Although it still dominates Indonesia’s fintech industry, there has been no increase in the number of fintech lending companies in Indonesia for the past 12 months. This is because the OJK (the Indonesia Financial Services Authority) has put in place a moratorium on new registrations of fintech lending companies since the beginning of 2021.

Via the policy, all registered fintech lending companies are encouraged to upgrade their status by obtaining a business licence. This is proven to work: based on the OJK’s list dated 3 January 2022, more than 100 fintech lending companies exist and all are licensed by the OJK.

The moratorium is also intended to increase the quality of the fintech lending market in Indonesia, given that there has been a rise in the operation of illegal fintech lending companies. From 2018–21, the OJK, together with the Investment Awareness Task Force (IATF), recorded that it had suspended more than 3,000 illegal fintech lending companies.

Despite poor practice by illegal players, fintech lending seems to have gained the public’s trust, which can be shown by the market statistics recorded by the OJK and the IATF as at 31 August 2021: 749,175 lenders and 68,414,603 borrowers utilised fintech lending services and national-level loan distribution reached IDR249,938 trillion. The authors consequently believe that the Indonesian fintech lending market will continue to grow over the next 12 months.

Fintech lending still dominates Indonesia’s fintech industry, with more players than other fintech sectors. At the time of writing, the OJK has recognised more than 100 companies that provide peer-to-peer lending provider services and has regulated this business sector through OJK Regulation No 77/POJK.01/2016 on Information Technology-based Money Lending Services (“OJK Reg. 77”).

Indonesia’s fintech industry is supervised by two discrete regulators: BI and the OJK. Whilst BI supervises fintech and payment systems (e-money, e-wallets and other unclassified payment system fintech providers), the OJK supervises non-payment fintech (peer-to-peer lending, equity crowdfunding and digital financial innovation, or DFI).

The regulations that serve as the legal basis for the fintech models described above are:

• BI Regulation No 23/6/PBI/2021 on Payment System Providers (“BI Reg. 23/6”), BI Regulation No 23/7/PBI/2021 on Payment System Infrastructure Providers (“BI Reg. 23/7”), BI Regulation No 22/23/PBI/2020 on Payment Systems (“BI Reg. 22/2020”), and BI Regulation No 14/23/PBI/2012 on Fund Transfers (“BI Reg. 14/2012”), for payment services providers;
• OJK Reg. 77 on fintech lending;
• OJK Regulation No 57/POJK.04/2020 on Securities Offerings via Information Technology-based Equity Crowdfunding Services as amended by OJK Regulation No 16/POJK.04/2021 (“OJK Reg. 57”) for equity crowdfunding; and
• OJK Regulation No 13/POJK.02/2018 on DFI in the Financial Services Sector (“OJK Reg. 13”) for DFI.

There are no specific requirements; compensation depends on the contractual arrangements between fintech providers and their customers.

The fintech regulations apply to both existing and new fintech providers.

Indonesia has a regulatory sandbox that aims to assess the reliability of business processes, business models and financial instruments, and for the governance of unrecognised or unregulated fintech providers. BI maintains a regulatory sandbox for payment system fintech providers, whilst the OJK has one for providers of non-payment system fintech.

BI Regulatory Sandbox

The legal basis for the BI regulatory sandbox is set out in BI Reg. 23/6. A regulatory sandbox is conducted by BI to test the development of technology innovation (which includes products, activities, services and business models) against prevailing policies or provisions on payment systems.

OJK Regulatory Sandbox

Under OJK Reg. 13, a fintech provider in the non-payment system sector – such as an aggregator, a financial planner or an innovative credit assessor – must apply for recordation at the OJK as a DFI provider. Once recorded, the provider will be assessed by the OJK while in a regulatory sandbox, and can be recommended for registration with the OJK.

Indonesian regulators may co-ordinate with each other to confirm the boundaries of their respective regulatory authority. In 2019, the OJK’s DFI group decided to transfer its regulatory authority over crypto-assets and digital gold trading to BAPPEBTI (a government agency under the Ministry of Trade that regulates futures trading, and, in this case, oversees crypto-asset trading). In addition, a joint task force of Indonesian regulators is also a concrete example of how Indonesian regulators co-operate with each other. In 2016, the IATF was established by the following Indonesian regulators and law enforcement institutions:

• the OJK;
• the Ministry of Trade;
• the Investment Coordinating Board;
• the Ministry of Communications and Informatics (MCI);
• the Public Prosecution Service of Indonesia; and
• the National Police.

Unlike some other financial sectors that specify outsourcing, fintech regulations are silent on whether a function of a fintech provider can be outsourced to a third party. Generally, the types of work appropriate are non-core activities pursuant to Law No 13 of 2003 on Labour (the “Labour Law”). However, the majority of the provisions on outsourcing under the Labour Law were removed by Law No 11 of 2020 on Job Creation; this has created a perception that any type of work, whether core or non-core, may be outsourced.

