The Financial Technology Law Review: Indonesia
17/05/2023
Overview
Financial technology (fintech) activities in Indonesia are primarily regulated by Bank Indonesia (BI) and the Financial Services Authority (OJK). If a fintech activity is specifically regulated, companies engaging in that activity must comply with the regulation. As the fintech sector in Indonesia has grown exponentially, the Indonesian government has attempted to monitor and facilitate the development of fintech activities that have yet to be specifically regulated. This is achieved through sandbox mechanisms provided by BI and the OJK, with BI focusing on fintech-related payment systems and the OJK focusing on financial services related to fintech, including banking, capital markets, insurance, pension funds, and financing institutions.
By requiring unclassified industry players to comply with the sandbox mechanism, the Indonesian government seeks to protect Indonesian consumers while supporting fintech innovation. Law No. 4 of 2023 regarding development and strengthening of the financial sector (P2SK Law), which was issued on 12 January 2023, further strengthens the government’s efforts to facilitate and regulate the development of the fintech sector in Indonesia. Under the P2SK Law, BI and the OJK are required to coordinate in regulating, supervising, and implementing technology innovations in the financial sector, including sandbox mechanisms.
Tax incentives are available for certain fintech companies under the P2SK Law, which is part of the government’s efforts to develop and strengthen the financial sector. The government may provide tax incentives for specific financial services and programmes in accordance with tax regulations. Additionally, companies conducting business in a pioneer industry may receive tax facilities, such as a reduction in corporate income tax.
Regulation
i Licensing and marketing
Fintech companies in Indonesia are regulated by BI and the OJK, with each having its own scope of authority. The P2SK Law defines technology innovation in the financial sector to include activities such as payment systems, capital raising, investment management, risk management, cryptocurrencies, and other digital financial services and activities. The OJK regulates fintech activities related to financial services, whereas BI regulates fintech activities related to payment systems.
The OJK has put in place provisions and extensive criteria for regulated fintech activities related to financial services, which are regulated under OJK Regulation No. 13/POJK.02/2018 regarding digital financial innovation in the financial services sector, dated 16 August 2018 (OJK Reg 13). These criteria include being innovative in nature and future-oriented, using information and communications technology as the primary basis for providing financial services to consumers, and supporting financial inclusion and literacy. Providers that meet these criteria are required to register with the financial regulatory bodies. Companies engaged in digital financial innovation in the financial services sector are also required to register or obtain a licence, unless otherwise exempted.
BI regulates fintech activities related to payment systems under various regulations, including BI Regulation No. 22/23/PBI/2020 regarding payment systems, dated 30 December 2020 (BI Reg 22), BI Regulation No. 23/6/PBI/2021 regarding payment service providers, dated 1 July 2021 (BI Reg 23/6), and BI Regulation No. 23/7/PBI/2021 regarding payment system infrastructure providers, dated 1 July 2021 (BI Reg 23/7). The regulation of fintech companies by BI is also explicitly addressed in the P2SK Law, with payment systems included as one of the activities of technology innovation in the financial sector. New implementing regulations on this matter are expected.
No specific regulations in Indonesia currently govern the marketing measures that fintech companies can undertake, but companies must comply with general regulations governing advertising and promotion. Fintech companies should also ensure that their marketing practices comply with recently issued regulations on consumer protection in the financial services sector.
Even though there is no specific law or regulation in Indonesia for automated digital advisory services, investment management and market support activities that use artificial intelligence (AI), machine learning, big data and other technologies fall under technology innovation in the financial sector. Companies providing these services must comply with sandbox mechanisms under the P2SK Law and OJK Reg 13.
Any party that wishes to establish an asset management company in Indonesia must refer to the activities of an investment manager (IM) company operating on the Indonesia Stock Exchange pursuant to Law No. 8 of 1995 regarding capital markets, dated 10 November 1995, as amended by the P2SK Law (the Capital Market Law). Other than the requirement for the company to be established in the form of an Indonesian limited liability company (PT), the company must also be registered as a securities company, specifically as an IM company, for which a licence must be obtained from the OJK, pursuant to the Capital Market Law.
