OJK Reg 40

The Indonesian Financial Services Authority (Otoritas Jasa Keuangan, or OJK) issued OJK Regulation No 40 of 2024 on Information Technology-based Joint Funding Services (“OJK Reg 40”) on 27 December 2024. OJK Reg 40 has become the main regulation on peer-to-peer (P2P) lending services, replacing OJK Regulation No 10/POJK.05/2022 on Information Technology-Based Joint Funding Services (“OJK Reg 10”).

OJK Reg 40 sets forth more comprehensive provisions compared with OJK Reg 10 and has made some major changes, including:

• permission to establish P2P lending companies in the form of co-operatives (koperasi);
• that the shares in P2P lending companies may now be held not only by Indonesian citizens, Indonesian legal entities, foreign legal entities, and/or foreign citizens but also by the Republic of Indonesia and/or regional government authorities;
• that the selection of a mandatory partner for foreign shareholders has been broadened to include not only Indonesian citizens and/or Indonesian legal entities but also the central and/or regional government;
• that the existing 85% limitation on direct and indirect foreign ownership in a P2P lending company remains in effect until the government issues a specific regulation modifying this limitation;
• that licensed P2P lending companies with foreign ownership exceeding the prescribed limit prior to and up to the enactment of OJK 40 are exempt from currently applicable ownership restrictions, provided there is no change in ownership;
• the change of generally applicable funding limit from IDR2 billion to maximum consumption funding limit of IDR2 billion and maximum productive funding limit of IDR5 billion;
• that P2P lending companies wishing to engage in productive funding of between IDR2 billion IDR5 billion shall ensure that their non-performing loans do not exceed 5% over the previous six months, and must not currently be subject to any OJK sanctions in the form of business restrictions or suspensions;
• that P2P lending companies shall maintain a financial soundness rank of at least composite rating of 3, which is assessed based on (i) equity, (ii) funding, (iii) profitability, (iv) liquidity and (v) management aspects;
• that all P2P lending companies, including those that obtained their business licences before OJK 40 comes into effect, shall achieve a minimum equity (total assets minus total liabilities) of IDR12.5 billion by 4 July 2025;
• new mandates on implementation of anti-fraud strategy and the application of anti-money-laundering and prevention of terrorism and proliferation of weapons of mass destruction funding programmes; and
• that a P2P lending company which operates based on conventional principle may form a Sharia Business Unit (Unit Usaha Syariah, or UUS) which operates based on Sharia principle under its management.

Nonetheless, OJK Reg 40 still maintains some provisions from OJK Reg 10, including:

• that the minimum issued and paid-up capital of a P2P lending company remains IDR25 billion;
• the responsibility for the controlling shareholding of a P2P lending company for any loss suffered by the company;
• the requirement for foreign national directors of a P2P lending company to be able to speak the Indonesian language; and
• the requirement for all directors to be domiciled within the territory of Indonesia.

The implementing regulations of OJK Reg 10, including OJK Circular Letter No 19/SEOJK.06/2023 (“OJK CL 19”) which was issued by the OJK on 8 November 2023, will remain in force, as long as they do not contradict OJK Reg 40 and the OJK has yet to enact new implementing regulation. OJK CL 19 concerns, among other things, the maximum limit of economic benefits that P2P lending companies can receive from their users, including the percentage of the interest rate or profit-sharing (for Sharia-compliant P2P lending companies).

Law 4/2023

In addition, the government of Indonesia issued Law No 4 of 2023 on Development and Strengthening of the Financial Sector (“Law 4/2023”) on 12 January 2023 as lastly amended by the Decision of Constitutional Court No 85/PUU-XXII/2024 dated 3 January 2025, which serves as an omnibus law for all legislation related to the financial sector in Indonesia. Under Law 4/2023, the government of Indonesia emphasises that all technological innovation in the financial sector (including financial technology) is subject to OJK and Bank Indonesia (“BI”) supervision.

AI

The OJK and several prominent fintech associations in Indonesia are proactively anticipating the use of artificial intelligence (AI) in fintech products and services by introducing the Code of Ethics Guidelines for Responsible and Trustworthy Artificial Intelligence in the Financial Technology Industry. These guidelines are designed to be a foundational reference for fintech associations in Indonesia to assemble their own AI code of conduct in the future. The document incorporates basic principles of AI utilisation, including beneficial use, fairness and accountability, transparency and explicability, as well as robustness and security. These principles are based on studies conducted on globally recognised AI frameworks, such as the OECD AI Principles and the National Institute of Standards and Technology AI Risk Management Framework.

There are a significant number of players in the Indonesian fintech lending sector. The OJK has recognised 97 P2P lending companies that obtained P2P lending business licences from the OJK. Nevertheless, at the time of writing (March 2025), P2P lending companies are outnumbered by fintech players in the payment systems sector. It has been reported that 427 payment service providers have been licensed by the BI.

Indonesia’s fintech industry is supervised by two discrete regulators: the BI and the OJK. While the BI supervises fintech and payment systems (e-money, e-wallets and other unclassified payment system fintech providers), the OJK supervises non-payment fintech (P2P lending, equity crowdfunding and financial sector technology innovation (FSTI)).

The regulations that serve as the main legal basis for the aforementioned fintech models are:

• BI Regulation No 23/6/PBI/2021 on Payment System Providers (“BI Reg 23/6”);
• BI Regulation No 23/7/PBI/2021 on Payment System Infrastructure Providers;
• BI Regulation No 22/23/PBI/2020 on Payment Systems; and
• BI Regulation No 14/23/PBI/2012 on Fund Transfers as partially revoked by BI Reg 23/6 (BI Reg 14/2012) for Payment Service Providers;
• OJK Reg 40 for P2P Lending
• OJK Regulation No 57/POJK.04/2020 on Securities Offerings via Information Technology-based Equity Crowdfunding Services as amended by OJK Regulation No 16/POJK.04/2021 (“OJK Reg 57”) for Equity Crowdfunding;
• OJK Regulation No 3 of 2024 on the implementation of FSTI (“OJK Reg 3” ),
• OJK Regulation No 29 of 2024 on Alternative Credit Scoring; and
• OJK Regulation No 27 of 2024 on the implementation of Financial Digital Asset Trading Including Crypto Assets (“OJK Reg 27”).

There are no specific requirements, and compensation depends on the contractual arrangements between fintech providers and their customers.

Banks, as traditional financial institutions, are subject to a robust regulatory regime designed to ensure financial stability and protect depositors. This includes strict capital adequacy norms, liquidity requirements, and comprehensive risk management frameworks.

