The Financial Services Authority (Otoritas Jasa Keuangan, OJK) issued OJK Regulation No 10/POJK.05/2022 on Information Technology-based Joint Funding Services (OJK Reg 10) on 4 July 2022. OJK Reg 10 has become the main regulation on peer-to-peer lending (P2P) services, replacing OJK Regulation No 77/POJK.01/2016 on Information Technology-Based Money Lending Services (OJK Reg 77).

OJK Reg 10 sets forth more comprehensive provisions compared with OJK Reg 77 and has made some major changes, including:

• the increase in minimum issued and paid-up capital of a P2P company, from IDR2.5 billion to IDR25 billion;
• that P2P companies are now required to maintain equity (total assets minus total liabilities) of IDR12.5 billion;
• the responsibility for the controlling shareholding of a P2P company for any loss suffered by the company;
• the requirement for foreign national directors of a P2P company to be able to speak the Indonesian language; and
• the requirement for all directors to be domiciled within the territory of Indonesia.

Furthermore, the OJK issued OJK Circular Letter No 19/SEOJK.06/2023 (OJK CL 19) on 8 November 2023 to complement the provisions in OJK Reg 10, one of which concerns the maximum limit of economic benefits that P2Ps can receive from their users, including the percentage of the interest rate or profit-sharing (for Sharia-compliant P2P companies).

In addition, the government of Indonesia issued Law No 4 of 2023 on Development and Strengthening of the Financial Sector (Law 4/2023) on 12 January 2023, which serves as an omnibus law for all legislation related to the financial sector in Indonesia. Under Law 4/2023, the government of Indonesia emphasises that all technological innovation in the financial sector (including financial technology) is subject to OJK and Bank Indonesia (BI) supervision.

The fintech lending sector has a significant number of players in Indonesia. The OJK has recognised 101 P2P companies that obtained P2P business licences from the OJK. Nevertheless, at the time of writing, P2P companies have been outnumbered by fintech players in the payment systems sector. It has been reported that 495 payment service providers have been licensed by BI.

Indonesia’s fintech industry is supervised by two discrete regulators: BI and the OJK. While BI supervises fintech and payment systems (e-money, e-wallets and other unclassified payment system fintech providers), the OJK supervises non-payment fintech (P2P, equity crowdfunding and financial sector technology innovation, or FSTI).

The regulations that serve as the main legal basis for the aforementioned fintech models are:

• BI Regulation No 23/6/PBI/2021 on Payment System Providers (BI Reg 23/6);
• BI Regulation No 23/7/PBI/2021 on Payment System Infrastructure Providers;
• BI Regulation No 22/23/PBI/2020 on Payment Systems; and
• BI Regulation No 14/23/PBI/2012 on Fund Transfers as partially revoked by BI Reg 23/6 (BI Reg 14/2012) for Payment Service Providers;
• OJK Reg 10 for P2P Lending as partially revoked by OJK Regulation No 22 of 2023 on Consumers and Community Protection in the Financial Services Sector (OJK Reg 22);
• OJK Regulation No 57/POJK.04/2020 on Securities Offerings via Information Technology-based Equity Crowdfunding Services as amended by OJK Regulation No 16/POJK.04/2021 (OJK Reg 57) for Equity Crowdfunding; and
• OJK Regulation No 3 of 2004 on the implementation of FSTI (OJK Reg 3).

There are no specific requirements, and compensation depends on the contractual arrangements between fintech providers and their customers.

The fintech regulations apply to both existing and new fintech providers.

Indonesia has a regulatory sandbox that aims to assess the reliability of business processes, business models and financial instruments, and for the governance of unrecognised or unregulated fintech providers. BI maintains a regulatory sandbox for payment system fintech providers, while the OJK has a regulatory sandbox for providers of non-payment system fintech.

BI Regulatory Sandbox

The legal basis for the BI regulatory sandbox is set out in BI Reg 23/6 in conjunction with Law 4/2023. A regulatory sandbox is conducted by BI to test the development of technological innovation (which includes products, activities, services and business models) against prevailing policies or provisions on payment systems.

OJK Regulatory Sandbox

Under OJK Reg 3, a fintech provider in the non-payment systems sector – such as an aggregator, a financial planner or an innovative credit assessor – is mandated to apply to the OJK for participating in the OJK’s FSTI regulatory sandbox. Once the OJK issues the approval to participate in the sandbox, the provider will be assessed by the OJK while in the regulatory sandbox. Within a year, the OJK will issue the result of the assessment, which will determine whether the provider passes or fails the regulatory sandbox. If the provider passes the regulatory sandbox, the OJK will require the provider to apply to the OJK for a business licence, and may request the provider to apply for registration with the OJK before submitting the business licence application.

Indonesian regulators may co-ordinate with each other to confirm the boundaries of their respective regulatory authority. In 2019, the OJK decided to transfer its regulatory authority over crypto-assets and digital gold trading to Bappebti (a government agency under the Ministry of Trade that regulates futures trading, and, in this case, oversees crypto-assets trading). With the enactment of Law 4/2023, the regulatory authority over crypto-assets will transfer to the OJK by 12 January 2025.

In addition, a joint task force of Indonesian regulators is also a concrete example of how such regulators co-operate with each other. In 2016, the Investment Awareness Task Force (IATF) was established by the following Indonesian regulators and law enforcement institutions:

• the OJK;
• the Ministry of Trade;
• the Investment Co-ordinating Board;
• the Ministry of Communications and Informatics (MCI);
• the Public Prosecution Service of Indonesia; and
• the National Police.

OJK Reg 10 allows P2P companies to outsource certain work to third parties by virtue of an outsourcing agreement, provided that the work is not related to funding feasibility assessment; also, information technology cannot be outsourced. OJK Reg 10 emphasises that P2P companies are responsible for work outsourced to third parties.

