The Financial Technology Law Review: Indonesia
Fintech activities in Indonesia are mainly regulated by the two most prominent financial regulatory bodies in Indonesia, namely the Indonesian central bank, or Bank Indonesia, and the Indonesian Financial Services Authority (OJK). If a fintech activity is specifically regulated, companies engaging in that activity must abide by that regulation. Noting the exponential progression of the fintech sector in Indonesia, the Indonesian government tries to monitor and simultaneously facilitate the development of fintech activities that have yet to be specifically regulated. This is done by way of sandbox mechanisms provided by Bank Indonesia and the OJK. The coverage of each authority's sandbox differs, with Bank Indonesia focusing on payment systems related to fintech and the OJK focusing on financial services related to fintech. The latter includes innovations in the field of banking, capital markets, insurance, pension funds and financing institutions. By requiring unclassified industry players to abide by the sandbox mechanism, the government of Indonesia seeks to ensure that Indonesian consumers are protected while simultaneously supporting innovation in the fintech sector. Both Bank Indonesia and OJK have issued regulations on this sandbox mechanism, as well as other regulations pertaining to fintech. These regulations can be accessed on the websites of each institution.
Generally, there are no special tax incentives for fintech companies. However, companies conducting business in a pioneer industry may receive certain tax facilities in the form of reduction in corporate income tax. Capital Investment Coordinating Board Regulation No. 7 of 2020 regarding Description of Business Activities and Pioneer Industry Production and Procedures for Granting Corporate Income Tax Deduction Facilities defines a pioneer industry as being highly relevant, providing added value and high externalities, introducing new technologies, and having strategic value for the national economy. This includes, among others, data processing activities, hosting activities and related activities.
i Licensing and marketing
Fintech companies are generally regulated by Bank Indonesia and the OJK. The scope of the fintech licence provided by each authority is different. Bank Indonesia, through Bank Indonesia Regulation No. 19/12/PBI/2017 regarding Organisation of Financial Technology, dated 30 November 2017 (BI Reg 19) regulates that the following fintech activities, which relate to monetary stability, financial system stability and payment systems, trigger a registration or licensing requirement in Indonesia:
- Payment system: payment system activities, including authorisation, clearing, final settlement and implementation of payment, such as blockchain or distributed ledgers for the provision of fund transfers, electronic money, electronic wallet and mobile payments;
- Market support: activities that use information or electronic technology to facilitate the faster and more cost-efficient provision of information to the public with regard to financial products and services, such as the provision of information comparing available products or services within the financial services sector;
- Investment management and risk management: the provision of online investment and online insurance; and
- Lending, financing or funding, and capital raising: peer-to-peer lending (P2P lending) or information technology-based fundraising (crowdfunding).
Fintech activities related to financial services are regulated by the OJK. OJK Regulation No. 13/POJK.02/2018 regarding Digital Financial Innovation in the Financial Services Sector, dated 16 August 2018 (OJK Reg 13), requires companies carrying out the following digital financial innovation activities to register or obtain a licence (unless otherwise exempted):
- Transaction settlement: focuses on, among other things, investment settlement;
- Capital raising: includes equity crowdfunding, virtual exchange, smart contracts and alternative due diligence;
- Investment management: includes advanced algorithms, cloud computing, capability sharing, open-source information technology, automated advice and management, social trading and retail algorithmic trading;
- Fundraising and fund disbursement: includes P2P lending, alternative adjudication and third-party application programming interface;
- Insurance: includes sharing economy, autonomous vehicles, digital distribution, securitisation and hedge funds;
- Market support: includes artificial intelligence or machine learning, machine readable news, big data, social sentiment, market information platforms, automated data collection and analysis;
- Other digital finance supporting activities: includes social and eco-crowdfunding, sharia digital financing, e-waqf, e-zakat, automated digital advisory and credit scoring; and
- Other financial services activities: includes invoice trading, vouchers and products using blockchain-based applications.