The authors are of the view that the business association of each fintech sector may have an internal code of conduct or rules on whether certain functions of a provider may be outsourced.

Fintech providers are fully responsible for their platforms and other services provided to their customers and cannot abdicate their responsibility to any party (with reference to Law No 8 of 1999 on Consumer Protection, or the “Consumer Protection Law”), also adopted by OJK Regs. 77 and 57.

The OJK has deregistered many fintech players, especially peer-to-peer companies. The most significant reasons for deregistration are late filing of licence applications (or passing of the deadline) and illicit conduct.

Through its IATF, the OJK regularly receives reports from the public on a variety of unlicensed investments, including cross-border investments. The OJK updates a list of entities that allegedly offer "illegal" investments and are potentially fraudulent. In performing its duties, the IATF co-operates with the MCI to block access to websites or apps of the operators concerned.

Obtaining an Electronic System Operator (ESO) Certificate

Fintech providers must comply with regulations on the use of electronic platforms in Indonesia. Whether applications or websites, these are classified as electronic systems pursuant to Government Regulation No 71 of 2019 on the Implementation of Electronic Systems and Transactions (“Reg. 71”). An ESO and its electronic system must be registered with the MCI in accordance with Reg. 71. The MCI will issue an ESO Certificate to an ESO that has successfully registered its platform with it.

Personal Data Management and Handling

In addition to a requirement to obtain an ESO Certificate, implementation of an electronic system must accord with personal data protection principles. Nonetheless, all stages of personal data processing by an ESO (including the collection, processing and analysis, storage, disclosure and deletion of user data) must maintain data privacy and comply with the law, in this case, Law No 11 of 2008, as last amended by Law No 19 of 2016 on Electronic Information and Transactions (the “EIT Law”) in conjunction with Reg. 71 and MCI Regulation No 20 of 2016 on Personal Data Protection in Electronic Systems.

Prohibition on Pornographic Content

The EIT Law prohibits the intentional and unauthorised distribution of, transmission of, creation of, or action resulting in accessibility to electronic information or data with immoral content. This is also in line with the Pornography Law, which prohibits anyone from producing, creating, copying, multiplying, distributing, broadcasting, importing, exporting, offering, selling and purchasing, leasing, or providing pornography that explicitly shows:

• sexual intercourse, including deviant sexual activity;
• sexual exploitation;
• masturbation;
• nudity or displays of exotic nudity;
• sex organs; or
• child pornography.

Implementation of Anti-money Laundering (AML) and Counter-Terrorism Financing (CTF)

OJK Regulation No 12/POJK.01/2017 on the Implementation of AML and CTF (“OJK Reg. 12”) applies to fintech providers that receive fees from customers in return for their services as peer-to-peer lenders and equity crowdfunding providers. These providers must have a policy, supervisory protocol and procedure to mitigate the risk of money laundering and financing of terrorism related to their customers, and report the implementation thereof to the OJK and suspicious transactions to the Financial Transaction Reports and Analysis Centre (PPATK).

Business associations in fintech sectors play a significant role in overseeing fintech players. Currently, two business associations are recognised by the OJK: the Indonesia FinTech Association (AFTECH) and the AFPI. Both associations have tried to supervise those aspects of fintech activities that are not yet stipulated in the regulation by issuing a code of conduct for each fintech sector. It has also been a mandate of the OJK to the associations to ensure the compliance of fintech players with the prevailing regulation as well as to supervise the way the fintech players conduct their business.

The AFPI has issued a code of conduct that prevails for all peer-to-peer lending providers, while AFTECH issued codes of conduct in November 2020 for three business clusters: aggregator, innovative credit scorers and financial planners. In addition to the associations, the public can also participate in the review of illegal fintech provider activities by submitting a report to the IATF.

Financial products and services are highly regulated in Indonesia, in the sense that all financial products and services offered should be supervised by either the OJK, BAPPEBTI or BI. In the fintech sector, not all products and services are yet regulated. This is due to the rapid growth of innovation in digital financial services and because regulators are still playing catch-up with this development, particularly in formulating regulations that fit products and services offered by fintech players.

The OJK and BI have attempted to address the situation by introducing a regulatory sandbox as a testing mechanism aimed at accommodating all types of fintech products and services while simultaneously assessing their "fit" with existing regulations; otherwise, new regulations would need to be prepared. This helps them create a framework that accommodates innovation but also affords adequate protection to the public.

For those parts of the fintech industry already regulated, such as peer-to-peer lending and securities crowdfunding, entities engaged in these sectors must be single-purpose companies, and will not be permitted to offer other products or services beyond what their licences permit.

In general, the AML rules are applicable to all companies in Indonesia. However, specifically for banks and non-bank financial institutions that also include fintech companies that receive or bridge fund flows from their customers or users, both the OJK and BI have stipulated more specific AML rules that should be implemented by fintech companies categorised as non-bank financial institutions.

