job creation, dated 2 November 2020 (the Omnibus Law), the company must also be registered as a securities company, specifically as an IM company, for which a licence must be obtained from the OJK, pursuant to Article 30, Paragraph (1) of the Capital Market Law. Other technology-based asset management activities not specifically regulated by the OJK are subject to the regulatory sandboxing programme under OJK Reg 13.
Credit information services
Credit information services are regulated in OJK Regulation No. 42/POJK.03/2019 regarding credit information management agencies, dated 31 December 2019, and Bank Indonesia Circular Letter No. 15/49/DPKL regarding credit information management agencies, dated 5 December 2013. Under these Regulations, a credit bureau is permitted to collect and process credit data and other data to generate a credit report. A credit report is a product or service generated by a credit bureau in writing, verbally or by some other method, sourced from credit data and other data owned by the credit bureau. As is the case with other fintech companies under the OJK's supervision, a credit bureau is required to obtain a business licence from the OJK to carry out its business activities in Indonesia.
Sales and marketing of financial products and services
Traditional sales and marketing of financial services, such as conventional banking, investment and insurance, are regulated by the OJK. There are no specific regulations for the sale and marketing of unconventional financial services, such as initial coin offerings. Principally, fintech companies must ensure that when selling and marketing financial products, there is no misleading information that may cause losses for consumers.
ii Cross-border issues
Indonesia does not recognise the concept of passporting, and Indonesian law does not permit regulated activities to be provided from offshore. Furthermore, under Indonesian law, a party providing any fintech services or products in the jurisdiction must establish a local presence and obtain the requisite licence from the Indonesian regulatory bodies as stipulated by the prevailing laws and regulations.
Certain limitations or restrictions on foreign ownership of Indonesian companies may be applicable, depending on the company's business line and whether that business line is subject to foreign shareholding limitations pursuant to the 'Investment List', which is contained in Presidential Regulation No. 10 of 2021 regarding capital investment lines of business, dated 4 March 2021, as amended by Presidential Regulation No. 49 of 2021, dated 25 May 2021, or applicable sectoral regulations issued by the government. For example, a company engaging in the provision of peer-to-peer (P2P) lending activities can have a maximum foreign ownership of 85 per cent, which means that at least 15 per cent of the ownership must be held by Indonesian shareholders.
If offshore products or services are actively marketed in Indonesia, there is a risk that the relevant authority will require the provider of those products or services to establish a local presence, as the entity will be considered to be carrying out business in Indonesia. However, if the provision of the product or service is done on a reverse-enquiry basis, where the approach is made by potential clients on an unsolicited basis, it will not trigger a licensing requirement in relation to the fintech activities, provided that the company responds to the potential clients on a reach-in or fly-in basis.
With respect to currency controls in Indonesia, the Indonesian rupiah cannot be remitted outside Indonesian territory. Additionally, only an amount of less than 100 million rupiah can be freely taken physically out of Indonesia at any one time.
Digital identity and onboarding
Digital identity in Indonesia is generally recognised as an electronic certificate that holds a person's electronic signature, as referred to under Law No. 11 of 2008 regarding electronic information and transactions, dated 21 April 2008, as last amended by Law No. 19 of 2016, dated 25 November 2016 (the ITE Law). Following the enactment of the ITE Law, Indonesian authorities have issued multiple regulations to support, improve and expand the safety of using digital identification to access financial services, including:
- validation of certified e-signature and digital identity for electronic transactions, as governed by Ministry of Communication and Informatics Regulation No. 11 of 2018 regarding implementation of electronic certification, dated 6 September 2018; and
- use of electronic know-your-customer guidelines, as governed by Law No. 8 of 2010 regarding prevention and eradication of money laundering, dated 22 October 2010, and OJK Regulation No. 12/POJK.01/2017 regarding implementation of anti-money laundering and prevention of terrorism funding in the financial services sector, dated 21 March 2017, as last amended by OJK Regulation No. 23/POJK.01/2019, dated 30 September 2019 (OJK Reg 12).