Bank Indonesia and the OJK have the authority to regulate, register and issue licences for the above-listed fintech activities. These two authorities have set out their respective rules on conditions or requirements, which shall depend on the specific registration or licence to be held by the relevant company. As a matter of general principle, both Bank Indonesia and the OJK stipulate extensive criteria for regulated fintech activities (such as being innovative in nature, may have an impact on existing products, services, technologies or financial business models, and can be widely used), and require any provider whose services meet the criteria to register with the financial regulatory bodies.
Automated digital advisory
To date, there is no specific law or regulation that specifically addresses automated digital advisory in Indonesia. It is mentioned in OJK Reg 13 as an example of digital financial innovation in the investment management sector. Given that it falls under the purview of the OJK and is explicitly referred to in OJK Reg 13, companies providing automated digital advisory will need to comply with the provisions of OJK Reg 13, which include the obtaining of a registration or licence, as applicable.
Asset management company
Any party that wishes to establish an asset management company in Indonesia must refer to the activities of an investment manager (IM) company operating on the Indonesia Stock Exchange pursuant to Law No. 8 of 1995 regarding Capital Market, dated 10 November 1995 (Capital Market Law). Other than the requirement for this company to be established in the form of an Indonesian limited liability company (PT), as set out in Law No. 40 of 2007 regarding Limited Liability Company, dated 16 August 2007, as lastly amended by Law No. 11 of 2020 regarding Job Creation, dated 2 November 2020 (Omnibus Law), this company must also be registered as a securities company, specifically as an IM company, for which a licence must be obtained from the OJK, pursuant to Article 30, Paragraph (1) of the Capital Market Law. Other technology-based asset management activities not specifically regulated by the OJK are subject to the regulatory sandboxing programme under OJK Reg 13.
Credit information services
Credit information services are regulated in OJK Regulation No. 42/POJK.03/2019 regarding Credit Information Management Agencies, dated 31 December 2019, and Bank Indonesia Circular Letter No. 15/49/DPKL regarding Credit Information Management Agencies, dated 5 December 2013. Under these regulations, a credit bureau is permitted to collect and process credit data and other data to generate a credit report. A credit report is a product or service generated by a credit bureau in writing, verbally, or by some other method, sourced from credit data and other data owned by the credit bureau. As is the case with other fintech companies under the OJK's supervision, a credit bureau is required to obtain a business licence from the OJK to carry out its business activities in Indonesia.
Sales and marketing of financial products and services
Traditional sales and marketing of financial services, such as conventional banking, investment and insurance are regulated by the OJK. There are no specific regulations for the sale and marketing of unconventional financial services, such as initial coin offerings. Principally, fintech companies must ensure that when selling and marketing financial products, there is no misleading information that may cause losses for consumers.
ii Cross-border issues
Indonesia does not recognise the concept of passporting and Indonesian law does not permit regulated activities to be provided from offshore. Furthermore, under Indonesian law, a party providing any fintech services or products in the jurisdiction must establish a local presence and obtain the requisite licence from the Indonesian regulatory bodies as stipulated by the prevailing laws and regulations.
Certain limitations or restriction on foreign ownership of Indonesian companies may be applicable, depending on the business line of the company. For example, a company engaging in the provision of P2P lending activities can have a maximum foreign ownership of 85 per cent, which means that at least of 15 per cent ownership must be held by Indonesian shareholders.
If offshore products or services are actively marketed in Indonesia, there is a risk that the relevant authority will require the provider of those products or services to establish a local presence, as such entity will be considered to be carrying out business in Indonesia. However, if the provision of the product or service is done on a reverse enquiry basis, where the approach is made by potential clients on an unsolicited basis, it will not trigger a licensing requirement in relation to the fintech activities, provided that the company responds to the potential clients on a reach-in or fly-in basis.
With respect to currency controls in Indonesia, the Indonesian rupiah cannot be remitted outside Indonesian territory. Additionally, only an amount of less than 100 million rupiah can be freely taken physically out of Indonesia at any one time.
