The fintech sector in Indonesia is regulated by two separate institutions:

  • the central bank (Bank Indonesia) for fintech relating to the payments system (eg, payment gateways, e-money and e-wallets); and
  • the Financial Services Authority (OJK) for fintech relating to lending and all other aspects of fintech.

Following in Bank Indonesia's footsteps in the payments arena, the OJK has gradually moved to exert control over its sphere of responsibility in the fintech sector, with peer-to-peer lending being regulated through OJK Regulation 77/POJK.01/2016 and OJK Circular 18/SEOJK.02/2017. However, until recently, the OJK had never issued an overarching regulation governing the development of the sector as a whole or replicating the sandbox regime and pre-audit mechanism (ie, all documents and systems must be ready before applying for a licence) established by Bank Indonesia for fintech in the payments arena.

This gap has now been filled by OJK Regulation 13/POJK.02/2018 on Digital Financial Innovation in the Financial Services Sector ('Regulation 13'), which entered into effect on 16 August 2018.

Unfortunately, Regulation 13 eschews the usual Indonesian equivalents for the international term 'financial technology' or 'fintech' and instead opts for the term 'digital financial innovation' (DFI). This could prove somewhat confusing for the uninitiated, especially given that the relevant Bank Indonesia regulations all employ the term 'financial technology'.(1)

Key features of Regulation 13

Scope of DFI Regulation 13 defines DFI as "any form of innovation in business processes, business models or financial instruments that provides added value in the financial services sector through participation in a digital ecosystem". It further provides that DFI encompasses a variety of fintech services, as described below.

Business operation

Business model

Transactional settlements

For example, investment settlement

Capital accumulation

For example, equity crowdfunding, virtual exchanges and smart contracts and alternative due diligence

Investment management

For example, advanced algorithms, cloud computing, capability sharing, open-source information technology, automated advice and management, social trading and algorithmic retail trading

Fund accumulation and distribution

For example, peer-to-peer lending, alternative adjudication, virtual technologies, mobile 3.0 and third-party application programming interfaces


For example, sharing economies, autonomous vehicles, digital distribution and securitisation and hedge funds

Market support

For example, artificial intelligence and machine learning, machine-readable news, social sentiment, big data, market information platforms and automated data collection and analysis

Other digital supporting services

For example, social or eco-crowdfunding, Islamic digital banking, e-waqf, e-zakat, robo-advice and credit scoring

Other financial services operations

For example, invoice trading, vouchers, tokens and blockchain-related products

Recordation, regulatory sandbox and registration Regulation 13 essentially establishes a DFI regime consisting of three separate but mutually related aspects:

  • recordation;
  • regulatory sandbox; and
  • registration.

Recordation Regulation 13 requires all existing and prospective DFI providers in Indonesia – whether in the form of financial services institutions or other financial services providers – to be recorded with the OJK as DFI providers.

The business scope classifications set out in the table above appear to be an initial attempt by the OJK to:

  • identify financial services providers and other institutions in the DFI arena that are subject to OJK regulation and should thus be recorded as DFI providers; and
  • differentiate these from fintech-based business models that fall under the regulatory authority of Bank Indonesia.

Bank Indonesia has commenced regulatory sandboxing for financial technology providers in the payments sector (eg, providers that employ fintech for clearing, final settlement and payment realisation operations that come within the regulatory authority of Bank Indonesia) as stipulated in Bank Indonesia Regulation 19/12/PBI/2017 on the Application of Financial Technology.

It should be noted that the recordation requirements under Regulation 13 are not applicable to a DFI provider that previously registered with or obtained its business licence from the OJK. For example, a peer-to-peer operator or lending services provider is exempt from the recordation obligation if it has registered with or obtained its business licence from the OJK under OJK Regulation 77/POJK.01/2016 on Technology-based Lending.

Regulatory sandbox Once a DFI provider has been recorded, the OJK will review whether it is qualified to participate in the regulatory sandbox process. This is defined by Regulation 13 as "a testing mechanism established by the OJK to assess the reliability of the business processes and models, financial instruments and management processes of a provider".

A selected DFI provider can participate in the regulatory sandbox process for the purpose of testing their DFI for a period of one year, which may be extended for a further six months.

After completing the sandbox process, the OJK will issue a 'recommendation status' determination for the provider, under which the provider either:

  • receives a recommendation for registration;
  • is required to make improvements to its DFI, in which case the OJK will extend the sandbox for a period of six months subsequent to the making of the required improvements; or
  • is denied a recommendation, meaning that the provider will lose its recordation and be prohibited from having the same DFI sandboxed again.

Registration Within six months of the issuance of a recommendation, a DFI provider should apply to the OJK for registration, which will be granted within 30 days of receipt of the completed application.

Besides being subject to OJK supervision, a registered DFI provider must conduct self-assessment by recording the main risks (strategic, cyber and liquidity) that relate to its business model.


Regulation 13 sets out an ascending scale of administrative sanctions for non-compliant DFI providers. These consist of:

  • written warnings;
  • fines;
  • cancellation of approval; and
  • deregistration.


As the regime established by Regulation 13 is entirely new, the OJK is still working on the necessary technical guidelines and the establishment of an online system for the registration of DFI providers.

For further information on this topic please contact Elsie F Hakim or Rully Hidayat at Ali Budiardjo, Nugroho, Reksodiputro by telephone (+62 21 250 5125) or email ( or The Ali Budiardjo, Nugroho, Reksodiputro website can be accessed at


(1) See Bank Indonesia Regulation 19/12/PBI/2017, Bank Indonesia Board of Governors Regulation 19/15/PADG/2017 and Bank Indonesia Board of Governors Regulation 19/14/PADG/2017.

This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.