The Financial Services Authority (OJK) has addressed this trend by issuing regulations on commercial banks, which encompass digital bank provisions. However, unlike Singapore or Malaysia, Indonesia does not have a license specific to digital banks. The license falls under the commercial banking licensing regime, as OJK arguably considers digital banking as a business model that does not require a specific license.

Along the way, this approach seems to have resulted in many banks becoming self-proclaimed digital banks. It is clear, under the regulation, that a digital bank is a commercial bank that operates through electronic channels, having at least one physical office. However, since there is no specific license provided for digital banking, it appears that the appellation “digital bank” has been exploited as a gimmick for marketing purposes.

To mitigate this practice, OJK intends to issue regulations sometime this year that specifically governs qualifications for digital banking. 

OJK would apply Digital Maturity Assessment for Banks to determine the digitalization level of banks, which, pursuant to OJK’s blueprint for digital transformation in banking, would be done by assessing six pivotal elements in a bank: data, technology, risk management, collaboration, institutional governance and customers. OJK then will rate the digitalization level from 1 to 3, with 3 being the highest digital maturity level. Banks with digitalization level 3 would then able to claim themselves as digital banks.  

We suppose that OJK will incorporate the abovementioned elements into the regulations, considering recent news. In that case, the following are several points to be considered by those expecting to be Indonesian digital banks.

First, the blueprint suggests that OJK adopt principle-based regulations. Instead of setting out detailed and prescriptive rules, the regulations should be set out in a broad and high-level manner, and outcome-focused (which indicates that details would be left to the banks to achieve outcomes). Despite this, for implementation purposes, we foresee there will be some detailed elaboration of the principles in the regulations.

Let us take data for an example. OJK would predominantly focus on data protection, data transfer and data governance. Regarding data protection, OJK emphasizes, among other things, the principle that banks must have a valid legal basis to process and collect personal data.

The data must also be collected for clear, explicit and legitimate purposes. We anticipate that the regulations will detail these principles, including the form and the language of the relevant consents.  

As to data transfer, banks should have consistent policies, including a data transfer agreement, customer data security and a data protection impact assessment. The regulations are expected to describe minimum provisions that must be set out in the data transfer agreement as well as the security standard of customer data. Further, banks should carry out a data protection impact assessment if the data collection and processing could potentially harm customers, which can possibly be the case if banks are adopting new technology.

As to data governance, we presume that OJK will oblige banks to keep up with the latest technology including the use of cloud for the purposes of data confidentiality. Banks need to continually improve their human resources, particularly in data management systems.

Second, OJK adopts a neutral technology stance, which means that OJK does not govern technical details of technological aspect in banks. Therefore, banks can use the technology they prefer as long as it complies with OJK’s requirements, including the information technology (IT) architecture and the latest technology-adoption principles.

Banks would need to adopt IT architecture that is prepared based on banks’ business strategies. The banks’ boards of directors and commissioners should have the duty of evaluating, directing and monitoring IT architecture implemented by the banks.

Banks are encouraged to adopt the latest technology in the market, such as biometrics and artificial intelligence. If they do, banks should ensure that such adoption would bring about benefits to customers. Banks must also be transparent so that customers can understand the outcomes of the latest technology usage. Moreover, banks must be responsible for any issues arising from the application of the technology.

Third, OJK should arguably put emphasis on risk management and institutional governance in the regulations. According to the blueprint, OJK has done digital assessment on banks in Indonesia, and these are the two (out of six) elements whose scores are the lowest thus far. Hence, the emphasis.

Banks should apply risk management in IT usage to prevent cyber-attacks from occurring. The risk management should include active supervision of the board of directors, board of commissioners and internal control system for IT usage.

If banks outsource their IT needs, they must guarantee that the outsourcing process adhere to prudent principles and that the risk management systems are sufficient to ensure that the outsourcing work would achieve its purposes and not harm the banks or, ultimately, the customers. 

As to institutional governance, banks are expected to have clear and sufficient fund sources for investment in the IT sector.

Lastly, digital talent development from leadership positions to technical staff is needed from time to time so that banks can implement IT effectively in their business.

All the said points are non-exhaustive and subject to the upcoming regulations. However, as they are taken from the blueprint, banks can still observe these points for digital transformation purposes. We are hopeful that the upcoming regulations will set a standard for Indonesian digital banks and that subsequently, the digital bank gimmick will vanish.

 ***

The writer is a managing partner at LHBM law firm. These views are personal.