Fintech providers are fully responsible for their platforms and other services provided to their customers and cannot abdicate their responsibility to any party (with reference to Law No 8 of 1999 on Consumer Protection, or the “Consumer Protection Law”, and OJK Reg 22), also adopted by OJK Regs 10 and 57.

The OJK has deregistered many fintech players, especially P2P companies. The most significant reasons for deregistration are late filing of licence applications (or passing of the deadline) and illicit conduct.

Through its IATF, the OJK regularly receives reports from the public on a variety of unlicensed investments, including cross-border investments. The OJK updates a list of entities that allegedly offer “illegal” investments and that are potentially fraudulent. In performing its duties, the IATF co-operates with the MCI to block access to websites or apps of the operators concerned.

Obtaining an Electronic System Operator (ESO) Certificate

Fintech providers must comply with regulations on the use of electronic platforms in Indonesia. Whether applications or websites, these are classified as electronic systems pursuant to Government Regulation No 71 of 2019 on the Implementation of Electronic Systems and Transactions (Reg 71). An ESO and its electronic system must be registered with the MCI in accordance with Reg 71. The MCI will issue an ESO Certificate to an ESO that has successfully registered its platform with it.

Personal Data Management and Handling

In addition to a requirement to obtain an ESO Certificate, implementation of an electronic system must accord with personal data protection principles. Nonetheless, all stages of personal data-processing by an ESO (including the collection, processing and analysis, storage, disclosure and deletion of user data) must maintain data privacy and comply with the law – in this case, Law No 27 of 2022 on Personal Data Protection in conjunction with Law No 11 of 2008, as amended by Law No 19 of 2016 and Law No 1 of 2024 on Electronic Information and Transactions (the “EIT Law”), Reg 71, and MCI Regulation No 20 of 2016 on Personal Data Protection in Electronic Systems.

Prohibition on Pornographic Content

The law and regulations prohibit the intentional and unauthorised distribution of, transmission of, creation of or action resulting in accessibility to electronic information or data with immoral content. This is also in line with the Pornography Law, which prohibits anyone from producing, creating, copying, multiplying, distributing, broadcasting, importing, exporting, offering, selling and purchasing, leasing or providing pornography that explicitly shows:

• sexual intercourse, including deviant sexual activity;
• sexual exploitation;
• masturbation;
• nudity or displays of exotic nudity;
• sex organs; or
• child pornography.

Implementation of Anti-money Laundering (AML) and Counter-terrorism Financing (CTF)

OJK Regulation No 8 of 2023 on the Implementation of AML, CTF, and Prevention of Proliferation of Weapons of Mass Destruction Funding Programmes Within the Financial Services Sector (OJK Reg 8) applies to fintech providers that receive fees from customers in return for their services as P2P lenders and equity crowdfunding providers. These providers must have a policy, supervisory protocol and procedure to mitigate the risk of money laundering and financing of terrorism related to their customers, and must report the implementation thereof to the OJK and suspicious transactions to the Financial Transaction Reports and Analysis Centre (PPATK).

Business associations in fintech sectors play a significant role in overseeing fintech players. Currently, two business associations are recognised by the OJK: the Indonesia FinTech Association (AFTECH) and the AFPI. Both associations have tried to supervise those aspects of fintech activities that are not yet stipulated in the regulation by issuing a code of conduct for each fintech sector. The OJK is also mandated to ensure the compliance of fintech players with the prevailing regulation as well as to supervise the way fintech players conduct their business.

The AFPI has issued a code of conduct that prevails for all P2P companies, while the AFTECH issued codes of conduct in November 2020 for three business clusters: aggregators, innovative credit scorers and financial planners. In addition to the associations, the public can also participate in the review of illegal fintech-provider activities by submitting a report to the IATF.

Financial products and services are highly regulated in Indonesia, in the sense that all financial products and services offered should be supervised by either the OJK, Bappebti or BI. In the fintech sector, not all products and services are yet regulated. This is due to the rapid growth of innovation in digital financial services and because regulators are still playing catch-up with this development, particularly in formulating regulations that fit products and services offered by fintech players.

The OJK and BI have attempted to address the situation by introducing a regulatory sandbox as a testing mechanism aimed at accommodating all types of fintech products and services, while simultaneously assessing their “fit” with existing regulations; otherwise, new regulations would need to be prepared. This helps create a framework that accommodates innovation but also affords adequate protection to the public.

For those parts of the fintech industry already regulated, such as P2P and securities crowdfunding, entities engaged in these sectors must be single-purpose companies, and will not be permitted to offer other products or services beyond what their licences permit.

In general, the AML rules are applicable to all companies in Indonesia. However, specifically for banks and non-bank financial institutions that also include fintech companies that receive or bridge fund flows from their customers or users, both the OJK and BI have stipulated more specific AML rules that should be implemented by fintech companies categorised as non-bank financial institutions.

Although unregulated fintech companies are not bound by the AML rules under BI and the OJK as they have not been recognised as financial service providers by the laws and regulations, they are expected to adopt the general AML rules. This can be achieved by a business association issuing a policy on AML that is then adopted by the unregulated fintech companies.

Since Bappebti issued Regulation No 12 of 2022 on the Implementation of Delivery of Information Technology-based Advice in the Form of Expert Advisers in the Commodity Futures Trading Sector (Bappebti Reg 12/2022) on 2 September 2022, a party offering and providing an IT-based advisory service in the form of an expert adviser in commodity futures trading must obtain the prior approval of the head of Bappebti to carry out activities as a futures adviser providing IT-based advisory services. This way, Bappebti aims to eradicate fraudulent trading robots that were in the public spotlight in 2022.

In different asset classes (for example, mutual funds), several mutual fund sales agents (APERDs) have used robo-advisory services when operating their business. Robo-advisory services in this asset class have not yet been regulated. However, based on the authors’ observation, APERDs that provide robo-advisory services have secured approval from the OJK as financial advisers. In theory, if a specific stipulation does not exist for a given asset class, a robo-adviser for that class may fall within the regulatory sandbox scheme, specifically the OJK scheme.

