• Indonesia is now the largest economy in Southeast Asia. As a well-known startup hub, it has a growing number of startups nurtured and grown domestically, such as Tokopedia and OVO. Most of these startups leverage cloud computing technologies to accelerate their digitalization and solve problems arising from business growth. By using Alibaba Cloud Infrastructure as a Service, big data solutions, AI capabilities, and security features, Tokopedia provides more intelligence and a better user experience to its end customers.

  • General Privacy Laws:
    There is no general law on data protection in Indonesia. A Personal Data Protection Bill (RUU PDP) is currently under discussion but has not been finalized. However, certain laws and regulations govern the use of electronic data/information, including:
    1. Law No. 19 of 2016 as a revision of Law No. 11 of 2008 regarding Electronic Information and Transactions
    2. Government Regulation No. 71/2019 (GR71) as the revision of Government Regulation No. 82/2012 regarding Provisions of Electronic Systems and Transactions
    3. Ministry of Communication and Information Regulation No. 20 of 2016 regarding the Protection of Personal Data in Electronic Systems


    Data Localization Requirements:
    GR 71 classifies electronic system operators into public and private scopes. Public scope electronic system operators must manage, process, and/or store electronic systems and electronic data in the territory of Indonesia. Private scope electronic system operators can place their electronic systems and data inside or outside of Indonesia, provided that effective supervision by government agencies is assured. When private electronic system operators store their systems and data offshore, they must provide access to the electronic systems and data for monitoring and law enforcement purposes.

  • Overview:
    Alibaba Cloud offers a high degree of flexibility in designing and implementing the IT architecture on the cloud with two Availability Zones in Indonesia. With proper solution design, it can meet the requirements of security, resilience, data residency, recoverability, and performance for regulated entities in the Financial Services industry. Alibaba Cloud will open the third data center in early 2021. After the new data center opens, customers can deploy systems across three Availability Zones to achieve higher levels of resilience. Alibaba Cloud has helped several customers minimize the risks of losses in confidentiality, integrity, and availability when moving to a public cloud.

    Alibaba Cloud is committed to helping customers comply with the financial industry-specific regulatory requirements. Across initial high-level due diligence and risk assessment, solution selection, implementation and transition, and post-implementation assurance, Alibaba Cloud provides a full suite of offerings that can help, including responses on every aspect of due diligence evaluation, best practices for service and product configuration, automated and continuous security check tools, and assurance over the design and operational effectiveness of internal controls.


    Regulator:
    Financial institutions in Indonesia are regulated either by Otoritas Jasa Keuangan (OJK) for banking, insurance, and leasing, or by Bank Indonesia (BI) for electronic money or payment gateway service providers.


    Regulations/Guidelines to look at when using cloud computing services:
    1. POJK No. 13/POJK.03/2020 as the revision of OJK No. 38/POJK.03/2016 concerning Risk Management in the Use of Information Technologies for Commercial Banks
    2. POJK No. 4/POJK.05/2021 concerning Risk Management in the Use of Information Technologies for Non-Bank Financial Service Institutions
    3. Circular Letter No. 21/SEOJK.03/2017 concerning Application of Risk Management in the Use of Information Technology by Commercial Banks
    4. POJK No. 38/POJK.05/2020 as the revision of POJK No. 69/POJK.05/2016 concerning Business Operation of Insurance, Sharia Insurance, Reinsurance and Sharia Reinsurance Companies
    5. POJK No. 38/POJK.03/2016 concerning the Implementation of Risk Management in the Use of Technology by Commercial Banks
    6. PBI No. 22/23/PBI/2020 concerning Payment Systems
    7. PBI No. 20/6/PBI/2018 concerning Electronic Money
    8. PBI No. 18/40/PBI/2016 concerning the Implementation of Payment Transaction Processing

    The list above is not exhaustive, but it covers the most comprehensive and widely referenced regulations. POJK 38/POJK.03/2016 and Circular Letter No. 21/SEOJK.03/2017 have the most stringent requirements and can be used as a benchmark for most of the financial institutions in Indonesia. It is also worth mentioning that POJK 38/POJK.03/2016 requires banks to place an electronic system in a data center and disaster recovery center in the region of Indonesia. Although there are some exceptional cases where banks can put electronic systems outside of Indonesia upon approval from OJK, it will be safer to comply with data residency requirements by using Alibaba Cloud local services.


    Is cloud permitted?
    Yes.


    Is there any additional approval needed?
    Banks need to obtain prior approval from the Financial Services Authority if they would like to use IT service providers outside of the territory of Indonesia.


    Are offshore outsourcing arrangements allowed?
    OJK and BI have separate regulations in place to govern the management, storage, and processing of financial data. Article 21 in guideline POJK 38/POJK.03/2016 requires banks to place an electronic system in a data center and disaster recovery center in the region of Indonesia. There are some cases where banks can put electronic systems, especially integrated electronic systems within Bank Groups, outside of Indonesia once approval from OJK has been obtained. However, banks need to ensure that the OJK’s supervisory power and access rights to the data are not impeded. Other non-bank institutions, such as insurance and reinsurance companies, are required to put data in data centers and disaster recovery centers in the territory of Indonesia, as per the requirements in the POJK 69/POJK.05/2016 regulation.

Informational Resources
Alibaba Cloud Indonesia is certified for compliance with ISO/IEC 27001:2013 with accreditation from Komite Akreditasi Nasional (KAN).
In this user guide, Alibaba Cloud clarifies how the local infrastructure and service offerings can help customers enhance data security, fulfill data residency requirements, and perform IT risk management in Indonesia.
Alibaba Cloud has engaged an independent auditor to assess Alibaba Cloud's internal controls in accordance with applicable regulatory requirements issued by the BI, OJK, KOMINFO and the President of the Republic of Indonesia throughout the period November 1, 2019 to October 31, 2020.