While some fintechs, such as P2P lending, and payment system providers, must meet minimum capital and governance standards, others, like aggregators and funding or financing agents, face fewer financial requirements. Fintechs supervised by the OJK (as opposed to those under BI supervision) are subject to consumer protection, anti-money laundering (AML), and governance requirements, including fit and proper tests where applicable (eg, P2P lending and digital banks). Meanwhile, BI-regulated fintechs (such as payment system providers) are also subject to AML obligations under BI regulations.

While fintech firms initially enjoyed a more lenient regime intended to spur innovation in the sector, regulatory convergence is occurring, particularly in areas of AML, capital requirements and governance standards. Law 4/2023 marks a shift toward a more harmonised regulatory framework, where fintech players, especially those handling systemic transactions, face prudential and risk management expectations more akin to traditional financial institutions.

Indonesia has a regulatory sandbox that aims to assess the reliability of business processes, business models and financial instruments, and for the governance of unrecognised or unregulated fintech providers. BI maintains a regulatory sandbox for payment system fintech providers, while the OJK has a regulatory sandbox for providers of non-payment system fintech.

BI Regulatory Sandbox

The legal basis for the BI regulatory sandbox is set out in BI Reg 23/6 in conjunction with Law 4/2023. A regulatory sandbox is conducted by the BI to test the development of technological innovation (which includes products, activities, services and business models) against prevailing policies or provisions on payment systems.

OJK Regulatory Sandbox

Under OJK Reg 3, a fintech provider in the non-payment systems sector – such as an aggregator, a financial planner or an innovative credit assessor – is mandated to apply to the OJK to participate in the OJK’s FSTI regulatory sandbox. Once the OJK issues the approval to participate in the sandbox, the provider will be assessed by the OJK while in a regulatory sandbox. Within a year, the OJK will issue the result of the assessment that will determine whether the provider passes or fails the regulatory sandbox. If it passes, the OJK will require the provider to apply for a business licence and may request the provider to apply for registration before submitting the business licence application.

Indonesian regulators may co-ordinate with each other to confirm the boundaries of their respective regulatory authority. In 2019, the OJK decided to transfer its regulatory authority over crypto-assets and digital gold trading to Bappebti (a government agency under the Ministry of Trade that regulates futures trading, and, in this case, oversees crypto-assets trading). With the enactment of Law 4/2023, the regulatory authority over crypto-assets has been transferred to the OJK since 10 January 2025.

In addition, a joint task force of Indonesian regulators is also a concrete example of how such regulators co-operate with each other. In 2016, the Investment Awareness Task Force (IATF) was established by the following several Indonesian regulators and law enforcement institutions. However the IATF was modified as the Eradication of Illegal Financial Activities Task Force (the “EIFA Task Force”) in 2023 and through the addition of four governmental institutions into the composition, thus currently the task force consists of:

• the OJK;
• the Ministry of Trade;
• the Investment Co-Ordinating Board;
• the Ministry of Communication and Digital Affairs (MCD);
• the Public Prosecution Service of Indonesia;
• the National Police;
• the Ministry of Social Affairs;
• the Ministry of Foreign Affairs;
• the Ministry of Law; and
• the State Intelligence Agency.

As discussed in 2.2 Regulatory Regime, while the OJK and BI both have regulatory and supervisory roles in the financial services sectors, their authorities differ. The BI is responsible for formulating and implementing monetary policies (including those related to exchange rate stability and inflation), maintaining the stability of the payments system, and regulating the stability of the financial system by supervising macro-economic conditions and enacting macroprudential policy to prevent financial crises. On the other hand, the OJK oversees the banking and non-banking industry (including ensuring compliance with regulations through licensing and reporting obligations) and protects consumers within the financial services sectors.

Pursuant to OJK Regulation No 31 of 2024 on Written Orders (“OJK Reg 31”), the OJK is authorised to issue a written order to financial services institutions and/or certain parties to implement, or not, certain activities. The purpose of this issuance is to ensure compliance with the laws and regulations in the financial services sector and/or to minimise or prevent losses to consumers, the public and the financial services system.

The written orders can be issued to both financial services institutions and/or certain other parties, such as:

• the shareholders, board of directors, and board of commissioners of the financial services institution;
• parties that have affiliation with the institution;
• other financial services actors; and
• issuers or public companies.

OJK Reg 31 does not explicitly define the scope of the written order, therefore it is possible to include “no-action” letters within the scope since OJK is also authorised to issue any legal product on a discretionary basis.

OJK Reg 40 allows P2P lending companies to outsource certain work to third parties by virtue of an outsourcing agreement, provided that the work is not related to a funding feasibility assessment; also, information technology operating, specifically regarding the user management activities and database management, cannot be outsourced.

Nevertheless, outsourcing of information technology-related tasks is permissible when it involves the development of information technology and meets the following requirements:

• the P2P lending company owns the digital application’s source code and access to the production server;
• information technology development is carried out on behalf of the P2P lending company; and
• information technology development is not conducted during the deployment and production maintenance stages.

The eligible vendor for outsourcing must fulfil the following requirements:

• the vendor is in the form of a legal entity in Indonesia;
• the vendor is a registered member in associations of similar companies recognised in Indonesia or internationally;
• it does not affect the reputation of the P2P lending company who outsources the work; and
• the outsourcing is implemented in accordance with the provisions of laws and regulations in the field of employment.

OJK Reg 40 emphasises that P2P lending companies are responsible for work outsourced to third parties. P2P lending companies that sign co-operation agreements on outsourcing with vendors shall report the co-operation to the OJK within five days as of the execution of the co-operation agreement.

Fintech providers are fully responsible for their platforms and other services provided to their customers and cannot abdicate their responsibility to any party (with reference to Law No 8 of 1999 on Consumer Protection, or the “Consumer Protection Law”, and OJK Reg 22, and also adopted by OJK Regs 40 and 57).

The OJK has deregistered many fintech players, especially P2P lending companies. The most significant reasons for deregistration are late filing of licence applications (or passing of the deadline) and illicit conduct.

Through its EIFA Task Force, the OJK regularly receives reports from the public on a variety of unlicensed investments, including cross-border investments. The OJK updates a list of entities that allegedly offer “illegal” investments and that are potentially fraudulent. In performing its duties, the EIFA Task Force co-operates with the MCD to block access to websites or apps of the operators concerned.

Obtaining an Electronic System Operator (ESO) Certificate

Fintech providers must comply with regulations on the use of electronic platforms in Indonesia. Whether applications or websites, these are classified as electronic systems pursuant to Government Regulation No 71 of 2019 on the Implementation of Electronic Systems and Transactions (“Reg 71”). An ESO and its electronic system must be registered with the MCD in accordance with Reg 71. The MCD will issue an ESO Certificate to an ESO that has successfully registered its platform with it.