Although unregulated fintech companies are not bound by the AML rules under BI and the OJK as they have not been recognised as financial services providers by the laws and regulations, they are expected to adopt the general AML rules. This can be achieved by a business association issuing a policy on AML that is then adopted by the unregulated fintech companies.

Indonesian law does not specifically regulate robo-advisers. However, in practice, several financial service providers have used robo-advisory services when operating their business, such as mutual fund sales agents (APERD) and financial planners. The use of robo-advisory services in these businesses must follow the requirements that prevail for each asset class. If a specific stipulation does not exist for a given asset class, a robo-adviser for that class may fall within the regulatory sandbox scheme, specifically the OJK scheme.

There is no specific regulation on robo-advisers. Thus, the implementation of solutions introduced by robo-advisers must adhere to specific regulations, internal guidelines or rules that apply to those fintech providers.

With regard to robo-adviser operators in stock trading, the actual trade of stocks should be carried out by securities companies. The robo-adviser platform should therefore co-operate with a securities company instead of replacing it. This issue arises due to the absence of regulations on robo-advisers in Indonesia, which might otherwise differentiate between robo-adviser services and conventional existing services.

OJK Reg. 77 does not identify special treatment for individuals or small-business borrowers. However, in the draft that will replace OJK Reg. 77, the OJK requires providers to facilitate funding to:

• productive sectors, accounting for at least 40% of total outstanding funding annually; and
• fund recipients outside Java.

A provider that does not fulfil these obligations will be subject to a fine of IDR25 million, according to the draft.

Fintech lending companies or peer-to-peer lending providers are required to mitigate risk in carrying out their business, pursuant to OJK Reg. 77. This includes both operational and credit risks that may occur. In addition, peer-to-peer lending providers may also co-operate with other information technology-based supporting providers to improve their services, as OJK Reg. 77 further explains. In this regard, the authors understand that some peer-to-peer lending providers co-operate with credit scoring companies for improving the quality of their underwriting processes. This is in line with the draft regulation projected to replace OJK Reg. 77, as it refers to third-party agreements for risk mitigation and requires risk mitigation mechanisms to be used by providers in the event that a loan does not perform.

Indonesian law only recognises one type of loan-based fundraising: peer-to-peer lending stipulated in OJK Reg. 77. Equity-based fundraising is covered separately in OJK Reg. 57.

OJK Reg. 77 does not dictate a catch-all scheme for fintech lenders. However, a borrower that uses a peer-to-peer lending provider’s platform may receive a loan from many lenders or just one.

Payment processors may use existing payment rails or create/implement new ones if they have obtained the required licences from BI as a payment system, payment system infrastructure or payment system supporting services provider. If newly created payment rails do not fall completely within the scope of existing payment system licences issued by BI, the fintech recordation regime must accommodate them.

As the activity relates to payment systems, fintech recordation should fall under the fintech regulation of BI, and for such recordation, payment processors must lay out details of their new payment rails. BI will then decide whether the new payment rails can be used in Indonesia until it issues a new regulation or policy. Alternatively, it may require payment processors to obtain a licence based on the existing regulations or order them to stop using the new payment rails.

Cross-border payments and remittances fall within the supervision of BI, and may be carried out by both banks and non-bank entities. For licensing, only non-bank entities will need to obtain a remittance licence as a category-3 payment services provider from BI before engaging in remittance activities. For banks, since remittances is one of their permitted activities, no separate licence is required to provide this service. However, both banks and non-bank entities will need to comply with reporting requirements to BI on their remittance services.

Cross-border remittance can only be done in co-operation with a provider that has obtained a remittance licence from the relevant authority in its home jurisdiction, and it must obtain BI approval. BI is also authorised to stipulate an upper limit for cross-border remittances. However, this will only apply to non-bank entities.

Banks and non-bank entities that provide cross-border remittance services also need to comply with the reporting requirements set out by the PPATK.

No specific regulation exists for fund administrators. The administration of funds in Indonesia is handled mostly by securities companies that act as investment managers, for which they must be licensed by the OJK. The main task of an investment manager is to manage the securities/investment portfolio of its customers, which may include bonds, stocks, collective investment units and futures contracts related to securities. The administration of funds by banks, insurance companies and pension funds is subject to regulations applicable to those sectors.

Fund advisers are known as investment advisers and their activities are supervised by the OJK. Investment advisers may be companies or individuals and are subject to OJK licensing requirements. A fund adviser’s main role is to provide advice on the sale and purchase of securities; a fund adviser is not permitted to manage customers’ funds or forecast the performance of securities.

There is no strict prohibition on an investment adviser entering into a co-operation agreement with an investment manager, if the scope of co-operation is still within the permitted activities of both functions.

Securities Trading

The most common trading platforms in Indonesia are those that relate to securities (including scripless stock and mutual funds) trading. This platform must be operated by a licensed securities broker and may only be used by customers of that broker. Operation of such a trading platform is stipulated in OJK Regulation No 50/POJK.04/2020 on Internal Control of Securities Companies that act as Securities Brokers, which allows a securities company to use electronic communication – including the internet, short messaging services, wireless application protocol and other electronic media – to facilitate its securities transactions.

