New Integrated OJK Regulation on Risk Management in the Usage of Information Technology for Non-bank Financial Services Institutions
With the majority of the population still taking preventive measures against the ever-looming return of COVID-19 cases, physical interaction has been deemed obsolete. This has accelerated the integration of technology into various aspects of human life, including financial services. While this might look good on paper, in reality a lot could go wrong and push the impact of this integration into negative territory. This becomes more apparent when we consider that the majority of Indonesians access the internet using mobile devices, which are more prone to risks such as loss of the device (through theft or otherwise), unauthorised access (hacking of software or hardware), device malfunction, etc.
This has led the Financial Services Authority/Otoritas Jasa Keuangan (the “OJK”) of Indonesia to improve the mitigation of risks arising from the use of technology, particularly in the non-bank financial services sector, by issuing OJK Regulation No.4/POJK.05/2021 on the Implementation of Risk Management in the Use of Information Technology (“RMIT”) by Non-Bank Financial Services Institutions (the “Regulation”). The Regulation applies to non-bank financial services institutions (“NBFS”), such as insurance companies and financing companies. The OJK had previously issued several regulations covering RMIT, each specific to a type of NBFS; the Regulation is an attempt to harmonise and integrate these into one umbrella regulation for RMIT.
Below are the key takeaways from the Regulation, which has been in force since 17 March 2021.
Implementation of RMIT
NBFS are required by the Regulation to implement RMIT measures, which should encompass at least the following matters:
- active supervision from the Boards of Directors (“BoD”) and Boards of Commissioners (“BoC”);
- adequacy of policies and procedures for the use of information technology (“IT”);
- adequacy of all identification, measurement, control, and monitoring processes in relation to any risks that are associated with the use of IT; and
- internal control systems for the use of IT.
The above measures shall be implemented in an integrated manner at every stage of the use of IT, from planning, procurement, development, operation and maintenance through to the termination and elimination of IT resources.
Newly introduced Information Technology Steering Committee
NBFS with total assets of more than IDR1 trillion will be required to have an Information Technology Steering Committee/Komite Pengarah Teknologi Informasi (“Committee”). The Committee is expected to give recommendations to the BoD regarding RMIT measures and the management of the NBFS’s IT. The Committee shall consist of:
- the director in charge of the working unit that is implementing IT in NBFS;
- the director or officer in charge of the risk management functions;
- the highest official in charge of the working unit that is implementing IT in NBFS; and
- the highest official in charge of the working unit for IT users.
It is worth noting that an NBFS will still be required to maintain the Committee even if its total assets are subsequently reduced. The Regulation is silent on the timeline for the formation of such a committee.
Several notable obligations of NBFS in relation to RMIT measures stipulated under the Regulation are as follows:
- to make and implement policies and procedures for using IT consistently and continuously;
- to set a tolerable risk limit to ensure that aspects related to IT can run optimally;
- to review and update policies and procedures on a regular basis, the period of which is specified in the written policy;
- to have policies and procedures for identifying, measuring, controlling, and monitoring the risks of using IT;
- where an NBFS uses an IT service provider, to ensure that the IT service provider implements risk management as stipulated in the Regulation;
- to implement an effective internal control system for all aspects of the use of IT; and
- for NBFS that have a data center and/or disaster recovery center, to place their electronic systems at data centers and/or disaster recovery centers in the territory of Indonesia, at different locations and taking geographical factors into account.
Additional RMIT obligations based on total assets value of NBFS
NBFS will be required to adhere to certain additional obligations if the value of their total assets reaches the following:
- NBFS with total assets of up to IDR500 billion are required to periodically back up all activity data that is processed through the use of IT;
- NBFS with total assets of between IDR500 billion and IDR1 trillion are required to operate data centers and must periodically back up all activity data that is processed through the use of IT; and
- NBFS with total assets of more than IDR1 trillion and/or that carry out the majority of their business operations through the use of IT are required to operate data centers and disaster recovery centers located within the territory of Indonesia.
Reporting obligations to the OJK
The Regulation requires NBFS to submit IT development plans that support the business activity plans of NBFS as part of NBFS policies and management plans to the OJK. This obligation, however, is only applicable to NBFS that are required to submit a business plan to the OJK.
NBFS are also required to report critical incidents, abuses, and/or crimes in the operation of IT that could result, or have resulted, in significant financial losses and/or disruption to the smooth operation of the NBFS. The report must be submitted no later than five working days after the critical incident, misuse or crime becomes known to the NBFS.
Protection of personal data
The Regulation also emphasises the importance of personal data protection in RMIT, and requires NBFS to guarantee that:
- the acquisition, processing, use, storage, updating, and/or disclosure of consumers’ personal data is carried out based on the consent of the consumer concerned unless otherwise stipulated by the provisions of the laws and regulations; and
- the use or disclosure of consumers’ personal data is in accordance with the purpose conveyed to the consumer at the time of data acquisition.
In addition, NBFS are explicitly required to maintain the security of all information, including consumers’ personal data, and to report to the OJK or determine the follow-up action to be taken in the event that an IT service provider violates the NBFS’s confidentiality provisions or the obligation to keep consumers’ personal data confidential.
Data center and disaster recovery center
NBFS that own a data center and/or disaster recovery center must place their electronic systems at a data center and/or disaster recovery center in the territory of Indonesia. The Regulation also indicates that the data center and the disaster recovery center shall be located in different locations. NBFS are allowed to have a data center and/or disaster recovery center outside the territory of Indonesia only under certain conditions and with the prior approval of the OJK.
NBFS that placed their electronic systems in a data center and/or disaster recovery center outside the territory of Indonesia prior to the enactment of the Regulation must submit an application to the OJK for approval no later than six months from the enactment. NBFS that do not meet the conditions for exemption set out in the Regulation must transfer their electronic systems to a data center and/or disaster recovery center in the territory of Indonesia no later than one year from the enactment of the Regulation.
The Regulation provides a transition period for the implementation of the RMIT provisions, based on the business activity category of the company and the total assets of the NBFS:
- one year from the enactment of the Regulation for:
  - providers of IT-based lending and borrowing services; and
  - NBFS with total assets of more than IDR1 trillion;
- two years from the enactment for NBFS with total assets between IDR500 billion and IDR1 trillion; and
- three years from the enactment for NBFS with total assets of up to IDR500 billion.
Actions to consider
The Regulation will impact NBFS that utilise any form of IT in their operations. Certain actions and steps may need to be taken to adhere to the new RMIT provisions within the stipulated period, both as a matter of prudent practice and to avoid potential sanctions from the authorities.
If you have any questions or require any additional information, please contact Jade Hwang, Randyaz Iskandar, David Septian Lienardo, or Hillary Tjandra of Roosdiono & Partners (a member of ZICO Law).
This alert is for general information only and is not a substitute for legal advice.