Personal Data Management and Handling

In addition to a requirement to obtain an ESO Certificate, implementation of an electronic system must accord with personal data protection principles. All stages of personal data processing by an ESO (including the collection, processing and analysis, storage, disclosure and deletion of user data) must maintain data privacy and comply with the law – in this case, Law No 27 of 2022 on Personal Data Protection in conjunction with Law No 11 of 2008, as amended by Law No 19 of 2016 and Law No 1 of 2024 on Electronic Information and Transactions (the “EIT Law”), Reg 71, and Ministry of Communication and Informatics Regulation No 20 of 2016 on Personal Data Protection in Electronic Systems.

Prohibition on Pornographic Content

The law and regulations prohibit the intentional and unauthorised distribution of, transmission of, creation of or action resulting in accessibility to electronic information or data with immoral content. This is also in line with the Pornography Law, which prohibits anyone from producing, creating, copying, multiplying, distributing, broadcasting, importing, exporting, offering, selling and purchasing, leasing or providing pornography that explicitly shows:

• sexual intercourse;
• sexual exploitation;
• masturbation;
• nudity or displays of exotic nudity;
• sex organs; or
• child pornography.

Implementation of Anti-money Laundering (AML) and Counter-terrorism Financing (CFT)

OJK Regulation No 8 of 2023 on the Implementation of AML, CFT, and Prevention of Proliferation of Weapons of Mass Destruction Funding Programmes Within the Financial Services Sector (“OJK Reg 8”) applies to fintech providers that receive fees from customers in return for their services as P2P lenders and equity crowdfunding providers. These providers must have a policy, supervisory protocol and procedure to mitigate the risk of money laundering and financing of terrorism related to their customers, and must report the implementation thereof to the OJK and suspicious transactions to the Financial Transaction Reports and Analysis Centre (PPATK).

Business associations in fintech sectors play a significant role in overseeing fintech players. Currently, two business associations are recognised by the OJK: the Indonesia FinTech Association (AFTECH) and the Perkumpulan Fintech Pendanaan Bersama Indonesia (AFPI). Both associations have tried to supervise those aspects of fintech activities that are not yet stipulated in the regulation by issuing a code of conduct for each fintech sector. The OJK is also mandated to ensure the compliance of fintech players with the prevailing regulation as well as to supervise the way fintech players conduct their business.

The AFPI has issued a code of conduct that prevails for all P2P lending companies, while the AFTECH issued codes of conduct in November 2020 for three business clusters: aggregators, innovative credit scorers and financial planners. In addition to the associations, the public can also participate in the review of illegal fintech-provider activities by submitting a report to the EIFA Task Force.

Financial products and services are highly regulated in Indonesia, in the sense that all financial products and services offered should be supervised by either the OJK, Bappebti or BI. In the fintech sector, not all products and services are yet regulated. This is due to the rapid growth of innovation in digital financial services and because regulators are still playing catch-up with this development, particularly in formulating regulations that fit products and services offered by fintech players.

The OJK and BI have attempted to address the situation by introducing a regulatory sandbox as a testing mechanism aimed at accommodating all types of fintech products and services, while simultaneously assessing their “fit” with existing regulations; otherwise, new regulations would need to be prepared. This helps create a framework that accommodates innovation but also affords adequate protection to the public.

For those parts of the fintech industry already regulated, such as P2P lending and securities crowdfunding, entities engaged in these sectors must be single-purpose companies, and will not be permitted to offer products or services beyond what their licences permit.

In general, the AML rules are applicable to all companies in Indonesia. However, specifically for banks and non-bank financial institutions that also include fintech companies that receive or bridge fund flows from their customers or users, both the OJK and BI have stipulated more specific AML rules that should be implemented by fintech companies categorised as non-bank financial institutions.

Although unregulated fintech companies are not bound by the AML rules under the BI and the OJK as they have not been recognised as financial service providers by the laws and regulations, they are expected to adopt the general AML rules. This can be achieved by a business association issuing a policy on AML that is then adopted by the unregulated fintech companies.

Indonesia is a member of the Financial Action Task Force (FATF) and has been adopting FATF standards in the financial service sectors. The OJK, BI, and Bappebti have established the regulatory framework to implement the standards through these regulations:

• OJK Reg 8;
• BI Regulation No 10 of 2024 on Implementation of Anti-Money Laundering, Prevention of Terrorism Funding, and Prevention of Funding for the Proliferation of Weapons of Mass Destruction for Parties Regulated and Supervised by Bank Indonesia; and
• Bappebti Regulation No 6 of 2019 on Implementation of Anti-Money Laundering and Prevention of Financing of Terrorism Programmes Related to the Administration of the Physical Market of Commodities on Futures Exchanges.

The regulators have developed AML supervisory frameworks, including measures to prevent criminals from controlling financial institutions through ownership, requiring business actors in financial service sectors to use IT tools, and employing experts to assess AML risks. The OJK also implements financial inclusion as the key AML strategy.        

Indonesian law does not provide a distinction as to the methods of product marketing. No distinction is made between general solicitation, reverse solicitation and unsolicited approach.

In principle, offering regulated products and services from another jurisdiction under a pure reverse solicitation scenario, where the Indonesian client independently initiates the engagement, may not trigger domestic licensing or approval requirements. However, in practice, this is assessed on a case-by-case basis, with regulators focusing on whether there has been any active marketing, facilitation or indirect solicitation within Indonesia that would trigger compliance with the domestic regulations in Indonesia.

Since Bappebti issued Regulation No 12 of 2022 on the Implementation of Delivery of Information Technology-based Advice in the Form of Expert Advisers in the Commodity Futures Trading Sector (“Bappebti Reg 12/2022”) on 2 September 2022, a party offering and providing an IT-based advisory service in the form of an expert adviser in commodity futures trading must obtain the prior approval of the head of Bappebti to carry out activities as a futures adviser providing IT-based advisory services. This way, Bappebti aims to eradicate fraudulent trading robots that were in the public spotlight in 2022.

In different asset classes (for example, mutual funds), several mutual fund sales agents (APERDs) have used robo-advisory services when operating their businesses. Robo-advisory services in this asset class have not yet been regulated. However, based on the authors’ observation, APERDs that provide robo-advisory services have secured approval from the OJK as financial advisers. In theory, if a specific stipulation does not exist for a given asset class, a robo-adviser for that class may fall within the regulatory sandbox scheme, specifically the OJK scheme.

The implementation of solutions introduced by robo-advisers may vary, depending on the features provided by the providers. However, this must adhere to specific regulations, internal guidelines or rules that apply to those fintech providers.