In addition to the trading feature, the platform must also provide information on trading risk, the security and confidentiality of all data, and how an order will be processed by the broker, along with information on procedures for handling order delays or instructions for addressing disruption to the system.

In marketing securities, the securities broker can also engage another bank or non-bank financial institution, including a crowdfunding organiser, or peer-to-peer lender to act as its marketing partner. The partner must be registered with the OJK as a partner of the securities broker.

The sale of mutual funds via a platform can also be done by fintech companies licensed by the OJK to act as mutual fund sales agents.

Futures Commodities Trading

BAPPEBTI, as futures trading supervisor, has not issued a specific regulation on the use of online platforms for futures trading. However, BAPPEBTI allows futures commodities brokers to use online electronic media for customer onboarding processes, provided prior approval from BAPPEBTI exists for an online feature. In practice, trading in commodities futures, which may also include digital gold, can be done via a platform as long as the platform is operated by a licensed commodities futures broker also connected to an online trading platform provided by the Indonesia Commodity and Derivatives Exchange (ICDX) and the Jakarta Futures Exchange (JFX).

Money Market

Under BI Board of Governors Regulation No 21/19/PADG/2019 on Providers of Electronic Trading Platforms, operators of electronic trading platforms that facilitate transactions within money and foreign exchange markets need to be licensed by the BI. Initially, an operator can apply to the BI for an in-principle licence. With this, the operator is allowed to start preparing the infrastructure of its platform, including a feasibility study of its business operation. Once preparation is complete and the operator is ready to start operating, it may apply for a business licence. Operations can only commence after a BI licence has been issued.

Each asset class will have its own regulatory regime, as described above. Securities trading falls under the supervision of the OJK, while futures commodities (including digital gold and crypto-assets) fall under the supervision of BAPPEBTI. BI supervises the use of trading platforms within money and foreign exchange markets.

Virtual currencies (including cryptocurrencies) are not recognised as a legitimate payment instrument in Indonesia. However, the increase in popularity of cryptocurrencies in Indonesia has pushed the Indonesian government to issue a legal framework for cryptocurrencies in the Indonesian market.

Cryptocurrencies in Indonesia are recognised as crypto-assets that can only be traded as futures commodities at a crypto-assets futures exchange approved by BAPPEBTI. Trading can also be done through a crypto-asset traders’ platform connected with a crypto-assets futures exchange platform. Key players involved in crypto-assets transactions are exchanges, clearing agencies, traders and depository agencies for crypto-assets. All of these need to be licensed by BAPPEBTI.

Tradable crypto-assets are only those approved by BAPPEBTI and listed for trading in a futures exchange. Currently the list is stipulated in BAPPEBTI regulation No 7 of 2020 (“Bappebti List of 2020”). In December 2020, BAPPEBTI had listed 229 types of crypto-assets that could be traded in a futures exchange, including Bitcoin, Ethereum and XRP (see 12. Blockchain for more detail on the criteria for crypto-assets).

In Indonesia, listing standards are relevant for products in the capital market sector, which include stocks and bonds. The listing must follow the rules of the Indonesian Stock Exchange (IDX). There are currently three listing boards on the IDX: the main, development and acceleration boards. The main and development boards are designated for companies that have already started operations within a certain period and have a certain level of assets. For example, a company that can list its stocks on the main board must have net tangible assets of more than IDR100 billion, while to be listed on the development board, it is IDR5 billion and income of more than IDR40 billion. Most companies in Indonesia list their stocks on the main board.

The acceleration board is designated for small and medium-scale businesses with a range of assets from IDR50 billion to IDR250 billion. Small and medium-scale companies may list their stocks immediately upon establishment. The financial and accounting requirements and the offering structure for the acceleration board are relatively simple compared with those for the main and development boards.

In relation to stock trading, both the OJK and the IDX set out general rules on procedures that need to be implemented by securities brokers when handling their customers' orders. In accepting orders, the OJK requires securities brokers to verify customer identity and record details of the order, such as the number, type and price of the stocks. The securities broker must also maintain a risk management unit that is responsible for, among other things, verifying orders or instructions from customers to ensure the availability of funds or stocks for settlement of the transaction. Specifically, securities brokers that operate a trading platform must ensure that the platform provides information on procedures to handle delays to orders due to an interruption of the online system.

The IDX also stipulates that a securities broker may only accept and execute a trading order from a board member or member of staff if the securities broker maintains a standard operating procedure that stipulates, among other matters, the prioritising of customer orders.

Before the acknowledgment of cryptocurrency as crypto-assets, many players established peer-to-peer trading platforms to trade various cryptocurrencies. However, since the enactment of regulation on crypto-asset trading on futures and digital exchanges, trading was centralised to the crypto-assets futures exchange. Trading in crypto-assets needs to be carried out via a crypto-assets futures exchange approved by BAPPEBTI. This marks the end of peer-to-peer trading platforms for cryptocurrencies in Indonesia.

