Indonesia is now the largest economy in Southeast Asia. As a well-known startup hub, there are a growing number of startups nurtured and grown domestically in Indonesia, such as Tokopedia and OVO. Most of the startups leverage the benefits of cloud computing technologies to accelerate its digitalization and solve problems arising from business growth. By using Alibaba Cloud Infrastructure as a Service, big data solutions, AI capabilities, and security features, Tokopedia provides more intelligence and better user experience to their end customers.

General Privacy Laws:
There is no general law on data protection in Indonesia. Currently a Personal Data Protection Bill (RUU PDP) is under discussion but has not been finalized. However, there are certain laws and regulations concerning the use of electronic data/information, which include:
1.Law No. 19 of 2016 as revision from Law No. 11 of 2008 regarding Electronic Information and Transactions
2.Government Regulation No. 71/2019 (GR71) as the revision from Government Regulation No. 82/2012 regarding Provisions of Electronic Systems and Transactions
3.Ministry of Communication and Information Regulation No. 20 of 2016 regarding the Protection of Personal Data in Electronic Systems

Data Localization Requirements:
GR 71 classifies electronic system operators into public and private scopes. Public scope electronic system operators must manage, process, and/or store electronic system and electronic data in the territory of Indonesia. Private scope electronic system operators can place their electronic systems and data inside or outside of Indonesia, providing that effective supervision by government agencies is assured. When private electronic system operators store their system and data offshore, they must provide access to the electronic system and data for monitoring and law enforcement purposes.

Overview:
Alibaba Cloud offers a high degree of flexibility in designing and implementing the IT architecture on the cloud with THREE Availability Zones in Indonesia. With proper solution design, it can meet the requirements of security, resilience, data residency, recoverability, and performance for regulated entities in the Financial Services industry. Customers can deploy systems across three Availability Zones to achieve higher levels of resilience. Alibaba Cloud has helped several customers minimize the risks of losses in confidentiality, integrity, and availability when moving to a public cloud.

Alibaba Cloud is committed to facilitating the customers in compliance with the financial industry-specific regulatory requirements. With initial high-level due diligence and risk assessment, solution selection, implementation and transition, and post-implementation assurance, Alibaba Cloud provides a full suite of offerings that can help, including responses in every due diligence evaluation aspects, best practices in services and products configuration, automated and continuous security check tools, as well as assurance over the design and operational effectiveness of internal controls.

Regulator:
Financial institutions in Indonesia are regulated by Bank Indonesia (BI) and Indonesian Financial Services Authority (OJK). BI is the central bank of Indonesia, who oversees monetary and payment systems and is responsible for maintaining the stability of the country's currency. OJK regulates and supervises all activities of the financial services sector, including banks, capital markets, insurance, pension funds and other financing institutions and financial services institutions.

Regulations/Guidelines to look at when using cloud computing services:
1.POJK No. 13/POJK.03/2020 as the revision of OJK No. 38/POJK.03/2016 concerning Risk Management in the Use of Information Technologies for Commercial Banks
2.POJK No. 4/POJK.05/2021 concerning Risk Management in the Use of Information Technologies for Non-Bank Financial Service Institutions
3.Circular Letter No. 21/SEOJK.03/2017 concerning Application of Risk Management in the Use of Information Technology by Commercial Banks
4.POJK No. 38/POJK.05/2020 as the revision of POJK No. 69/POJK.05/2016 concerning Business Operation of Insurance, Sharia Insurance, Reinsurance and Sharia Reinsurance Companies
5. POJK No.38/POJK.03/2016 concerning the Implementation of Risk Management in the Use of Technology by Commercial Banks
6. POJK No.10/POJK.05/2022 as the replacement of OJK No.77/POJK.01/2016 concerning Information Technology Based Collective Funding Services
7. PBI No.23/7/PBI/2021 concerning Payment System Infrastructure Operator
8. PBI No.23/6/PBI/2021 concerning Payment Service Provider
9.PBI No. 20/6/PBI/2018 concerning Electronic Money
10.PBI No. 18/40/PBI/2016 concerning the Implementation of Payment Transaction Processing

The points listed above are not an exhaustive list of regulations, but it shows the most comprehensive and widely referenced ones. POJK 38/POJK.03/2016 and Circular Letter No. 21/SEOJK.03/2017 have the most stringent requirements and can be used as a benchmark for most of the financial institutions in Indonesia. Meanwhile, it is worth mentioning that POJK 38/POJK.03/2016 requires banks to place an electronic system in a data center and disaster recovery center in the region of Indonesia. Although there are some exceptional cases where banks can put electronic systems outside of Indonesia upon approval from OJK, it will be safer to comply with data residency requirements by using Alibaba Cloud local services.

