Like most businesses, Indonesia’s fintech industry was sluggish in 2020. Indonesia’s fintech lending association, Asosiasi Fintech Pendanaan Bersama Indonesia (AFPI), reported that about half of the association's members had received loan restructuring applications from their clients in 2020 as a result of the impact of COVID-19. The AFPI added that the fintech lending market experienced an average 5% decline in loan disbursements from March to April 2020.

The authors found that some disputes were registered with Indonesian courts that involved peer-to-peer lending providers, borrowers and lenders. In the authors' understanding, all the disputes were mainly related to non-performing loan issues in the fintech lending sector.

COVID-19 was not the only problem experienced by fintech lending players. Throughout 2020, the AFPI frequently found inappropriate and illegal operations in fintech lending. They usually involved peer-to-peer lending providers not registered with Indonesia’s Financial Services Authority (OJK). Those providers were therefore unaware of the AFPI’s internal rules and consequently breached business restrictions, such as:

• personal data protection, by collecting contact data from borrowers’ smartphones;
• charging interest of more than 0.8% per day, which is above the AFPI’s standard; and
• adopting inappropriate methods when collecting payments from borrowers.

To address this, the OJK, together with the Investment Awareness Task Force (IATF), took preventative measures against negligent providers.

In addition to fintech lending, the e-money market was also sluggish in 2020. This is supported by a statement from Bank Indonesia (BI) that indicated a decline in the volume of e-money transactions from February 2020. BI stated that e-money issuers greatly impacted by COVID-19 provided e-money services for the payment of toll road fees.

Economic uncertainties are likely to lead to the continued incidence of disputes over non-performing loans in 2021. A greater challenge to the industry is that the OJK is now preparing a new regulation on fintech lending that incorporates major changes in comparison to Regulation No 77 of 2016 on Information Technology-based Money Lending Services (“OJK Reg. 77”). This will cover issues that include an increase in core capital, the simplification of authorisation, and mandatory funding to productive sectors.

Fintech lending dominates Indonesia’s fintech industry, with more players than other fintech sectors. At the time of writing, the OJK has recognised more than 140 companies that provide peer-to-peer lending provider services and has regulated this business sector through OJK Reg. 77. This is likely to be superseded soon, as the OJK is preparing a new regulation on fintech lending. The draft is more comprehensive compared with OJK Reg. 77 and incorporates some major changes, such as:

• an increase in the minimum issued and paid-up capital of a peer-to-peer lending provider from IDR2.5 billion to IDR15 billion;
• foreign shareholding requirements for new peer-to-peer lending providers – a foreign shareholder entity must be engaged in financial services, while individuals may only acquire shares in a peer-to-peer lending company through capital market transactions;
• simplification of licence authorisation from two phases to one; and
• mandatory funding to productive sectors.

Once the draft regulation has been enacted by the OJK, these requirements must be fulfilled by existing and new players (assuming the provisions survive).

Indonesia’s fintech industry is supervised by two discrete regulators: BI and the OJK. Whilst BI supervises fintech and payment systems (e-money, e-wallets and other unclassified payment system fintech providers), the OJK supervises non-payment fintech (peer-to-peer lending, equity crowdfunding and digital financial innovation (DFI)).

The regulations that serve as the legal basis for the fintech models described above are:

• BI Regulation No 20/6/PBI/2018 on Electronic Money as e-money;

• BI Regulation No 18/40/PBI/2016 on the Implementation of Payment Transaction Processing for e-wallets;

• BI Regulation No 19/12/PBI/2017 on the Implementation of Financial Technology for unclassified payment system fintech providers (“BI Reg. 19”);
• BI Regulation No 22/23/PBI/2020 on Payment Systems (effective 1 July 2021);
• OJK Reg. 77 on fintech lending;
• OJK Regulation No 57/POJK.04/2020 on Securities Offerings via Information Technology-based Equity Crowdfunding Services (“OJK Reg. 57”) for equity crowdfunding; and
• OJK Regulation No 13/POJK.02/2018 on DFI in the Financial Services Sector (“OJK Reg. 13”) for DFI.

There are no specific requirements; compensation depends on the contractual arrangements between fintech providers and their customers.

The fintech regulations apply to both existing and new fintech providers.

Indonesia has a regulatory sandbox that aims to assess the reliability of business processes, business models and financial instruments, and for the governance of unrecognised or unregulated fintech providers. BI maintains a regulatory sandbox for payment system fintech providers, whilst the OJK has one for providers of non-payment system fintech.

BI Regulatory Sandbox

The legal basis for the BI regulatory sandbox is set out in BI Reg. 19. All unclassified and unregulated fintech providers that fall within the payment system sector must apply to BI to be registered with the central bank. Once registered, BI will set up a regulatory sandbox for the fintech provider. Based on its outcome, BI may instruct a provider to apply to it to continue its operations, cease them, or hand the result to another regulator (should the provider’s business not fall within the payment system category).

