OJK has taken a significant step forward with the enactment of OJK Regulation Number 3 of 2024 on the Implementation of Financial Sector Technology Innovation. This pivotal regulation aims to enhance the regulatory framework for financial sector technology innovation, reflecting OJK's commitment, as outlined in Law Number 4 of 2023, to the development and enforcement of the financial sector. With this regulation, OJK updates and expands upon the provisions for digital financial innovation established in the previous OJK Regulation Number 13/POJK.02/2018. Moreover, OJK is set to provide an innovative playground through its Sandbox, fostering a space for trial and innovation development. Find out more about our insights on this topic in our Legal Brief publication.
2. BACKGROUND
The Financial Services Authority (Otoritas Jasa Keuangan – “OJK”) enacted OJK Regulation Number 3 of 2024 on the Implementation of
Financial Sector Technology Innovation (Inovasi Teknologi Sektor Keuangan – “ITSK”) ("OJK Reg. No. 3/2024"). This regulation is enacted
for the purpose of:
16 February 2024
01
02
Implementing of OJK's regulatory and supervisory authority
based on Law Number 4 of 2023 on Development and
Enforcement of the Financial Sector ("Law No. 4/2023") which
stipulates that OJK has the authority to regulate financial sector
technological innovation.
Updating the provisions regarding digital financial innovation which were previously regulated in OJK Regulation Number
13/POJK.02/2018 on Digital Financial Innovation in the Financial Services Sector ("Previous Regulation").
Bank Indonesia and OJK regulate and
supervise the implementation of ITSK in
accordance with the scope of their
respective authorities.
Principles
balance between efforts to encourage innovation and
mitigate risk;
digital economic and financial integration;
efficiency and sound business practices;
consumer protection; and
coordination of regulations and supervision between
authorities.
Scope of Regulatory and Supervisory
providing space and/or facilitating trial/innovation
development (Sandbox);
licensing;
monitoring and evaluation;
financial education;
consumer protection;
protection of consumer personal data;
institutional aspects;
ITSK implementation, including activities carried out by
supporting third parties; and
ITSK implementation.
To support digital economic and financial development, Bank
Indonesia also provides a trial space for developing payment
system technology innovations, which includes products,
activities, services and business models that use innovative
technology in the digital economic and financial ecosystem that
can support the implementation of payment systems. Currently, it
is regulated in Bank Indonesia Regulation No. 19/12/PBI/2017
and the Board of Governors of Bank Indonesia Regulation
Number 24/7/PADG/2022.
What is Sandbox?
Sandbox is a means and mechanism to facilitate testing and development of innovations
provided by OJK to assess the feasibility and reliability of ITSK.
Objective and Scope of Sandbox
The Sandbox is provided to ensure that innovation and technological development in the
financial sector are conducted responsibly with good risk management.
Objective
Providing facilities to conduct trials
within a limited timeframe and
environment.
Scope
Providing facilities to obtain explanations
of provisions applicable in the financial
services sector.
Providing facilities to conduct
development of ITSK at an early stage.
Providing other facilities for trials and
development of ITSK.
a
b
c
d
A H R P L e g a l B r i e f
3. Financial Services Institutions/Lembaga Jasa Keuangan (“LJK”),
must apply the following principles:
securities transaction
settlement
capital mobilization
investment management
risk management
fund raising and/or
disbursement
market support
activities related to digital financial
assets, including crypto assets
other digital financial
service activities
Art. 2 OJK Reg. No. 3/2024
1
5
2 8
4 6
3 7
New scope that is not
regulated in Previous
Regulation
Key Changes:
Scope that are no longer regulated in OJK Reg. No.
3/2023: (i) insurance; (ii) other digital financial
supporters; and (iii) other financial services activities.
Scope of ITSK
Other parties engaging in activities in the financial sector
according to the provisions of laws and regulations:
Governance. Includes transparency, accountability,
responsibility, independence, and fairness.
Risk Management. Includes active oversight by
management, availability of policies and procedures,
compliance with adequate organizational structure, risk
management processes, and risk management functions,
as well as human resources and internal controls.
Consumer Protection and personal data protection.
Includes financial education and literacy, as well as market
conduct supervision.