For stock trading, all activities are centralised with the IDX and every party involved in stock trading needs to obtain a licence beforehand from the OJK and follow the IDX rules. The closest structure to a peer-to-peer trading platform is the securities crowdfunding platform stipulated in OJK Regulation No 57/POJK.04/2020 on securities crowdfunding as amended by OJK Regulation No 16/POJK.04/2021. This regulation defines securities crowdfunding as an offering of securities by an issuer directly to an investor using a publicly accessible electronic system. The issuer will be exempted from the normal capital market rules on initial public offerings if the offer is through an OJK-licensed provider and only for a period of not more than 12 months; and should not raise more than IDR10 billion.

A securities crowdfunding platform provider may also provide a system that facilitates secondary market trading in securities that were distributed at least one year before the trade. A trade in the secondary market can only be conducted between investors that are registered with the platform, with no more than two trades within 12 months and a gap of six months between each trade.

Although the platform operates in a similar way to a peer-to-peer trading platform, all trading (including changes of securities ownership) made through the securities crowdfunding platform must be registered with the Indonesian Central Securities Depository (KSEI) as the agency in the Indonesian capital market that provides organised, standardised and efficient central custodian and securities transaction settlement services, in compliance with the Indonesian Capital Market Law.

No specific rules exist in Indonesia for best execution of customer trades. The OJK and the IDX, however, stipulate general rules that require every securities company that acts as a broker to put the interest of customers ahead of its own interest when performing a transaction. In providing their buy and sell recommendations, brokers must also inform customers if they have an interest in the securities recommended to them.

No specific regulation on payment for order flow exists in Indonesia. In general, all securities brokers need to execute their trade orders themselves, and may only assign them to another broker if there is trouble in the trading system or if the stock exchange suspends them while an outstanding order needs to be executed. Furthermore, the securities brokers must also disclose fees charged to customers when facilitating a trade, including their fee, and fees charged by the stock exchange.

A benchmark fee (or commission) that may be charged by a securities broker must be agreed and stipulated by members of the Indonesia Securities Company Association.

The fundamental principles of Indonesian capital market laws and regulations are:

• disclosure;
• efficiency;
• fairness; and
• protection of investors.

For investor protection, the Indonesian Capital Market Law stipulates two key areas of market abuse: insider trading and market manipulation. The Law stipulates that parties (which includes individuals, companies, partnerships, associations or organised groups) are prohibited from:

• deceiving or misleading other parties through the use of whatever means or methods;
• participating in a fraud or deception against another party;
• giving false statements on material facts; or
• failing to disclose material facts that are necessary in order to avoid a statement being misleading.

A violation of the market abuse prohibition is subject to imprisonment for up to ten years and a fine of up to IDR15 billion.

High-frequency and algorithmic trading are not yet specifically regulated in Indonesia, even though, in practice, many players already use these technologies in both securities and futures commodities trading. This practice is also acknowledged by both the OJK and the IDX.

The OJK, under its digital finance innovation rule, recognises the use of retail algorithmic trading as part of innovation that needs to be recorded at the OJK. Once recorded, the OJK will include a provider of retail algorithmic trading in a regulatory sandbox. The OJK will then further analyse the activities to determine whether the provider may continue their services in retail algorithmic trading. Additionally, in a press release on the IDX’s mission for 2018–21, one item is to increase securities transaction liquidity by perfecting the feature and capacity of the trading system (including to anticipate customers that use algorithmic trading and high-frequency trading as their trading methods).

One concern in the use of high-frequency and algorithmic trading is potential breach of the market manipulation rule under the Indonesian Capital Market Law, which prohibits action that is misleading about trading activity, and manipulation of securities prices.

Market makers in Indonesia are only recognised for trading in commodities futures. A market maker is defined as a party continuously quoting sell or purchase orders during trading hours. The futures exchange and futures clearing house will jointly determine parties appointed as market makers with the approval of the head of BAPPEBTI. However, there are no specific registration requirements for market makers within the context of high-frequency and algorithmic trading in commodities futures.

For securities trading, the OJK is still preparing a regulation that will require the registration of market makers at the stock exchange.

This is not applicable in Indonesia. See 8.1 Creation and Usage Regulations.

There is still no specific regulation in Indonesia on the development and creation of trading algorithms. To the extent that programmers are only involved in the creation of the system but not actual trades, it is unlikely that they would fall under the supervision of the OJK, BAPPEBTI, BI or the IDX. However, if the activities evolve to involvement in actual trades, they may fall within the ambit of the OJK’s digital finance innovation rule and thus need to be recorded with the OJK.

To date, a financial research platform is regarded as a fintech business model, is often regarded as an “aggregator” cluster and is classified as a DFI under the supervision of the OJK. A financial research platform, in this case, should be limited to a digital platform offering information on financial products and services of financial institutions but should not be undertaking activities that may trigger the need for a licence under the OJK (ie, investment broker or investment adviser licensing).