Credit information services are regulated in OJK Regulation No. 5/POJK.03/2022 regarding credit information management agencies, dated 28 March 2022, and OJK Circular Letter No. 27/SEOJK.03/2022 regarding credit information management agencies, dated 22 December 2022. Under these Regulations, a credit bureau is referred to as a Credit Information Management Institution, which collects and processes credit or financing data and other data to produce credit information and must obtain a business licence from the OJK.
ii Cross-border issues
Indonesia does not recognise the concept of passporting. Under Indonesian law, a party providing any fintech services or products in the jurisdiction must establish a local presence, usually in the form of a PT, and obtain the requisite licence from the Indonesian regulatory bodies as stipulated by the prevailing laws and regulations.
Under Indonesian law, certain limitations or restrictions on foreign ownership of Indonesian companies may apply depending on the company’s business line. This includes foreign shareholding limitations. For example, a company engaging in the provision of peer-to-peer (P2P) lending activities must have a local presence in the form of a limited liability company with a maximum foreign ownership of 85 per cent, indirectly or directly, which means that at least 15 per cent of the ownership must be held by Indonesian shareholders.
In certain fintech sectors, if offshore products or services are actively marketed in Indonesia, there is a risk that the relevant authority will require the provider of those products or services to establish a local presence, as the entity may be considered to be carrying out business in Indonesia. However, if the provision of the product or service is carried out on a reverse-enquiry or reverse-solicitation basis, where the approach is made by potential clients on an unsolicited basis, it should not trigger a licensing requirement in relation to the fintech activities, provided that the company responds to the potential clients on a reach-in or fly-in basis.
With respect to currency controls in Indonesia, the Indonesian rupiah cannot be remitted outside Indonesian territory, and exemptions from this prohibition are granted for certain activities only. Additionally, only an amount of less than 100 million rupiah can be freely taken physically out of Indonesia at any one time.
Digital identity and onboarding
Digital identity in Indonesia is generally recognised as an electronic certificate that holds a person’s electronic signature, as referred to under Law No. 11 of 2008 regarding electronic information and transactions, dated 21 April 2008, as last amended by Law No. 19 of 2016, dated 25 November 2016 (the ITE Law). To support and expand the safety of using digital identification to access financial services, the Indonesian authorities have issued various regulations, including:
validation of certified e-signature and electronic certificates for electronic transactions; and
use of electronic know-your-customer (KYC) guidelines.
Indonesia has been working to implement a strong digital identity infrastructure through the National Council for Financial Inclusion and its relevant partners. Several state and private enterprises have registered with or obtained a licence from the Ministry of Communication and Informatics (MOCI) to issue electronic certificates in Indonesia.
Financial services providers are allowed to fully digitise client onboarding, which covers providers in the banking, capital market and non-bank financial institution sectors. However, the conditions for implementing fully digitised onboarding may vary across regulations governing specific financial services activities.
Digital markets, payment services and funding
i Digital marketplace
The regulation of digital marketplaces in Indonesia falls under the authority of the Minister of Trade (MOT), as contained under the relevant regulations that govern business licensing, advertisements, guidance and supervision of business practitioners in trade through electronic systems. To operate a digital marketplace, a company must obtain the relevant licence from the MOT, and any other required supporting licences.
ii Digital or cryptoassets
The trading of cryptoassets in Indonesia is currently regulated by the Commodity Futures Trading Supervisory Agency (Bappebti), an agency under the MOT. However, the authority that supervises cryptoassets is expected to shift from Bappebti to the OJK within two years from the enactment of the P2SK Law.
iii Collective investment schemes
Two types of collective investment schemes are regulated under Indonesian law: collective investment contracts (CIC) and joint investment contracts (JIC). A CIC is defined under the Capital Market Law as a contract that binds investors, the investment manager and the custodian bank, authorising the investment manager to manage the collective investment portfolio and the custodian bank to carry out collective custody. This typically takes the form of a mutual fund. A JIC is not a legal entity in Indonesia and is managed by a venture capital (VC) company with the approval of the OJK.
iv Crowdfunding
Companies are permitted to conduct securities crowdfunding if they obtain the requisite licence from the OJK. Securities crowdfunding is defined as the provision of security offerings by issuers to sell securities directly to investors through an open electronic system network.