For robo-adviser operators in stock trading, the actual trading of stocks should be carried out by securities companies. The robo-adviser platform should therefore co-operate with a securities company instead of replacing it. This issue arises owing to the absence of regulations on robo-advisers in stock trading in Indonesia, which might otherwise differentiate between robo-adviser services and conventional existing services.

OJK Reg 40 does not identify special treatment for individuals or small-business borrowers. OJK Reg 40 stipulates that Indonesian citizens, legal entities and business enterprises can all become borrowers in P2P lending.

P2P lending companies are required to mitigate risk in carrying out their business, pursuant to OJK Reg 40. Risk mitigation includes the activities of:

• analysing funding risk;
• verifying identity of users;
• collecting funding; and
• facilitating the transfer of risks.

For P2P lending, funds come from individual or institutional investors. This is regulated under OJK Reg 40.

Equity-based fundraising is covered separately in OJK Reg 57. This does not involve lending but allows companies to raise capital through equity, debt securities, or sukuk.

Deposit-taking is strictly regulated and reserved for commercial banks. This is regulated under the Banking Law (Law 7 of 1992, as amended) OJK Regulation 12/POJK.03/2021 on Commercial Banks.

Lenders, particularly banks and multi-finance companies, may securitise their loan portfolios by issuing asset-backed securities (KIK-EBA).

OJK Reg 40 does not dictate a catch-all scheme for fintech lenders. However, a borrower that uses a P2P lending company’s platform may receive a loan from many lenders or from just one.

Payment processors may use existing payment rails or create/implement new ones if they have obtained the required licences from the BI as a payment system, payment system infrastructure or payment system-supporting service provider. If newly created payment rails do not fall completely within the scope of existing payment system licences issued by the BI, the fintech recordation regime must accommodate them.

As the activity relates to payment systems, fintech recordation should fall under the fintech regulation of the BI, and for such recordation, payment processors must lay out details of their new payment rails. The BI will then decide whether the new payment rails can be used in Indonesia until it issues a new regulation or policy. Alternatively, it may require payment processors to obtain a licence based on the existing regulations or order them to stop using the new payment rails.

Cross-border payments and remittances fall within the supervision of the BI, and may be carried out both by banks and by non-bank entities. For licensing, only non-bank entities will need to obtain a remittance licence as a category-3 payment service provider from the BI before engaging in remittance activities. For banks, since remittance is one of their permitted activities, no separate licence is required to provide this service. However, both banks and non-bank entities will need to comply with requirements to report to the BI on their remittance services.

Cross-border remittance can only be done in co-operation with a provider that has obtained a remittance licence from the relevant authority in its home jurisdiction, and it must obtain BI approval. The BI is also authorised to stipulate an upper limit for cross-border remittances. However, this will only apply to non-bank entities.

Banks and non-bank entities that provide cross-border remittance services also need to comply with the reporting requirements set out by the PPATK.

Securities Trading

The most common trading platforms in Indonesia are those that relate to securities (including scripless stock and mutual funds) trading. These platforms must be operated by a licensed securities broker and may only be used by customers of that broker. Operation of such a trading platform is stipulated in OJK Regulation No 50/POJK.04/2020 on Internal Control of Securities Companies that act as Securities Brokers, which allows a securities company to use electronic communication – including the internet, short messaging services, wireless application protocols and other electronic media – to facilitate its securities transactions.

In addition to the trading feature, the platform must also provide information on:

• trading risk;
• the security and confidentiality of all data;
• how an order will be processed by the broker; and
• procedures for handling order delays or instructions for addressing disruption to the system.

In marketing securities, the securities broker can also engage another bank or non-bank financial institution (including a crowdfunding organiser) or a peer-to-peer lender to act as its marketing partner. The partner must be registered with the OJK as a partner of the securities broker.

The sale of mutual funds via a platform can also be performed by fintech companies licensed by the OJK to act as mutual fund sales agents.

Crypto-Assets Trading

Law 4/2023 and its implementing regulation transferred the oversight and supervisory authority over digital financial assets, including crypto-assets and financial derivatives, from Bappebti to OJK. Subsequently, OJK issued OJK Reg 27/2024.

The key players involved in the crypto-asset trading ecosystem are, OJK, crypto exchanges, crypto-asset clearing agencies, crypto-asset traders (commonly known as crypto-asset trading/exchange platforms), and crypto-asset depository agencies.

Please refer to 6.3 Impact of the Emergence of Cryptocurrency Exchanges and 10.3 Classification of Blockchain Assets for further details on this topic.

Futures Commodities Trading

Bappebti, as futures trading supervisor, has not issued a specific regulation on the use of online platforms for futures trading. However, Bappebti allows futures commodities brokers to use online electronic media for customer onboarding processes, provided prior approval from Bappebti exists for an online feature. In practice, trading in commodities futures, which may also include digital gold, can be done via a platform as long as the platform is operated by a licensed commodities futures broker also connected to an online trading platform provided by the Indonesia Commodity and Derivatives Exchange (ICDX) and the Jakarta Futures Exchange (JFX).

Money Market

Under BI Board of Governors Regulation No 21/19/PADG/2019 on Providers of Electronic Trading Platforms, operators of electronic trading platforms that facilitate transactions within money and foreign exchange markets need to be licensed by the BI. Initially, an operator can apply to the BI for an in-principle licence. With this, the operator is allowed to start preparing the infrastructure of its platform, including a feasibility study of its business operation. Once preparation is complete and the operator is ready to start operating, it may apply for a business licence. Operations can only commence after a BI licence has been issued.

As discussed in 6.1 Permissible Trading Platforms, each asset class will have its own regulatory regime. Securities trading and crypto-assets trading falls under the supervision of the OJK, while futures commodities (including digital gold) fall under the supervision of Bappebti. The BI supervises the use of trading platforms within money and foreign exchange markets.

Virtual currencies (including cryptocurrencies) are not recognised as a legitimate payment instrument in Indonesia. However, the increase in popularity of cryptocurrencies in Indonesia has pushed the Indonesian government to issue a legal framework for cryptocurrencies in the Indonesian market.

Cryptocurrencies in Indonesia are recognised as crypto-assets that can only be traded as digital financial assets at a crypto-assets futures exchange approved by the OJK. Trading can also be done through a crypto-asset traders’ platform connected with a digital financial assets exchange platform. Key players involved in crypto-assets transactions are:

• exchanges;
• clearing agencies;
• traders;
• depository agencies for crypto-assets;
• facilitator of supporting activities in the digital financial assets market; and
• FSTI organisers.

All of these need to be licensed by the OJK.