Digital identity and onboarding
Digital identity in Indonesia generally is recognised as an electronic certificate that holds a person's electronic signature, as referred to under Law No. 11 of 2008 regarding Electronic Information and Transactions, dated 21 April 2008, as lastly amended by Law No. 19 of 2016, dated 25 November 2016 (ITE Law). Following the enactment of the ITE Law, Indonesian authorities have issued multiple regulations to support, improve and expand the safety of using digital identification to access financial services, among others:
- validation of certified e-signature and digital identity for electronic transactions as governed by Ministry of Communication and Informatics Regulation No. 11 of 2018 regarding Implementation of Electronic Certification, dated 6 September 2018; and
- use of e-KYC (electronic know-your-customer) guidelines, as governed by Law No. 8 of 2010 regarding Prevention and Eradication of Money Laundering, dated 22 October 2010, and OJK Regulation No. 12/POJK.01/2017 regarding Implementation of Anti-Money Laundering and Prevention of Terrorism Funding in the Financial Services Sector, dated 21 March 2017, as lastly amended by OJK Regulation No. 23/POJK.01/2019 dated 30 September 2019 (OJK Reg 12).
Indonesia, through the National Council for Financial Inclusion (DNKI) and its relevant partners, has been working to put in place the policies to implement a strong digital identity infrastructure for the inclusive delivery of financial services. There are currently several state and private enterprises that have registered with or obtained a licence from the Ministry of Communication and Informatics (MOCI) to issue electronic certificates in Indonesia.
Fully digitised onboarding of clients is permitted for financial services providers, under OJK Reg 12. The coverage of financial services providers under OJK Reg 12 is broad so as to include financial services providers in the banking sector, capital market sector and non-bank financial institution sector. The conditions to implement the fully digitised onboarding of clients, however, may vary across each regulation governing specific financial services activities. For example, banks intending to provide fully digitised onboarding may only do so once they have procured approval from the OJK for the provision of digital banking services. Third parties whose electronic facilities are used by financial services providers for the identity verification of prospective customers must also obtain OJK approval.
Digital markets, payment services and funding
i Digital marketplace
Digital marketplace is not regulated by either Bank Indonesia or the OJK. Rather, it is regulated by the Minister of Trade under Government Regulation No. 80 of 2019 regarding Trading through Electronic Systems, dated 25 November 2019, and its implementing regulation, Minister of Trade Regulation No. 50 of 2020 regarding Provisions of Business Licensing, Advertisements, Guidance and Supervision of Business Practitioners in Trade Through Electronic Systems, dated 19 May 2020. To operate a digital marketplace, a company must obtain a Trade through Electronic System Business Licence and other supporting licences as necessary. There is no special rule for digital marketplaces that facilitate the sale of digital assets.
The trading of cryptoassets is specifically regulated by the Commodity Futures Trading Regulatory Agency (Bappebti), an agency under the Ministry of Trade, and is subject to a different set of rules. These rules are laid out in Bappebti Regulation No. 5 of 2019 regarding Technical Provisions for the Implementation of the Crypto Asset Physical Market in Futures Exchange, dated 8 February 2019, as last amended by Bappebti Regulation No. 3 of 2020 dated 31 March 2020.
ii Collective investment schemes
Indonesian law does not regulate collective investment schemes in general. Instead, regulations are issued pertaining to specific finance products, such as equity crowdfunding platforms.
Companies are permitted to conduct securities crowdfunding if they obtain the requisite licence from the OJK. Pursuant to OJK Regulation No. 57/POJK.04/2020 regarding Security Crowdfunding, dated 11 December 2020 (OJK Reg 57), security crowdfunding is defined as the provision of security offerings by issuers to sell securities directly to investors through an open electronic system network. Under OJK Reg 57, securities are defined as promissory notes, commercial papers, shares, bonds, evidence of debt, collective investment contract participation units, futures contracts over securities and any derivative of securities. Crowdlending is not specifically regulated in Indonesia.
iii Peer-to-peer lending
Peer-to-peer (P2P) lending is under the purview of the OJK, regulated specifically by OJK Regulation No. 77/POJK.01/2016 regarding Information Technology-Based Money Lending Services, dated 29 December 2016 (OJK Reg 77). P2P lending is defined therein as the provision of financial services to bring together lenders and borrowers for the purpose of concluding lending agreements in rupiah directly through an electronic system using the internet. Companies providing P2P lending platforms are required to register and obtain a licence from the OJK upon the fulfilment of certain requirements.
