20 Sep 2018
OJK Issues Umbrella Regulation for Fintech Development, Establishes Regulatory Sandbox Regime


A. Introduction


The financial technology (“fintech”) sector in Indonesia is regulated by two separate institutions: (i) the central bank (Bank Indonesia / “BI”) for fintech related to the payments system, such as payment gateways, e-money, e-wallet, etc.) and (ii) the Financial Services Authority (“OJK”) for fintech related to lending and all other aspects of fintech.


Following in the footsteps of BI in the payments arena, the OJK has gradually moved to exert control over its sphere of responsibility in the fintech sector, with peer-to-peer lending being regulated through OJK Regulation No. 77/POJK.01/2016 and OJK Circular No. 18/SEOJK.02/2017. However, until recently, the OJK had never issued an overarching regulation governing the development of the sector as a whole or replicating the sandbox regime and pre-audit mechanism (i.e. all documents and systems must be ready prior to applying for a license) established by BI for fintech in the payments arena.


This gap has now been filled by OJK Regulation No. 13/POJK.02/2018 (on Digital Financial Innovation in the Financial Services Sector) (“Reg. 13”), which entered into effect on 16 August 2018.


Unfortunately, Reg. 13 eschews the usual Bahasa Indonesia equivalents for the international term “financial technology/fintech” (namely teknologi finansial and teknologi keuangan) and instead opts for the term “digital financial innovation” (Inovasi Keuangan Digital / “DFI”). This could prove somewhat confusing for the uninitiated, especially given that the relevant BI regulations all employ the term “financial technology” (teknologi keuangan).[i]


B. Key Features of Reg. 13


1. Scope of DFI


Reg. 13 defines DFI as “any form of innovation in business processes, business models or financial instruments that provides added value in the financial-services sector through participation in a digital ecosystem.” It further provides that DFI encompasses a variety of fintech services, as described below:


Business Operation

Business Model

a) Transactional Settlements

e.g., investment settlement

b) Capital Accumulation

e.g., equity crowdfunding, virtual exchanges and smart contracts, alternative due diligence

c) Investment Management

e.g., advanced algorithms, cloud computing, capability sharing, open-source information technology, automated advice and management, social trading and algorithmic retail trading

d) Fund Accumulation and Distribution

e.g., peer-to-peer lending, alternative adjudication, virtual technologies, mobile 3.0, and third-party application programming interfaces

e) Insurance

e.g. sharing economies, autonomous vehicles, digital distribution, and securitization and hedge funds

f) Market Support

e.g., artificial intelligence/machine learning, machine-readable news, social sentiment, big data, market information platforms and automated data collection and analysis

g) Other Digital Supporting Services

e.g., social/eco-crowdfunding, Islamic digital banking, e-waqf, e-zakat, robo advice and credit scoring

h) Other Financial Services Operations

e.g., invoice trading, vouchers, tokens and blockchain-related products


2. Recordation, Regulatory Sandbox and Registration


Reg. 13 essentially establishes a DFI regime that consists of three separate but mutually related aspects, i.e., recordation, regulatory sandbox and registration.




Reg. 13 requires all existing and prospective DFI providers in Indonesia, whether in the form of financial services institutions or other financial services providers, to be recorded with the OJK as DFI providers.


The business-scope classifications set out in the table above appear to be an initial attempt by the OJK to identify financial-services providers and other institutions in the DFI arena that are subject to OJK regulation and should thus be recorded as DFI providers, and to differentiate them from fintech-based business models that fall under the regulatory authority of BI, which has commenced regulatory sandboxing for financial technology providers in the payments sector, e.g., providers that employ fintech for clearing, final settlement and payment realization operations that come within the regulatory authority of Bank Indonesia, as stipulated in Bank Indonesia Regulation No. 19/12/PBI/2017 (on the Application of Financial Technology).


It should be noted that the recordation requirements under Reg. 13 are not applicable to a DFI provider that previously registered with or obtained its business license from the OJK. For example, a peer-to-peer operator  / P2p lending services provider is exempt from the recordation obligation if it has registered with or obtained its business license from the OJK under OJK Regulation No. 77/POJK.01/2016 (on Technology-Based Lending).


Regulatory Sandbox


Once a DFI provider has been recorded, the OJK will then review whether it is qualified to participate in the regulatory sandbox process. This is defined by Reg. 13 as “a testing mechanism established by the OJK to assess the reliability of the business processes and models, financial instruments and management processes of a provider.”


A selected DFI provider is permitted to participate in the regulatory sandbox process for the purpose of testing their DFI for a period of one year, which period may be extended for a further 6 months.


After completing the sandbox process, the OJK will then issue a “recommendation status” determination for the provider under which the provider either: (i) receives a recommendation for registration; (ii) is required to make improvements to its DFI, in which case the OJK will extend the sandbox for a period of six months subsequent to the making of the required improvements; or (iii) is denied a recommendation meaning that the provider will lose its recordation and will be prohibited from having the same DFI sandboxed again.




Within 6 months of the issuance of a recommendation, a DFI provider should apply to the OJK for registration (pendaftaran), which will be granted within 30 days of receipt of the completed application.


Besides being subject to OJK supervision, a registered DFI provider is required to conduct self-assessment by recording the main risks (strategic, cyber and liquidity) that relate to its business model.


C. Sanctions


Reg. 13 sets out an ascending scale of administrative sanctions for non-compliant DFI providers. These consist of (i) written warnings; (ii) fines; (iii) cancelation of approval; and (iv) deregistration.


D. Concluding Note


As the regime established by Reg. 13 is entirely new, the OJK is currently working on the necessary technical guidelines and the establishment of an online system for the registration of DFI providers. We will continue to liaise closely with the OJK going ahead and to provide regular updates on the latest developments in the DFI arena.


By Elsie F. Hakim (, Rully Hidayat (, and Fauzan Permana (



[i] See BI Regulation No. 19/12/PBI/2017, BI Board of Governors Regulation No 19/15/PADG/2017 and BI Board of Governors Regulation No. 19/14/PADG/2017.