Tradable crypto-assets are only those registered in the crypto-asset list issued by the digital financial asset exchanges and such list must be evaluated by the OJK. OJK Reg 27 states that the crypto-asset list issued by Bappebti remains valid until a new list is issued by the exchange, which must be done within three months from the effective date of OJK Reg 27. Currently, the list is stipulated in Bappebti Regulation No. 11 of 2022 as lastly amended by Bappebti Regulation No. 4 of 2023 and Bappebti Regulation No. 1 of 2025 (the “Bappebti List of 2025”). Under the Bappebti List of 2025, Bappebti has increased the number of types of crypto-assets that could be traded in the exchange from 545 to 1,396. These include:

• SushiSwap (SUSHI);
• PancakeSwap (CAKE);
• AAVE;
• Internet Computer (ICP);
• Axie Infinity (AXS);
• Ethereum Name Service (ENS);
• TROY;
• Reef;
• 1inch Network;
• dYdX;
• THORchain (RUNE);
• The Graph (GRT);
• Apecoin (APE);
• Anchor Protocol (ANC); and
• Secret (SCRT).

See 10. Blockchain for more detail on the criteria for crypto-assets.

In Indonesia, listing standards are relevant for products in the capital markets sector, which includes stocks and bonds. The listing must follow the rules of the Indonesian Stock Exchange (IDX). There are currently three listing boards on the IDX: the main, development and acceleration boards.

The main and development boards are designated for companies that have already started operations within a certain period and have a certain level of assets. For example, to list its stocks on the main board a company must have net tangible assets of more than IDR100 billion; while to be listed on the development board, it must have IDR5 billion in assets and income of more than IDR40 billion. Most companies in Indonesia list their stocks on the main board.

The acceleration board is designated for small and medium-scale businesses with a range of assets from IDR50 billion to IDR250 billion. Small and medium-scale companies may list their stocks immediately upon establishment. The financial and accounting requirements and the offering structure for the acceleration board are relatively simple compared with those for the main and development boards.

In relation to stock trading, both the OJK and the IDX set out general rules on procedures that need to be implemented by securities brokers when handling their customers’ orders. In accepting orders, the OJK requires securities brokers to verify customer identity and record details of the order, such as the number, type and price of the stocks. The securities broker must also maintain a risk-management unit that is responsible for, among other things, verifying orders or instructions from customers to ensure the availability of funds or stocks for settlement of the transaction. Specifically, securities brokers that operate a trading platform must ensure that the platform provides information on procedures to handle delays to orders owing to an interruption of the online system.

The IDX also stipulates that a securities broker may only accept and execute a trading order from a board member or member of staff if the securities broker maintains a standard operating procedure that stipulates, among other matters, the prioritising of customer orders.

Recent developments on the order-handling rules are the introduction of an automated ordering feature in the securities-trading platform operated by securities brokers. With this feature, a user may order securities based on algorithms and parameters established in the platform, which may include volume, price, instrument, market and time. In order to be able to include this automated ordering feature in its trading platform, the securities broker must first obtain prior approval from the IDX.

Before the acknowledgment of cryptocurrency as crypto-assets, many players in the sector established peer-to-peer trading platforms to trade various cryptocurrencies. However, since the enactment of regulation on crypto-asset trading on futures and digital exchanges, trading was centralised to the crypto-assets futures exchange. Trading in crypto-assets needs to be carried out via a crypto-assets exchange approved by the OJK. This marks the end of peer-to-peer trading platforms for cryptocurrencies in Indonesia.

For stock trading, all activities are centralised with the IDX and every party involved in stock trading needs to obtain a licence beforehand from the OJK and follow the IDX rules. The closest structure to a peer-to-peer trading platform is the securities crowdfunding platform stipulated in OJK Reg 57. This regulation defines securities crowdfunding as an offering of securities by an issuer directly to an investor using a publicly accessible electronic system. The issuer will be exempted from the normal capital market rules on initial public offerings if the offer is through an OJK-licensed provider and only for a period of not more than 12 months; and should not raise more than IDR10 billion.

A securities crowdfunding platform provider may also provide a system that facilitates secondary market trading in securities that were distributed at least one year before the trade. A trade in the secondary market can only be conducted between investors that are registered with the platform, with no more than two trades within 12 months and a gap of six months between each trade.

Although the platform operates in a similar way to a peer-to-peer trading platform, all trading (including changes of securities ownership) made through the securities crowdfunding platform must be registered with the Indonesian Central Securities Depository (KSEI) as the agency in the Indonesian capital markets that provides organised, standardised and efficient central custodian and securities transaction settlement services, in compliance with the Indonesian Capital Market Law.

No specific regulation on payment for order flow exists in Indonesia. In general, all securities brokers need to execute their trade orders themselves, and may only assign them to another broker if there is trouble in the trading system or if the stock exchange suspends them while an outstanding order needs to be executed. Furthermore, the securities brokers must also disclose fees charged to customers when facilitating a trade (including their fee) and fees charged by the stock exchange.

A benchmark fee (or commission) that may be charged by a securities broker must be agreed and stipulated by members of the Indonesia Securities Company Association.

The fundamental principles of Indonesian capital market laws and regulations are:

• disclosure;
• efficiency;
• fairness; and
• protection of investors.

For investor protection, the Indonesian Capital Market Law stipulates two key areas of market abuse: insider trading and market manipulation. The Law stipulates that parties (which includes individuals, companies, partnerships, associations or organised groups) are prohibited from:

• deceiving or misleading other parties through the use of whatever means or methods;
• participating in a fraud or deception against another party;
• giving false statements on material facts; or
• failing to disclose material facts that are necessary in order to avoid a statement being misleading.

A violation of the market abuse prohibition is subject to imprisonment for up to ten years and a fine of up to IDR15 billion.

Aside from the IDX rule on the use of the automated ordering feature in a securities trading platform (see 6.5 Order Handling Rules), high-frequency and algorithmic trading are not yet specifically regulated in Indonesia. In practice, many players already use these technologies in both securities and futures commodities trading. This practice is also acknowledged by both the OJK and the IDX.

The OJK, under its digital finance innovation rule, recognises the use of retail algorithmic trading as part of innovation that needs to be recorded at the OJK. Once recorded, the OJK will include a provider of retail algorithmic trading in a regulatory sandbox. The OJK will then further analyse the activities to determine whether the provider may continue their services in retail algorithmic trading. Additionally, in a press release on the IDX’s mission for 2018–21, one item was to increase securities transaction liquidity by perfecting the features and capacity of the trading system (including to anticipate customers that use algorithmic trading and high-frequency trading as their trading methods). The mission was then implemented with the introduction of an automated ordering feature in the securities trading platform operated by securities brokers that allows users to order securities through the platform based on algorithms and parameters in the platform.