Information system security and reliability, including
cyber resilience. Include the availability of written
information system policies and procedures, the use of
secure and reliable systems, including data confidentiality,
fraud management, compliance with certifications and/or
security standards, maintenance and enhancement of
technology security, implementation of cyber security
standards, data and/or information security, and periodic
information system audits.
limited liability company
other legal entities
according to the provisions
of laws and regulations
Sharia Principles
ITSK can be utilized to support economic and financial
activities, including those conducted based on Sharia
Principles issued by institutions authorized to issue fatwas
in the field of Sharia.
obliged to comply with the licensing provisions regulated by
OJK
Compliance with laws and regulations.
in the form of:
01 02
ITSK Organizer
Key Changes:
Previous Regulation only allowed ITSK organizers to be in the
form of limited liability company or cooperative. Furthermore,
Unlike OJK Reg. No. 3/2023, the Previous Regulation required
organizers who are or will be conducting activities within the
scope and criteria of ITSK to submit a registration application to
OJK.
Art. 3 – Art. 5 OJK Reg. No. 3/2024
Business within ITSK Framework
A H R P L e g a l B r i e f
4. 1. LJK
2. Other parties who intend to
carry out activities in the
financial sector in accordance
with the laws and regulations.
1. Limited liability company
2. Other legal entities according
to the provisions of laws and
regulations
The Participant candidate must be approved by OJK to
become a Participant by submitting an application and
attaching: (i) application form; (ii) Trial Plan; (iii) supporting
documents; and (iv) recommendation from the relevant
supervisor at OJK (if the ITSK Organizer is an LJK).
Eligibility Criteria
Party who will carry
out activities within
the scope of ITSK.
OJK approves or rejects
an application to
become a Participant by
taking into account the
eligibility criteria and
Trial Plan.
Trial Plan
Approval from the OJK to
become a Participant and use
the Sandbox does not constitute
a business license to carry out
full business operations in the
financial services sector.
Art. 6 – Art. 10 OJK Reg. No. 3/2024
Participant
Approved by OJK
• innovation that has a scope in the
financial services sector that will be
used by consumers, partners and/or
the public in Indonesia;
• innovation that meets the element of
novelty and/or has a significant
differentiating element from what has
been done previously in the financial
sector;
• innovation that provides benefits,
improves services, and provides
added value to consumers, society,
and/or the financial sector
ecosystem;
• innovations that are ready for testing
and development;
• innovations that require testing and
development support, and have not
been subject to prior regulation and
supervision in the applicable
provisions in the financial sector; and
• other criteria determined by OJK.
a
b
c
d
e
f
Trial Plan is a plan for testing and developing innovations created by Participants as a basis for
implementing the Sandbox process. In the event that based on OJK's assessment, improvements to
the Trial Plan are required, the Participant candidate must make improvements and submit the revised
Trial Plan again to OJK.
• explanation of product innovations, activities,
services and/or business models that will be
tested and developed;
• identification of potential risks regarding product
innovations, activities, services and/or business
models that will be tested and developed;
• risk mitigation implementation plan for potential
risks;
• limits on the implementation of testing and
innovation development which include the
required testing period, consumer targets and
profiles, number of consumers, trial and
development partners, number of transactions,
and other measurable limits;
• a consumer protection framework that
includes at least consumer complaint services
and compensation mechanisms;
• readiness of capital and resources to carry
out trials and develop innovations;
• exit policy and transition policy if the
innovation being tested and developed
cannot be continued after the Sandbox
process;
• scenarios for testing and developing product
innovations, activities, services and/or
business models that will be tested and
developed; and
• key performance indicators for testing
scenarios and innovation development.
a
b
c
d
e
f
g
h
i
Minimum Content
Key Changes from the Previous OJK Regulation
• Under the Previous Regulation, registration was conducted after receiving a recommendation from OJK as a result of the
Sandbox evaluation, whereas recording was carried out prior to the commencement of Sandbox implementation.
• OJK Reg. 3/2024 requires the Participant candidate to submit a Trial Plan to assess the readiness and innovative aspects.
Category
Form
Who Can Utilize the Sandbox?
A H R P L e g a l B r i e f
5. The approved Participant shall fulfil
the following provisions:
a. to notify OJK for any alteration
regarding ITSK and participant;
b. to disclose any information
and/or document related to
Sandbox to OJK; and
c. to join every activity related to
Sandbox implementation.