OJK Regulatory Sandbox

Under OJK Reg. 13, a fintech provider in the non-payment system sector – such as an aggregator, financial planner or innovative credit assessor – must apply for recordation at the OJK as a DFI provider. Once recorded, the provider will be assessed by the OJK while in a regulatory sandbox, and can be recommended for registration with the OJK.

Indonesian regulators may co-ordinate with each other to confirm the boundaries of their respective regulatory authority. In 2019, the OJK’s DFI group decided to transfer its regulatory authority over crypto-assets and digital gold trading to BAPPEBTI (a government agency under the Ministry of Trade that regulates futures trading, and, in this case, oversees crypto-asset trading). In addition, a joint task force of Indonesian regulators is also a concrete example of how Indonesian regulators co-operate with each other. In 2016, the IATF was established by the following Indonesian regulators and law enforcement institutions:

• the OJK;
• the Ministry of Trade;
• the Investment Coordinating Board;
• the Ministry of Communications and Informatics (MCI);
• the Public Prosecution Service of Indonesia; and
• the National Police.

Unlike some other financial sectors that specify outsourcing, fintech regulations are silent on whether a function of a fintech provider can be outsourced to a third party. Generally, the types of work appropriate are non-core activities pursuant to Law No 13 of 2003 on Labour (the “Labour Law”). However, the majority of the provisions on outsourcing under the Labour Law were removed by Law No 11 of 2020 on Job Creation; this has created a perception that any type of work, whether core or non-core, may be outsourced.

The authors are of the view that the business association of each fintech sector may have an internal code of conduct or rules on whether certain functions of a provider may be outsourced.

Fintech providers are fully responsible for their platforms and other services provided to their customers and cannot abdicate their responsibility to any party (with reference to Law No 8 of 1999 on Consumer Protection, or the “Consumer Protection Law”), also adopted by OJK Regs. 77 and 57.

The OJK has deregistered many fintech players, especially peer-to-peer companies. The most significant reasons for deregistration are late filing of licence applications (or passing of the deadline) and illicit conduct.

Through its IATF, the OJK regularly receives reports from the public on a variety of unlicensed investments, including cross-border investments. The OJK updates a list of entities that allegedly offer "illegal" investments and are potentially fraudulent. In performing its duties, the IATF co-operates with the MCI to block access to websites or apps of the operators concerned.

Obtaining an Electronic System Operator (ESO) Certificate

Fintech providers must comply with regulations on the use of electronic platforms in Indonesia. Whether applications or websites, these are classified as electronic systems pursuant to Government Regulation No 71 of 2019 on the Implementation of Electronic Systems and Transactions (“Reg. 71”). An ESO and its electronic system must be registered with the MCI in accordance with Reg. 71. The MCI will issue an ESO Certificate to an ESO that has successfully registered its platform with it.

Personal Data Management and Handling

In addition to a requirement to obtain an ESO Certificate, implementation of an electronic system must accord with personal data protection principles. Nonetheless, all stages of personal data processing by an ESO (including the collection, processing and analysis, storage, disclosure and deletion of user data) must maintain data privacy and comply with the law, in this case, Law No 11 of 2008, as last amended by Law No 19 of 2016 on Electronic Information and Transactions (the “EIT Law”) in conjunction with Reg. 71 and MCI Regulation No 20 of 2016 on Personal Data Protection in Electronic Systems.

Prohibition on Pornographic Content

The EIT Law prohibits the intentional and unauthorised distribution of, transmission of, creation of, or action resulting in accessibility to electronic information or data with immoral content. This is also in line with the Pornography Law, which prohibits anyone from producing, creating, copying, multiplying, distributing, broadcasting, importing, exporting, offering, selling and purchasing, leasing, or providing pornography that explicitly shows:

• sexual intercourse, including deviant sexual activity;
• sexual exploitation;
• masturbation;
• nudity or displays of exotic nudity;
• sex organs; or
• child pornography.

Implementation of Anti-money Laundering (AML) and Counter-Terrorism Financing (CTF)

OJK Regulation No 12/POJK.01/2017 on the Implementation of AML and CTF (“OJK Reg. 12”) applies to fintech providers that receive fees from customers in return for their services as peer-to-peer lenders and equity crowdfunding providers. These providers must have a policy, supervisory protocol and procedure to mitigate the risk of money laundering and financing of terrorism related to their customers, report the implementation thereof to the OJK and suspicious transactions to the Financial Transaction Reports and Analysis Centre (PPATK).

Business associations in fintech sectors play a significant role in overseeing fintech players. Currently, two business associations are recognised by the OJK: the Indonesia FinTech Association (AFTECH) and the AFPI. Both associations have tried to supervise those aspects of fintech activities that are not yet stipulated in the regulation by issuing a code of conduct for each fintech sector. It has also been a mandate of the OJK to the associations to ensure the compliance of fintech players with the prevailing regulation as well as to supervise the way the fintech players conduct their business.

