Indonesia's Financial Services Authority issues new governance and risk management rules for fintech innovation providers and business plan requirements for digital financial asset trading

Indonesia's Financial Services Authority (OJK) issued a new regulation and a circular letter to strengthen governance and risk management for Financial Sector Technology Innovation (ITSK) providers and to standardise business planning and reporting for Digital Financial Asset Trading Operators. Regulation Number 30 of 2025 applies to licensed ITSK providers, including Alternative Credit Rating and Financial Services Aggregation providers. It introduces governance requirements such as a minimum of two members of the Board of Directors and Board of Commissioners arrangements calibrated to the scale and complexity of the business. The risk management framework must cover, at a minimum, active oversight by the Board of Directors and Board of Commissioners, adequate policies and procedures, end-to-end risk processes, supporting management information systems and internal controls, and management of key risks including strategic, operational, cyber, legal, compliance and reputational risks. ITSK providers must submit an annual good governance implementation report and a semiannual risk profile report, with the regulation effective from 1 July 2026 and transitional provisions for industry adjustment. Circular Letter Number 34/SEOJK.07/2025 follows OJK Regulation Number 27 of 2024 as amended by OJK Regulation Number 23 of 2025 and applies to all Digital Financial Asset Trading Operators, including exchanges, clearing and settlement institutions, storage providers, traders and other parties designated by OJK. Business plans must cover at least one-year business targets, strategies and financial projections, with additional trader-specific requirements covering products and services, consumer targets, and target trading value and volume. The circular also requires a business plan realisation report covering implementation achievements, follow-up actions and specified financial information, with the first business plan due by 30 November 2026 and the first realisation report due after the end of the first quarter of 2027.