Bank Indonesia Regulation Number 22/23/PBI/2020 On Payment System

BANK INDONESIA REGULATION NUMBER 22/23/PBI/2020 ON PAYMENT SYSTEM BY THE BLESSINGS OF ALMIGHTY GOD GOVERNOR OF BANK INDONESIA, Considering : a. that development of digitalization and innovation in payment system on one hand has increased efficiency of payment system industry and acceleration of digital economic and financial inclusion, on the other hand, it has increased risks with higher complexity of activities and variations of payment system provider business models; b. that development of digitalization and innovation in payment system demands rearrangement of payment system industry through payment system regulatory reform; c. that an effective and responsive payment system regulation is necessary, which includes all aspects in payment system implementation in order to accommodate development of digital economy and finance; d. that based on the foregoing considerations as referred to in point a, point b, and point c, it is necessary to establish Bank Indonesia Regulation on Payment System; Observing : 1. Law Number 23 of 1999 on Bank Indonesia (State Gazette of the Republic of Indonesia of 1999 Number 66, Supplement to State Gazette of the Republic of Indonesia

• 2 - Number 3843) as amended several times and last by Law Number 6 of 2009 on Establishment of Government Regulation in Lieu of Law Number 2 of 2008 on the Second Amendment to Law Number 23 of 1999 on Bank Indonesia as a Law (State Gazette of the Republic of Indonesia of 2009 Number 7, Supplement to State Gazette of the Republic of Indonesia Number 4962);

2. Law Number 3 of 2011 on Fund Transfer (State Gazette of the Republic of Indonesia of 2011 Number 39, Supplement to State Gazette of the Republic of Indonesia Number 5204); HAS DECIDED: To enact : BANK INDONESIA REGULATION ON PAYMENT SYSTEM. CHAPTER I GENERAL PROVISIONS Article 1 In this Bank Indonesia Regulation:
3. Payment System means a system including a set of regulation, institution, mechanism, infrastructure, source of fund for payment, and access to source of fund for payment, which are used to execute fund transfer to meet an obligation arising from an economic activity.
4. Bank means any commercial bank and people’s credit bank as referred to in the Law on banking, including branch office of foreign bank in Indonesia, and sharia commercial bank and sharia rural bank as referred to in the Law on sharia banking.

• 3 -

3. Non-Bank Institution means non-Bank business entity lawfully established in Indonesia.
4. Payment Service Provider, hereinafter referred to as PJP, means Bank or Non-Bank Institution providing services to facilitate payment transactions to users.
5. Payment System Infrastructure Provider, hereinafter referred to as PIP, means a party operating infrastructures as a means which may be used for fund transfer for the interest of its members.
6. Supporting Provider means a party cooperating with PJP and PIP to support the operation of Payment System service activities.
7. User means a party using the services of PJP.
8. Goods and/or Services Provider means aparty selling goods and/or services which receives payments from Users.
9. Self-Regulatory Organization in Payment System Sector, hereinafter referred to as SRO, means a forum or institution lawfully established in Indonesia which represents the industry and is determined by Bank Indonesia to support Payment System operation.
10. Systemically Payment System Provider, hereinafter referred to as PSPS, means PJP and PIP having systemic impacts on Payment System and/or financial system in the event the PJP and PIP experience disruption or failure.
11. Critical Payment System Provider, hereinafter referred to as PSPK, means PJP and PIP having critical impacts on Payment System and/or financial system in the event the PJP and PIP experience disruption or failure.
12. General Payment System Provider, hereinafter referred to as PSPU, means PJP and PIP which not having significant

• 4 - impacts on Payment System and/or financial system in the event the PJP and PIP experience disruption or failure.