The AFPI has issued a code of conduct that prevails for all peer-to-peer lending providers, while AFTECH issued codes of conduct in November 2020 for three business clusters: aggregator, innovative credit scorers and financial planners. In addition to the associations, the public can also participate in the review of illegal fintech provider activities by submitting a report to the IATF.

Financial products and services are highly regulated in Indonesia, in the sense that all financial products and services offered should be supervised by either the OJK, BAPPEBTI or BI. In the fintech sector, not all products and services are yet regulated. This is due to the rapid growth of innovation in digital financial services and because regulators are still playing catch-up with this development, particularly in formulating regulations that fit products and services offered by fintech players.

The OJK and BI have attempted to address the situation by introducing a regulatory sandbox as a testing mechanism aimed at accommodating all types of fintech products and services while simultaneously assessing their "fit" with existing regulations; otherwise, new regulations would need to be prepared. This helps them create a framework that both accommodates innovation, yet affords adequate protection to the public.

For those parts of the fintech industry already regulated, such as peer-to-peer lending and securities crowdfunding, entities engaged in these sectors must be single-purpose companies, and will not be permitted to offer other products or services beyond what their licences permit.

Indonesian law does not specifically regulate robo-advisers. However, in practice, several financial service providers have used robo-advisory services when operating their business, such as mutual fund sales agents (APERD) and financial planners. The use of robo-advisory services in these businesses must follow the requirements that prevail for each asset class. If a specific stipulation does not exist for a given asset class, a robo-adviser for that class may fall within the regulatory sandbox scheme, specifically the OJK scheme.

There is no specific regulation on robo-advisers. Thus, the implementation of solutions introduced by robo-advisers must adhere to specific regulations, internal guidelines or rules that apply to those fintech providers.

With regard to robo-adviser operators in stock trading, the actual trade of stocks should be carried out by securities companies. The robo-adviser platform should therefore co-operate with a securities company instead of replacing it. This issue arises due to the absence of regulations on robo-advisers in Indonesia, which might otherwise differentiate between robo-adviser services and conventional existing services.

OJK Reg. 77 does not identify special treatment for individuals or small-business borrowers. However, in the draft that will replace OJK Reg. 77, the OJK requires providers to facilitate funding to:

• productive sectors, accounting for at least 40% of total outstanding funding annually; and
• to fund recipients outside Java.

A provider that does not fulfil these obligations will be subject to a fine of IDR25 million, according to the draft.

Peer-to-peer lending providers are required to mitigate risk in carrying out their business, pursuant to OJK Reg. 77. This includes both operational and credit risks that may occur. In addition, peer-to-peer lending providers may also co-operate with other information technology-based supporting providers to improve their services, as OJK Reg. 77 further explains. In this regard, the authors understand that some peer-to-peer lending providers co-operate with credit scoring companies for improving the quality of their underwriting processes. This is in line with the draft regulation projected to replace OJK Reg. 77, as it refers to third-party agreements for risk mitigation and requires risk mitigation mechanisms to be used by providers in the event a loan does not perform.

Indonesian law only recognises one type of loan-based fundraising: peer-to-peer lending stipulated in OJK Reg. 77. Equity-based fundraising is covered separately in OJK Reg. 57.

OJK Reg. 77 does not dictate a catch-all scheme for fintech lenders. However, a borrower that uses a peer-to-peer lending provider’s platform may receive a loan from many lenders or just one.

Payment processors may use existing payment rails or create/implement new ones if they have obtained the required licences from BI as a payment system, payment system infrastructure or payment system supporting services provider. If newly created payment rails do not fall completely within the scope of existing payment system licences issued by BI, the fintech recordation regime must accommodate them.

As the activity relates to payment systems, fintech recordation should fall under the fintech regulation of BI, and for such recordation, payment processors must lay out details of their new payment rails. BI will then decide whether the new payment rails can be used in Indonesia until it issues a new regulation or policy. Alternatively, it may require payment processors to obtain a licence based on the existing regulations or order them to stop using the new payment rails.

Cross-border payments and remittances fall within the supervision of BI, and may be carried out by both banks and non-bank entities. For licensing, only non-bank entities will need to obtain a remittance licence from BI before engaging in remittance activities. For banks, since remittances is one of their permitted activities, no separate licence is required to provide this service. However, both banks and non-bank entities will need to comply with reporting requirements to BI on their remittance services.

Cross-border remittance can only be done in co-operation with a provider that has obtained a remittance licence from the relevant authority in its home jurisdiction, and it must obtain BI approval. BI is also authorised to stipulate an upper limit for cross-border remittances. However, this will only apply to non-bank entities.