The implementation of solutions introduced by robo-advisers may vary, depending on the features provided by the providers. However, this must adhere to specific regulations, internal guidelines or rules that apply to those fintech providers.

For robo-adviser operators in stock trading, the actual trading of stocks should be carried out by securities companies. The robo-adviser platform should therefore co-operate with a securities company instead of replacing it. This issue arises owing to the absence of regulations on robo-advisers in stock trading in Indonesia, which might otherwise differentiate between robo-adviser services and conventional existing services.

OJK Reg 10 does not identify special treatment for individuals or small-business borrowers. OJK Reg 10 stipulates that Indonesian citizens, legal entities and business enterprises can all become borrowers in P2P.

P2P companies are required to mitigate risk in carrying out their business, pursuant to OJK Reg 10. Risk mitigation includes the activities of:

• analysing funding risk;
• verifying identity of users;
• collecting funding; and
• facilitating the transfer of risks.

Indonesian law only recognises one type of loan-based fundraising: P2P stipulated in OJK Reg 10. Equity-based fundraising is covered separately in OJK Reg 57.

OJK Reg 10 does not dictate a catch-all scheme for fintech lenders. However, a borrower that uses a P2P company’s platform may receive a loan from many lenders or from just one.

Payment processors may use existing payment rails or create/implement new ones if they have obtained the required licences from BI as a payment system, payment system infrastructure or payment system-supporting service provider. If newly created payment rails do not fall completely within the scope of existing payment system licences issued by BI, the fintech recordation regime must accommodate them.

As the activity relates to payment systems, fintech recordation should fall under the fintech regulation of BI, and for such recordation, payment processors must lay out details of their new payment rails. BI will then decide whether the new payment rails can be used in Indonesia until it issues a new regulation or policy. Alternatively, it may require payment processors to obtain a licence based on the existing regulations or order them to stop using the new payment rails.

Cross-border payments and remittances fall within the supervision of BI, and may be carried out both by banks and by non-bank entities. For licensing, only non-bank entities will need to obtain a remittance licence as a Category-3 payment service provider from BI before engaging in remittance activities. For banks, since remittance is one of their permitted activities, no separate licence is required to provide this service. However, both banks and non-bank entities will need to comply with reporting requirements to BI on their remittance services.

Cross-border remittance can only be done in co-operation with a provider that has obtained a remittance licence from the relevant authority in its home jurisdiction, and it must obtain BI approval. BI is also authorised to stipulate an upper limit for cross-border remittances. However, this will only apply to non-bank entities.

Banks and non-bank entities that provide cross-border remittance services also need to comply with the reporting requirements set out by the PPATK.

No specific regulation exists for fund administrators. The administration of funds in Indonesia is handled mostly by securities companies that act as investment managers, for which they must be licensed by the OJK. The main task of an investment manager is to manage the securities/investment portfolio of its customers, which may include:

• bonds;
• stocks;
• collective investment units; and
• futures contracts related to securities.

The administration of funds by banks, insurance companies and pension funds is subject to regulations applicable to those sectors.

Fund advisers are known as investment advisers and their activities are supervised by the OJK. Investment advisers may be companies or individuals and are subject to OJK licensing requirements. A fund adviser’s main role is to provide advice on the sale and purchase of securities; a fund adviser is not permitted to manage customers’ funds or forecast the performance of securities.

There is no strict prohibition on an investment adviser entering into a co-operation agreement with an investment manager, if the scope of co-operation is still within the permitted activities of both functions.

Securities Trading

The most common trading platforms in Indonesia are those that relate to securities (including scripless stock and mutual funds) trading. This platform must be operated by a licensed securities broker and may only be used by customers of that broker. Operation of such a trading platform is stipulated in OJK Regulation No 50/POJK.04/2020 on Internal Control of Securities Companies that act as Securities Brokers, which allows a securities company to use electronic communication – including the internet, short messaging services, wireless application protocol and other electronic media – to facilitate its securities transactions.

In addition to the trading feature, the platform must also provide information on:

• trading risk;
• the security and confidentiality of all data;
• how an order will be processed by the broker; and
• procedures for handling order delays or instructions for addressing disruption to the system.

In marketing securities, the securities broker can also engage another bank or non-bank financial institution (including a crowdfunding organiser) or a peer-to-peer lender to act as its marketing partner. The partner must be registered with the OJK as a partner of the securities broker.

The sale of mutual funds via a platform can also be performed by fintech companies licensed by the OJK to act as mutual fund sales agents.

Futures Commodities Trading

Bappebti, as futures trading supervisor, has not issued a specific regulation on the use of online platforms for futures trading. However, Bappebti allows futures commodities brokers to use online electronic media for customer onboarding processes, provided prior approval from Bappebti exists for an online feature. In practice, trading in commodities futures, which may also include digital gold, can be done via a platform as long as the platform is operated by a licensed commodities futures broker also connected to an online trading platform provided by the Indonesia Commodity and Derivatives Exchange (ICDX) and the Jakarta Futures Exchange (JFX).

Money Market

Under BI Board of Governors Regulation No 21/19/PADG/2019 on Providers of Electronic Trading Platforms, operators of electronic trading platforms that facilitate transactions within money and foreign exchange markets need to be licensed by BI. Initially, an operator can apply to BI for an in-principle licence. With this, the operator is allowed to start preparing the infrastructure of its platform, including a feasibility study of its business operation. Once preparation is complete and the operator is ready to start operating, it may apply for a business licence. Operations can only commence after a BI licence has been issued.

As previously discussed (see 7.1 Permissible Trading Platforms), each asset class will have its own regulatory regime. Securities trading falls under the supervision of the OJK, while futures commodities (including digital gold and crypto-assets) fall under the supervision of Bappebti. BI supervises the use of trading platforms within money and foreign exchange markets.

