These elements are expected to be the tools for the banking industry to develop product innovation and financial services attuned to consumer needs.

The blueprint acknowledges that not all banks are able to manage and fulfill all their information technology (IT) needs internally. It therefore lays down the principles on IT outsourcing under the risk management dimension. IT outsourcing must adhere to prudential principles and an adequate risk management system that incorporates governance principles, due diligence, contractual requirements, information security, monitoring and control, business continuity plan, right to access and audit, and exit strategies.

These principles are imposed to ensure that the outsourcing work achieves its purpose and does not harm banks and ultimately, the consumers. Banks will likely outsource their IT work to external parties that can give added value to the services banks provide to their customers. This is where the digital finance innovation plays a role.

Back in 2018, the OJK issued a regulation on digital finance innovation in the financial sector to support the development of financial technology in the country. Any parties providing value-added financial services that are not specifically regulated fall within the space of digital finance innovation. The parties in this space are required to undergo three procedural stages for the OJK to identify and observe the dynamics and risks arising from their activities.

The first stage is recordation, in which the OJK assesses whether the activities constitute digital financial service innovations. Next is a regulatory sandbox, the OJK’s test mechanism to evaluate the reliability of the activities. At the end of the regulatory sandbox, the OJK will produce three different results: recommendation for registration (the final stage), correction, and not recommended. A recommendation status means that the party is required to register with the OJK and be subject to OJK supervision in going forward.

In light of the blueprint and the digital finance innovation space, the focus should be on banks outsourcing their IT work to external parties. Parties in the digital finance innovation space are those external parties that provide outsourcing services to banks.

How banks should treat external service providers in the context of IT outsourcing is an important question.

Let us take electronic know your customer (e-KYC) as an example. E-KYC is essentially a method of identifying and verifying potential customers in a way that uses electronic means and therefore eliminates face-to-face interactions. E-KYC appears to be popular nowadays, given that the method offers flexibility and convenience to consumers.

Consumers can register easily through the e-KYC process using apps or via their smartphone. Considering that the “e” means electronic, e-KYC can arguably be considered a digital financial service innovation.

Can banks outsource their e-KYC to parties in the digital finance innovation space? This is a subset to the main question. For banks to outsource their IT work to external parties, they must ensure that the work supports their main operations or supporting activities. Banks must also ascertain that the outsourced work: (i) is of low risk, (ii) does not need high competence in the banking sector and (iii) is not directly related to decision-making processes that affect banks’ business operations.

If all these criteria are met, another immediate question is whether e-KYC can be outsourced to parties that are still in the recordation or regulatory sandbox stage.

Conservatively speaking, outsourcing work to parties still in the trial stage might not be advisable, given that their products or activities are still under observation and evaluation. Thus, banks should only outsource their IT work to parties that are registered with the OJK (i.e. the final stage in the digital finance innovation procedure). In the spirit of digital finance innovation, however, the answer might be different.

To keep up with technological advancements, the blueprint lays out several principles that must be satisfied prior to IT outsourcing, including due diligence, information security and monitoring and control. In general, due diligence means that the IT service provider has the relevant capacity and capability.

As regards information security, the IT service provider is expected to guarantee data confidentiality for bank customers. Finally, in monitoring and control, banks must have effective control procedures and measures in place for IT service providers, including a contingency plan if things go south.

Considering the above examples, it seems that we need to wait for the blueprint’s principles to be implemented through upcoming the OJK regulations. However, the blueprint hints that the related implementing regulation will be principle-based.

This approach could mean that instead of setting out detailed and prescriptive rules, the implementing regulation would essentially set out broad and high-level approaches with a focus on outcome (meaning that the details are left to banks to achieve their desired outcomes). If this is the case, banks should arguably be flexible in outsourcing their IT work to external service providers in the digital finance innovation space.

This certainly comes with the caveat that all abovementioned principles are satisfied. Also, banks must take full responsibility in the event of any issues that arise with respect to outsourcing.

E-KYC is simply one example in the context of IT outsourcing. To serve customer needs in light of technological advancements, banks might need to outsource a variety of their IT operations sooner or later. The blueprint as the OJK’s response may pave the way for banks to improve their financial services so they are attuned to their customers’ needs.

 ***

The writer is a senior lawyer at LHBM Counsel. The views expressed are personal.