Indonesia, through the National Council for Financial Inclusion and its relevant partners, has been working to put in place policies to implement a strong digital identity infrastructure for the inclusive delivery of financial services. There are currently several state and private enterprises that have registered with or obtained a licence from the Ministry of Communication and Informatics (MOCI) to issue electronic certificates in Indonesia.
Fully digitised onboarding of clients is permitted for financial services providers, under OJK Reg 12. The coverage of financial services providers under OJK Reg 12 is broad so as to include financial services providers in the banking sector, capital market sector and non-bank financial institution sector. The conditions to implement the fully digitised onboarding of clients, however, may vary across each regulation governing specific financial services activities. For example, banks intending to provide fully digitised onboarding may only do so once they have procured approval from the OJK for the provision of digital banking services. Third parties whose electronic facilities are used by financial services providers for the identity verification of prospective customers must also obtain OJK approval.
Digital markets, payment services and funding
i Digital marketplace
Digital marketplaces are not regulated by either Bank Indonesia or the OJK. Rather, they are regulated by the Minister of Trade under Government Regulation No. 80 of 2019 regarding trading through electronic systems, dated 25 November 2019, and its implementing regulation, Minister of Trade Regulation No. 50 of 2020 regarding provisions of business licensing, advertisements, guidance and supervision of business practitioners in trade through electronic systems, dated 19 May 2020. To operate a digital marketplace, a company must obtain a Trade through Electronic System Business Licence and other supporting licences as necessary. There is no special rule for digital marketplaces that facilitate the sale of digital assets.
The trading of cryptoassets is specifically regulated by the Commodity Futures Trading Regulatory Agency (Bappebti), an agency under the Ministry of Trade, and is subject to a different set of rules. These rules are laid out in Bappebti Regulation No. 8 of 2021 regarding guidance for the implementation of the cryptoasset physical market in futures exchange, dated 29 October 2021.
ii Collective investment schemes
Indonesian law does not regulate collective investment schemes in general. Instead, regulations are issued pertaining to specific finance products, such as equity crowdfunding platforms.
Companies are permitted to conduct securities crowdfunding if they obtain the requisite licence from the OJK. Pursuant to OJK Regulation No. 57/POJK.04/2020 regarding security crowdfunding, dated 11 December 2020, as amended by OJK Regulation No. 16/POJK.04/2021, dated 26 August 2021 (OJK Reg 57), security crowdfunding is defined as the provision of security offerings by issuers to sell securities directly to investors through an open electronic system network. Under OJK Reg 57, securities are defined as promissory notes, commercial papers, shares, bonds, evidence of debt, collective investment contract participation units, futures contracts over securities, and any derivative of securities. Crowd-lending is not specifically regulated in Indonesia.
iii Peer-to-peer lending
P2P lending is under the purview of the OJK, regulated specifically by OJK Regulation No. 77/POJK.01/2016 regarding information technology-based money lending services, dated 29 December 2016, as amended by OJK Regulation No. 4/POJK.05/2021 regarding risk management implementation in the use of information technology by non-bank financial services institutions, dated 9 March 2021 (OJK Reg 77). P2P lending is defined therein as the provision of financial services to bring together lenders and borrowers for the purpose of concluding lending agreements in rupiah directly through an electronic system using the internet. Companies providing P2P lending platforms are required to register and obtain a licence from the OJK upon the fulfilment of certain requirements.
Under OJK Reg 77, P2P lending platform providers are prohibited from:
- carrying out other business activities;
- acting as a lender or borrower;
- issuing security in any form for the fulfilment of another party's obligation;
- issuing bonds;
- providing recommendations to users;
- publishing fictional or misleading information;
- offering services to users or the public through private communication facilities without the consent of the users; and
- charging any fee to users for any submission of complaints.
iv Trading of loans in secondary market
There is no specific restriction on the trading of loans in the secondary market, nor is it regulated in Indonesia.
v Payment services
A company providing payment services is required to obtain a licence from Bank Indonesia. BI Reg 22 divides payment system providers into payment service providers and payment system infrastructure providers. Payment system providers are defined as banks or non-bank institutions that provide services to facilitate payment transactions to service users. They may carry out the following activities: (1) provision of information on fund source; (2) payment initiation or acquiring services; (3) administration of fund source; and (4) remittance services. Payment system infrastructure providers are defined in BI Reg 22 as parties providing infrastructure that may be used to conduct the transfer of funds for the interest of their members. Payment system infrastructure providers may provide clearing or final settlement services for the interest of members. Details on licensing requirements are further elaborated in BI Reg 23/6 for payment service providers and BI Reg 23/7 for payment system infrastructure providers.