The approved Participant may:
a. join every coordination and cooperation activity
with the authority, ministry, institution, and other
party which are related to the implementation of
Sandbox; and
b. conduct coordination and/or cooperation with
financial institution and/or other party who are
related to the implementation of Sandbox under
the coordination of OJK.
The approved Participant shall provide
report on result of trial and innovation
development regularly and/or from-time-
to-time to OJK. The provisions on trial
and innovation development will be
stipulated further by OJK.
Upon the Participant’s request, OJK has the
authority to give temporary exception against
certain OJK’s regulation(s) and provision(s) to
the participant during Sandbox phase, so long
as the participant is (i) within the Sandbox; and
(ii) given the approval by related OJK’s
oversight work unit.
The Participant shall convey the final report of the trial and innovation development no later than
20 days before the trial period is over.
OJK will convey the letter which states the Participant
has passed the trial. The Participant who passes the
trial shall apply the business permit to OJK within
passing letter’s validity period, i.e. 6 months and
can be extended upon OJK’s consideration. The
Participant is allowed to conduct limited operational
business as conducted within the Sandbox limit
during the validity of passing letter.
Upon OJK’s consideration, the Participant may be
obliged to conduct registration before applying the
business permit. The Participant shall convey a
document which is, at least, related to the aspects of
(i) institutional and governance; (ii) business model;
(iii) technology information; and (iv) partnership. The
related provisions will be stipulated further by OJK.
If the Participant fails to do such, no
later than 3 months after the letter is
conveyed by OJK, the Participant is
obliged to do the followings:
a. stop activities on business
operation, product innovation,
other activities, and services
which utilize the trialed and
developed business model within
Sandbox;
b. complete all of its responsibilities
to the consumers and other
parties; and
c. conduct exit policy as stated in
the Trial Plan
Art. 11 – Art. 19 OJK Reg. No. 3/2024
How Does Sandbox Work?
Key Changes from the Previous OJK Regulation
With the stipulation of OJK Reg. No. 3/2024, one of the significant changes from the Previous OJK Regulation laid on the result
of Sandbox trial. As the Previous OJK Regulation provided 3 options of result, i.e., recommended, to be improved, and not
recommended, OJK Reg. No. 3/2024 provides a stricter provision by regulating that OJK may only provide pass or fail statement
to the Sandbox trial.
Phases of Sandbox
The eligible Participant is
given approval by OJK
The approved Participant
shall conduct the trials and
innovation development in
conformity with the Trial
Plan as conveyed to OJK.
Within 1 year
or stipulated
otherwise
by OJK
Evaluation of Sandbox result
by OJK
1
2
3
Pass the Trial Fail to Pass the Trial
A H R P L e g a l B r i e f
6. Compliance Aspects
Implementing anti-money laundering, terrorism financing
prevention, and prevention of proliferation of weapons of
mass destruction programs in the financial services sector
in accordance with the provisions of laws and regulations.
Implementing the Sharia Principles issued by institutions
authorized to issue fatwas in the field of Sharia (as
relevant).
Implementing the principles of information and
communication technology governance in
accordance with the provisions of laws and
regulations.
Implementing the enhancement of literacy and financial
inclusion in the financial services sector for consumers and
the public in accordance with the provisions of laws and
regulations.
Implementing the consumer and public protection in
the financial services sector in accordance with the
provisions of laws and regulations.
Implementing the cooperation between LJK and non-
financial institutions to create synergy in the digital financial
ecosystem in accordance with the provisions of laws and
regulations.
Implementing the licensing and supervision of each
type of ITSK in accordance with OJK regulations.
Implementing personal data protection in
accordance with the provisions of laws and
regulations.
Art. 4 (1) Art. 20 jo. Elucidation of Art. 16 (3) OJK Reg. No. 3/2024
Art. 5, 26, 29, 36, 37, 38, 42, and 44 OJK Reg. No. 3/2024
Licensing
ITSK Organizer
ITSK Participant
ITSK Organizers are obliged to comply with the licensing provisions regulated by OJK.
ITSK Participants who have been declared to have passed must apply for a business license to OJK during the validity period of
the pass letter.
OJK issues a business license letter for ITSK Participants who have completed the licensing process, which follows the OJK
regulations regarding the licensing and supervision of each type of ITSK.
Type of ITSK is a series of products, activities, services, and business models in the digital financial ecosystem that have
specificities and are produced from the Sandbox process.