v Crowd-lending and P2P lending
P2P lending in Indonesia requires providers of IT-based co-financing services to be a PT and meet certain prerequisites. Shareholders can be Indonesian individuals or legal entities, or a combination of Indonesian and foreign individuals or legal entities. The funding limit is set at 2 billion rupiah for both the funding receiver and provider. Furthermore, controlling shareholders, board members and commissioners must pass a fit and proper test before conducting any actions. Additional requirements for P2P providers include electronic system requirements, risk management and internal audit obligations, and controlling shareholder requirements.
vi Trading of loans in secondary markets
There is no specific restriction on the trading of loans in the secondary market, nor is it regulated in Indonesia.
vii Payment services
Companies offering payment services must obtain a licence from BI. Payment system providers are categorised as payment service providers (PSPs) and payment system infrastructure providers (PSIPs). PSPs offer services that facilitate payment transactions to users, whereas PSIPs offer infrastructure that enables fund transfers on behalf of their members. The licensing requirements for PSPs and PSIPs are provided in BI Reg 23/6 and BI Reg 23/7, respectively.
BI Reg 22, BI Reg 23/6, and BI Reg 23/7 impose restrictions on foreign ownership of newly licensed payment system providers. Non-bank PSPs are required to have at least 15 per cent of total shares, with at least 51 per cent of those shares having voting rights, owned by a domestic party or parties. PSIPs are required to have at least 80 per cent of total shares and shares with voting rights held by domestic parties.
The minimum capital requirement for PSPs varies according to the licence category. The minimum initial paid-up capital for PSIPs is 100 billion rupiah. Additionally, ongoing capital must be fulfilled by PSPs for as long as they carry out payment system activities. The calculation of ongoing capital differs from one provider to another and is determined by BI. Payment system providers must conduct self-assessments to calculate ongoing capital, and BI makes the final determination of the ongoing capital requirement for each provider. All foreign investment companies are required to have a minimum initial paid-up capital of 10 billion rupiah.
viii Mandated accessibilities to client or product data
MOCI Regulation No. 5 of 2020, as amended by MOCI Regulation No. 10 of 2021, requires private electronic system providers (ESPs) to grant access to their electronic systems or data to authorised institutions for supervisory purposes and law enforcement officers for the purpose of law enforcement, particularly in criminal investigations, prosecutions and trials in Indonesia.
Cryptocurrencies, initial coin offerings (ICO) and security tokens
i Blockchain technology and cryptocurrency
Even though there is no specific rule or regulation for blockchain technology in Indonesia, it is referred to in two different regulations issued by BI and the OJK, which aim to support innovative industry players in the financial services and payment systems fields. Blockchain technology is mentioned in BI Reg 23/6, which provides that the use of blockchain technology or distributed ledger technology for fund transfers, electronic money, electronic wallets or mobile payments is considered to be providing financial technology in the payment system sector. OJK Reg 13 also mentions, as an example, digital financial innovation related to other financial services activities, such as invoice trading, vouchers and tokens.
ii Security tokens
Security tokens are not explicitly regulated in Indonesia. However, tokens are regulated as cryptoassets under Bappebti Reg. 8/2021 and Bappebti Reg. 11/2022, which determine the list of tradable cryptoassets in the cryptoasset physical market. Under Bappebti Reg. 8/2021, cryptoassets are defined as intangible commodities in digital form that use cryptography, information technology networks and distributed ledgers to regulate the creation of new units, verify transactions and secure transactions without the interference of other parties. The regulation further clarifies that coins and tokens are a form of cryptoasset.
iii Tokens and underlying assets
We have not identified any provisions under relevant regulations on tokens and underlying assets. Similarly, there are no provisions or prohibitions in Indonesia on the issuance of shares or bonds in the form of tokens. According to Bappebti Reg. 8/2021, cryptoassets can only be traded in Indonesia if they meet certain requirements. These requirements include being based on distributed ledger technology, being in the form of utility cryptoassets or crypto-backed assets, and having undergone an assessment by Bappebti using the Analytical Hierarchy Process.
iv Money laundering rules and cryptocurrencies
Cryptoasset exchanges in Indonesia are required to apply KYC, customer due diligence (CDD) or enhanced due diligence (EDD) principles to ensure the accuracy and completeness of cryptoasset customer data. Accounts of a cryptoasset customer can only be used once the customer has gone through an identification and verification process, which shall be carried out using regulatory technology (regtech). The implementation of CDD or EDD must be in accordance with provisions and laws and regulations governing anti-money laundering and prevention of terrorism funding programmes.
