INDONESIA: Regulating the growth of electronic and digital banking services
With the rapid development of technology and the rise of new finance products and players in the fintech industry, banks are pushed to produce new products and innovative services in order to serve their customers and keep abreast of the behaviour of consumers who appreciate the convenience of digital services.
In response to this, Indonesia's Financial Services Authority (Otoritas Jasa Keuangan -- OJK) has issued OJK Regulation No. 12/POJK.03/2018 on the Organization of Digital Banking Services by Commercial Banks ("OJK 12/18").
OJK 12/18 has 10 chapters and covers electronic banking services and digital banking services. It explains the types of electronic and digital banking services that can be provided and the requirements that must be complied with before introducing the services and during the operation of the services. The following are several key provisions of OJK 12/18.
The Scope of the Regulation
OJK 12/18 distinguishes between electronic banking services and digital banking services.
a. Electronic banking services: services provided by a bank to obtain information, to communicate and to conduct banking transactions through electronic media.
b. Digital banking services: electronic banking services developed to optimize the utilization of customer data in order to provide customers with services faster, more easily and more effectively (customer experience), which can be accessed fully independently by customers while ensuring security.
Electronic Banking Services
Electronic banking services are provided by commercial banks. In this advisory, references to banks are references to licensed commercial banks in Indonesia. To provide electronic banking services, banks utilize such delivery channels as automated teller machines (ATM), internet banking, short message services and mobile banking. Banks are required to include their plan to launch electronic banking services in their business plan and to obtain approval from the OJK before launching electronic banking services which are transactional in nature.
OJK 12/18 also provides the details of the documents that must be submitted when applying for approval, which include, among others, the result of a risk analysis and identification of the product and the bank's readiness to manage the risks, particularly their security control to ensure compliance with the principles of confidentiality, integrity, authentication, non-repudiation and availability. Further, the organization of the IT system used to provide the electronic banking services must comply with the OJK provisions on risk management applications in the use of information technology by commercial banks. The application for approval must be submitted at least 2 (two) months before the product is launched.
Digital Banking Services
Banks may provide digital banking services as an extension of their electronic banking service products. Digital banking services can be provided by either: (i) banks; or (ii) banks under a partnership arrangement with the bank's partner ("Partner"). The Partner may be a financial services institution or a non-financial services institution.
Banks that provide digital banking services must satisfy the following requirements:
- have a risk profile level of 'Rank 1' or 'Rank 2' based on the latest assessment of the bank's soundness level;
- have an information technology infrastructure and a sufficient information technology management infrastructure;
- be included in the group of commercial banks that may provide electronic banking services under the relevant OJK regulations (determined based on their capital and business activities).
To provide digital banking services, banks are required to form an internal unit or function tasked with handling digital banking services, whose duties include, among others, formulating the policies, standards and procedures for the organization of the digital banking services, supervising financial transaction data related to the digital banking services and monitoring constraints and issues arising from the organization of digital banking services.
Digital banking services provided by banks may include:
a. account administration: opening accounts, customer data renewal and closing accounts using electronic media;
b. transaction authorization: financial and non-financial transactions, such as authorizing access to a mobile banking application using a sound scanner, or utilizing QR codes or near field communication features to authorize transactions;
c. financial management: financial planning, financial transaction execution and banking-related financial consultancy; this can include offering facilities to manage funds based on the customer's personal data, e.g., planning term savings for children's educational needs, and offering personalized financial advice resulting from the bank's analysis of the customer's personal data;
d. other financial products approved by the OJK.
To provide these digital banking services to customers and prospective customers, banks must first identify the customer or prospective customer and verify the customer's or prospective customer's supporting information and documents. Banks can verify customers' and prospective customers' information and documents either with face-to-face interactions and/or without face-to-face interactions.
In face-to-face interactions, the verification can be conducted 'directly face-to-face' (physical presence) or using the bank's software and the bank's or the customer's hardware. The bank's hardware may include ATM machines in the bank's network equipped with video banking features connected in real-time online to bank employees. Meanwhile, the customer's hardware may include the customer's gadget equipped with supporting features such as cameras or ID card scanners. The hardware should enable the customer to access the bank's software (e.g., applications for video banking).
Verification without face-to-face interactions is also possible using the bank's software and the bank's or the customer's hardware. The type of verification used without face-to-face interactions should include fingerprint scanning and identity card scanning. As above, the verification should be conducted through the bank's application or website, accessible to the customer using hardware such as a smartphone, tablet computer, desktop or laptop computer.
In the above verifications, banks must use such authentication factors as the following:
- 'what you know': personal identification numbers (PIN), passwords, identity card numbers and personal data;
- 'what you have': magnetic-based cards, chip-based cards, tokens, digital signatures, etc.;
- 'what you are': biometrics such as fingerprint, voice and iris recognition.
In particular, for verifying financial transactions in their digital transactional services, banks must implement two-factor identification in their digital banking service products. Meanwhile, the digital banking services provided by banks through partnership arrangements can include:
a. information services (only for partnerships with financial services institutions): these services are limited to the provision of information to the bank's customers without further interactions or being followed by the execution of financial transactions. The provision of information to the bank's customers must, among other things, be based on the bank's analysis of the customer's portfolio and be personal and specific in nature, according to the customers' needs and characteristics. The information provided to customers may differ from one customer to another.
b. transactional services: beginning with the provision of information to the bank's customers that may be accompanied by facilities for interacting with the bank in order to help the customers make financial transaction decisions in accordance with the financial needs and capacity of each customer. As explained above, the information provided to customers may differ from one customer to another, as it is based on the bank's analysis of the customer's portfolio and is personal and specific in nature.
c. other services approved by the OJK.
Certain requirements apply to banks and their Partners for providing digital banking services under partnership arrangements. The following are some of the requirements that either the Partner or the bank must comply with:
- the Partner that provides financial services based on information technology must already hold a license from the OJK or other authority;
- banks are prohibited from becoming a marketplace for providing transactional services to their Partner through an application or website owned by the bank;
- for providing transactional services, banks must implement two-factor authentication to verify the transactions;
- for providing digital banking services through a partnership arrangement, banks are required to have a policy and procedure for determining who can be a Partner and a written agreement between the bank and Partner in the Indonesian language;
- banks are prohibited from guaranteeing the risks arising from the product or services offered by the Partner for providing the digital banking services.
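The two-factor requirement above only holds when the factors come from different categories of the 'what you know' / 'what you have' / 'what you are' list: a PIN plus a password is two secrets from one category, not two factors. The following check illustrates that point; it is an added example, not code from OJK 12/18 or any bank, and the factor names, the category mapping and the one-factor floor for non-transactional services are assumptions of the example.

```python
# Category mapping mirrors the three factor classes listed in the advisory.
# The lower-case factor names are constructed for this example.
FACTOR_CATEGORY = {
    # 'what you know'
    "pin": "know", "password": "know",
    "id_card_number": "know", "personal_data": "know",
    # 'what you have'
    "magnetic_card": "have", "chip_card": "have",
    "token": "have", "digital_signature": "have",
    # 'what you are'
    "fingerprint": "are", "voice": "are", "iris": "are",
}


def categories(verified_factors):
    """Return the distinct factor categories among factors the customer has
    already passed. Rejects names that are not in the mapping so a typo in
    policy configuration fails closed instead of silently counting."""
    unknown = set(verified_factors) - FACTOR_CATEGORY.keys()
    if unknown:
        raise ValueError(f"unrecognised factor(s): {sorted(unknown)}")
    return {FACTOR_CATEGORY[f] for f in verified_factors}


def is_two_factor(verified_factors):
    """True only if the verified factors span at least two categories.
    Two knowledge factors, or two biometrics, do not qualify."""
    return len(categories(verified_factors)) >= 2


def authorize(service_type, verified_factors):
    """Gate a request: transactional services require two-factor
    verification (the rule summarised above); for information-only
    services this example assumes a floor of one verified factor."""
    if service_type == "transactional":
        return is_two_factor(verified_factors)
    if service_type == "information":
        return len(categories(verified_factors)) >= 1
    raise ValueError(f"unknown service type: {service_type!r}")


if __name__ == "__main__":
    # Constructed sample: same customer, different factor combinations.
    print(authorize("transactional", ["pin", "token"]))          # True
    print(authorize("transactional", ["pin", "password"]))       # False
    print(authorize("transactional", ["fingerprint", "iris"]))   # False
```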
In providing electronic and digital banking services, banks must apply the consumer protection principles required under the prevailing laws and regulations on consumer protection in the financial services sector. Further, banks offering digital banking services must also have 24-hour functions and mechanisms in place to handle customer questions and complaints.
Banks are required to submit realization reports on the provision of electronic or digital banking services to the OJK, at least 3 months after the launch of the services. In addition to realization reports, banks are also required to submit conditions reports, development plan reports, audit result reports and incidental reports on the use and utilization of information technology related to the provision of electronic or digital banking services.
Applicable Sanctions and Ceasing Activities
The OJK may instruct a bank to cease providing electronic or digital banking services if, according to its evaluation, the services:
a. are not in line with the plan to engage in new activities submitted to the OJK or the approval or recording of the products by the OJK; and
b. could potentially have a negative impact on the performance and reputation of the bank concerned.
In addition to the above, failure to comply with certain requirements under OJK 12/18 may result in the imposition of the following administrative sanctions:
(a) a written warning;
(b) a downgrading of the bank's soundness level by lowering the bank's governance level when reviewing the bank's soundness level;
(c) a prohibition against launching new products or engaging in new activities;
(d) a suspension of certain business activities; or
(e) the inclusion of the members of the Board of Directors, Board of Commissioners and executive officers in the list of candidates who have failed a fit and proper test.
The sanctions in (b) to (e) above can be imposed without a written warning first being served.
Fines may also be imposed for failure to submit reports in a timely manner. The fine for each report is IDR 1,000,000 per day of delay, capped at IDR 50,000,000 for failure to submit the report more than 1 month after the due date. The imposition of a fine does not waive the bank's obligation to submit the relevant report.