13. Source of Fund for Payment, hereinafter referred to as Source of Fund, means source of fund used to meet obligations in payment transactions and administered in an account for payment. Article 2 The implementation of Payment System aims to create a fast, easy, affordable, safe, and reliable Payment System with remain in observing access expansion and consumer protection. Article 3 Visions of the implementation for Payment System in Indonesia include: a. to reinforce the integration of national digital economy and finance in assuring the proper functioning Bank Indonesia in money circulation, monetary policy, and financial system stability, and to support financial inclusion; b. to support banking digitalization as the primary institution in digital finance economy through open application programming interface and deployment of use of digital technology and data in the financial business; c. to assure interlink between financial technology and banks to avoid shadow banking risk through the regulation of digital technology, such as open application programming interface, business cooperation, and business ownership; d. to strike the balance among innovation and consumer protection, integrity and stability, and fair business competition through:

• 5 -

1. the implementation of know your customer principle and the implementaion of anti-money laundering and countering the financing of terrorism;
2. the obligation of openness of data, information, or public business; and
3. the deployment of innovative technology by the industry to ensure compliance with regulations and increase effectiveness of supervision and technology￾based supervision for reporting obligation, regulatory, and supervisory; and e. to safeguard national interest on cross-border digital finance economy through the obligation of domestic processing for all onshore transactions and cooperation between foreign and domestic provider by observing reciprocity principle. CHAPTER II COMPONENT, PAYMENT SYSTEM SERVICE PROVIDER, AND PAYMENT SYSTEM PROCESSING PHASES Article 4 Payment System components consist of: a. mechanism; b. infrastructure; c. institution; and d. Source of Fund and access to Source of Fund. Article 5 (1) Payment System serviceprovider consist of: a. PJP; and

• 6 - b. PIP. (2) The Payment System service provider as referred to in paragraph (1) may cooperate with Supporting Provider in supporting the operationof Payment System activity. (3) The Payment System service provider in the form of PIP as referred to in paragraph (1) point b consist of: a. Bank Indonesia as Payment System infrastructure provider; and b. other parties which operate Payment System infrastructures in the industry. Article 6 Payment transaction processing phases include the following activities: a. pre-transaction; b. initiation; c. authorization; d. clearing; e. settlement; and f. post-transaction. CHAPTER III AUTHORITY OF BANK INDONESIA IN PAYMENT SYSTEM Part One General Article 7 Bank Indonesia has the authority to conduct the following:

• 7 - a. formulation, establishment, and communication of policies on Payment System; b. issuance of regulations on Payment System; c. determination of access to Payment System operation; d. approval for and reporting on activity development, product development, and/or cooperation in Payment System operation; e. Payment System infrastructure operation; f. supervision and imposition of sanctions; g. management of data and/or information related to Payment System; and h. other authorities in Payment System determined by Bank Indonesia. Article 8 (1) The formulation, establishment, and communication of policies as referred to in Article 7 point a include: a. policy on licensing and designationfor PJP and PIP; b. policy on activity operation for PJP and PIP; c. policy related to data; d. policy on termination of access to Payment System operation; and e. other policies determined by Bank Indonesia. (2) The authority for formulation, establishment, and communication of policies as referred to in Article 7 point a is implemented to achieve the Payment System objectives as referred to in Article 2 and to: a. boost innovative, quality, and sustainable industry growth;

• 8 - b. create interconnection and interoperability of Payment System; and/or c. maintain fair business competition including through management and use of payment transaction data. Part Two SRO Article 9 Bank Indonesia has the authority to regulate criteria, mechanism, and requirements for parties which are determined as SRO. Article 10 In supporting the implementation of authority in Payment System, Bank Indonesia may assign SRO to: a. support implementation of Bank Indonesia policies; b. support implementation of licensing, approval, and supervision process; c. prepare and issue technical and micro provisions for Payment System with the approval of Bank Indonesia; and d. prepare and manage standards determined by Bank Indonesia. Article 11 Further provisions for determination and implementation of SRO duties shall be regulated in Regulation of Member of Board of Governors.

• 9 - CHAPTER IV ACTIVITIES OF PJP, PIP, AND SUPPORTING PROVIDER, AS WELL AS PJP LICENSING AND PIP DESIGNATION Part One Activities of PJP, PIP, and Supporting Provider Article 12 (1) PJP as referred to in Article 5 paragraph (1) point a operates the following activities: a. provision of Source of Fund information; b. payment initiation and/or acquiring services; c. administration of Source of Fund; and/or d. remittance services. (2) The activities of provision of Source of Fund information as referred to in paragraph (1) point a include provision of Source of Fund information for payment initiation according to the approval of User. (3) The activities of payment initiation and/or acquiring services as referred to in paragraph (1) point b include payment transaction forwarding. (4) The activities of administration of Source of Fund as referred to in paragraph (1) point c include execution of payment transaction authorization. (5) The activities of remittance services as referred to in paragraph (1) point d include acceptance and execution of fund transfer order whose source does not come from an account administered by remittance service operators.