Banks and non-bank entities that provide cross-border remittance services also need to comply with the reporting requirements set out by the PPATK.

No specific regulation exists for fund administrators. The administration of funds in Indonesia is handled mostly by securities companies that act as investment managers, for which they must be licensed by the OJK. The main task of an investment manager is to manage the securities/investment portfolio of its customers, which may include bonds, stocks, collective investment units and futures contracts related to securities. The administration of funds by banks, insurance companies and pension funds is subject to regulations applicable to those sectors.

Fund advisers are known as investment advisers and their activities are supervised by the OJK. Investment advisers may be companies or individuals and are subject to OJK licensing requirements. A fund adviser’s main role is to provide advice on the sale and purchase of securities; a fund adviser is not permitted to manage a customers’ funds or forecast the performance of securities.

There is no strict prohibition on an investment adviser entering into a co-operation agreement with an investment manager, if the scope of co-operation is still within the permitted activities of both functions.

Securities Trading

The most common trading platforms in Indonesia are those that relate to securities (including scripless stock and mutual funds) trading. This platform must be operated by a licensed securities broker and may only be used by customers of that broker. Operation of such a trading platform is stipulated in OJK Regulation No 50/POJK.04/2020 on Internal Control of Securities Companies that act as Securities Brokers, which allows a securities company to use electronic communication, including the internet, short messaging services, wireless application protocol or other electronic media to facilitate their securities transactions.

In addition to the trading feature, the platform must also provide information on trading risk, the security and confidentiality of all data, and how an order will be processed by the broker, along with information on procedures for handling order delays or instructions for addressing disruption to the system.

The sale of mutual funds via a platform can also be done by fintech companies licensed by the OJK to act as mutual fund sales agents.

Futures Commodities Trading

BAPPEBTI, as futures trading supervisor, has not issued a specific regulation on the use of online platforms for futures trading. However, BAPPEBTI allows futures commodities brokers to use online electronic media for customer onboarding processes, provided prior approval from BAPPEBTI exists for an online feature. In practice, trading in commodities futures, which may also include digital gold, can be done via a platform as long as the platform is operated by a licensed commodities futures broker also connected to an online trading platform provided by the Indonesia Commodity and Derivatives Exchange (ICDX) and the Jakarta Futures Exchange (JFX).

Money Market

Under BI Board of Governors Regulation No 21/19/PADG/2019 on Providers of Electronic Trading Platforms, operators of electronic trading platforms that facilitate transactions within money and foreign exchange markets need to be licensed by the BI. Initially, an operator can apply to the BI for an in-principle licence. With this, the operator is allowed to start preparing the infrastructure of its platform, including a feasibility study of its business operation. Once preparation is complete and the operator is ready to start operating, it may apply for a business licence. Operations can only commence after a BI licence has been issued.

Each asset class will have its own regulatory regime, as described above. Securities trading falls under the supervision of the OJK, while futures commodities (including digital gold and crypto-assets) fall under the supervision of BAPPEBTI. BI supervises the use of trading platforms within money and foreign exchange markets.

Virtual currencies (including cryptocurrencies) are not recognised as a legitimate payment instrument in Indonesia. However, the increase in popularity of cryptocurrencies in Indonesia has pushed the Indonesian government to issue a legal framework for cryptocurrencies in the Indonesian market.

Cryptocurrencies in Indonesia are recognised as crypto-assets that can only be traded as futures commodities at a crypto-assets futures exchange approved by BAPPEBTI. Trading can also be done through a crypto-asset merchants’ platform connected with a crypto-assets futures exchange platform. Key players involved in crypto-assets transactions are exchanges, clearing agencies, merchants and depository agencies for crypto-assets. All of these need to be licensed by BAPPEBTI.

Crypto-assets that can be traded in a futures exchange must also fulfil the requirements set out by BAPPEBTI, such as inclusion in the top 500 crypto-asset market capitalisation (CoinMarketCap) list. As of December 2020, BAPPEBTI had stipulated 229 types of crypto-assets that could be traded in a futures exchange, including Bitcoin, Ethereum and XRP. (See 12 Blockchain for more detail on the criteria for crypto-assets.)

In Indonesia, listing standards are relevant for products in the capital market sector, which include stocks and bonds. The listing must follow the rules of the Indonesian Stock Exchange (IDX). There are currently three listing boards on the IDX: the main, development and acceleration boards. The main and development boards are designated for companies that have already started operations within a certain period and have a certain level of assets. For example, a company that can list its stocks on the main board must have net tangible assets of more than IDR100 billion, while to be listed on the development board, it is IDR5 billion and income of more than IDR40 billion. Most companies in Indonesia list their stocks on the main board.

The acceleration board is designated for small and medium-scale businesses with a range of assets from IDR50 billion to IDR250 billion. Small and medium-scale companies may list their stocks immediately upon establishment. The financial and accounting requirements and the offering structure for the acceleration board are relatively simple compared with those for the main and development boards.

