Indonesia's OJK and the digital bank stress test
OJK's POJK 11/2022 on IT risk for commercial banks and the broader digital banking guidance have set a clear bar. The supervisory question now is whether the framework holds under real stress.

Indonesia's Financial Services Authority, OJK, issued POJK No. 11/POJK.03/2022 on the implementation of information technology by commercial banks in July 2022, replacing the earlier 2016 regulation and updating the framework for a market that had moved decisively into digital channels. The regulation sets expectations on IT governance, risk management, operational and resource management, information security, business continuity, cloud use and incident reporting, with associated detailed guidance in the form of Circular Letters that fill in the operational specifics.
The digital banking guidance, including OJK's regulation on digital banks issued in 2021, has shaped a generation of new and transformed institutions in the Indonesian market. Several legacy banks have repositioned as digital-first, and a smaller number of greenfield digital banks have launched at scale. Each carries the same supervisory expectation on IT governance, business continuity and customer protection, calibrated to its size and complexity, and OJK has been clear that the digital label does not reduce the prudential obligations.
Incident notification expectations are explicit. Banks are required to notify OJK of significant incidents affecting IT systems within defined timeframes, with the precise expectation depending on incident type and severity. The supervisory dialogue after major incidents has focused not only on the technical root cause but on the quality of customer communication, the speed of restoration and the credibility of post-incident commitments to prevent recurrence.
Cyber and fraud pressure on Indonesian institutions has been sustained. A series of incidents affecting banks and payment service providers, including ransomware events and account takeover at scale, has tested response capability and reputation. The supervisory response has emphasised the integration of cyber, fraud and customer protection responses, the readiness of contact centres to absorb spikes in disputed transaction volumes and the realism of business continuity arrangements in cities outside Jakarta where the supporting infrastructure is concentrated.
Third-party and cloud risk is a sharpening focus. POJK 11/2022 sets expectations on the use of cloud services and on third-party arrangements, including notification and approval requirements for material arrangements. Practice in the market is uneven, particularly for sub-contracting arrangements behind the headline cloud provider, and supervisory engagement has been pressing on the depth of due diligence and the realism of exit plans. Data localisation considerations under the broader Indonesian data and electronic information regime add a further constraint that needs to be reflected in architecture and contracts.
The personal data protection regime introduced by Law No. 27 of 2022, with the implementation period extending into late 2024, runs in parallel. The law establishes consent, purpose limitation, breach notification and accountability obligations that intersect directly with operational resilience and incident management. Reconciling the data protection notification timeline with the prudential notification timeline, and ensuring a single coherent incident narrative for the regulator and the customer, is an active operational design question.
For Indonesian institutions setting priorities, three areas matter most. Treat the digital banking framework as a single operational reality rather than as two regulatory regimes for legacy and digital units. Rehearse incidents that engage OJK, data protection and customer protection obligations simultaneously, because real incidents will. And invest in the supervisory dialogue ahead of the next significant incident, because the credibility of the framework will be tested by what the institution does on its worst day, not by what it documented on its best.

