Heading size 2
Microsoft's Commitment to the Indonesian Financial Services Sector
We believe that no cloud services provider has more experience delivering compliant solutions to financial institutions in Indonesia than Microsoft. Having helped numerous financial institutions move to the cloud while working in close cooperation with OJK, Microsoft recognizes that a cloud services provider needs to facilitate compliance through full, transparent andproactive engagement with the financial institution and, as required, with OJK. Through this process of collaboration, Microsoft has developed excellent experience and a pool of practical resources to help financial institutions move to the cloud in a way that meets the highest compliance, risk and security standards.
From sharing product and service information in the initial project scoping phase through to assisting in any required consultation with OJK, Microsoft stands ready to support our financial institutions customers in Indonesia. We have developed a range of materials to help our cloud customers in the financial services sector. For example, we have developed practical checklists for our key cloud services so that financial institutions can see how the use of Microsoft's cloud services and our contractual terms map against the relevant guidelines. Our subject-matter experts are available to understand your organization's needs and provide detailed information on the technical, contractual and practical aspects of your proposed cloud project.
By providing these tools and materials, Microsoft reaffirms our commitment to make the adoption of cloud as smooth as possible for financial institutions and to empower our customers to innovate and navigate their way to the Microsoft cloud with confidence.
The Indonesian financial services sector has been at the forefront of the country's digital transformation. Financial services institutions across the country, including major banks and insurance companies, are adopting cloud services, from testing and development of data analytics solutions through to communications, CRM and business productivity applications.
From a regulatory perspective, cloud is permitted. There are, however, some important considerations regarding data transfers and OJK approval, as further outlined below.
Regulatory Deep Dive
The Financial Services Authority of Indonesia (OJK) is the Indonesian Government agency that regulates and supervises financial institutions.
Yes, cloud services are permitted for commercial banks, except for non-banking financial institutions, rural banks and guarantee agencies who can only use DCs and DRCs located in Indonesia. Significant data residency restrictions apply to insurance companies as well. Microsoft is working with OJK to address these concerns.
- Indonesian Banking Law (Law No.7 of 1992 on Banking, as amended by law No.10 of 1998);
- OJK Regulation No. 38/POJK.03/2016 on Risk Management Implementation on Information Technology Use by Commercial Banks (OJK Reg. 38/2016) for commercial banks amended by Regulation of OJK number 13/POJK.03/2020 on Risk Management Implementation on Information Technology Use by Commercial Banks;
- OJK Regulation No. 69/POJK.05/2016 on Business Operation of Insurance, Sharia Insurance, Reinsurance and Sharia Reinsurance Companies (OJK Reg. 69/2016) for insurance and reinsurance companies;
- OJK Circular Letter No. 10/SEOJK.05/2016 on Implementation Guidelines on Risk Management and Self-Assessment Result Report on Implementation of Risk Management for Non-Bank Financial Service Institutions (SE OJK 10/2016) for pension funds and financing businesses;
- OJK Regulation No. 75/POJK.03/2016 on IT Operation Standards for Commercial Rural Banks and Sharia Rural Banks (OJK Reg. 75/2016) for rural banks;
- OJK Regulation No. 2/POJK.05/2017 on Business Operation of Guarantee Agency (OJK Reg. 2/2017) for guarantee agencies amended by OJK Regulation No. 30/POJK.05/2018 on Business Operation of Guarantee Agency; and
- OJK Regulation No. 9/POJK.04/2019 on Securities Broker for Bonds and Sharia Bonds
GR 71 does not require prior approval for private organizations to store data outside of the country. However, implementing guidelines for the regulation are still under deliberation.
Banks are required to request approval from OJK to store data outside the country under POJK 38/2016 and POJK 13/2020.
As part of the approvals process, OJK requires assurances it will have access to conduct audits and/or on-site inspections of the IT provider. This is achieved one of two ways:
- Through a letter of no objection/affidavit issued by the IT service provider’s Supervisory Authority; or
- Where no Supervisory Authority exists then the affidavit should be issued by the IT service provider stating that it allows OJK to conduct an audit at any time
OJK is increasingly providing helpful and practical guidance. It has confirmed that certain categories of electronic systems, namely front-end systems including those containing individual transaction or customer details, held by banks may be stored outside of Indonesia with OJK’s approval (OJK Reg. 38/2016 and OJK Reg. 13/2020)
Below are some success stories from satisfied customers who switched to Microsoft's Trusted Cloud. Read on to find out more about how your organization may benefit from Microsoft's Trusted Cloud as well.
About Microsoft's Trusted Cloud
Protecting you from external cyberthreats
Our comprehensive approach to security helps protect your data wherever it may be - in a data center, on a phone, on a desktop, or in transit through the internet.
Privacy and control
Giving you control over access to your data
At Microsoft, we invest heavily in technology development and practices to ensure we actively protect your privacy and provide the necessary tools to control both the privacy and administrative aspects of the data you put in the Microsoft cloud.
Unparalleled investment in meeting global standards
We are proactively adopting new certifications and partnering with regulators and standards bodies to develop new regulation and standards when we identify opportunities to increase digital privacy and safety.
Clear insight into our policies and procedures
We work tirelessly to increase not only our own transparency, but the transparency of the industry and its regulators. We submit to third-party audits and publish reports detailing government requests for customer data and notify individual customers where possible.