• 10 - Article 13 (1) PIP as referred to in Article 5 paragraph (1) point b operates the following activities: a. clearing; and/or b. settlement, for the interest of PIP members. (2) The clearing activities as referred to in paragraph (1) point a include reconciliation, confirmation, and calculation of financial rights and obligations of PIP members prior to settlement. (3) The settlement activities as referred to in paragraph (1) point b include final and binding settlement through debiting and crediting of accounts of the parties against financial rights and obligations of PIP members according to clearing result. Article 14 (1) The Supporting Provider as referred to in Article 5 paragraph (2) operates activities to support PJP or PIP activities on condition that: a. Supporting Provider may only provide technical or solution supporting services; b. payment transaction processing control remains on PJP or PIP; and c. Supporting Provider may not access and/or administer Source of Fund. (2) Activities of Supporting Provider in payment transaction processing include provision of: a. technology for payment transaction processing; and/or

• 11 - b. other supporting services activities in Payment System operation. (3) Provisions for Supporting Provider activities shall be regulated in a Bank Indonesia Regulation. Part Two PJP Licensing Article 15 (1) The party acting as PJP as referred to in Article 5 paragraph (1) point a must first obtain license from Bank Indonesia. (2) The party which applies for license to become PJP must be a: a. Bank; or b. Non-Bank Institution. Article 16 (1) License for PJP to conduct the activities as referred to in Article 12 paragraph (1) is granted by the following license categories: a. license one category which includes the following activities:

1. provision of Source of Fund information;
2. payment initiation and/or acquiring services;
3. administration of Source of Fund; and
4. remittance services; b. license two category which includes the following activities:
5. provision of Source of Fund information; and

• 12 -

2. payment initiation and/or acquiring services; and/or c. license three category which includes the following activities:
3. remittance services; and/or
4. other activities determined by Bank Indonesia. (2) Bank Indonesia may determine a certain period for validity of license granted to PJP as referred to in paragraph (1). Article 17 (1) The party applying for the license as referred to in Article 15 paragraph (1) must comply with the mechanism and procedure for license application determined by Bank Indonesia. (2) The mechanism and procedure for license application as referred to in paragraph (1) are conducted through electronic system by referring to Bank Indonesia Regulation on integrated license of Bank Indonesia through front office license. (3) The phase for reviewing the PJP licensing consist of: a. administrative review; and b. substance analysis of applications according to the applied license categories. (4) In addition to the phase for reviewing the PJP licensing as referred to in paragraph (3), inspection is conducted. (5) According to the result of licensing review as referred to in paragraph (3) and inspection as referred to in paragraph (4), Bank Indonesia will determine whether the submitted license application:

• 13 - a. approve; or b. decline. Article 18 (1) The party which submits license application to become PJP must meet license requirements determined by Bank Indonesia with the following aspects: a. institutional; b. capital and financial; c. risk management; and d. information system capability. (2) The institutional aspect as referred to in paragraph (1) point a includes entity legality, ownership, control, and management. (3) The capital and financial aspect as referred to in paragraph (1) point b includes minimum required paid-up capital, feasibility analysis, and business forecasting. (4) The risk management aspect as referred to in paragraph (1) point c includes legal risk, operational risk, and liquidity risk. (5) The information system capability as referred to in paragraph (1) point d includes security and reliability of information system. Article 19 (1) The institutional aspect in the form of ownership as referred to in Article 18 paragraph (2) for PJP in the form of Non-Bank Institution is regulated as follows: a. share ownership composition, at least 15% (fifteen percent) of which shall be owned by:

• 14 -

1. Indonesian citizen; and/or
2. Indonesian legal entity; and b. share ownership composition for PJP in the form of Non-Bank Institution with the status of public company is calculated only for share ownershipat the percentage of 5% (five percent) or more. (2) The institutional aspect in the form of control as referred to in Article 18 paragraph (2) for PJP in the form of Non￾Bank Institution is regulated as follows: a. share composition with voting rights of at least 51% (fifty-one percent) must be owned by a domestic party, namely:
3. Indonesian citizen; and/or
4. Indonesian legal entity; b. in the event of special right to nominate majority members of board of directors and/or members of board of commissioners, the right must be owned by a domestic party; and c. in the event of special right in the form of veto right against a decision or approval in a general meeting of shareholders with significant impacts on the company, the right must be owned by a domestic party. (3) PJP in the form of Non-Bank Institution which has obtained its license is required to keep maintaining the share ownership composition as referred to in paragraph (1) and domestic control as referred to in paragraph (2). (4) Bank Indonesia may determine institutional aspect in the form of other control according to the assessment of Bank Indonesia.

• 15 - (5) In the event that PJP has obtained an institutional license from another authority, Bank Indonesia may determine another policy on institutional aspect in the form of ownership and/or control. Article 20 If required, Bank Indonesia may request a prospective PJP to submit additional data and/or information to meet the requirements as referred to in Article 18. Article 21 Provisions for PJP licenses shall be regulated in Bank Indonesia Regulation. Part Three PIP Designations Article 22 (1) The party acting as PIP as referred to in Article 5 paragraph (1) point b must first obtain designation from Bank Indonesia. (2) The party which may obtain designation to become PIP must be in the form of: a. Bank; or b. Non-Bank Institution. (3) The provisions as referred to in paragraph (1) do not apply to Bank Indonesia as PIP.

• 16 - Article 23 (1) The designation as referred to in Article 22 is according to the assessment of Bank Indonesia. (2) Bank Indonesia conducts the assessment as referred to in paragraph (1) by considering: a. impacts on financial system stability; and/or b. public interest. (3) Bank Indonesia may determine a certain period for validity of designation granted to PIP as referred to in paragraph (1). Article 24 (1) In addition to considering the matters as referred to in Article 23 paragraph (2), Bank Indonesia obliges a prospective PIP to meet designation requirements including the following aspects: a. institutional; b. capital and financial; c. risk management; and d. information system capability. (2) The institutional aspect as referred to in paragraph (1) point a includes legality of legal entity, ownership, control, and management. (3) The capital and financial aspect as referred to in paragraph (1) point b includes minimum required paid-up capital, feasibility analysis, and business forecasting. (4) The risk management aspect as referred to in paragraph (1) point c includes legal risk, operational risk, and liquidity risk.

• 17 - (5) The information system capability as referred to in paragraph (1) point d includes security and reliability of information system. Article 25 (1) The institutional aspect in the form of ownership as referred to in Article 24 paragraph (2) for PIP in the form of Non-Bank Institution is regulated as follows: a. share ownership composition, at least 80% (eighty percent) of which shall be owned by:

1. Indonesian citizen; and/or
2. Indonesian legal entity; and b. share ownership composition for PIP in the form of Non-Bank Institution with the status of public company is calculated only for share ownership at the percentage of 5% (five percent) or more. (2) The institutional aspect in the form of control as referred to in Article 24 paragraph (2) for PIP in the form of Non￾Bank Institution is regulated as follows: a. share composition with voting rights of at least 80% (eighty percent) must be owned by a domestic party, namely:
3. Indonesian citizen; and/or
4. Indonesian legal entity; b. in the event that special right to nominate majority members of board of directors and/or members of board of commissioners, the right must be owned by a domestic party; and c. in the event of special right in the form of veto right against a decision or approval in a general meeting of

• 18 - shareholders with significant impacts on the company, the right must be owned by a domestic party. (3) PIP in the form of Non-Bank Institution which has obtained its designation is required to keep maintaining the share ownership composition as referred to in paragraph (1) and domestic control as referred to in paragraph (2). (4) Bank Indonesia may determine institutional aspect in the form of other control according to the assessment of Bank Indonesia. (5) In the event that PIP has obtained an institutional license from another authority, Bank Indonesia may determine another policy on institutional aspect in the form of ownership and/or control. