Until very recently, the Financial Services Authority (OJK) only regulated peer-to-peer fintech lending platforms (P2P firms). A recently issued OJK regulation (POJK 13/2018) increases its regulatory mandate over fintech firms in a bid to prevent financial sector stability, promote consumer protection, and improve non-competitive practices. POJK13/2018 is effective as of 16 September 2018.

On quick review, POJK 13/2018 is similar to Bank Indonesia regulation No. 19/12/PBI/2017 (PBI 19/2017), which was issued a year earlier. Both regulations aim to enhance and support the digital financial ecosystem that is currently flourishing. PBI 19/2017 more specifically covers the payment system for fintech that would affect monetary and financial stability, while POJK 13/2018 covers more generic digital financial innovation. There is still some uncertainty at this point on the practical implementation, in particular for areas such as market support, where the regulations overlap.

Some highlights of POJK13/2018 are:

Regulated fintech

Fintech firms engaged in financial service activities (a non-exhaustive list comprising transaction settlements, capital accumulation, investment management, fund distribution and collection, insurance, and market support services) must register with the OJK. The OJK also has the authority to compel fintech firms to register. Fintech firms must either be (i) financial services institutions, or (ii) other institutions performing activities in financial services (which could be limited liability companies or cooperatives). Fintech firms submit a registration application to the OJK, who will evaluate if the fintech firm falls within its jurisdiction.

The following fintech criteria will be considered:

  • level of innovation
  • utilization of information and communications technology
  • support of financial inclusion and literacy
  • public benefit and accessibility
  • ability to be integrated into existing financial services
  • collaborative approach
  • consumer and data protection

Fintech firms already registered with or licensed by the OJK (i.e., P2P Firms, commercial banks, insurance firms, etc.) are not obligated to renew their status under POJK13/2018.

OJK regulatory sandbox

Regulatory sandboxes are generally a closed testing environment designed for the safe experimentation of new technologies which are not subject to current legislative protection. One benefit of participating in the OJK regulatory sandbox is the temporary exemption from nonprudential OJK regulations.

Once the OJK determines that it has jurisdiction to regulate the fintech firm under POJK13/2018, it will decide if the fintech used by the fintech firm qualifies for the OJK regulatory sandbox (qualifying fintech). A qualifying fintech must, among others, be attempting to implement a new business model, have wide market coverage, and be a member of the Indonesian Fintech Association (Aftech).

To participate, the qualifying fintech must commit to full transparency with the OJK (and any other involved authority), collaborate with financial services authorities, and participate in programs aimed at developing the financial services sector. Under the regulation, the OJK regulatory sandbox period is one year, extendable for a further six months.

OJK v. BI sandbox

The OJK sandbox is separate to the Bank Indonesia (BI) regulatory sandbox applicable to fintech firms providing various services (e.g., payment systems, market support, investment management and risk management services, loans, financing, capital allocation, etc.). The BI regulatory sandbox process is generally similar to the OJK's, save for time frames. The BI regulatory sandbox period is six months, extendable once for a further six months.

Though there are overlaps between BI's and OJK's jurisdiction (most notably market support services and investment management services), current legislation provides that BI registration (and consequently participation in the BI regulatory sandbox) will not be required where the fintech is registered with the OJK, although no such provision applies vice versa. It is likely that BI and OJK coordinate amongst themselves where a fintech qualifies for both regulatory sandboxes to prevent double testing.

After the OJK regulatory sandbox testing is completed, the OJK will determine if the fintech (i) is recommended; (ii) requires improvement; or (iii) is not recommended. Where the fintech is recommended, the fintech firm may proceed with OJK registration within six months. Where the technology requires improvement, the fintech firm will have six months to improve the fintech and re-submit for OJK determination, should the OJK determine that no improvements have been made, the fintech will receive a "not recommended" determination, and the fintech firm will not be able to register using the same (tested) fintech.

It remains to be seen what type of fintech will be subject to the OJK regulatory sandbox, and if the program will reduce the time and cost of getting innovative fintech to market.

OJK registration

Where fintech firms receive an OJK recommendation, or where a fintech firm uses "recommended" fintech, they must register with the OJK. The fintech firm's deed of establishment, management identification, fintech product information and business plans will be required. OJK registration processing should take a maximum of 30 days.

After registration, fintech firms will receive a registration certificate with a serial number. Fintech firms which are non-financial services institutions will be permitted to display the serial number on their offerings and advertising materials.

Reporting obligations

Fintech firms with fintech in the OJK sandbox are required to submit quarterly performance reports.

Fintech firms registered with the OJK are required to submit monthly risk self-assessment reports. The firms must also disclose performance and investment reports to relevant fintech firm service users, which must also be made available to the OJK when requested.

Data protection

Fintech firms are required to obtain consent from service users to use their personal data and explain how such data will be used. The distribution of personal data by fintech firms to third parties is permitted, provided that it is covered by a consent.

Fintech firms are also required to locate data and disaster recovery centers within Indonesia.

Consumer protection

Fintech firms

  • must implement activities which improve the public's financial literacy and inclusion;
  • must have a customer services center with dedicated staff, although outsourcing is permissible; and
  • must explain why services are being withheld or delayed.

Aftech

POJK13/2018 provides Aftech with the authority to set standards using a market-discipline approach. Notably, POJK13/2018 provides that Aftech will set industry standards and ethics, will be the liaison between OJK and fintech firms, and will engage in training and consumer protection activities both domestically and internationally.

Cooperation

Fintech firms that cooperate with financial services institutions should be registered with the OJK. Note that existing unregistered cooperation is permitted, provided that it does not extend beyond 16 August 2021.

Sanctions

Fintech firms who do not comply with POJK13/2018 will be subject to written warnings, fines, revocation of fintech "recommended" status, and even revocation of fintech firm registration.

Implementation and Indonesia practice

It is encouraging to see the regulators take an active part in regulating the digital financial sector to support the growing ecosystem. It remains to be seen exactly how OJK shall implement POJK 13/2018. We will provide further updates as they become available.

Our Indonesia Banking and Finance team has the capability to assist our clients in navigating through the ambiguities and complexities of the regulatory framework in Indonesia. We understand that commercially and legally viable solutions are important to our clients, and we provide the best.