Under OJK Reg 77, P2P lending platform providers are prohibited from:
- carrying out other business activities;
- acting as a lender or borrower;
- issuing security in any form for the fulfilment of another party's obligation;
- issuing bonds;
- providing recommendation to users;
- publishing fictional or misleading information;
- offering services to users or the public through private communication facilities without the consent of the users; and
- charging any fee to users for any submission of complaints.
iv Trading of loans in secondary market
There is no specific restriction on the trading of loans in the secondary market, nor is it regulated in Indonesia.
v Payment services
A company providing payment services is required to obtain a licence from Bank Indonesia. Bank Indonesia Regulation No. 22/23/PBI/2020 regarding Payment Systems, dated 30 December (BI Reg 22), divides payment system providers into payment service providers and payment system infrastructure providers. Payment system providers are defined as banks or non-bank institutions that provide services to facilitate payment transactions to service users. They may carry out the following activities: (1) provision of information on fund source; (2) payment initiation or acquiring services; (3) administration of fund source; and (4) remittance services. Payment system infrastructure providers are defined in BI Reg 22 as parties providing infrastructure that may be used to conduct the transfer of funds for the interest of their members. Payment system infrastructure providers may provide clearing or final settlement services for the interest of members.
vi Mandated accessibilities to client or product data
Minister of Communication and Informatics Regulation No. 5 of 2020 regarding Private Electronic System Providers (MOCI Reg 5), dated 24 November 2020, requires private electronic system providers (private ESPs) to grant access to their electronic systems or electronic data to (1) authorised institutions for supervisory purposes; and (2) law enforcement officers for the purpose of law enforcement, in particular criminal investigations, prosecutions and trials conducted in Indonesia. A private ESP is defined in MOCI Reg 5 as an individual, business entity or the public that operates an electronic system. Electronic system is further defined therein as a series of electronic devices and procedures that serve to prepare, collect, process, analyse, store, display, publish, transmit or disseminate electronic information. Therefore, there is an obligation for private ESPs to provide their electronic client or product data to authorities, as relevant third parties.
Cryptocurrencies, initial coin offerings (ICO) and security tokens
i Blockchain technology
While there is no specific rule or regulation in Indonesia for blockchain technology, blockchain technology is referred to in two different regulations issued by Bank Indonesia and the OJK. Both regulations were issued for the purpose of facilitating and supporting innovative industry players in the field of financial services and payment systems. Specifically, blockchain technology is referred to in Bank Indonesia Regulation No. 19/12/PBI/2017 regarding Provision of Financial Technology, dated 30 November 2017 (BI Reg 19). BI Reg 19 provides that the use of blockchain technology or distributed ledger for the provision of fund transfers, electronic money, electronic wallet or mobile payments shall be considered the provision of financial technology in the payment system sector. Under BI Reg 19, the payment system includes authorisation, clearing, final settlement and implementation of payment. As mentioned above, blockchain technology is also mentioned in OJK Reg 13 in the context of the scope of digital financial innovation related to other financial services activities. OJK Reg 13 provides other examples of other financial services activities, such as invoice trading, voucher and tokens.
ii Tokens as securities
Securities are defined in Law No. 8 of 1995 regarding Capital Market, dated 10 November 1995, as promissory notes, commercial papers, shares, bonds, evidence of debt, collective investment contract participation units, futures contracts over securities and any derivative of securities. Based on this definition, taking a conservative approach, tokens would not qualify as securities under Indonesian law.
