OJK Regulation No. 34 of 2025 on Information Technology Management by Rural Banks and Sharia Rural Banks

The Financial Services Authority (OJK) issued Regulation No. 34 of 2025 to replace previous IT standards for Rural Banks (BPR) and Sharia Rural Banks (BPRS), mandating enhanced governance, risk management, and cyber resilience. The regulation requires these institutions to implement robust IT architectures, ensure data privacy and security, and maintain disaster recovery capabilities, including the placement of data centers within Indonesia. Compliance is mandatory for all BPRs and BPRSs, with the new rules taking effect one year after promulgation and repealing the prior Regulation No. 75 of 2016.

Indonesia

Otoritas Jasa Keuangan (Financial Services Authority)

Regulation of the Financial Services Authority Number 34 of 2025 concerning Information Technology Management by Rural Banks and Sharia Rural Banks

Abstract: In order to improve banking services to the public, it is necessary to increase the utilization of information technology (IT) to support business processes in the operational activities of Rural Banks (BPR) and Sharia Rural Banks (BPRS). To reduce potential risks related to IT utilization, it is necessary to strengthen regulations regarding governance aspects, risk management, as well as cyber resilience and security in IT management. Therefore, the Financial Services Authority Regulation Number 75/POJK.03/2016 concerning IT Management Standards for Rural Banks and Sharia Financing Banks needs to be replaced. The legal basis for this Financial Services Authority Regulation is: Law Number 7 of 1992 as amended several times, lastly with Law Number 4 of 2023; Law Number 21 of 2008 as amended several times, lastly with Law Number 4 of 2023; and Law Number 21 of 2011 as amended with Law Number 4 of 2023.

This POJK regulates, among other things:

a. The obligation to apply good IT governance in IT management, including:

  1. Establishing clear authority and responsibilities for: a) The Board of Directors; b) The Board of Commissioners; and c) Executive officials or employees handling IT management, regarding the application of IT governance.
  2. Having and applying policies and procedures for IT management.
  3. Appointing a work unit or function responsible for IT management.

b. The obligation for BPR and BPRS providing digital services to have an IT architecture. The preparation of IT architecture can be carried out by BPR and BPRS independently and/or in cooperation with third parties, considering the business plans of BPR and BPRS.

c. The obligation to apply effective risk management in IT management, including:

  1. Ensuring that information security is implemented effectively and efficiently by applying the principles of confidentiality, integrity, and availability.
  2. Having a Disaster Recovery Plan and ensuring that the Disaster Recovery Plan can be implemented effectively.
  3. Providing a Disaster Recovery Center.
  4. Ensuring: a. Availability of Core Banking Applications; and b. Data backup, in IT management independently and/or in cooperation with IT service providers.
  5. Recording all transactions in the accounting books of BPR and BPRS on the same day.

d. The obligation of BPR and BPRS to maintain cyber resilience and security.

e. The obligation of BPR and BPRS regarding the use of IT service providers, including:

  • Content of cooperation agreements between BPR and BPRS with IT service providers.
  • Specific actions by BPR and BPRS in the event of certain conditions that cause disruption or cessation of IT services from the IT service provider.

f. The obligation to place Electronic Systems at Data Centers and Disaster Recovery Centers within the territory of Indonesia.

g. The obligation for effective data management in the data processing of BPR and BPRS to support the achievement of business objectives of BPR and BPRS.

h. The obligation to implement the principle of personal data protection in processing personal data in accordance with applicable legislation.

i. The obligation to implement an effective internal control system in IT management.

j. The obligation to conduct internal audits of IT management in accordance with applicable legislation.

k. The obligation for periodic reports and incidental reports, as well as the procedures for submitting reports.

Notes: The provisions concerning Information Technology Management by Rural Banks and Sharia Rural Banks will take effect after 1 (one) year from the date of promulgation, namely December 18, 2026. This Financial Services Authority Regulation was promulgated on December 17, 2025, and established on December 16, 2025. BPR and BPRS that have used IT service providers before the implementation of this Financial Services Authority Regulation must adjust to the provisions in this Financial Services Authority Regulation after the expiration of the cooperation agreement period between BPR and BPRS and the IT service provider. This Financial Services Authority Regulation applies to BPR and BPRS. Upon the implementation of this Financial Services Authority Regulation, the Financial Services Authority Regulation Number 75/POJK.03/2016 concerning IT Management Standards for Rural Banks and Sharia Financing Banks is repealed and declared invalid.