09 Mar 2026
Preparing for POJK 30/2025: OJK's New Governance and Risk Management Requirements for ITSK Organizers

1. Introduction 

   The Indonesian Financial Services Authority (Otoritas Jasa Keuangan or “OJK”) has issued Regulation No. 30 of 2025 (“POJK 30/2025”), establishing a comprehensive regulatory framework governing Governance and Risk Management for Financial Sector Technology Innovation (Inovasi Teknologi Sektor Keuangan or “ITSK”) Organizers.

   POJK 30/2025 introduces stricter governance standards and expanded risk management requirements for ITSK Organizers.  While the regulation does not take effect until 1 July 2026, its implications are immediate for firms currently licensed or operating within OJK’s regulatory sandbox. 

2. Key Areas of Change

   The new regulation represents a significant shift in OJK’s approach to financial technology supervision, with notable changes in the following areas:

   1. Board Composition and Qualification Standards

      POJK 30/2025 introduces significant changes to board governance, establishing stricter standards for technical expertise, domicile, and independence. ITSK Organizers with international ownership structures or cross-border management teams should anticipate the need for board restructuring to meet these new requirements ahead of the July 2026 deadline.

      The Board of Directors (“BOD”) of an ITSK Organizer must now include members with demonstrable technical knowledge in the ITSK sector, IT industry, or financial services, evidenced through professional certification or relevant work experience. In addition, the regulation imposes specific residency requirements: the President Director and at least 50% of members of the BOD must be domiciled in Indonesia.

      Independence standards have also been strengthened to prevent arrangements where Controlling Shareholders (Pemegang Saham Pengendali or "PSP") exercise undue influence over management, particularly with respect to the relationship between the PSP and the President Director. Furthermore, OJK's supervisory authority has been expanded to allow the regulator to intervene in BOD appointments, replacements, or resignations where conflicts of interest may arise.

   2. Proactive Cyber Resilience and the "Early Warning System" 

      POJK 30/2025 expands the scope of mandatory risk management to include six distinct risk categories. Notably, cyber risk is no longer treated merely as an IT issue, but is now elevated to a mandatory, standalone risk category, reflecting OJK’s firm expectation that  ITSK Organizers adopt a proactive approach to cyber resilience. 

      A key introduction under POJK 30/2025 is the mandatory implementation of an early warning system (“EWS”) across all six risk categories. The EWS is designed to function as a proactive monitoring mechanism, enabling organizers to detect security gaps or potential system failures before they escalate into material operational disruptions or financial losses. To reinforce this, Article 46 mandates periodic, comprehensive information system audits, ensuring that the EWS operates  as a functional component of the ITSK Organizer’s daily operations, rather than remaining a mere policy commitment. 

   3. Proactive Reporting Obligations

      POJK 30/2025 introduces a more proactive and rigorous reporting framework, designed to enable OJK to identify systemic risks before they manifest as actual financial failures. 

      A key feature of this framework is the "potential loss" trigger under Article 70, which requires ITSK Organizers to submit a specialized risk profile report to OJK whenever conditions arise that could give rise to significant financial losses. This obligation is proactive in nature, as the reporting requirement is activated by the potential for loss, not the occurrence of loss itself, and must be fulfilled within one month of the condition being identified. OJK also reserves the authority to independently request these reports where it identifies risk exposures that could jeopardize an ITSK Organizer’s financial stability.

      Beyond event-driven reporting, ITSK Organizers are required to submit semi-annual risk profile reports reflecting their positions as of June and December each year. OJK retains the right to require additional self-assessment risk profile reports at any time it deems necessary. 

      Organizers are also required to prepare an annual report on the implementation of good governance. At a minimum, this report must cover:

      1. a disclosure of how the principles of good governance have been implemented across the organization; 

      2. the results of the ITSK Organizer's self-assessment of its good governance practices; and

      3. where deficiencies are identified, a corrective action plan specifying the remedial steps to be taken, the expected timeline for completion, and any obstacles to implementation. 

3. Sanctions

   POJK 30/2025 adopts a multi-tiered enforcement approach, with sanctions ranging from corrective measures to the revocation of business licenses. Under Articles 48 and 73, violations of governance or risk management standards may result in:

   1. a written warning; 

   2. temporary suspension of some or all activities, including existing cooperation arrangements; 

   3. administrative fines; 

   4. inclusion of the relevant principal party (such as directors, commissioners, or shareholders) in OJK’s list of prohibited parties in the financial sector; and 

   5. revocation of business licenses. 

   With respect to reporting obligations specifically, delays in submitting mandatory reports, such as the annual good governance report or the semi-annual risk profile reports, incur a daily administrative fine of IDR100,000 per business day. A total failure to submit these reports attracts a heavier penalty of IDR3,000,000; importantly, the imposition of this fine does not extinguish the underlying obligation to submit the report.

4. ABNR Commentary

   POJK 30/2025 represents a significant regulatory shift for Indonesia’s financial technology sector, raising governance and risk management expectations well beyond what was previously required. The residency and technical expertise requirements for BOD members will likely necessitate management restructuring for many foreign-owned ITSK Organizers — a process that takes time and should not be left until the July 2026 deadline approaches. 

   Equally noteworthy is the proactive nature of the new reporting framework. The "potential loss" trigger under Article 70 places a premium on robust internal monitoring (the EWS): organizers must develop sufficiently sensitive early warning systems to detect and report risk conditions in a timely manner, while at the same time exercising sound judgement to avoid over-reporting that could attract unwarranted regulatory scrutiny.

   In light of these developments, ITSK Organizers are strongly advised to promptly assess their readiness across three key areas: (i) board composition and residency compliance, (ii) the adequacy of risk management frameworks, including EWS implementation; and (iii) reporting processes and internal triggers for the new proactive reporting obligations. Early preparation will be critical to achieving full compliance ahead of the 1 July 2026 effective date and avoiding administrative sanctions that non-compliance may attract.

By partner Ayik C. Gunadi (agunadi@abnrlaw.com) and associate Beverly Laza (blaza@abnrlaw.com)

This ABNR News and its contents are intended solely to provide a general overview, for informational purposes, of selected recent developments in Indonesian law. They do not constitute legal advice and should not be relied upon as such. Accordingly, ABNR accepts no liability of any kind in respect of any statement, opinion, view, error, or omission that may be contained in this legal update. In all circumstances, you are strongly advised to consult a licensed Indonesian legal practitioner before taking any action that could adversely affect your rights and obligations under Indonesian law.