Virtual currencies (including cryptocurrencies) are not recognised as a legitimate payment instrument in Indonesia. However, the increase in popularity of cryptocurrencies in Indonesia has pushed the Indonesian government to issue a legal framework for cryptocurrencies in the Indonesian market.

Cryptocurrencies in Indonesia are recognised as crypto-assets that can only be traded as futures commodities at a crypto-assets futures exchange approved by Bappebti. Trading can also be done through a crypto-asset traders’ platform connected with a crypto-assets futures exchange platform. Key players involved in crypto-assets transactions are:

• exchanges;
• clearing agencies;
• traders; and
• depository agencies for crypto-assets.

All of these need to be licensed by Bappebti.

Tradable crypto-assets are only those approved by Bappebti and listed for trading in a futures exchange. Currently, the list is stipulated in Bappebti Regulation No 11 of 2022 as amended by Bappebti Regulation No 4 of 2023 and Bappebti Regulation No 2 of 2024  (the “Bappebti List of 2024”). Under the Bappebti List of 2024, Bappebti has increased the number of types of crypto-assets that could be traded in a futures exchange from 229 to 545. Notable new entries that are popular with Indonesian retail investors include:

• Secret (SCRT);
• Ana Coin (ANA) (see 12. Blockchain for more detail on the criteria for crypto-assets);
• Luna Coin (LUNA);

• SushiSwap (SUSHI);
• PancakeSwap (CAKE);
• AAVE;
• Internet Computer (ICP);
• Axie Infinity (AXS);
• Ethereum Name Service (ENS);
• TROY;
• Reef;
• 1INCH;
• DYDX;
• THORchain (RUNE);
• The Graph (GRT);
• Apecoin (APE);
• Anchor Protocol (ANC); and
• Secret (SCRT).

There are also a number of locally issued coins or tokens on the Whitelist, such as:

• Kunci Coin (KUNCI);
• Toko Token (TKO); and
• Ana Coin (ANA).

See 12. Blockchain for more detail on the criteria for crypto-assets.

In addition to the above, with the enactment of Law 4/2023, the government is also formulating the country’s own central bank digital currency (CBDC), also known as Digital Rupiah (see again 12. Blockchain for more detail on Digital Rupiah).

In Indonesia, listing standards are relevant for products in the capital market sector, which include stocks and bonds. The listing must follow the rules of the Indonesian Stock Exchange (IDX). There are currently three listing boards on the IDX: the main, development and acceleration boards.

The main and development boards are designated for companies that have already started operations within a certain period and have a certain level of assets. For example, to list its stocks on the main board a company must have net tangible assets of more than IDR100 billion; while to be listed on the development board, it must have IDR5 billion and income of more than IDR40 billion. Most companies in Indonesia list their stocks on the main board.

The acceleration board is designated for small and medium-scale businesses with a range of assets from IDR50 billion to IDR250 billion. Small and medium-scale companies may list their stocks immediately upon establishment. The financial and accounting requirements and the offering structure for the acceleration board are relatively simple compared with those for the main and development boards.

In relation to stock trading, both the OJK and the IDX set out general rules on procedures that need to be implemented by securities brokers when handling their customers’ orders. In accepting orders, the OJK requires securities brokers to verify customer identity and record details of the order, such as the number, type and price of the stocks. The securities broker must also maintain a risk-management unit that is responsible for, among other things, verifying orders or instructions from customers to ensure the availability of funds or stocks for settlement of the transaction. Specifically, securities brokers that operate a trading platform must ensure that the platform provides information on procedures to handle delays to orders owing to an interruption of the online system.

The IDX also stipulates that a securities broker may only accept and execute a trading order from a board member or member of staff if the securities broker maintains a standard operating procedure that stipulates, among other matters, the prioritising of customer orders.

Recent developments on the order-handling rules are the introduction of an automated ordering feature in the securities-trading platform operated by securities brokers. With this feature, a user may order securities based on algorithms and parameters established in the platform, which may include volume, price, instrument, market and time. In order to be able to include this automated ordering feature in its trading platform, the securities broker must first obtain prior approval from the IDX.

Before the acknowledgment of cryptocurrency as crypto-assets, many players established peer-to-peer trading platforms to trade various cryptocurrencies. However, since the enactment of regulation on crypto-asset trading on futures and digital exchanges, trading was centralised to the crypto-assets futures exchange. Trading in crypto-assets needs to be carried out via a crypto-assets futures exchange approved by Bappebti. This marks the end of peer-to-peer trading platforms for cryptocurrencies in Indonesia.

For stock trading, all activities are centralised with the IDX and every party involved in stock trading needs to obtain a licence beforehand from the OJK and follow the IDX rules. The closest structure to a peer-to-peer trading platform is the securities crowdfunding platform stipulated in Reg 57. This regulation defines securities crowdfunding as an offering of securities by an issuer directly to an investor using a publicly accessible electronic system. The issuer will be exempted from the normal capital market rules on initial public offerings if the offer is through an OJK-licensed provider and only for a period of not more than 12 months; and should not raise more than IDR10 billion.

A securities crowdfunding platform provider may also provide a system that facilitates secondary market trading in securities that were distributed at least one year before the trade. A trade in the secondary market can only be conducted between investors that are registered with the platform, with no more than two trades within 12 months and a gap of six months between each trade.

Although the platform operates in a similar way to a peer-to-peer trading platform, all trading (including changes of securities ownership) made through the securities crowdfunding platform must be registered with the Indonesian Central Securities Depository (KSEI) as the agency in the Indonesian capital market that provides organised, standardised and efficient central custodian and securities transaction settlement services, in compliance with the Indonesian Capital Market Law.