Cryptoasset exchanges are also required to report any suspicious financial transactions to the head of the Financial Analysis and Transaction Reporting Centre (PPATK) and comply with other reporting obligations in accordance with laws and regulations governing anti-money laundering and prevention of terrorism financing and proliferation of weapons of mass destruction programmes.
v Cryptocurrencies and tax laws
Pursuant to MOF Regulation No. 68/PMK.03/2022 regarding value-added tax (VAT) and income tax on cryptoasset transactions, dated 1 May 2022 (MOF Reg. 68/2022), VAT shall be applied to the following:
the sale of intangible taxable goods in the form of cryptoassets by cryptoasset sellers;
taxable services in the form of electronic facilities and services used for cryptoasset trading transactions by organisers of trade through electronic systems (PPMSEs); and
taxable services in the form of cryptoasset transaction verification services or mining pool management services by cryptoasset miners.
On the basis of the above, the delivery of cryptoassets, including sales and purchases of cryptoassets with fiat currency, the exchange of cryptoassets with other cryptoassets (swap), or the exchange of cryptoassets with non-cryptoassets or services shall be subject to taxes. Cryptoasset mining services shall also be subject to the general VAT rate as well as final income tax.
vi Offering of tokens from abroad
In Indonesia, cryptoasset exchanges are required to have a local presence by establishing a company and obtaining a licence as a cryptoasset physical trader to offer crypto trading platform services. Foreign crypto exchange companies are not permitted to offer services in the Indonesian market without the necessary licences and local presence. Bappebti and the Investment Alert Task Force may investigate foreign companies and, if violations are found, publish their name and platform on a blacklist, resulting in access termination. However, to date, the authorities have not pursued criminal sanctions against foreign business actors. Despite this, there is currently no provision in Indonesian law that specifically regulates cross-border crypto exchange platform activities in Indonesia.
Other new business models
i Smart contracts
Smart contracts are recognised and defined as one of the forms of electronic contract under the P2SK Law, as regulated by laws concerning electronic information and transactions. The use of smart contracts is explicitly permitted in the capital market, money market, and foreign currency market, including derivative instruments transactions. To date, there is no specific legal framework for self-executing contracts and there is currently no correction mechanism implemented by law; however, further implementing regulations are expected.
ii Automated investments
OJK Reg 13 and the P2SK Law generally cover the provision of automated investment advice and investment management as part of digital financial innovation in the investment management sector. However, the extent to which this automation may be implemented is unclear. Included within the same sector is the use of advanced algorithms, cloud computing, capabilities sharing, open-source information technology, social trading and retail algorithmic trading.
iii AI
There are no specific rules under Indonesian law relevant to the use of AI. However, AI is mentioned in OJK Reg 13 and the P2SK Law as part of digital financial innovation and technological innovation in the financial sector that is considered a market support activity. This includes machine-readable news, social sentiment, big data, market information platforms, and automated data collection and analysis. Thus, the use of AI in financial products is allowed, subject to the limitations provided in OJK Reg 13 and the P2SK Law, as well as any regulation specific to the financial product being offered.
iv Aggregators
Third-party websites that compare products or provide information on financial products are considered aggregators and are required to comply with the P2SK Law and OJK Reg 13 with regard to the conduct of their business. Aggregators are also required to abide by the PDP Law as well as any other data protection requirements.
v New business models and fintech
The issuance of the P2SK Law is expected to bring new business models to fintech, particularly related to technology innovation in the financial sector. Regulatory issues may arise regarding the implementation of sandbox mechanisms in light of the new law.
vi DeFi and DAOs
We note that Indonesia has not acknowledged or regulated decentralised finance (DeFi) or decentralised autonomous organisations (DAOs) as standalone entities that embody legal power as limited liability companies or other recognised forms of legal entities in Indonesia.