BI Reg 22, BI Reg 23/6 and BI Reg 23/7 now limit foreign ownership of payment system providers. This restriction was previously limited to e-money issuers, principals, switching providers, clearing providers and final settlement providers. Non-bank payment service providers are required to have a minimum of 15 per cent of total shares, with a minimum of 51 per cent of those shares having voting rights, owned by a domestic party or parties. Payment system infrastructure providers are required to have a minimum of 80 per cent of total shares and shares with voting rights held by a domestic party or parties. These foreign ownership restrictions are waived for existing payment service providers and payment system infrastructure providers (i.e., Bank Indonesia licence holders prior to the enactment of the new Bank Indonesia regulations). However, existing payment service providers and payment system infrastructure providers are required to adjust their foreign shareholding composition if there are any future changes to their shareholding composition.
BI Reg 23/6 and BI Reg 23/7 also raise the minimum capital requirement for new entities applying for payment service provider or payment system infrastructure provider licences. The minimum capital requirement for payment service providers differs according to the licence category. Licence category 1, which encompasses account information services, payment initiation, acquiring services, account issuance services and remittance services, has a minimum initial paid-up capital of 15 billion rupiah. The minimum initial paid-up capital for licence category 2, encompassing account information services and payment initiation and acquiring services, is 5 billion rupiah, and licence category 3, covering remittance services and other activities as determined by Bank Indonesia, has a minimum initial paid-up capital of 500 million rupiah for licence holders that do not provide a system that can be used by other payment service providers, and 1 billion rupiah for licence holders that provide a system that can be used by other payment service providers. Despite the foregoing, all foreign investment companies are still required to have a minimum initial paid-up capital of 10 billion rupiah.
For payment system infrastructure providers, the minimum initial paid-up capital is 100 billion rupiah.
In addition, BI Reg 22, along with BI Reg 23/6 and BI Reg 23/7, introduced the concept of ongoing capital. Ongoing capital must be fulfilled by payment system providers for as long as they carry out payment system activities. The calculation of the ongoing capital differs from one provider to another and is not specifically stated in the Bank Indonesia regulations. Payment system providers are expected to conduct self-assessments for the calculation of ongoing capital, but Bank Indonesia will make the final determination of the ongoing capital requirement for the specific payment system provider.
vi Mandated accessibilities to client or product data
MOCI Regulation No. 5 of 2020 regarding private electronic system providers, dated 24 November 2020, as amended by MOCI Regulation No. 10 of 2021, dated 21 May 2021 (MOCI Reg 5), requires private electronic system providers (ESPs) to grant access to their electronic systems or electronic data to (1) authorised institutions for supervisory purposes and (2) law enforcement officers for the purpose of law enforcement, in particular criminal investigations, prosecutions and trials conducted in Indonesia. A private ESP is defined in MOCI Reg 5 as an individual, business entity or member of the public that operates an electronic system. Electronic system is further defined therein as a series of electronic devices and procedures that serve to prepare, collect, process, analyse, store, display, publish, transmit or disseminate electronic information. Therefore, there is an obligation for private ESPs to provide their electronic client or product data to authorities as relevant third parties.