For instance: the type of ITSK is an alternative credit rating known as alternative/innovative credit scoring.
*New Provision
Licensing for ITSK Business
A H R P L e g a l B r i e f
7. OJK shall conduct oversight against ITSK Organizer who has registered and/or obtained the business permit from OJK, in which
the oversight can be conducted directly or indirectly. The ITSK Organizer is obliged to own device which enhance the efficiency and
compliance on oversight process conducted by OJK. The ITSK oversight covers the followings:
Risk Based Oversight, which at least covers:
a. balanced approach between prudential aspect and support over
innovation;
b. emphasizing reliable governance and risk management aspects in
exploiting technology and controlling the digital ecosystem; and
c. implementation of good processing in relation to introduction to
consumers, risk management, and operational oversight conducted
by the third party.
Market Research Oversight, namely supervision of the
behavior of financial services business actors in
designing, providing and conveying information, offering,
drafting agreements, providing services for the use of
products and/or services, as well as handling complaints
and resolving disputes in an effort to realize consumer
protection.
01 02
Oversight by OJK
Self Evaluation
ITSK Organizer who has registered and/or obtained the business permit from OJK is
obliged to conduct self-evaluation and to report such to OJK for every 3 months
along with the monthly report, which at least consists of:
a. governance principle on information
and communication technology
pursuant to the prevailing regulations;
b. consumer protection pursuant to the
OJK Reg. 22/2023;
c. education and socialization to
consumer;
d. confidentiality of consumer’s data
and/or information including the data
and/or information on transaction;
e. risk management and cautionary
principles;
f. anti money laundering, terrorism
financing prevention, and mass gun
proliferation financing prevention
principles in accordance with the
prevailing regulations; and
g. inclusivity and principle of information
disclosure.
To conduct self-evaluation, ITSK
Organizer shall identify main risks
which at least consist of:
Violations to the aforementioned are
subject to administrative sanctions
written warning
temporary suspension
of activities
approval
cancellation
registration
cancellation
license
revocation
may be imposed with or
without prior written warning
New sanction that is not regulated
in Previous Regulation
Note:
Sanction that is no longer regulated in
OJK Reg. No. 3/2023 is fine.
Art. 25, and Art. 27 OJK Reg. No. 3/2024
1 2 3 4 5
Art. 23 and Art. 24 OJK Reg. No. 3/2024 jo. Art. 1 (20) OJK Reg. No. 22/2023
Art. 26 OJK Reg. No. 3/2024
a. strategic risk;
b. operational risk;
c. risk on money laundering, terrorism financing
prevention, and mass gun proliferation
financing prevention principles in accordance
with the prevailing regulations;
d. consumer data protection risk;
e. risk on using third-party services; and
f. cyber risk.
Administrative Sanctions
Association
To support the conduct of ITSK, OJK has the authority to appoint and stipulate association of ITSK Organizer. Every ITSK Organizer
who has registered and/or obtained business license shall join the said organization and be bound to participation provisions within
the association. The association of ITSK Organizer shall be bound to the provisions which will be further stipulated by OJK.
Monitoring by the Association. The association shall stipulate standard based on market discipline approach which at least:
Art. 21 and Art. 28 OJK Reg. No. 3/2024
a
b
c
a
b
c
d
e
f
g
a
b
c
d
e
f
a. ensures the compliance on OJK report conveyance;
b. formulates operational, industry standard, and ethic code
regulations based on the characteristics of ITSK organizer;
c. accepts and forwards report(s) as well as complaint(s);
d. draws up financial statistics and monitors the risk as well as
research on macro and micro levels of financial issues;
e. conducts OJK orders to ITSK Organizer to support the regulatory,
monitoring, as well information dissemination functions;
f. stipulates mechanism of self-assessment, including sanction
mechanism on the member’s violation on regulation and ethic codes;
e. conducts consumer protection; and
f. conducts domestic and international cooperation.
a
b
c
d
e
f
g
h
A H R P L e g a l B r i e f
Oversight, Self-Evaluation, and Association
8. ITSK Organizers who have been
registered and/or obtained a
business license
must have an electronic system
strategic plan that supports the
ITSK Organizers’ business plan
must develop policies,
procedures, and standards,
that includes the following
aspects:
must have human resources with
expertise and/or backgrounds in
information technology and
finance
must report changes related to the
business model, business processes,
institutions, and operations of the ITSK
held to OJK (if any)
business strategy
consumer protection
risk and capital
human resource development
product and service
development and planning
information technology operation
communication networks information security
disaster recovery plan
user services use of information technology
service providers
Art. 31 – Art. 32 OJK Reg. No. 3/2024
For the development and strengthening of
ITSK implementation, OJK conducts
institutional arrangements for ITSK organizers.