In relation to stock trading, both the OJK and the IDX set out general rules on procedures that need to be implemented by securities brokers when handling their customers' orders. In accepting orders, the OJK requires securities brokers to verify customer identity and record details of the order, such as the number, type and price of the stocks. The securities broker must also maintain a risk management unit that is responsible for, among other things, verifying orders or instructions from customers to ensure the availability of funds or stocks for settlement of the transaction. Specifically, securities brokers that operate a trading platform must ensure that the platform provides information on procedures to handle delays to orders due to an interruption of the online system.

The IDX also stipulates that a securities broker may only accept and execute a trading order from a board member or member of staff if the securities broker maintains a standard operating procedure that stipulates, among other matters, the prioritising of customer orders.

Before the acknowledgment of cryptocurrency as crypto-assets, many players established peer-to-peer trading platforms to trade various cryptocurrencies. However, since the enactment of regulation on crypto-asset trading on futures and digital exchanges, trading was centralised to the crypto-assets futures exchange. Trading in crypto-assets needs to be carried out via a crypto-assets futures exchange approved by BAPPEBTI. This marks the end of peer-to-peer trading platforms for cryptocurrencies in Indonesia.

For stock trading, all activities are centralised with the Indonesian stock exchange and every party involved in stock trading needs to obtain a licence beforehand from the OJK and follow the IDX rules. The closest structure to a peer-to-peer trading platform is the securities crowdfunding platform stipulated in OJK Regulation No 57/POJK.04/2020 on securities crowdfunding. This regulation defines securities crowdfunding as an offering of securities by an issuer directly to an investor using a publicly accessible electronic system. The issuer will be exempted from the normal capital market rules on initial public offerings if the offer is through an OJK-licensed provider and only for a period of not more than 12 months; and should not raise more than IDR10 billion.

A securities crowdfunding platform provider may also provide a system that facilitates secondary market trading in securities that were distributed at least one year before the trade. A trade in the secondary market can only be done between investors that are registered with the platform, with no more than two trades within 12 months and a gap of six months between each trade.

Although the platform operates in a similar way to a peer-to-peer trading platform, all trading (including changes of securities ownership) made through the securities crowdfunding platform must be registered with the Indonesian Central Securities Depository (KSEI) as the agency in the Indonesian capital market that provides organised, standardised and efficient central custodian and securities transaction settlement services, in compliance with the Indonesian Capital Market Law.

No specific rules exist in Indonesia for best execution of customer trades. The OJK and the IDX, however, stipulate general rules that require every securities company that acts as a broker to put the interest of customers ahead of their own interest when performing a transaction. In providing their buy and sell recommendations, brokers must also inform customers if they have an interest in the securities recommended to them.

No specific regulation on payment for order flow exists in Indonesia. In general, all securities brokers need to execute their trade orders themselves, and may only assign them to another broker if there is trouble in the trading system or if the stock exchange suspends them while an outstanding order needs to be executed. Further, the securities brokers must also disclose fees charged to customers when facilitating a trade, including their fee, and fees charged by the stock exchange.

A benchmark fee (or commission) that may be charged by a securities broker must be agreed and stipulated by members of the Indonesia Securities Company Association.

The fundamental principles of Indonesian capital market laws and regulations are:

• disclosure;
• efficiency;
• fairness; and
• protection of investors.

For investor protection, the Indonesian Capital Market Law stipulates two key areas of market abuse: insider trading and market manipulation. The Law stipulates that parties (which includes individuals, companies, partnerships, associations or organised groups) are prohibited from:

• deceiving or misleading other parties through the use of whatever means or methods;
• participating in a fraud or deception against another party;
• giving false statements on material facts; or
• failing to disclose material facts that are necessary in order to avoid a statement being misleading.

A violation of the market abuse prohibition is subject to imprisonment for up to ten years and a fine of up to IDR15 billion.

High-frequency and algorithmic trading are not yet specifically regulated in Indonesia, even though, in practice, many players already use these technologies in both securities and futures commodities trading. This practice is also acknowledged by both the OJK and the IDX.

The OJK, under its digital finance innovation rule, recognises the use of retail algorithmic trading as part of innovation that needs to be recorded at the OJK. Once recorded, the OJK will include a provider of retail algorithmic trading in a regulatory sandbox. The OJK will then further analyse the activities to determine whether the provider may continue their services in retail algorithmic trading. Additionally, in a press release on the IDX’s mission for 2018–21, one item is to increase securities transaction liquidity by perfecting the feature and capacity of the trading system (including to anticipate customers that use algorithmic trading and high-frequency trading as their trading methods).

One concern in the use of high-frequency and algorithmic trading is potential breach of the market manipulation rule under the Indonesian Capital Market Law, which prohibits action that is misleading about trading activity, and manipulation of securities prices.

