Indonesia’s Financial Services Authority (OJK) has issued new regulations to strengthen information technology governance and digital security for Rural Banks (BPR) and Sharia Rural Banks (BPR Syariah) (08/01).

The policy is set out in OJK Regulation Number 34 of 2025 on the Implementation of Information Technology by BPR and BPR Syariah, along with its implementing rule, Board of Commissioners Regulation Number 43/PADK.03/2025.

Regulation Supports BPR and Sharia BPR Digitalization Roadmap

The issuance of the regulation is part of OJK’s efforts to accelerate the digitalization of BPR and BPR Syariah in line with Pillar 2 of the 2024–2027 Roadmap for the Development and Strengthening of the BPR and BPR Syariah Industry.

Through this policy, OJK encourages the industry to strengthen information security across IT operations by applying proper IT governance and technology risk management.

Rules Focus on IT Governance, Risk Management, and Cyber Resilience

The regulation governs IT governance, including the determination of authority and responsibilities of the Board of Directors and the Board of Commissioners.

It also regulates IT architecture for BPR and BPR Syariah that provide digital services, as well as IT risk management related to information security, cooperation with Information Technology Service Providers, and the ownership of a Disaster Recovery Plan.

In addition, electronic systems must be placed in data centers and disaster recovery centers located within Indonesia, while cyber resilience and security are required in response to increasing system connectivity with third parties.

OJK Stresses Prudence and Customer Protection in IT Development

OJK’s Chief Executive of Banking Supervision, Dian Ediana Rae, emphasized that the regulation aims to create an environment that supports optimal IT implementation.

“With the issuance of this regulation, it is expected to realize the mandate of the 2024–2027 Roadmap so that BPR and Sharia BPR can have an environment that supports optimal IT implementation, including people, process, and technology aspects, as well as the application of good governance in IT implementation,” Dian said.

He also stressed the importance of prudential principles and customer protection in developing IT systems.

“All BPR and Sharia BPR are expected to build IT systems, either independently or using IT vendors, while applying prudential principles, not endangering the soundness of BPR and Sharia BPR, and prioritizing customer protection,” he said.

The regulation will take effect one year from its promulgation date, and once effective, previous regulations issued in 2016 and 2017 on IT standards for BPR and Sharia BPR will be revoked and declared no longer valid.

PHOTO: FREEPIK

This article was created with AI assistance.