No specific rules exist in Indonesia for best execution of customer trades. The OJK and the IDX, however, stipulate general rules that require every securities company that acts as a broker to put the interest of customers ahead of its own interest when performing a transaction. In providing their buy and sell recommendations, brokers must also inform customers if they have an interest in the securities recommended to them.

No specific regulation on payment for order flow exists in Indonesia. In general, all securities brokers need to execute their trade orders themselves, and may only assign them to another broker if there is trouble in the trading system or if the stock exchange suspends them while an outstanding order needs to be executed. Furthermore, the securities brokers must also disclose fees charged to customers when facilitating a trade (including their fee) and fees charged by the stock exchange.

A benchmark fee (or commission) that may be charged by a securities broker must be agreed and stipulated by members of the Indonesia Securities Company Association.

The fundamental principles of Indonesian capital market laws and regulations are:

• disclosure;
• efficiency;
• fairness; and
• protection of investors.

For investor protection, the Indonesian Capital Market Law stipulates two key areas of market abuse: insider trading and market manipulation. The Law stipulates that parties (which includes individuals, companies, partnerships, associations or organised groups) are prohibited from:

• deceiving or misleading other parties through the use of whatever means or methods;
• participating in a fraud or deception against another party;
• giving false statements on material facts; or
• failing to disclose material facts that are necessary in order to avoid a statement being misleading.

A violation of the market abuse prohibition is subject to imprisonment for up to ten years and a fine of up to IDR15 billion.

Aside from the IDX rule on the use of the automated ordering feature in the securities trading platform, high-frequency and algorithmic trading are not yet specifically regulated in Indonesia. In practice, many players already use these technologies in both securities and futures commodities trading. This practice is also acknowledged by both the OJK and the IDX.

The OJK, under its digital finance innovation rule, recognises the use of retail algorithmic trading as part of innovation that needs to be recorded at the OJK. Once recorded, the OJK will include a provider of retail algorithmic trading in a regulatory sandbox. The OJK will then further analyse the activities to determine whether the provider may continue their services in retail algorithmic trading. Additionally, in a press release on the IDX’s mission for 2018–21, one item was to increase securities transaction liquidity by perfecting the feature and capacity of the trading system (including to anticipate customers that use algorithmic trading and high-frequency trading as their trading methods). The mission was then implemented with the introduction of an automated ordering feature in the securities trading platform operated by securities brokers that allows users to order securities through the platform based on algorithms and parameters in the platform.

One concern with the use of high-frequency and algorithmic trading is the potential breach of the market manipulation rule under the Indonesian Capital Market Law, which prohibits action that is misleading about trading activity and manipulation of securities prices.

Market makers in Indonesia are only recognised for trading in commodities futures. A market maker is defined as a party continuously quoting sell or purchase orders during trading hours. The futures exchange and futures clearing house will jointly determine parties appointed as market makers with the approval of the head of Bappebti. However, there are no specific registration requirements for market makers within the context of high-frequency and algorithmic trading in commodities futures.

For securities trading, the OJK is still preparing a regulation that will require the registration of market makers at the stock exchange.

This is not applicable in Indonesia. See 8.1 Creation and Usage Regulations.

There is still no specific regulation in Indonesia on the development and creation of trading algorithms. To the extent that programmers are only involved in the creation of the system but not actual trades, it is unlikely that they would fall under the supervision of the OJK, Bappebti, BI or the IDX. However, if the activities progress to involvement in actual trades, they may fall within the ambit of the OJK’s digital finance innovation rule and would thus need to be recorded with the OJK.

There are no regulations governing decentralised finance (DeFi) in Indonesia at the time of writing. See also 12.8 Impact of Regulation on “DeFi” Platforms.

To date, a financial research platform is:

• regarded as a fintech business model;
• often regarded as an “aggregator” cluster; and
• classified as an FSTI under the supervision of the OJK.

A financial research platform, in this case, should be limited to a digital platform offering information on financial products and services of financial institutions, but should not be undertaking activities that may trigger the need for a licence under the OJK (ie, investment broker or investment adviser licensing).

Financial research platforms operate as limited liability companies (PTs). Note that for FSTIs participation in the OJK’s regulatory sandbox is voluntary and is not licensing per se. The participants should undergo the recordation process following their PT’s incorporation. Furthermore, digital platform providers are ESOs and must also be registered at the MCI.

The spreading of rumours or unverified information in the electronic information and transactions field is under the authority of the MCI. The EIT Law prohibits distribution of, transmission of, or access to electronic information or electronic documents that contain, among other matters, fake news (hoaxes) and misleading information that may result in consumers suffering losses in electronic transactions.

As a sign of strong governmental commitment to the country’s digital agenda, the MCI and law enforcement authorities are more aware of the need to combat fake news and misleading or unverified information across the internet in recent years. Under the EIT Law, any person who deliberately and unlawfully disseminates a hoax or misleading news that causes losses for consumers in an electronic transaction may incur criminal sanctions, with imprisonment for up to six years or a fine of up to IDR1 billion.

In the capital market, the spreading of rumours or unverified information may lead to market manipulation restrictions under the Indonesian Capital Market Law, which was recently amended by Law 4/2023: a person is prohibited from making false or misleading statements that affect the price of securities on the stock exchange if, at the time the statement is made or the information is disclosed, the person failed to exercise due care in determining the truth of the statement or information. A violation of the market manipulation prohibition is subject to imprisonment of up to 15 years and a fine of up to IDR150 billion.

Although specific regulation on the curation of conversation on the internet remains largely unregulated, a financial research platform would typically be expected to establish internal rules to ensure safeguards and oversight over conversation within its platform.

In fact, it is common in the market for digital platforms as over-the-top service providers to maintain:

• active filtering features on their platforms whereby the operator can actively monitor and filter any false or misleading information/content or other types of unacceptable behaviour within its forum; and
• a feature whereby users can report content within the platform, and, subsequently, platform operators will take action against a report (such as taking down the content).