Financial research platforms operate as limited liability companies (PTs). Note that for DFIs, recordation or registration with the OJK is voluntary and is not licensing per se. The participants should undergo the recordation process following their PT’s incorporation. Furthermore, digital platform providers are ESOs and must also be registered at the MCI.

The spreading of rumours or unverified information in the electronic information and transactions field is under the authority of the MCI. The EIT Law prohibits distribution of, transmission of, or access to electronic information or electronic documents that contain, among other matters, fake news (hoaxes) and misleading information that may result in consumers suffering losses in electronic transactions.

As a sign of strong government commitment to the country's digital agenda, the MCI and law enforcement authorities are more aware of the need to combat fake news and misleading or unverified information across the internet in recent years. Under the EIT Law, any person who deliberately and unlawfully disseminates a hoax or misleading news that causes losses for consumers in an electronic transaction may incur criminal sanctions, with imprisonment for up to six years or a fine of up to IDR1 billion.

In the capital market, the spreading of rumours or unverified information may lead to market manipulation restrictions under the Indonesian Capital Market Law: a person is prohibited from making false or misleading statements that affect the price of securities on the stock exchange if, at the time the statement is made or the information is disclosed, the person failed to exercise due care in determining the truth of the statement or information. A violation of the market manipulation prohibition is subject to imprisonment for up to ten years and a fine of up to IDR15 billion.

Although specific regulation on the curation of conversation on the internet at present remains largely unregulated, a financial research platform would typically be expected to establish internal rules to ensure safeguards and oversight over conversation within its platform.

In fact, it is common in the market for digital platforms as over-the-top service providers to maintain:

• active filtering features on their platforms whereby the operator can actively monitor and filter any false or misleading information/content or other types of unacceptable behaviour within its forum; and
• a feature whereby users can report content within the platform, and, subsequently, platform operators will take action against a report, such as taking down the content.

At the time of writing, insurtech has yet to be covered by a comprehensive regulatory regime. It is reported that the OJK is preparing a regulatory framework for insurtech as a means to drive insurtech growth while safeguarding consumers’ interests as more industry players embrace digital transformation. The business is still largely unregulated; it is still classified as a fintech cluster, hence it is categorised as a DFI under the OJK.

While the traditional underwriting model is regulated under the "incumbent" insurance sector, insurtech remains unregulated. Where insurtech enters into partnership with insurance companies in offering their traditional products, the insurance companies underwrite the products; hence, the underwriting process would follow the traditional underwriting model. Use of big data and other innovative data-driven approaches in the underwriting process of innovative insurance products may vary, as insurtech players set their own rules for better pricing and risk assessment of products.

Under the insurance regulatory landscape, insurance products in Indonesia are generally grouped in two categories: life insurance and general insurance products.

Insurance companies are limited to doing business tailored to their licences; this means that the offer of overlapping services – ie, life insurance and general insurance at the same time – is not permitted.

Business expansion for insurance companies, however, is possible in that life insurance companies can expand their business to investment-related insurance products and fee-based activities (these include marketing other non-insurance products; eg, mutual funds or other products of financial institutions licensed by the OJK), credit insurance and suretyship, or other activities assigned by the government. Sharia-compliant general insurance companies can expand into these activities, except for credit insurance and suretyship, whereas general insurance companies are only allowed to add fee-based activities to their expanding business.

Life insurance and general insurance products, including those that are sharia-compliant, are subject to different regulatory treatment.

Like insurtech, at the time of writing, regtech is unregulated and classified as a fintech cluster, and players qualify as DFIs under the OJK. Regtech solutions in the market today are spread into several clusters under the OJK:

• regtech (automates the collection and storage of customer due diligence (CDD) data to comply with AML and CTF regulations);
• e-KYC (solutions for digital identity and digital signature);
• verification technology (identification and non-CDD verification platforms); and
• tax and accounting (tax and accounting reporting solutions).

Subcontracts between duly licensed financial services entities and third parties are generally dictated by regulations. For example, this is the case in banks (commercial and rural banks, including sharia-compliant ones) for outsourcing their IT systems.

While not specifically applicable to regtech, the OJK mandates specific provisions that must be included for banks to outsource their IT activities, and the contract must contain standard clauses as prescribed by OJK regulations (eg, OJK Regulation No 38/POJK.03/2016 on the Application of Risk Management in the Use of IT by Commercial Banks, last amended by Regulation No 13/POJK.03/2020 and Regulation 13/POJK/03/2021, and its implementing regulation, OJK Circular Letter No 21/SEOJK.03/2017). Among the most significant provisions are data protection, confidentiality, human resources, IP rights and licences, systems security standards, data centres, and disaster recovery centres. Service-level agreements (SLAs) are also mandatory, containing performance standards such as promised service levels and performance targets.