Cryptocurrencies, initial coin offerings (ICO) and security tokens
i Blockchain technology
While there is no specific rule or regulation in Indonesia for blockchain technology, it is referred to in two different regulations issued by Bank Indonesia and the OJK. Both regulations were issued for the purpose of facilitating and supporting innovative industry players in the field of financial services and payment systems. Specifically, blockchain technology is referred to in BI Reg 23/6, which provides that the use of blockchain technology or distributed ledger technology for the provision of fund transfers, electronic money, electronic wallet or mobile payments shall be considered as the provision of financial technology in the payment system sector. Blockchain technology is also mentioned in OJK Reg 13 in the context of the scope of digital financial innovation related to other financial services activities. OJK Reg 13 provides examples of other financial services activities, such as invoice trading, vouchers and tokens.
ii Tokens as securities
Securities are defined in the Capital Market Law, as promissory notes, commercial papers, shares, bonds, evidence of debt, collective investment contract participation units, futures contracts over securities and any derivative of securities. Based on this definition, taking a conservative approach, tokens would not qualify as securities under Indonesian law.
Cryptocurrencies are not recognised as a payment instrument in Indonesia. However, they may be traded if they have been so approved by the head of Bappebti. To be approved for trading in Indonesia, a cryptocurrency must fulfil several requirements, which include: (1) being based on distributed ledger technology; (2) being a utility crypto or a crypto-backed asset; and (3) having had its associated risks evaluated, including the risk of money laundering and terrorism funding, as well as the proliferation of weapons of mass destruction. Furthermore, cryptoasset traders must have in place standard operating procedures that, at the minimum, cover the following:
- marketing and receipt of cryptoasset customers;
- transaction implementation;
- internal controls and supervision;
- dispute settlement for cryptoasset customers; and
- implementation of anti-money laundering, terrorism financing and proliferation of weapons of mass destruction policies.
Any transaction mechanism implemented by cryptoasset traders must undergo similar evaluation for risks of money laundering, terrorism funding and proliferation of weapons of mass destruction.
In addition, any income arising from the sale of cryptocurrencies will be imposed with income tax, but any other tax treatment as to cryptocurrencies has yet to be specifically regulated. It is currently unclear whether tokens may be offered to Indonesian residents from abroad.
Other new business models
i Smart contracts
Smart contracts are referred to in OJK Reg 13 but are not specifically regulated. Under OJK Reg 13, smart contracts are categorised as digital financial innovation in the equity collecting sector, along with equity crowdfunding, virtual exchange and alternative due diligence. Therefore, the provisions of smart contracts would be generally governed by OJK Reg 13. Because there is no specific legal framework for self-executing contracts, there is currently no correction mechanism implemented by the law.
ii Automated investment
OJK Reg 13 also generally covers the provision of automated investment advice and investment management as part of digital financial innovation in the investment management sector. However, the extent to which this automation may be implemented is unclear. Included within the same sector is the use of advanced algorithms, cloud computing, capabilities sharing, open-source information technology, social trading and retail algorithmic trading.
iii Artificial intelligence
There is no special rule applicable to the use of artificial intelligence in financial products. However, artificial intelligence is mentioned in OJK Reg 13 as part of digital financial innovation in the market support sector, along with machine readable news, social sentiment, big data, market information platforms and automated data collection and analysis. Thus, the use of artificial intelligence in financial products is allowed, subject to the limitations provided in OJK Reg 13 as well as any regulation for the specific financial product offered.
Third-party websites that compare products or provide information on financial products are considered aggregators and are required to comply with OJK Reg 13 with regard to the conduct of their businesses. Aggregators are also required to abide by the Data Protection Regulations (as defined below) as well as any other data protection requirement imposed under OJK Reg 13. They are also subject to competition rules set out in Law No. 5 of 1999 regarding prohibition of monopolistic practices and unfair competition, dated 5 March 1999, as last amended by Law No. 11 of 2020 regarding job creation, dated 2 November 2020, as well as its implementing regulations.
v Other fintech business models
From our observations, there are no new fintech business models on the rise. The covid-19 pandemic has encouraged end consumers to adopt digital means of payment and, as a result, the financial sector has received a push to digitalise its products.
