OJK Tightens Risk Control and Information Technology Security for Banks through Regulation of the Members of the Board of Commissioners of OJK Number 1 of 2026
Introduction
On January 23, 2026, the Indonesian Financial Services Authority (Otoritas Jasa Keuangan, “OJK”) issued Regulation of the Members of the Board of Commissioners of Financial Services Authority Number 1 of 2026 on the Implementation of Information Technology by Commercial Banks (“PADK OJK 1/2026”), which took effect on March 1, 2026. PADK OJK 1/2026 serves as an implementing regulation of Financial Services Authority Regulation Number 11 of 2022 on the Implementation of Information Technology (“IT”) by Commercial Banks. The detailed technical provisions are set out in Annex I through Annex IV, which form an integral and inseparable part of this regulation.
PADK OJK 1/2026 was issued to address the increasing dependence of banks’ business activities on information technology systems, including the provision of digital banking services, transaction processing, customer data management, and the use of third-party technology providers. In its recitals, OJK emphasized that strengthening information technology controls is necessary to mitigate operational, data security, legal, and reputational risks that may directly affect banks’ business continuity and the stability of the financial system.
Comparison
PADK OJK 1/2026 revokes Financial Services Authority Circular Letter Number 21/SEOJK.03/2017 on the Application of Risk Management in the Use of Information Technology by Commercial Banks (“SEOJK 21/2017”). The following table provides a comparison between PADK OJK 1/2026 and SEOJK 21/2017:
| Aspect | PADK OJK 1/2026 | SEOJK 21/2017 |
| --- | --- | --- |
| IT Management Approach | Governs the implementation of information technology covering planning, development, operations, and system termination phases. | Governs the application of risk management in the use of information technology through general guidelines. |
| Security and Incidents | Stipulates the obligation to submit an initial notification to OJK at the latest 24 (twenty-four) hours after a non-cyber information technology incident has been identified. | Governs the handling of information technology events as part of risk management application without specifying an initial notification deadline. |
| Information Technology Service Providers (Pihak Penyedia Jasa Teknologi Informasi, “PPJTI”) | Requires Banks to include specific provisions in cooperation agreements with information technology service providers, including audit access and termination arrangements. | Governs the use of third parties through general provisions regarding selection and risk management. |
| Customer Data Protection | Governs the procedure for obtaining customer consent for personal data processing, which must be actively provided by the customer, and prohibits passive consent mechanisms such as pre-ticked boxes. | Did not yet specifically govern the procedures for obtaining customer consent for personal data processing. |
Key Provisions
Information Technology Architecture and IT Strategic Plan
Annex I Chapter I Letters A and B require Banks to maintain an information technology architecture describing the current state and target state of systems, and to formulate an IT Strategic Plan aligned with the Bank’s business plan. In its implementation, Banks use these documents as a reference for the development, integration, and replacement of information technology systems, including the planning of resource and cost requirements.
Information Technology Risk Management
Banks must apply information technology risk management across all phases of system implementation, from planning, development, testing, and implementation to operations and system termination. This obligation includes the identification, measurement, monitoring, and control of risks arising from the use of information technology, as set forth in Annex I Chapter III.
Information Security and Customer Data Protection
In implementing information technology, Banks are required to protect the confidentiality, integrity, and availability of data and information technology systems as regulated in Annex I Chapter IV. Furthermore, provisions regarding the procedure for obtaining personal data processing consent prohibit the use of pre-ticked boxes; therefore, consent must be actively provided by the customer, as governed in Annex I Chapter VII Letter B Number 1.
Use of Information Technology Service Providers
Annex I Chapter V Letter B Number 3 emphasizes that the use of information technology service providers does not transfer the Banks’ responsibility for information technology implementation. Consequently, cooperation agreements with information technology service providers must, at a minimum, include provisions regarding audit access by OJK, the obligation to submit event reports to the Bank, and the termination of cooperation under certain conditions, in accordance with the provisions in Annex I of PADK OJK 1/2026.
Information Technology Incident Notification Obligations
In the event of a non-cyber information technology incident that significantly impacts Banks’ services, Banks must submit an initial notification to OJK no later than 24 (twenty-four) hours after the incident is identified and submit a complete incident report no later than 5 (five) business days thereafter. These provisions are governed in Annex II Letter A Number 5 and Annex III of PADK OJK 1/2026. Cyber incident reporting follows separate regulations regarding cybersecurity.
Background Checks for Information Technology Human Resources
Banks must conduct background checks on employees or third parties holding specific positions with significant access and impact on the management of information technology systems and customer data, including criminal record or professional track record checks, in accordance with the Bank’s internal policies. This provision is set forth in Annex I Chapter IV Letter B Number 1.
Transitional Provisions
Banks that have entered into cooperation agreements with Information Technology Service Providers prior to the enactment of PADK OJK 1/2026 must adjust such agreements through changes or amendments to align with the provisions set out in the Annex to PADK OJK 1/2026, as governed in Article 2. Such adjustments include changes or amendments to cooperation agreements to incorporate provisions on audit access by OJK and exit strategies. Since PADK OJK 1/2026 took effect on March 1, 2026, SEOJK 21/2017 is no longer in force pursuant to Article 4.
Closing
PADK OJK 1/2026 establishes bank obligations with respect to information technology implementation, which include the management of information technology systems, the application of information technology risk management across the entire system lifecycle, and the security of data and systems used in business activities. PADK OJK 1/2026 also mandates the adjustment of cooperation agreements with Information Technology Service Providers, including audit access by OJK and termination of cooperation under certain conditions; the obligation to submit initial notifications to OJK no later than 24 (twenty-four) hours after a non-cyber information technology incident with a significant impact on services is identified; the implementation of procedures for obtaining customer personal data processing consent that must be actively provided by the customer, including the exclusion of passive consent mechanisms such as pre-ticked boxes; and background checks for human resources involved in managing information technology systems and customer data. With SEOJK 21/2017 no longer in effect, banks need to ensure that internal policies, cooperation agreements, information technology systems, and operational procedures have been adjusted to meet the provisions of PADK OJK 1/2026.