Market makers in Indonesia are only recognised for trading in commodities futures. A market maker is defined as a party continuously quoting sell or purchase orders during trading hours. The futures exchange and futures clearing house will jointly determine parties appointed as market makers with the approval of the head of BAPPEBTI. However, there are no specific registration requirements for market makers within the context of high-frequency and algorithmic trading in commodities futures.

For securities trading, the OJK is still preparing a regulation that will require the registration of market makers at the stock exchange.

This is not applicable in Indonesia. See 8.1 Creation and Usage Regulations.

There is still no specific regulation in Indonesia on the development and creation of trading algorithms. To the extent that programmers are only involved in the creation of the system but not actual trades, it is unlikely that they would fall under the supervision of the OJK, BAPPEBTI, BI or the IDX. However, if the activities evolve to involvement in actual trades, they may fall within the ambit of the OJK’s digital finance innovation rule and thus need to be recorded with the OJK.

To date, a financial research platform is regarded as a fintech business model, is often regarded as an “aggregator” cluster and is classified as a DFI under the supervision of the OJK. A financial research platform, in this case, should be limited to a digital platform offering information on financial products and services of financial institutions but should not be undertaking activities that may trigger the need for a licence under the OJK (ie, investment broker or investment adviser licensing).

Financial research platforms operate as limited liability companies (PTs). Note that for DFIs, recordation or registration with the OJK is voluntary and is not licensing per se. The participants should undergo the recordation process following their PT’s incorporation. Furthermore, digital platform providers are ESOs and must also be registered at the MCI.

The spreading of rumours or unverified information in the electronic information and transactions field is under the authority of the MCI. The EIT Law prohibits distribution of, transmission of, or access to electronic information or electronic documents that contain, among other matters, fake news (hoaxes) and misleading information that may result in consumers suffering losses in electronic transactions.

As a sign of strong government commitment to the country's digital agenda, the MCI and law enforcement authorities are more aware of the need to combat fake news and misleading or unverified information across the internet in recent years. Under the EIT Law, any person who deliberately and unlawfully disseminates a hoax or misleading news that causes losses for consumers in an electronic transaction may lead to criminal sanctions with imprisonment for up to six years or a fine of up to IDR1 billion.

In the capital market, the spreading of rumours or unverified information may lead to market manipulation restrictions under the Indonesian Capital Market Law: a person is prohibited from making false or misleading statements that affect the price of securities on the stock exchange if, at the time the statement or information is made, the person failed to exercise due care in determining the truth of the statement or information. A violation of the market manipulation prohibition is subject to imprisonment for up to ten years and a fine of up to IDR 15 billion.

Although specific regulation on the curation of conversation on the internet at present remains largely unregulated, a financial research platform would typically be expected to establish internal rules to ensure safeguards and oversight over conversation within its platform.

In fact, it is common in the market for digital platforms as over-the-top service providers to maintain:

• active filtering features on their platforms whereby the operator can actively monitor and filter any false or misleading information/content or other types of unacceptable behaviour within its forum; and
• a feature whereby users can report content within the platform, and, subsequently, platform operators will take action against a report, such as taking down the content.

At the time of writing, insurtech is yet to be covered by a comprehensive regulatory regime. The business is largely unregulated; it is still classified as a fintech cluster, hence it is categorised as a DFI under the OJK.

While the traditional underwriting model is regulated under the "incumbent" insurance sector, insurtech remains unregulated. Where insurtech enters into partnership with insurance companies in offering their traditional products, the insurance companies underwrite the products; hence, the underwriting process would follow the traditional underwriting model. Use of big data and other innovative data-driven approaches in the underwriting process of innovative insurance products may vary, as insurtech players set their own rules for better pricing and risk assessment of products.

Under the insurance regulatory landscape, insurance products in Indonesia are generally grouped in two categories: life insurance and general insurance products.

Insurance companies are limited to doing business tailored to their licences; this means that the offer of overlapping services – ie, life insurance and general insurance at the same time – is not permitted.

Business expansion for insurance companies, however, is possible in that life insurance companies can expand their business to investment-related insurance products and fee-based activities (these include marketing other non-insurance products; eg, mutual funds or other products of financial institutions licensed by the OJK), credit insurance and suretyship, or other activities assigned by the government. Sharia-compliant general insurance companies can expand into these activities, except for credit insurance and suretyship, whereas general insurance companies are only allowed to add fee-based activities to their expanding business.

Life insurance and general insurance products, including those that are sharia-compliant, are subject to different regulatory treatment.

Like insurtech, at the time of writing, regtech is unregulated and classified as a fintech cluster, and players qualify as DFIs under the OJK. Regtech solutions in the market today are spread into several clusters under the OJK:

• regtech (automates the collection and storage of customer due diligence (CDD) data to comply with AML and CTF regulations);
• E-KYC (solutions for digital identity and digital signature);
• verification technology (identification and non-CDD verification platforms); and
• tax and accounting (tax and accounting reporting solutions).