Intellectual property and data protection
i Intellectual property
Under Indonesian intellectual property regulations, fintech business models and related software are categorised as computer programs, which are protected by copyright. The granting of copyright for computer programs does not rely on prior registration by the creator and, as such, copyright shall be automatically attached to computer programs once they are created. Patent protection is also available, provided that the invention fulfils the following three requirements: (1) it is new (i.e., the invention is not the same as previously disclosed technologies); (2) it is inventive (i.e., it cannot be easily created by another individual with expertise in the technical sector); and (3) it can be used in the industry.
If a software or business model is developed by an employee or a contractor for a client, the economic rights over the intellectual property shall remain with that employee or contractor as its creator, unless otherwise transferred to the client (for example, under the employment agreement or service agreement). Employers in Indonesia normally include a clause in employment agreements concluded with employees or contractors that explicitly states that the employer has economic rights over any creations by its employees and contractors. Compensation for the transfer of economic rights is not required but commonly provided.
ii Data protection
The main instruments regulating data protection in Indonesia are as follows:
- Law No. 11 of 2008 regarding electronic information and transaction, dated 21 April 2008, as amended by Law No. 19 of 2016, dated 25 November 2016;
- Government Regulation No. 71 of 2019 regarding the provision of electronic systems and transactions, dated 10 October 2019 (GR 71); and
- Minister of Communication and Informatics Regulation No. 20 of 2016 regarding personal data protection in electronic systems, dated 1 December 2016 (MOCI Reg 20) (together, the Data Protection Regulations).
Insofar as client data falls under the definitions of personal data provided by GR 71 and MOCI Reg 20, it will be granted the protection provided within the above instruments. GR 71 defines personal data as 'certain personal data which is stored, maintained, and guarded of its accuracy and protected of its confidentiality'. MOCI Reg 20 defines personal data as 'every data regarding a person, whether identified or identifiable independently or in combination with other information directly or indirectly through electronic system or non-electronically'.
Protection afforded under the Data Protection Regulations includes but is not limited to protection of confidentiality and data accuracy and minimisation (i.e., prior to collecting the data, the data owners must be given the reason for the collection as well as details of how their data may be handled, and the data collection shall be limited where possible to the extent necessary for the collection). Certain regulations for specific types of financial services providers, such as P2P lending platform operators and companies deemed to be providing innovative digital finance services, also require client data to be protected but do not provide for a higher threshold of data protection than what is already provided in the Data Protection Regulations. Aside from the aforementioned, there are no special rules on the digital profiling of clients.
Year in review
Following the issuance of BI Reg 22 in late 2020, Bank Indonesia issued two implementing regulations, effective since 1 July 2021, namely BI Reg 23/6 and BI Reg 23/7. Existing payment system providers are undergoing licence conversion based on the new payment system regime under these regulations.
The OJK has issued OJK Regulation No. 12/POJK.03/2021 on commercial banks, dated 30 July 2021 (OJK Reg 12/2021), which replaces and amends several previous regulations on banking issued by Bank Indonesia and the OJK. OJK Reg 12/2021 addresses conventional banks as well as digital banks. However, it does not classify digital banks in their own category. Under OJK Reg 12/2021, banks are still categorised into two types: commercial banks and public credit banks. This lack of clear categorisation allows industry players more flexibility in determining their business model, whether as a traditional bank, a bank with digital banking facilities, hybrid digital bank, etc. The issuance of OJK Reg 12/2021 appears to be in response to the steep rise in digital banking in Indonesia over the past five years.
Outlook and conclusions
Legal and regulatory initiatives related to financial technology are rarely made public and, as a consequence, it is difficult to predict forthcoming initiatives by the government. Typically, the regulators will only provide draft regulations to certain associations related to the industry to obtain feedback and to allow association members to hedge their business decisions.
BI Reg 22 and its implementing regulations (i.e., BI Reg 23/6 and BI Reg 23/7) overhaul the previous regulatory framework for payment system providers. As Bank Indonesia is still in the midst of navigating the practical implementation of these regulations, we do not foresee any significant regulations – that is, regulation that would have a significant impact on the licensing requirements for industry players – being issued in the near future.
1 Winnie Yamashita Rolindrawan is a partner and Asri Rahimi and Sabrina Wirawendra Kusumoprojo are associates at SSEK Legal Consultants.