One concern with the use of high-frequency and algorithmic trading is the potential breach of the market manipulation rule under the Indonesian Capital Market Law, which prohibits action that is misleading with regard to trading activity and manipulation of securities prices.

Market makers in Indonesia are only recognised for trading in commodities futures. market maker is defined as a party continuously quoting sell or purchase orders during trading hours. The futures exchange and futures clearing house will jointly determine parties appointed as market makers with the approval of the head of Bappebti. However, there are no specific registration requirements for market makers within the context of high-frequency and algorithmic trading in commodities futures.

For securities trading, the OJK is still preparing a regulation that will require the registration of market makers at the stock exchange.

This is not applicable in Indonesia. See 7.1 Creation and Usage Regulations.

There is still no specific regulation in Indonesia on the development and creation of trading algorithms. To the extent that programmers are only involved in the creation of the system but not actual trades, it is unlikely that they would fall under the supervision of the OJK, Bappebti, the BI or the IDX. However, if the activities progress to involvement in actual trades, they may fall within the ambit of the OJK’s digital finance innovation rule and would thus need to be recorded with the OJK.

By virtue of the new OJK Regulation No 28 of 2022, which is an amendment to its predecessor, OJK Regulation No 70/POJK.05/2016 on Business Operations of Insurance Brokers, Reinsurance Brokers and Insurance Loss Assessor Companies (“OJK Reg 28”), insurtech is finally covered by a comprehensive regulatory regime. Previously, the insurtech business was largely unregulated, classified as a fintech cluster, and categorised as an FSTI under the OJK.

OJK Reg 28 defines the concept of “insurtech” as a digital insurance brokerage service, which is one of the activities carried out by an insurance broker company with prior approval from the OJK. A party that can carry out such activities includes either a duly licensed insurance broker or one that has not secured a business licence as an insurance broker at that time but is in the process of filing an application for an insurance broker business licence. Certain requirements are imposed by the OJK for an insurance broker to secure approval, including meeting equity requirements – ie, by submitting:

• the last two-quarters of the company’s financial statements for a licensed insurance broker; or
• an audited financial statement by a public accountant for a party that has not been licensed as an insurance broker.

As regards the underwriting process, OJK Reg 28 clarifies that the underwriting of a digital insurance broker must be minimal – ie, a process that does not require a direct or face-to-face survey over risks, a health check, etc. For example, in motor vehicle insurance, there is no requirement for physical checking of the vehicle, and no medical examination would be required for life insurance for underwriting within guaranteed acceptance criteria.

Insurance products in Indonesia are generally grouped into two categories from an insurance regulatory perspective: life insurance and general insurance products.

Insurance companies are limited to doing business tailored to their licences; this means that the offer of overlapping services – ie, life insurance and general insurance at the same time – is not permitted.

Business expansion for insurance companies, however, is possible in that life insurance companies can expand their business to investment-related insurance products and fee-based activities (these include marketing other non-insurance products – eg, mutual funds or other products of financial institutions licensed by the OJK), credit insurance and suretyship, or other activities assigned by the government. Sharia-compliant general insurance companies can expand into these activities, except for credit insurance and suretyship; whereas general insurance companies are only allowed to add fee-based activities to their expanding business.

Life insurance and general insurance products, including those that are Sharia-compliant, are subject to different regulatory treatment.

At the time of writing, regtech is unregulated and classified as a fintech cluster, and players in the sector qualify as FSTIs under the OJK. It was reported in 2022 that the regulator was preparing a regulatory framework for regtech. Regtech solutions in the market today are spread into several clusters under the OJK:

• regtech (automates the collection and storage of customer due diligence (CDD) data to comply with AML and CFT regulations);
• e-KYC (solutions for digital identity and digital signature);
• verification technology (identification and non-CDD verification platforms);
• tax and accounting (tax and accounting reporting solutions); and
• management of track record information for parties involved in financial offences within the financial services sector.

Subcontracts between duly licensed financial service entities and third parties are generally dictated by regulations. For example, this is the case in banks (commercial and rural banks, including those that are Sharia-compliant) for outsourcing their IT systems.

While not specifically applicable to regtech, the OJK mandates specific provisions that must be included for banks to outsource their IT activities, and the contract must contain standard clauses as prescribed by OJK regulations (eg, OJK Regulation No 11/POJK.03/2022 on the Implementation of IT by Commercial Banks, and its implementing regulation, OJK Circular Letter No 21/SEOJK.03/2017). Among the most significant provisions are those concerning:

• data protection;
• confidentiality;
• human resources;
• IP rights and licences;
• systems security standards;
• data centres; and
• disaster-recovery centres.

Service-level agreements (SLAs) are also mandatory, containing performance standards such as promised service levels and performance targets.

The use of blockchain by incumbent players in Indonesia’s financial sector is growing. In fact, the BI has been a pioneer in leveraging blockchain technology by formulating the country’s own central bank digital currency (CBDC): a digital rupiah pilot programme known as Project Garuda. This is further discussed in 10.2 Local Regulators’ Approach to Blockchain.

Some major banks have paved the way for blockchain adoption: Bank Permata, Bank Negara Indonesia (BNI) and Bank Rakyat Indonesia (BRI) deploy blockchain for trade finance and remittance products. Bank Central Asia (BCA) initiated a financial hackathon for start-ups to drive growth in the use of blockchain. Some other major banks are reportedly pursuing routes to blockchain adoption, including the potential to use blockchain for KYC shared storage on blockchain.

The authors believe that the leveraging of blockchain technology by traditional players – particularly in some aspects of settlements, KYC and financial inclusion – will become more prevalent to keep up with blockchain technology.

There has yet to be a specific rule proposal, let alone legislation, that governs blockchain adoption, although the government continues to welcome this through its technology-neutral approach in general. Within the financial sector, as mentioned in 10.1 Use of Blockchain in the Financial Services Industry, the BI has formulated Project Garuda, for which a White Paper was released on 30 November 2022. The digital rupiah will be developed in three stages – immediate state, intermediate and end-state – and will run on a permitted blockchain network. The three-stage approach will create the digital rupiah as a wholesale CBDC (w-CBDC or w-digital rupiah cash ledger), a more-advanced w-CBDC (w-digital rupiah cash and securities ledger) and retail digital rupiah (r-CBDC).

The W-digital rupiah (initial stage) will include CBDC issuance, redemption and transfer, including integration with the BI real-time gross settlement (RTGS) system. The second stage – ie, a more-advanced w-CBDC – will take the digital rupiah as a means of settlement of securities transactions via central counterparties (CCP) as well as tokenisation of securities. In the final stage, the digital rupiah will become an r-CDBC to be distributed to retail users, including for distribution and collection, P2P transfer, and payments.