By virtue of the new OJK Regulation No 28 of 2022, which is an amendment to its predecessor, OJK Regulation No 70/POJK.05/2016 on Business Operations of Insurance Brokers, Reinsurance Brokers and Insurance Loss Assessor Companies (OJK Reg 28), insurtech is finally covered by a comprehensive regulatory regime. Previously, the insurtech business was largely unregulated, classified as a fintech cluster, and categorised as an FSTI under the OJK.

OJK Reg 28 defines the concept of “insurtech” as a digital insurance brokerage service, which is one of the activities carried out by an insurance broker company with prior approval from the OJK. A party that can carry out such activities includes either a duly licensed insurance broker or one that has not secured a business licence as an insurance broker at that time but is in the process of filing an application for an insurance broker business licence. Certain requirements are imposed by the OJK for an insurance broker to secure approval, including meeting equity requirements – ie, by submitting:

• the last two-quarters of the company’s financial statements for a licensed insurance broker; or
• an audited financial statement by a public accountant for a party that has not been licensed as an insurance broker.

As regards the underwriting process, OJK Reg 28 clarifies that the underwriting of a digital insurance broker must be minimal – ie, a process that does not require a direct or face-to-face survey over risks, a health check, etc. For example, in motor vehicle insurance, there is no requirement for physical checking of the vehicle, and no medical examination would be required for life insurance for underwriting within guaranteed acceptance criteria.

Under the insurance regulatory landscape, insurance products in Indonesia are generally grouped into two categories: life insurance and general insurance products.

Insurance companies are limited to doing business tailored to their licences; this means that the offer of overlapping services – ie, life insurance and general insurance at the same time – is not permitted.

Business expansion for insurance companies, however, is possible in that life insurance companies can expand their business to investment-related insurance products and fee-based activities (these include marketing other non-insurance products – eg, mutual funds or other products of financial institutions licensed by the OJK), credit insurance and suretyship, or other activities assigned by the government. Sharia-compliant general insurance companies can expand into these activities, except for credit insurance and suretyship; whereas general insurance companies are only allowed to add fee-based activities to their expanding business.

Life insurance and general insurance products, including those that are Sharia-compliant, are subject to different regulatory treatment.

At the time of writing, regtech is unregulated and classified as a fintech cluster, and players qualify as FSTIs under the OJK. It was reported in 2022 that the regulator was preparing a regulatory framework for regtech. Regtech solutions in the market today are spread into several clusters under the OJK:

• regtech (automates the collection and storage of customer due diligence (CDD) data to comply with AML and CTF regulations);
• e-KYC (solutions for digital identity and digital signature);
• verification technology (identification and non-CDD verification platforms); and
• tax and accounting (tax and accounting reporting solutions).

Subcontracts between duly licensed financial service entities and third parties are generally dictated by regulations. For example, this is the case in banks (commercial and rural banks, including those that are Sharia-compliant) for outsourcing their IT systems.

While not specifically applicable to regtech, the OJK mandates specific provisions that must be included for banks to outsource their IT activities, and the contract must contain standard clauses as prescribed by OJK regulations (eg, OJK Regulation No 11/POJK.03/2022 on the Implementation of IT by Commercial Banks, and its implementing regulation, OJK Circular Letter No 21/SEOJK.03/2017). Among the most significant provisions are those concerning:

• data protection;
• confidentiality;
• human resources;
• IP rights and licences;
• systems security standards;
• data centres; and
• disaster-recovery centres.

Service-level agreements (SLAs) are also mandatory, containing performance standards such as promised service levels and performance targets.

The use of blockchain by incumbent players in Indonesia’s financial sector is indeed emerging. In fact, BI is also among the pioneers in leveraging blockchain technology by formulating the country’s own central bank digital currency (CBDC) or Rupiah Digital pilot programme – ie, Project Garuda. This is further discussed in 12.2 Local Regulators’ Approach to Blockchain.

Some major banks have paved the way for blockchain adoption: Bank Permata, Bank Negara Indonesia (BNI) and Bank Rakyat Indonesia (BRI) deploy blockchain for trade finance and remittance products. Bank Central Asia (BCA) initiated a financial hackathon for start-ups to drive blockchain’s growth in use. Some other major banks are reportedly pursuing routes to blockchain adoption, including the potential to use blockchain for know-your-customer (KYC) shared storage on blockchain.

The authors believe that the leveraging of blockchain technology by traditional players – particularly in some aspects of settlements, KYC and financial inclusion – will become more prevalent to keep up with blockchain technology.

There has yet to be a specific rule proposal, let alone legislation, that governs blockchain adoption, although the government continues to welcome this with its technology-neutral approach in general. Within the financial sector, as mentioned in 12.1 Use of Blockchain in the Financial Services Industry, BI formulated Project Garuda, for which a White Paper was released on 30 November 2022. Digital Rupiah will be developed in three stages – immediate state, intermediate and end-state – and will run on a permitted blockchain network. The three-stage approach will create Digital Rupiah as a wholesale CBDC (w-CBDC or w-Digital Rupiah cash ledger), a more-advanced w-CBDC (w-Digital Rupiah cash and securities ledger) and retail Digital Rupiah (r-CBDC).

W-Digital Rupiah (initial stage) will include CBDC issuance, redemption and transfer, including integration with the BI RTGS system. The second stage – ie, a more-advanced w-CBDC – will take the Digital Rupiah as a means of settlement of securities transactions via Central Counterparties (CCP) as well as tokenisation of securities. In the final stage, the Digital Rupiah will become an r-CDBC to be distributed to retail users, including distribution and collection, peer-to-peer (P2P) transfer, and payments.