Alibaba Cloud has engaged with an independent auditor to assess Alibaba Cloud's internal controls in accordance with applicable regulatory requirements issued by the BI and OJK. The audited report will be useful to assist customers in understanding how Alibaba Cloud comply with applicable requirements as a outsourced service provider.

Is cloud permitted?
Yes. OJK and BI permits the use of public cloud services by FSIs. Based on Alibaba Cloud’s past experience of successful cloud adoption cases, it can be seen that OJK and BI are supportive in the cloud adoption and digitalization transformation as long as FSIs can demonstrate that they meet relevant regulatory requirements. Both commercial banks and NBFIs are allowed to outsource the operation of data center/recovery data center and IT-based transaction processing to an IT service provider.

Is there any additional approval needed?
Prior approval is required from OJK and BI before cloud adoption. For commercial banks, they must submit an application to OJK for approval at least two months prior to cloud implementation in Indonesia. In case commercial banks plan to implement electronic system outside of Indonesia, they are required to submit an application to OJK for approval at least three months prior to cloud implementation. Meanwhile, commercial banks should report to OJK within one month on the realization of the cloud implementation from when the outsourced activities commence.

For NBFIs, they are required to notify OJK of the use of IT service providers in the technology development plan, and update the implementation progress in the realization report. And similarly, NBFIs are required to submit an application to OJK for approval at least three months prior to implementation, if they plan to implement electronic system outside of Indonesia.
In addition, prior approval will be required for Banks and Non-Bank Institutions who provide payment services (including mobile payments, payments backend, point-of-sale (POS) payments, payments to and from customers and consumer payments). Payment service providers are required to submit reports to BI regularly on the payment transaction processing.

Is licensing required for Fintech activities?
Fintech activities related to financial services are regulated by the OJK. OJK Regulation No. 13/POJK.02/2018 regarding digital financial innovation in the financial services sector, requires companies carrying out the following digital financial innovation activities to register or obtain an OJK license (unless otherwise exempted).

Peer-to-Peer/P2P lending is defined therein as the provision of financial services to bring together lenders and borrowers for the purpose of concluding lending agreements in rupiah directly through an electronic system using the internet. Companies providing P2P lending platforms are required to register and obtain a licence from the OJK upon the fulfilment of certain requirements. Customers/Companies shall ensure that they have the necessary licensing and verify that they are registered with OJK/BI/Kemen Kominfo at cekfintech prior to cloud adoption.

Are offshore outsourcing arrangements allowed?
By default, FSIs are required to use data centers and disaster recovery centers located in Indonesia, and carry out IT-based transaction processing in Indonesia. However, under certain specific circumstances, FSIs are allowed to place their electronic systems in data centers and/ or disaster recovery centers outside of Indonesia as long as they obtain prior approval from OJK. FSIs can place their electronic systems in data centers and/ or disaster recovery centers outside of Indonesia, if they are (a) used to support integrated analysis (b) used for risk management of overseas-headquartered banks (c) used for AML/CTF functions of overseas-headquartered banks (d) used for providing services for customer globally (e) used for communication management between offices (f) used for internal management, upon obtaining approval from OJK. FSIs are allowed to conduct IT-based transaction processing outside of Indonesia if they attain prior approval from OJK and demonstrate their attempt to develop the Indonesian economy. Therefore, the use of IT service providers outside the territory of Indonesia is restricted to certain scenarios and is subject to additional approval from OJK. In addition, payment transactions can be processed outside of territory of Indonesia as long as the prior approval has been obtained from BI.