Notwithstanding the above, by virtue of the consolidated law within the financial sector, Law 4/2023, Indonesia now permits smart contracts as a form of contract for transactions in capital markets, money markets and foreign exchange (forex) markets, including derivatives transactions. Law 4/2023 further clarifies that smart contracts, or their printouts, can be used as legal evidence, as will be further stipulated in the law on information and electronic transactions.

The use of smart contracts must be followed by storage of such contracts, which must at least contain terms and conditions concerning the automation of rights and performance of obligations based on a smart contract; such a contract is used as a framework agreement that contains natural language to underpin automation of rights and performance of obligations in smart contracts. In other words, the use of smart contracts in the financial sector is an alternative to traditional contracts, since the contract is agreed upon in natural language, but the obligations are performed by code (program).

Law 4/2023 further states that smart contracts will be subject to the OJK implementing regulations in accordance with the law on information and electronic transactions.

The OJK has been embracing the use of blockchain, as seen in the identification of blockchain-based fintech companies as a fintech cluster. Also, the OJK envisages blockchain-based technology as an aid for securities crowdfunding in data exchange.

Law 4/2023 mandates the shift of authority and supervisory duties over digital financial assets (including crypto-assets), as well as other financial derivatives, from Bappebti to the OJK. The transition is to be completed within 24 months, and will be subject to an implementing regulation mandated to be completed within six months after the enactment of Law 4/2023.

As a result of the shift of regulatory and supervisory authority from Bappebti to the OJK, blockchain or crypto-assets are recognised as digital financial assets. This shift signifies that crypto-assets are no longer being classified as tradable commodities under the supervision of Bappebti.

Crypto-assets may only be traded through a crypto-asset exchange supervised by OJK or futures exchange licensed under Bappebti before the authority shifted to the OJK. The assets shall also be listed in the white list which will be updated from time to time (currently, in the Bappebti List of 2025, there are 1,396 registered crypto-assets). To be eligible as tradable crypto-assets in the local market, they must meet, at a minimum, the following criteria.

• They must employ distributed ledger technology (DLT).
• They must be asset-backed or utility-based.
• Have been assessed via the analytical hierarchy process (AHP) method as determined by Bappebti or the OJK, which also considers the market cap value of the crypto-assets, and whether they:
1. are traded on the largest crypto-asset exchange in the world;
2. offer economic benefit; and
3. have successfully passed a risk assessment, including regulations on AML, CFT and proliferation of weapons of mass destruction.
• They are not financial assets that are recorded electronically by financial service institutions.
• They are not sourced and/or used in activities contrary to the provisions of laws and regulations.
• They must fulfil other criteria determined by the OJK.

The issuance of crypto-assets remains unregulated despite their rising popularity among local “issuers” in the country; the same sentiment also applies to initial coin offerings (ICOs), and the main regulation of crypto-assets (OJK Reg 27) explicitly states that it excludes ICOs and/or initial token offerings from the scope of its regulatory scheme.

Blockchain asset-trading platforms are regulated in Indonesia. These are defined in the regulation as “crypto-asset traders”. Crypto-asset traders (commonly known as crypto-asset trading/exchange platforms) are defined as parties that have secured approval from Bappebti to carry out crypto-asset trading transactions in their own right and on behalf of customers.

While the authors understand that the term “cryptocurrency exchanges” is more commonly used internationally for crypto-asset traders, it is important to point out here that the term “exchange” is used in the regulation to define a futures exchange that has secured approval from Bappebti to facilitate the trading of crypto-assets; hence, the government of Indonesia is introducing a rather different approach as regards the crypto-asset ecosystem in Indonesia.

In general, the key players involved in the physical crypto-asset futures market are:

• Bappebti;
• crypto-asset exchanges;
• clearing agencies;
• traders; and
• depository agencies.

A crypto-asset trader must be:

• incorporated as a limited liability company;
• a member of a crypto-asset exchange and a crypto-asset clearing agency; and
• designated as a trader by the crypto-asset exchange.

Each type of transaction mechanism deployed by crypto-asset traders must be regulated under the rules and regulation of the exchange. Such rules and regulation, along with amendments (if any), must be approved by the OJK.

Crypto-asset traders must meet certain criteria as specified in the regulation, including:

• having minimum paid-up capital of IDR100 billion during the application of business licences;
• the ability to maintain equity of at least IDR50 billion;
• an organisational structure consisting of at least an information technology division, audit division, legal division, consumer complaints division, client support division, as well as an accounting and finance division;
• sufficient online trading systems and facilities to facilitate the trade;
• having certain trading rules and standard operating procedures based on minimum requirements set out by the regulations;
• having at least one employee who is a certified information systems security professional; and
• having prospective members of the board of directors, board of commissioners, shareholders, and/or controllers who pass the fit-and-proper test conducted by the OJK.

Article 82 paragraph 4 of OJK Reg 27 acknowledges that the OJK may grant additional licences to licensed crypto-asset traders, including licences for staking services. However, such authorisations are contingent upon the trader entering into a co-operation agreement with the Ministry of Home Affairs to secure access rights and use population data in connection with the implementation of AML, CFT, and the Prevention of Proliferation of Weapons of Mass Destruction Funding Programmes. Nevertheless, OJK Reg 27 does not yet provide specific details regarding the staking licence.

Crypto-related lending remains unregulated under the current regulatory frameworks.

The offering of cryptocurrency derivatives is not regulated. However, CFX, a crypto exchange in Indonesia launched its first cryptocurrency derivative product in September 2024.

Decentralised finance (DeFi) is not yet regulated in Indonesia. Nonetheless, some local players have tested the water, as listed below. It should be noted that the following are still in their early stages and that the market is expected to evolve.

• Litedex Protocol, a decentralised exchange (DEX), is a protocol that will serve as a meta finance blockchain developer for local players. The protocol develops elements of DeFi, including staking, yield farming, swapping, liquidity pool and borrowing and lending, as well as non-fungible token (NFT) marketplace and bridge features. Litedex Protocol is also developing its native token, the LDX token.
• tokocrypto, the first registered crypto-asset trader (crypto-exchange), initiated a DeFi utility project through its platform token, Toko Token (TKO). The TKO ecosystem promotes some DeFi elements, such as borrowing and lending, and staking and savings. On another note, tokocrypto, and some other traders, also list native DeFi tokens available for trading purposes on its platform.

Currently, funds investing in blockchain assets are not regulated, although, per the prevailing regulation, only individuals are allowed to become crypto-asset customers trading in the Indonesian physical/spot crypto-assets market.

