Indonesia’s Financial Services Authority (OJK) issued new requirements on the operation of information technology (IT) by rural banks (BPR) and Sharia rural banks (BPR Syariah), aiming to strengthen digital security as the sector expands digital services. The package sets expectations for end-to-end IT governance and IT risk management, including stronger data management, personal data protection, and cyber resilience and response capabilities. The rules cover IT governance, including defining the authority and responsibilities of the Board of Directors and Board of Commissioners, and establish requirements for IT architecture for institutions providing digital services. They also address IT risk management, including information security, arrangements with IT service providers, and the requirement to maintain a disaster recovery plan, alongside a requirement to locate electronic systems as well as data centre and disaster recovery centre facilities in Indonesia. The new framework takes effect one year after promulgation; once effective, OJK Regulation No. 75/POJK.03/2016 and OJK Circular Letter No. 15/SEOJK.03/2017 on IT standards for BPR and Sharia rural banks are revoked.
OJK 2026-01-08
Financial Services Authority issues new IT governance and cybersecurity rules for Indonesia’s rural banks and Sharia rural banks
Indonesia’s Financial Services Authority (OJK) has introduced new IT operation requirements for rural banks and Sharia rural banks to enhance digital security, focusing on IT governance, risk management, and data protection. The framework takes effect one year after promulgation, replaces the existing regulations, and requires data centre and disaster recovery centre facilities to be located in Indonesia.