The use of blockchain by incumbent players in the country's financial sector, although small, is indeed emerging. In fact, BI is also among the pioneers in leveraging blockchain technology by formulating the country’s own central bank digital currency (CBDC), as it sets to launch its CBDC pilot programme.

Some major banks have paved the way for blockchain adoption: Bank Permata, Bank Negara Indonesia (BNI) and Bank Rakyat Indonesia (BRI) deploy blockchain for trade finance and remittance products. Bank Central Asia (BCA) initiated a financial hackathon for start-ups to drive blockchain's growth in use. Some other major banks are reportedly pursuing routes to blockchain adoption, including the potential to use blockchain for KYC shared storage on the blockchain.

The authors believe that the leveraging of blockchain technology by traditional players – particularly in some aspects of settlements, KYC and financial inclusion – will become more prevalent, especially with digitisation playing an even bigger role, moving forward.

There has yet to be a specific rule proposal, let alone legislation, that governs blockchain adoption, although the government continues to welcome it with its technology-neutral approach in general. Within the financial sector, as mentioned in 12.1 Use of Blockchain in the Financial Services Industry, BI is formulating the CBDC programme at the same time as the regulatory framework to regulate and provide legal backing for a digital version of the rupiah. The OJK is also embracing the use of blockchain, as seen in the identification of blockchain-based fintech companies as a fintech cluster. Also, the OJK envisages blockchain-based technology as an aid for securities crowdfunding in data exchange.

Notwithstanding the absence of rules, however, some recent notable government and industry projects have involved blockchain, as follows.

• Indonesia’s Customs and Excise Department (within the Ministry of Finance) aimed to leverage blockchain technology in the logistics sector, via a blockchain-based global trading platform, TradeLens (developed by Maersk and powered by IBM’s cloud and blockchain). The platform provides container tracking and information sharing between platform members (importers, exporters, logistics operators) and government authorities. With the blockchain-based platform, the government takes aim at minimising shipping costs, reducing  disorganised and inefficient traditional paper-based practices in logistics to enable a seamless and efficient supply chain in the long run.
• The Directorate General of Taxation (DGT) is deploying blockchain technology for its core tax administration system.

Blockchain or crypto-assets are only recognised as futures trading commodities; however, Indonesian law does not specify blockchain assets as a form of regulated financial instrument. With crypto-assets classified as tradable commodities, the Indonesian government allows trading in crypto-asset commodities. Therefore, they fall under the authority of BAPPEBTI, which has issued several regulations entailing futures trading of crypto-assets.

Crypto-assets may only be traded through a futures exchange if approved by BAPPEBTI and listed in a BAPPEBTI regulation, which will be updated from time to time (currently, in the BAPPEBTI list, there are 229 registered crypto-assets at BAPPEBTI). To be eligible as tradable crypto-assets in the local market, they must meet, at a minimum, the following criteria:

• employ distributed ledger technology (DLT);
• be asset-backed or utility-based; and
• have been assessed via the analytical hierarchy process (AHP) method as determined by BAPPEBTI, which also considers the market cap value of the crypto-asset, whether they are traded on the largest crypto-asset exchange in the world, offer economic benefit and have successfully passed a risk assessment, including AML, CTF and proliferation of weapons of mass destruction regulations.

The issuance of crypto-assets remains unregulated despite its rising popularity among local “issuers” in the country; the same sentiment also applies to initial coin offerings (ICOs), and the main regulation of crypto-assets (BAPPEBTI Regulation No 8 of 2021 on Guidelines for the Operation of Physical Crypto-asset Markets in Futures Exchanges, dated 29 October 2021, or “Reg. 8/2021”) explicitly stated that it excluded ICOs and/or initial token offerings from the scope of its regulatory scheme.

Blockchain asset trading platforms are regulated in Indonesia. These are defined in the regulation as “crypto-asset traders”. Crypto-asset traders (commonly known as crypto-asset trading/exchange platforms) are defined as parties that have secured approval from BAPPEBTI to carry out crypto-asset trading transactions in their own right and on behalf of customers.

While the authors understand that the term “cryptocurrency exchanges” is more welcome and commonly used internationally for crypto-asset traders, it is important to point out here that the term “exchanges” is used in the regulation to define a futures exchange that has secured approval from BAPPEBTI to facilitate the trading of crypto-assets; hence, the government of Indonesia is introducing a rather different approach as regards the crypto-asset ecosystem in Indonesia.

In general, the key players involved in the physical crypto-asset futures market are BAPPEBTI, crypto-asset exchanges, clearing agencies, traders and depository agencies.

A crypto-asset trader must be incorporated as a limited liability company, be a member of a crypto-asset exchange and a crypto-asset clearing agency, and be designated as a trader by the crypto-asset exchange. Separate BAPPEBTI approval is required for each type of transaction mechanism deployed by crypto-asset traders.

Crypto-asset traders must meet certain criteria as specified in the regulation, including different financial requirements (paid-up capital and equity) at the time of registration and post-registration, specific good corporate governance, and some technical requirements; ie, having a reliable online system to facilitate trading transactions that connects to all the other players in the market.