Virtual currencies and blockchain assets are treated differently, in that virtual currencies are prohibited from use as legitimate means of payment in Indonesia, except for the digital rupiah (see 10.2 Local Regulators’ Approach to Blockchain for further detail). Per Law 4/2023, in a move to keep up with the fast-changing crypto landscape, Indonesia has now paved the way for CBDC through a digital rupiah, which will be a form of legal tender and have effectively the same role as the fiat rupiah.

In contrast, blockchain assets or crypto-assets are recognised as commodities that can be traded on the country’s crypto exchanges.

At the time of writing, NFTs are not yet regulated, although it should be noted that, by virtue of the definition of “crypto-assets” under OJK Reg 27, NFTs may fall under the regulatory regime. Crypto-assets are defined in the regulation as a digital representations of value that can be stored and transferred using technology that enables the use of distributed ledger systems, such as blockchain, to verify transactions and ensure the security and validity of stored information. They are not guaranteed by a central authority, such as a central bank, but are issued by private entities. This representation can be transacted, stored, and transferred electronically and may take the form of digital coins, tokens, or other asset representations, including backed crypto-assets and unbacked crypto-assets.

Open banking in Indonesia has yet to be comprehensively implemented, although such notion is included in the BI’s new strategic framework, the 2025 Indonesia Payment Systems Blueprint (the “BI Blueprint”). The BI Blueprint specifies five initiatives for the next five years to create a more effective and streamlined system for payments:

• open banking;
• retail payment systems (and a Quick Response Code Indonesia Standard (QRIS) code system);
• market infrastructure;
• data; and
• regulatory licensing and supervision.

These initiatives are implemented by five working units under the BI, which has now launched the National Open API Payment Standard (SNAP) as well as sandbox trials of QRIS and Thai QR payment interconnectivity. These measures are crucial for accelerating open banking in the payment systems space.

Before the BI Blueprint, the OJK cued the open banking drive by virtue of OJK Regulation No 21 of 2023 on the Digital Services by Commercial Banks (“OJK Reg 21”). OJK Reg 21 accommodates the needs of various integrated IT-based banking services and carries elements of open banking – ie, banks’ co-operation with their partners (financial institutions and/or non-financial institutions) as a means of fostering banking product innovation. OJK Reg 21 also addresses matters relating to customer protection and risk management for banks running IT-based banking services.

Data Protection and Financial Services

Data collection, use and disclosure within the financial services sector mirrors the electronic information and transactions regime provided in the EIT Law. Under the Banking Law (Law No 7 of 1992, as last amended by Law 4/2023), banks are prohibited from disclosing information on their customers to third parties, except in specific circumstances as mandated by law – ie, for:

• taxation purposes;
• debt settlement;
• criminal proceedings;
• civil lawsuits between banks and customers;
• interbank information exchange; and
• inheritance.

Moreover, banks and other financial institutions (players in capital markets, insurance, pension funds, finance companies and others) are prohibited from providing third parties with data or information on their own customers except where:

• customers provide written consent; or
• the provision of the data or information is required by law.

Open Banking Implementation

In light of banking secrecy provisions, banks, in particular, face challenges in implementing open banking. Some major banks have launched an application programming interface (API), while others are still adapting to customer behaviour that is moving away from physical cash payments and towards a digital economy culture. The market has seen some collaborative approaches between banks and fintechs; there are numerous instances of banks that have opened up their APIs to allow their systems to be integrated with technology providers and to facilitate financial transactions.

As part of a drive to encourage open banking, the BI prioritises standardisation and implementation of the open API to enable the interlinking of payment service providers and other players; this is implemented under Regulation of the Board of Governors No 23/15/PADG/2021 on the Implementation of the National Standard for Open Application Programming Interface in Payments (“BI Reg 23/15”). The BI developed SNAP along with the industry stakeholders to cover:

• the technical and security standards, data standards and technical specifications, as published on the developer’s site; and
• the SNAP governance guidelines for interconnected and interoperable open API payments.

In implementing open banking, customer data is the main concern. BI addresses customer data protection (including customer consent and dispute resolution), risk management and technical aspects as issued under Regulation of the Board of Governors No 20 of 2023 on Procedures for the Implementation of BI Consumer Protection: BI Regulation No 3 of 2023 on BI Consumer Protection.

Currently, only the banking and insurance sectors already have umbrella laws pertaining to fraud – namely OJK Regulation No 12 of 2024 on the Implementation of Anti-Fraud Strategies for Financial Services Institutions (“OJK Reg 12”), and OJK Circular Letter No 46/SEOJK.05/2017 Concerning Fraud Control and Implementation of Anti-Fraud Strategies and Anti-Fraud Strategy Reports for Insurance Companies, Sharia Insurance Companies, Reinsurance Companies, Sharia Reinsurance Companies or Sharia Units (“OJK CL 46”).

The definition of fraud provided by the regulation is as follows:

“an act of deviation and/or omission that is deliberately carried out to deceive, cheat, or manipulate a financial service institution, consumers or other parties, which occurs in the environment of and/or facilities used by the financial services institution so that the financial services institution, consumers, or other parties suffer losses and/or fraud perpetrators and/or other parties secure benefits directly or indirectly.”

Furthermore, the OJK is currently preparing a regulation for the implementation of an anti-fraud strategy, which will apply to all financial service sectors, including fintech. However, there is no indication from public sources as to when the regulation will be issued. Predicting the timeline for the issuance of implementing regulations is challenging, given the observed inconsistency in practice.

In practice, regulators are likely to focus on any sort of fraud that is reported by the public. As the primary regulator of Indonesia’s financial services sector, the OJK, through the EIFA Task Force, is increasingly more active in overseeing and monitoring this sector. It also receives reports from the public on investments and updates on a regular basis, and will place these on a list of companies (including foreign companies) that allegedly offer “illegal” investments and which do not hold any required local licences and/or are deemed to be potentially fraudulent – this list is available to the public.

According to OJK Reg 27 and OJK Reg 40, fintech service providers such as P2P lending companies and crypto-asset traders shall be responsible for preparation and implementation of the anti-fraud strategy in accordance with the fraud regulations in the financial services sector, such as OJK Reg 12 and OJK CL 46.

Neither OJK Reg 12 nor OJK Circular Letter 46 specify the limitations on a fintech service provider’s liability for customer losses resulting from fraud. However, Article 22 of OJK Reg 12 provides that a financial service institution may be held liable for losses to customers or other parties arising from errors and/or negligence of the board of directors, board of commissioners, employees, and/or third parties working for the interests of the financial service institution, pursuant to the applicable laws and regulations.