Institutional aspects include:
ITSK Organizers that
have been Registered
ITSK Organizers that have
Obtained Business
Licenses
governance
readiness of capital and resources to
conduct trials and innovation development
organizational
support
resources
governance
operational budget
implementation
Good Institutional Governance Principles
ITSK organizers who have been registered and/or obtained business licenses in carrying out ITSK implementation must prioritize the
principle of good institutional governance. Specifically, Provisions regarding institutional aspects for ITSK organizers who have obtained
business licenses shall abide the OJK regulations regarding licensing and supervision of each type of ITSK.
Art. 40 OJK Reg. No. 3/2024
*New Provision
A H R P L e g a l B r i e f
Governance of ITSK Organizers
9. PROHIBITION
ITSK Organizer who has registered and/or obtained the business permit from OJK is prohibited to give the data and/or information regarding
the consumer to the third party, except for the followings:
a. the consumer gives the approval; and/or
b. ITSK Participant and Organizer are obliged by the prevailing regulations to provide data and/or information of the consumer to the third party.
Key Changes from the Previous OJK Regulation
With the stipulation of OJK Reg. No. 3/2024, one of the significant changes from the Previous OJK Regulation is the adherence to the
prevailing regulations on consumer and public protections in financial sector. This comes with the enactment of POJK Regulation
Number 22 of 2023 on Consumer and Public Protections in Financial Sector last year. The said regulation also includes the basic
principles of consumer protection and financial literacy and inclusion activities which was regulated in the Previous OJK Regulation.
Consumer and public protections
shall be conducted in conformity
with the prevailing regulations on
consumer and public protections
in financial sector.
Art. 37 OJK Reg. No. 3/2024
ITSK Organizer in carrying out business activities is obliged to apply the principles of consumer
protection by applying the following principles:
protection of consumer assets, privacy and data;
handling complaints and resolving disputes
effectively and efficiently;
compliance enforcement; and
fair competition.
adequate education;
openness and transparency of product
and/or service information;
fair treatment and responsible
business conduct;
Art. 3 (1) – (2) OJK Reg. No. 22/2023
ITSK Organizer who has registered and/or obtained the business permit from OJK is obliged to:
Utilization of consumer’s data and information obtained by ITSK Organizer shall fulfil the following terms:
Maintain the wholeness and availability of personal data, transaction data, and financial data that it manages since the acquisition until the
erasure of such data.
Maintain the confidentiality and safety of the consumer’s data and/or information, including when conducting cooperation with other parties
to manage consumer’s data and/or information.
Obtain the approval from users
Notify every change of data and information usage purposes to the consumer (if any).
Notify the limitation of data and information usage to consumers.
Media and method being used to obtain the data and information shall be
guaranteed of its confidentiality, safety, and wholeness.
Other provisions which are regulated in the prevailing regulations.
Art. 38 OJK Reg. No. 3/2024
A H R P L e g a l B r i e f
Consumer and Personal Data Protection
10. We will continue to follow the developments on this topic and provide additional information as it
becomes available. If you have any questions on this topic, please contact:
Merina Elfian
merina@ahrplaw.com
Hana Oktaviandri
hana@ahrplaw.com
Indira Jauhara Pratiwi
indira@ahrplaw.com
This publication has been prepared by AHRP for educational and informational purposes only. The information contained in this publication is not
intended and should not be construed as legal advice. Due to the rapidly changing nature of law, AHRP makes no warranty or guarantee
concerning the accuracy or completeness of this content. You should consult with an attorney to review the current status of the law and how it
applies to your circumstances before deciding to take any action.
World Capital Tower 19th floor
Jl. Mega Kuningan Barat No.3, Kuningan
Jakarta 12950 Indonesia
P: +6221 50917915
+6221 50917916
E: office@ahrplaw.com
www.ahrplaw.com