Notwithstanding the above, by virtue of the consolidated law within the financial sector, Law 4/2023, Indonesia now permits smart contracts as a form of contract for transactions in capital markets, money markets and foreign exchange (forex) markets, including derivatives transactions. Law 4/2023 further clarifies that smart contracts, or their printouts, can be used as legal evidence, as will be further stipulated in the law on information and electronic transactions.

The use of smart contracts must be followed by storage of the contract, which must at least contain terms and conditions concerning the automation of rights and obligations performance based on a smart contract; such a contract is used as a framework agreement that contains natural language to underpin automation of rights and obligations performance in smart contracts. In other words, the use of smart contracts in the financial sector is an alternative to traditional contracts, since the contract is agreed upon in natural language, but the obligations are performed by code (program).

Law 4/2023 further states that smart contracts will be subject to the OJK implementing regulations in accordance with the law on information and electronic transactions.

The OJK has been embracing the use of blockchain, as seen in the identification of blockchain-based fintech companies as a fintech cluster. Also, the OJK envisages blockchain-based technology as an aid for securities crowdfunding in data exchange.

Law 4/2023, which was issued earlier this year, mandates the shift of authority and supervisory duties over digital financial assets (including crypto-assets), as well as other financial derivatives, from Bappebti to the OJK. The transition is to be completed within 24 months, and will be subject to an implementing regulation mandated to be completed within six months after the enactment of Law 4/2023.

Until there are any legitimate changes in view of the shift from Bappebti to the OJK, blockchain or crypto-assets are only recognised as futures trading commodities. With crypto-assets being classified as tradable commodities, the Indonesian government allows trading in crypto-asset commodities.

Crypto-assets may only be traded through a futures exchange if approved by Bappebti and listed in a Bappebti regulation, which will be updated from time to time (currently, in the Bappebti List, there are 545 registered crypto-assets at Bappebti). To be eligible as tradable crypto-assets in the local market, they must meet, at a minimum, the following criteria.

• Employ distributed ledger technology (DLT).
• Be asset-backed or utility-based.
• Have been assessed via the analytical hierarchy process (AHP) method as determined by Bappebti, which also considers the market cap value of the crypto-assets, and whether they:
1. are traded on the largest crypto-asset exchange in the world;
2. offer economic benefit; and
3. have successfully passed a risk assessment, including regulations on AML, CTF and proliferation of weapons of mass destruction.

The issuance of crypto-assets remains unregulated despite their rising popularity among local “issuers” in the country; the same sentiment also applies to initial coin offerings (ICOs), and the main regulation of crypto-assets (Bappebti Regulation No 8 of 2021 on Guidelines for the Operation of Physical Crypto-Asset Markets in Futures Exchanges, dated 29 October 2021, as amended by Regulation No 13 of 2022 on this, or Reg 8/2021) explicitly stated that it excluded ICOs and/or initial token offerings from the scope of its regulatory scheme. One may, however, expect changes following the shift of authority from Bappebti to the OJK per Law 4/2023 as discussed in 12.3 Classification of Blockchain Assets.

Blockchain asset-trading platforms are regulated in Indonesia. These are defined in the regulation as “crypto-asset traders”. Crypto-asset traders (commonly known as crypto-asset trading/exchange platforms) are defined as parties that have secured approval from Bappebti to carry out crypto-asset trading transactions in their own right and on behalf of customers.

While the authors understand that the term “cryptocurrency exchanges” is more welcome and commonly used internationally for crypto-asset traders, it is important to point out here that the term “exchange” is used in the regulation to define a futures exchange that has secured approval from Bappebti to facilitate the trading of crypto-assets; hence, the government of Indonesia is introducing a rather different approach as regards the crypto-asset ecosystem in Indonesia.

In general, the key players involved in the physical crypto-asset futures market are:

• Bappebti;
• crypto-asset exchanges;
• clearing agencies;
• traders; and
• depository agencies.

A crypto-asset trader must be:

• incorporated as a limited liability company;
• a member of a crypto-asset exchange and a crypto-asset clearing agency; and
• designated as a trader by the crypto-asset exchange.

Separate Bappebti approval is required for each type of transaction mechanism deployed by crypto-asset traders.

Crypto-asset traders must meet certain criteria as specified in the regulation, including:

• different financial requirements (paid-up capital and equity) at the time of registration and post-registration;
• specific good corporate governance; and
• some technical requirements – ie, having a reliable online system to facilitate trading transactions that connects to all the other players in the market.

The above, however, is subject to changes following the shift of authority from Bappebti to the OJK per Law 4/2023 as discussed in 12.3 Classification of Blockchain Assets.

Currently, fund investing in blockchain assets is not regulated, although, per the prevailing regulation, only individuals are allowed to become crypto-asset customers trading in the Indonesian physical/spot crypto-assets market.

Virtual currencies and blockchain assets are treated differently, in that virtual currencies are prohibited from use as legitimate means of payment in Indonesia, except for Digital Rupiah (see also 12.2 Local Regulators’ Approach to Blockchain). Per Law 4/2023, in a move to keep up with the fast-changing crypto landscape, Indonesia has now paved the way for CBDC through Digital Rupiah; it is now a legitimate form of legal tender. Digital Rupiah will have the same role as Fiat Rupiah.

In contrast, blockchain assets or crypto-assets, as discussed previously, are recognised as commodities that can be traded on the country’s futures exchange, which is subject to changes following the shift of authority from Bappebti to the OJK as discussed in 12.3 Classification of Blockchain Assets.

Decentralised finance (DeFi) is not yet regulated in Indonesia. Nonetheless, some local players have tested the water, as listed below. The following are still in their early stages, although the market is expected to evolve.

• Litedex Protocol, a decentralised exchange (DEX), is a protocol that will serve as a meta finance blockchain developer for local players; the protocol develops elements of DeFi, including staking, yield farming, swapping, liquidity pool and borrowing and lending, as well as non-fungible token (NFT) marketplace and bridge features. Litedex Protocol is also developing its native token, the LDX token.
• tokocrypto, the first registered crypto-asset trader (crypto-exchange), initiated a DeFi utility project through its platform token, Toko Token (TKO). The TKO ecosystem promotes some DeFi elements, such as borrowing and lending, and staking and savings. On another note, tokocrypto (and some other traders) also lists native DeFi tokens available for trading purposes on its platform.

