In early March, the financial services authority (FSA) issued new regulations* (the Regulations) that apply to non-bank financial institutions (the Institutions) in specific sectors including insurance and pension funds. The new Regulations require any Institutions providing financial services through a technology platform to implement specific risk management procedures.
The risk management procedures set out in the Regulations are comprehensive and include internal supervision, reporting procedures, proper protection, control and management of information technology systems, among other things.
The new Regulations require certain Institutions to have data centres and disaster recovery centres and procedures, which must be physically located within Indonesia, unless approved by the financial services authority. Any Institutions that already have data/disaster recovery centres outside Indonesia must apply to the FSA for approval. If approval is not granted, then those Institutions must move all data centres/disaster recovery centres to a location within Indonesia within one year from the refusal. Institutions that do not comply with the Regulations may be subject to written warnings. If, after a written warning, Institutions continue to breach the Regulations, then they risk the FSA reevaluating their suitability to do business at all.
Under the Regulations, Institutions must report crimes causing financial loss or operational disruption to the FSA within 5 business days of their becoming aware of the loss or disruption. Breach of this obligation may attract fines of up to IDR 25 million (approx. USD 1,700).
Different obligations in the Regulations will come into force at different times, with the time period ranging from March 2021 until March 2024.
*FSA Regulation No. 4/POJK.05/2021 concerning the Implementation of Risk Management in The Use of Information Technology By Non-Bank Financial Services Institutions