Currently, fund investing in blockchain assets is not regulated, although, per the regulation, only individuals are allowed to become crypto-asset customers trading in the Indonesian physical crypto-assets market.

Virtual currencies and blockchain assets are treated differently, in that virtual currencies are prohibited from use as legitimate means of payment in Indonesia. In contrast, blockchain assets or crypto-assets, as discussed previously, are recognised as commodities that can be traded on the country’s futures exchange.

Decentralised finance (DeFi) is not yet regulated in Indonesia. Nonetheless, some local players have tested the water, as listed below, which are still in their early stages, although the market is expected to move up going forward:

• Litedex Protocol, which is a decentralised exchange (DEX) that is supported by the Minister of Trade of Indonesia, is a protocol that will serve as a meta finance blockchain developer for local players; the protocol develops elements of DeFi, including staking, yield farming, swapping, liquidity pool and lending-borrowing, as well as non-fungible token (NFT) marketplace and bridge features. Litedex Protocol is also developing its native token, the LDX token; and
• tokocrypto, which is the first registered crypto-asset trader (crypto-exchange), initiated DeFi utility project through its platform token; ie, Toko Token (TKO). The TKO ecosystem promotes some DeFi elements, such as borrowing and lending, and staking and savings. On another note, tokocrypto (and some other traders) also lists native DeFi tokens available for trading purposes on its platform.

At the time of writing, NFTs are not yet regulated, although it is to be noted that by virtue of the definition of “crypto-assets” under Reg. 8/2021, NFTs may fall into the regulatory regime. Crypto-assets are defined in the regulation as intangible commodities in digital form that use cryptography, an IT network and distributed ledger to create new units, and verify and secure transactions, without the involvement of other parties. Nonetheless, BAPPEBTI has recently clarified that NFTs are yet to be regulated, indicating that NFTs do not fall within the existing regulatory framework.

Nevertheless, given the skyrocketing number of local industry players as well as NFT collectors and their communities, its popularity and the growing concerns as regards the taxation and intellectual property aspects (not to mention that the government is also aware of the growing market), we may expect some efforts from the government to clear up some regulatory uncertainties in the local NFT space.

Open banking in Indonesia has yet to be comprehensively implemented, although the notion is included in BI’s new strategic framework, the 2025 Indonesia Payment Systems Blueprint (the "BI Blueprint"). The BI Blueprint specifies five initiatives for the next five years to create a more effective and streamlined system for payments:

• open banking;
• retail payment systems (and a Quick Response Code Indonesia Standard (QRIS) code system);
• market infrastructure;
• data; and
• regulatory licensing and supervision.

These initiatives are to be implemented by five working units under BI, which has now launched the National Open API Payment Standard (SNAP) as well as sandbox trials of QRIS and Thai QR payment interconnectivity. These measures are crucial to accelerate open banking in the payment systems space.

Before the BI Blueprint, the OJK cued the open banking drive by virtue of OJK Regulation No 12/POJK.03/2018 on the Organization of Digital Banking Services by Commercial Banks ("OJK Reg. 12"). OJK Reg. 12 accommodates the needs of various integrated IT-based banking services and carries elements of open banking; ie, banks' co-operation with their partners (financial institutions and/or non-financial institutions) as a means of banking product innovation. OJK Reg. 12 also addresses matters relating to customer protection and risk management for banks running IT-based banking services.

Data collection, use and disclosure within the financial services sector mirrors the EIT regime. Under the Banking Law (Law No 7 of 1992, as amended by Law No 10 of 1998 and Law No 11 of 2020), banks are prohibited from disclosing information on their customers to third parties, except in specific circumstances as mandated by law; ie, for taxation purposes, debt settlement, criminal proceedings, civil lawsuits between banks and customers, interbank information exchange, and inheritance. Moreover, banks and other financial institutions (players in capital markets, insurance, pension funds, finance companies and others) are prohibited from providing third parties with data or information on their own customers except where (i) customers provide written consent, or (ii) the provision of the data or information is required by law.

In light of bank secrecy, banks, in particular, are challenged to implement open banking. Some major banks have launched an application programming interface (API), while others are still adapting to customer behaviour that is moving toward a less-cash and more-digital economy culture. The market has seen some collaborative approaches between banks and fintechs; there are numerous instances of banks that have opened up their APIs to allow their systems to be integrated with technology providers and facilitate financial transactions.

As stated before, given the open banking, API-enabled environment, OJK Reg. 12 provides customer protection. With the BI Blueprint, BI is to prioritise the standardisation and implementation of open APIs to allow for the interlinking of banks and fintech players in tackling risks from shadow banking.

In implementing open banking, customer data will be the main concern, and BI aims to address customer data protection (including customer consent and dispute resolution), risk management and technical aspects. At the time of writing, BI is still collecting input from market players to develop system-wide open banking and formulate relevant regulations.