Subcontracts between duly licensed financial services entities and third parties are generally dictated by regulations. For example, this is the case in banks (commercial and rural banks, including sharia-compliant ones) for outsourcing their IT systems.

While not specifically applicable to regtech, the OJK mandates specific provisions that must be included for banks to outsource their IT activities, and the contract must contain standard clauses as prescribed by OJK regulations (eg, OJK Regulation No 38/POJK.03/2016 on the Application of Risk Management in the Use of IT by Commercial Banks, last amended by Regulation No 13/POJK.03/2020, and its implementing regulation, OJK Circular Letter No 21/SEOJK.03/2017). Among the most significant provisions are data protection, confidentiality, human resources, IP rights and licences, systems security standards, data centres, or disaster recovery centres. Service-level agreements (SLAs) are also mandatory, containing performance standards such as promised service levels and performance targets.

The use of blockchain by incumbent players in the country's financial sector, although small, is indeed emerging. Some major banks have paved the way for blockchain adoption: Bank Negara Indonesia (BNI) and Bank Rakyat Indonesia (BRI) deploy blockchain for trade finance and remittance products. Bank Central Asia (BCA) initiated a financial hackathon for start-ups to drive blockchain's growth in use. Some other major banks are reportedly pursuing routes to blockchain adoption, including the potential to use blockchain for KYC shared storage on the blockchain.

The authors believe that the leveraging of blockchain technology by traditional players – particularly in some aspects of settlements, KYC and financial inclusion – will become more prevalent, especially with digitisation playing an even bigger role, moving forward.

There has yet to be a specific rule proposal, let alone legislation, that governs blockchain adoption, although the government continues to welcome it with its technology-neutral approach in general. Within the financial sector, particularly, the OJK embraces the use of blockchain, as seen in the identification of blockchain-based fintech companies as a fintech cluster. Also, the OJK anticipates blockchain-based technology as one of the aids for securities crowdfunding (previously termed "equity crowdfunding") in data exchange.

Notwithstanding the absence of rules, however, some recent notable government and industry projects have involved blockchain, as follows.

• Indonesia’s Customs and Excise Department (within the Ministry of Finance) aimed to leverage blockchain technology in the logistics sector, via a blockchain-based global trading platform, TradeLens (developed by Maersk and powered by IBM’s cloud and blockchain). The platform provides container tracking and information sharing between platform members (importers, exporters, logistics operators) and government authorities. With the blockchain-based platform, the government takes aim at minimising shipping costs and reducing the disorganisation of traditional paper-based practices in logistics to enable a seamless and efficient supply chain in the long run.
• The Directorate General of Taxation (DGT) – deploying a private Ethereum network

Blockchain or crypto-assets are only recognised as futures trading commodities; however, Indonesian law does not specify blockchain assets as a form of regulated financial instrument. With crypto-assets classified as tradable commodities, the Indonesian government allows trading in crypto-asset commodities. Therefore, they fall under the authority of BAPPEBTI, which has issued several regulations entailing futures trading of crypto-assets.

A crypto-asset may only be traded through a futures exchange if it is approved by BAPPEBTI and listed in a BAPPEBTI regulation, which will be updated from time to time (currently, in BAPPEBTI Regulation No 7 of 2020, dated 17 December 2020, there are 229 registered crypto-assets at BAPPEBTI). To be eligible as tradable crypto-assets in the local market, they must meet, at a minimum, the following criteria:

• they must employ distributed ledger technology (DLT);
• they must be asset-backed or utility-based;
• utility-based crypto-assets must be among the top 500 (listed in CoinMarketCap) in terms of market capitalisation;
• they must be traded on the largest crypto-asset exchange in the world;
• they must offer economic benefit; and
• they must have successfully passed a risk assessment, including AML, CTF and proliferation of weapons of mass destruction regulations.

The issuance of crypto-assets today is unregulated; the same sentiment also applies to initial coin offerings (ICOs) and the main regulation of crypto-assets (BAPPEBTI Regulation No 5 of 2019 on Technical Provisions Governing Physical Futures Trading of Crypto Assets, amended several times, lastly on its third amendment by Regulation No 3 of 2020, dated 31 March 2020) explicitly stated that it excluded ICOs from the scope of its regulatory scheme.

Blockchain asset trading platforms are regulated in Indonesia. These are defined in the regulation as “crypto-asset merchants”; crypto-asset merchants (commonly known as crypto-asset trading/exchange platforms) are defined as parties that have secured approval from BAPPEBTI to carry out crypto-asset trading transactions in their own right and on behalf of customers. While the authors understand that the term “cryptocurrency exchanges” is more welcome and commonly used internationally for crypto-asset merchants, it is important to point out here that the term “exchanges” is used in the regulation to define a futures exchange that has secured approval from BAPPEBTI to facilitate the trading of crypto-assets.