Cryptocurrencies are not recognised as a payment instrument in Indonesia. However, they may be traded if they have been so approved by the head of Bappebti. To be approved for trading in Indonesia, a cryptocurrency must fulfil several requirements, which include (1) being based on distributed ledger technology; (2) being a utility crypto or a crypto-backed asset; and (3) having had its associated risks evaluated, including the risk of money laundering and terrorism funding, as well as the proliferation of weapons of mass destruction. Furthermore, cryptoasset traders must have in place standard operating procedures that, at the minimum, cover the following:
- marketing and receipt of cryptoasset customers;
- transaction implementation;
- internal controls and supervision;
- dispute settlement for cryptoasset customers; and
- implementation of anti-money laundering, terrorism financing and proliferation of weapons of mass destruction policies.
Any transaction mechanism implemented by cryptoasset traders must undergo similar evaluation for risks of money laundering, terrorism funding and proliferation of weapons of mass destruction.
In addition, any income arising from the sale of cryptocurrencies will be imposed with income tax, but any other tax treatment as to cryptocurrencies has yet to be specifically regulated. It is currently unclear whether tokens may be offered to Indonesian residents from abroad.
Other new business models
i Smart contracts
Smart contracts are referred to in OJK Reg 13 but are not specifically regulated. Under OJK Reg 13, smart contracts are categorised as digital financial innovation in the equity collecting sector, along with equity crowdfunding, virtual exchange and alternative due diligence. Therefore, the provisions of smart contracts would be generally governed by OJK Reg 13. Because there is no specific legal framework for self-executing contracts, there is currently no correction mechanism implemented by the law.
ii Automated investment
OJK Reg 13 also generally covers the provision of automated investment advice and investment management as part of digital financial innovation in the investment management sector. It is unclear, however, the extent to which such automation may be implemented. Included within the same sector is the use of advance algorithm, cloud computing, capabilities sharing, open-source information technology, social trading and retail algorithmic trading.
iii Artificial intelligence
There is no special rule applicable to the use of artificial intelligence in financial products. However, artificial intelligence is mentioned in OJK Reg 13 as part of digital financial innovation in the market support sector, along with machine readable news, social sentiment, big data, market information platforms and automated data collection and analysis. Thus, the use of artificial intelligence in financial products is allowed, subject to the limitations provided in OJK Reg 13 as well as any regulation for the specific financial product offered.
Third-party websites that compare products or provide information on financial products are considered aggregators and are required to comply with OJK Reg 13 with regard to the conduct of their businesses. Aggregators are also required to abide by the Data Protection Regulations (as defined below) as well as any other data protection requirement imposed under OJK Reg 13. They will also be subject to competition rules set out in Law No. 5 of 1999 regarding Prohibition of Monopolistic Practices and Unfair Competition, dated 5 March 1999, as lastly amended by Law No. 11 of 2020 regarding Job Creation, dated 2 November 2020, as well as its implementing regulations.
v Other fintech business models
From our observations, there is no new fintech business model that has been on the rise. With the occurrence of the covid-19 pandemic, end-consumers have been encouraged to adopt digital means of payment and as a result the financial sector has received a push to digitalise their products.
Intellectual property and data protection
i Intellectual property
Under Indonesian intellectual property regulations, fintech business models and related software are categorised as computer programs, which are protected by copyrights. The granting of copyrights for computer programs does not rely on prior registration by the creator and as such copyrights shall be automatically attached to computer programs once they are created. Patent protection is also available, provided that the invention fulfils the following three requirements: (1) it is new (i.e., the invention is not the same as previously disclosed technologies); (2) it is inventive (i.e., it cannot be imagined by an individual having expertise in the technical sector); and (3) it can be used in the industry.
