Following the issuance of Indonesia’s Financial Services Authority (Otoritas Jasa Keuangan or “OJK”) Regulation No. 11/POJK.03/2022 regarding the Implementation of Information Technology by Commercial Banks (“OJK Reg. 11/2022”), which establishes the general framework, requirements, and principles governing the use of information technology (IT) by commercial banks in Indonesia, the OJK has now issued its implementing regulation, Member of the Board of Commissioners of OJK Regulation No. 1 of 2026 regarding Information Technology Governance for Commercial Banks (“BOC OJK Reg. 1/2026”).
BOC OJK Reg. 1/2026 took effect on March 1, 2026 (the “Effective Date”), simultaneously revoking and replacing OJK Circular Letter No. 21/SEOJK.03/2017 regarding the Implementation of Risk Management for the Use of Information Technology by Commercial Banks (“OJK CL 21/2017”).
OJK CL 21/2017 previously established the risk management principles for commercial banks in Indonesia in their use of IT, including the minimum requirements for service agreements with IT service providers.
BOC OJK Reg. 1/2026 is intended to strengthen the governance of information technology by commercial banks in Indonesia, ensuring that the use of IT delivers added value to banks and serving as a reference for banks in organizing and managing their IT operations. The framework applies to commercial banks operating in Indonesia on either a conventional or sharia basis that provide payment system services.
The scope of BOC OJK Reg. 1/2026 encompasses the implementation of IT governance, including the application of IT risk management, cybersecurity and cyber resilience measures, the engagement of IT service providers, the location of electronic systems and the processing of IT-based transactions, the provision of IT services by banks, and the assessment of a bank’s level of digital maturity.
Compared with OJK CL 21/2017, the new regulation introduces several notable changes and provides more comprehensive guidance on, among other things, the following aspects:
Adjustment of Report and Licensing Application Formats
Banks are required to submit reports in the format and within the timelines as stipulated under BOC OJK Reg. 1/2026 as of its Effective Date. However, licensing processes that commenced prior to the Effective Date remain subject to OJK CL 21/2017.
The new formats for reports and licensing applications are outlined in Annex III of BOC OJK Reg. 1/2026, covering, among other things, the IT Development Plan Report, the Current Condition of IT Utilization Report, the Internal IT Audit Report, and the Initial Notification and IT Incident Report.
Use of IT Service Providers
Commercial banks in Indonesia may engage third-party IT service providers for IT solutions, including the provision of software, hardware, technical support and consulting services, either on an ongoing or fixed-term basis.
Pursuant to Article 30(2) of OJK Reg. 11/2022, the selection of an IT service provider must be preceded by an appropriate due diligence process. Cooperation between a bank and an IT service provider must be documented in a written agreement, as further specified in Chapter V of Annex I of BOC OJK Reg. 1/2026.
Banks may engage IT service providers located outside Indonesia. In such cases, the same policies and procedures applicable to domestic service providers apply, and banks must ensure that the OJK’s supervisory and examination functions are not impeded.
Materiality Assessment of IT Service Providers
BOC OJK Reg. 1/2026 introduces more detailed requirements for assessing the materiality of third-party IT service providers. In principle, banks must reassess the materiality of an IT service provider wherever a significant change occurs that could affect the provider’s ability to deliver services to the bank. These changes may include changes in the service provider’s ownership or financial condition. The reassessment is intended to determine whether these changes have altered the nature, scale, or complexity of the risks associated with the services provided.
Banks must establish policies, standards, and procedures governing the reassessment process. At a minimum, these must address the evaluation of an IT service provider’s reliability, including its reputation, performance, and service continuity, the timing of the reassessment, and any follow-up measures to be taken based on the results of the reassessment.
In conducting the reassessment, banks must also consider the application of arm’s-length principles, the sustainability of the IT service provider’s service delivery, and the provider’s performance and compliance with applicable requirements.
Internal Controls for IT Implementation
BOC OJK Reg. 1/2026 establishes a rigid framework for effective internal controls over the implementation of IT by commercial banks in Indonesia. This includes requirements to maintain adequate audit trails and documentation; ensure both general and application controls over IT systems and security; prepare recovery and contingency arrangements for disruptions; and ensure that information is relevant, accurate, timely, accessible, and consistently presented.
In addition, IT systems used for record-keeping must be supported by sound accounting controls, including documented procedures and record retention schedules.
Additional Regulatory Provisions
BOC OJK Reg. 1/2026 introduces a more comprehensive framework for data management and personal data protection.
In addition, Annex II of the regulation provides detailed procedures for the submission of reports and licensing applications, including report submission timelines, which were previously regulated under OJK Reg. 11/2022. (9 July 2026)