At the time of writing, NFTs are not yet regulated, although it is to be noted that, by virtue of the definition of “crypto-assets” under Reg 8/2021, NFTs may fall under the regulatory regime. Crypto-assets are defined in the regulation as intangible commodities in digital form that use cryptography, an IT network and distributed ledger to create new units, and that verify and secure transactions without the involvement of other parties. Nonetheless, Bappebti has recently clarified that NFTs are yet to be regulated, indicating that NFTs do not fall within the existing regulatory framework.

However, given the skyrocketing number of local industry players as well as NFT collectors and their communities, NFT popularity and the growing concerns as regards taxation and intellectual property aspects (not to mention that the government is also aware of the growing market), one may expect some efforts from the government to clear up regulatory uncertainties in the local NFT space, especially given the supervisory shift from Bappebti to the OJK as discussed in 12.3 Classification of Blockchain Assets.

Open banking in Indonesia has yet to be comprehensively implemented, although such notion is included in BI’s new strategic framework, the 2025 Indonesia Payment Systems Blueprint (the “BI Blueprint”). The BI Blueprint specifies five initiatives for the next five years to create a more effective and streamlined system for payments:

• open banking;
• retail payment systems (and a Quick Response Code Indonesia Standard (QRIS) code system);
• market infrastructure;
• data; and
• regulatory licensing and supervision.

These initiatives are implemented by five working units under BI, which has now launched the National Open API Payment Standard (SNAP) as well as sandbox trials of QRIS and Thai QR payment interconnectivity. These measures are crucial for accelerating open banking in the payment systems space.

Before the BI Blueprint, the OJK cued the open banking drive by virtue of OJK Regulation No 21 of 2023 on the Digital Services by Commercial Banks (OJK Reg 21). OJK Reg 21 accommodates the needs of various integrated IT-based banking services and carries elements of open banking – ie, banks’ co-operation with their partners (financial institutions and/or non-financial institutions) as a means of banking product innovation. OJK Reg 21 also addresses matters relating to customer protection and risk management for banks running IT-based banking services.

Data collection, use and disclosure within the financial services sector mirrors the EIT regime. Under the Banking Law (Law No 7 of 1992, as last amended by Law 4/2023), banks are prohibited from disclosing information on their customers to third parties, except in specific circumstances as mandated by law – ie, for:

• taxation purposes;
• debt settlement;
• criminal proceedings;
• civil lawsuits between banks and customers;
• interbank information exchange; and
• inheritance.

Moreover, banks and other financial institutions (players in capital markets, insurance, pension funds, finance companies and others) are prohibited from providing third parties with data or information on their own customers except where:

• customers provide written consent; or
• the provision of the data or information is required by law.

In light of bank secrecy, banks, in particular, are challenged to implement open banking. Some major banks have launched an application programming interface (API), while others are still adapting to customer behaviour that is moving towards less of a cash and more of a digital economy culture. The market has seen some collaborative approaches between banks and fintechs; there are numerous instances of banks that have opened up their APIs to allow their systems to be integrated with technology providers and to facilitate financial transactions.

As stated previously, in light of open banking, BI prioritises standardisation and implementation of the open API to enable the interlinking of payment service providers and other players; this is implemented under Regulation of the Board of Governors No 23/15/PADG/2021 on the Implementation of the National Standard for Open Application Programming Interface in Payments (BI Reg 23/15). BI developed SNAP along with the industry stakeholders to cover:

• the technical and security standards, data standards and technical specifications, as published on the developer’s site; and
• the SNAP governance guidelines for interconnected and interoperable open API payments.

In implementing open banking, customer data is the main concern. BI addresses customer data protection (including customer consent and dispute resolution), risk management and technical aspects as issued under Regulation of the Board of Governors No 20 of 2023 on Procedures for the Implementation of BI Consumer Protection: BI Regulation No 3 of 2023 on BI Consumer Protection (BI Reg 3).

Currently, only the banking and insurance sectors already have umbrella laws pertaining to fraud – namely:

• OJK Regulation No 39/POJK.03/2019 on the Implementation of Anti-Fraud Strategies for Commercial Banks (OJK Reg 39), and OJK Circular Letter No 46/SEOJK.05/2017 Concerning Fraud Control; and
• implementation of anti-fraud strategies and anti-fraud strategy reports for insurance companies, Sharia insurance companies, reinsurance companies, Sharia reinsurance companies or Sharia units (OJK CL 46).

Both OJK Reg 39 and OJK CL 46 share identical elements, as indicated by the definition of fraud itself as being:

“[a]n act of retention or omission that is intentionally carried out to deceive, cheat, scam or manipulate banks or insurance/reinsurance companies, customers/policyholders/insured parties/participants, or other parties so that they suffer losses and/or the fraudster obtains financial benefits either directly or indirectly.”

Furthermore, the OJK is currently preparing a regulation for the implementation of anti-fraud strategy, which will apply to all financial service sectors, including fintechs. However, there is no indication from public sources as to when the regulation will be issued. Predicting the timeline for the issuance of implementing regulations is challenging, given the observed inconsistency in practice.

In practice, regulators are likely to focus on any sort of fraud that is reported by the public. As the primary regulator of Indonesia’s financial services sector, the OJK, through the Investment Awareness Task Force, is increasingly more active in overseeing and monitoring this sector. It also receives reports from the public on investments and updates on a regular basis, and will place these on a list of companies (including foreign companies) that allegedly offer “illegal” investments and which do not hold any required local licences and/or are deemed to be potentially fraudulent – this list is available to the public.