In the event a software or business model is developed by an employee or a contractor for a client, the economic rights over the intellectual property rights shall remain with that employee or contractor as its creator unless otherwise transferred to the client (for example, under the employment agreement or service agreement). Employers in Indonesia normally include a clause in employment agreements concluded with employees or contractors that explicitly states that it has economic rights over any creations by its employees and contractors. Compensation for such transfer of economic rights is not required but commonly provided.
ii Data protection
The main instruments regulating data protection in Indonesia are as follows:
- Law No. 11 of 2008 regarding Electronic Information and Transaction, dated 21 April 2008, as amended by Law No. 19 of 2016, dated 25 November 2016;
- Government Regulation No. 71 of 2019 regarding the Provision of Electronic Systems and Transactions, dated 10 October 2019 (GR 71); and
- Minister of Communication and Informatics Regulation No. 20 of 2016 regarding Personal Data Protection in Electronic Systems, dated 1 December 2016 (MOCI Reg 20) (together, the Data Protection Regulations).
Insofar as client data falls under the definition of personal data within the definition provided by GR 71 and MOCI Reg 20, such data will be granted the protection provided within the above instruments. GR 71 defines personal data as 'certain personal data which is stored, maintained, and guarded of its accuracy and protected of its confidentiality'. MOCI Reg 20 defines personal data as 'every data regarding a person, whether identified or identifiable independently or in combination with other information directly or indirectly through electronic system or non-electronically'.
Protection afforded under the Data Protection Regulations includes but is not limited to protection of confidentiality and data accuracy and minimisation (i.e., prior to collecting the data, the data owners must be given the reason for such collection as well as how their data may be handled, and the data collection shall be limited where possible to the extent necessary for such collection). Certain regulations for specific types of financial services providers, such as P2P lending platform operators and companies deemed to be providing innovative digital finance services, also require client data to be protected but do not provide for a higher threshold of data protection than what is already provided in the Data Protection Regulations. Aside from the aforementioned, there are no special rules on the digital profiling of clients.
Year in review
The most significant regulatory development in the fintech sector in Indonesia over the past year was the issuance of BI Reg 22. BI Reg 22 completely reforms the previous categorisation of payment system providers and reconstructs the licensing regime, parts of which have been effective for as long as 12 years. BI Reg 22 cements the notion that has been circulating for several years that the government of Indonesia intends to strengthen local players in the payment system sector. It appears that the government will do this by imposing a more restrictive foreign shareholding limitation on companies in the sector and ensuring that control via special rights remains in the hands of local investors.
Outlook and conclusions
Legal and regulatory initiatives related to financial technology are rarely made public and, as a consequence, it is difficult to predict forthcoming initiatives by the government. Typically, the regulators will only provide draft regulations to certain associations related to the industry to obtain feedback and to allow association members to hedge their business decisions. At the moment, given the newly issued BI Reg 22, an umbrella regulation that significantly reconstructs the regulatory framework for the payment system industry, we expect the issuance of further regulations to clarify and implement the provisions of BI Reg 22. In particular, we would expect to see additional regulations on how front-end and back-end payment system services shall operate and the legal requirements to which they will be subject for the provision of their services. Additionally, Bank Indonesia plans to issue an update to its current sandbox mechanism, as currently regulated in BI Reg 19. It appears that this update will come into force in April 2021.
Given the rapid development of fintech in Indonesia, we anticipate a more proactive approach by the government of Indonesia with respect to regulating the sector. At this juncture, it appears the government of Indonesia intends to overhaul the current regulatory framework, beginning with the complete restructuring of the licensing system in 2018 and then the recently issued Omnibus Law. The Omnibus Law is a legal instrument intended to bolster investments by improving the ease of doing businesses in Indonesia, by streamlining many laws across numerous sectors and simplifying the licensing process. Bank Indonesia appears to be following suit with the issuance of BI Reg 22. We note that regulations in certain sectors related to fintech could benefit from more effective implementation. For example, Indonesia has had a draft Personal Data Protection Law in the works for several years but it is still unclear when this law might actually be issued. It remains to be seen whether the issuance of fintech regulations by the authorities in Indonesia can match the swift pace at which fintech is developing in the country, and whether such regulations, when issued, will provide the much-needed space for fintech innovation and inclusivity.
1 Winnie Yamashita Rolindrawan is a partner and Asri Rahimi and Callista Putri Mayari are associates at SSEK Legal Consultants.