Intellectual property and data protection
i Intellectual property
Under Indonesian intellectual property regulations, fintech business models and related software are categorised as computer programs, which are protected by copyright. The granting of copyright for computer programs does not rely on prior registration by the creator and, as such, copyright shall be automatically attached to computer programs once they are created. Patent protection is also available, provided that the invention fulfils the following three requirements:
it is new (i.e., the invention is not the same as previously disclosed technologies);
it is inventive (i.e., it cannot be easily created by another individual with expertise in the technical sector); and
it can be used in the industry.
If software or a business model is developed by an employee or a contractor for a client, the economic rights over the intellectual property shall remain with that employee or contractor as its creator, unless otherwise transferred to the client (for example, under the employment agreement or service agreement). Employers in Indonesia normally include a clause in employment agreements concluded with employees or contractors that explicitly states that the employer has economic rights over any creations by its employees and contractors. Compensation for the transfer of economic rights is not required but is commonly provided.
ii Data protection
The main instruments regulating data protection in Indonesia are the PDP Law, ITE Law, Government Regulation No. 71 of 2019 regarding the provision of electronic systems and transactions, dated 10 October 2019 (GR 71), and Minister of Communication and Informatics Regulation No. 20 of 2016 regarding personal data protection in electronic systems, dated 1 December 2016 (MOCI Reg 20) (together, the Data Protection Regulations).
Digital profiling of clients is considered a data processing activity and is subject to the Data Protection Regulations. Protection afforded under the Data Protection Regulations includes, but is not limited to, protection of confidentiality and data accuracy and minimisation. Prior to collection, data owners must give their consent for their data to be processed and shall be given the reason for the collection as well as details of how their data will be handled. The data collection shall be limited where possible to the extent necessary for the purpose of the collection. Certain regulations for specific types of financial services providers, such as P2P lending platform operators and companies deemed to be providing innovative digital finance services, also require client data to be protected, but do not provide for a higher threshold of data protection than what is already provided in the Data Protection Regulations. Aside from the aforementioned, there are no special rules on the digital profiling of clients.
Year in review
With the issuance of the P2SK Law, there will be a transfer of regulatory authority over several fintech-related sectors to either the OJK or BI within the next two years. This will be further regulated in a government regulation that is yet to be issued. The P2SK Law introduces the concept of financial sector technology innovation (ITSK), which will be regulated by both BI and the OJK.
OJK Reg. 10/2022 expands the scope of regulation not only for the P2P lending sector but also for IT-based co-funding activities in general, including factoring. The new OJK regulation introduces stricter and more specific requirements compared to the previous regulation, OJK Reg. 77/2016. However, the process for implementing and fulfilling certain requirements remains unclear. Therefore, investors and business players in the co-funding sector should be alert for further implementing regulations and clarifications from the OJK.
Outlook and conclusions
One of the most anticipated developments in the market is related to cryptocurrencies due to the change of supervising authority from Bappebti to the OJK within the next two years. Additionally, a government regulation related to cryptocurrencies is expected to be issued in July 2023. With the P2SK Law regulating technology innovation in the financial sector, BI and the OJK are expected to issue further implementing regulations. It remains to be seen whether these regulations will fundamentally impact the current regulations relevant to the sandbox mechanism.
The Indonesian government introduced the Central Bank Digital Currency (CBDC), also known as digital rupiah, through the P2SK Law. Digital rupiah is officially recognised as a form of currency in Indonesia, along with banknotes and coins. Although current regulations regarding digital rupiah are still limited, BI’s vision for digital rupiah is outlined in the Project Garuda White Book. This serves as a guideline for the implementation of digital rupiah and introduces phases for the use of digital rupiah in Indonesia.
With the issuance of the P2SK Law, it appears that Indonesia is not shying away from technological advancement and is determined to regulate it, while still being cautious about integrating technology into the daily operations and activities of the country.
By SSEK, Indonesia, a Transatlantic Law International Affiliated Firm.
For further information or for any assistance please contact indonesia@transatlanticlaw.com
Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.