In general, the key players involved in the physical crypto-asset futures market are BAPPEBTI, crypto-asset exchanges, clearing agencies, merchants and depository agencies.

A crypto-asset merchant must be incorporated as a limited liability company, be a member of a crypto-asset exchange and a crypto-asset clearing agency, and be designated as a merchant by the crypto-asset exchange. Separate BAPPEBTI approval is required for each type of transaction mechanism deployed by crypto-asset merchants.

Crypto-asset merchants must meet certain criteria as specified in the regulation; this includes different financial requirements (paid-up capital and equity) at the time of registration and post-registration, specific good corporate governance, and some technical requirements; ie, having a reliable online system to facilitate trading transactions that connects to all the other players in the market.

Currently, fund investing in blockchain assets is not regulated; although, per the regulation, only individuals are allowed to become crypto-asset customers trading in the Indonesian physical crypto-assets market.

Virtual currencies and blockchain assets are treated differently, in that virtual currencies are prohibited from use as legitimate means of payment in Indonesia. In contrast, blockchain assets or crypto-assets, as discussed previously, are recognised as commodities that can be traded on the country’s futures exchange.

At the time of writing, decentralised finance (DeFi) is not regulated in Indonesia. Nonetheless, some local players have tested the water, as listed below, which are still in their early stages.

• tokocrypto, which is the first registered crypto-asset merchant (crypto-exchange), initiated DeFi through its platform token; ie, Toko Token (TKO). The TKO ecosystem promotes some DeFi elements, such as borrowing and lending, and staking and savings. TKO is a reward system for its platform users/customers using referral codes. On another note, tokocrypto (and some other merchants) also make DeFi tokens available on their platforms.
• Tokoin, a blockchain technology company, launched the Blockchain Innovative Smart Savings (BISS) DeFi programme, a movement to accelerate growth in micro, small and medium-sized entities (MSMEs) with staking and savings using its main utility token in the Tokoin ecosystem; ie, TOKO. The investors are paid in stablecoin USDT. The platform helps MSMEs to connect with suppliers, financial intermediaries and service providers.

Open banking in Indonesia has yet to be comprehensively implemented, although the notion is included in the BI’s new strategic framework, the 2025 Indonesia Payment Systems Blueprint (the "BI Blueprint"). The BI Blueprint specifies five initiatives for the next five years to create a more effective and streamlined system for payments:

• open banking;
• retail payment systems (and a Quick Response Code Indonesia Standard (QRIS) code system);
• market infrastructure;
• data; and
• regulatory licensing and supervision.

These initiatives are to be implemented by five working units under the BI.

Before the BI Blueprint, the OJK cued the open banking drive by virtue of OJK Regulation No 12/POJK.03/2018 on the Organization of Digital Banking Services by Commercial Banks ("OJK Reg. 12"). OJK Reg. 12 accommodates the needs of various integrated IT-based banking services and carries elements of open banking; ie, banks' co-operation with their partners (financial institutions and/or non-financial institutions) as a means of banking product innovation. OJK Reg. 12 also addresses matters relating to customer protection and risk management for banks running their IT-based banking services.

Data collection, use and disclosure within the financial services sector mirrors the EIT regime. Under the Banking Law (Law No 7 of 1992, as amended by Law No 10 of 1998 and Law No 11 of 2020), banks are prohibited from disclosing information on their customers to third parties, except in specific circumstances as mandated by law; ie, for taxation purposes, debt settlement, criminal proceedings, civil lawsuits between banks and customers, interbank information exchange, and inheritance. Moreover, banks and other financial institutions (players in capital markets, insurance, pension funds, finance companies and others) are prohibited from providing third parties with data or information on their own customers except where (i) customers provide written consent to it, or (ii) the provision of the data or information is required by law.

In light of bank secrecy, banks, in particular, are challenged to implement open banking. Some major banks have launched an application programming interface (API), while others are still adapting to customer behaviour that is moving toward a less-cash and more-digital economy culture. The market has seen some collaborative approaches between banks and fintechs; there are numerous instances of banks that have opened up their APIs to allow their systems to be integrated with technology providers and facilitate financial transactions.

As stated before, given the open banking, API-enabled environment, OJK Reg. 12 provides customer protection. With the BI Blueprint, the BI is to prioritise the standardisation and implementation of open APIs to allow for the interlinking of banks and fintech players in tackling risks from shadow banking.

In implementing open banking, customer data will be the main concern, and the BI aims to address customer data protection (including customer consent and dispute resolution), risk management and technical aspects. At the time of writing, the BI is still collecting input from market players to develop system-wide open banking and formulate relevant regulations.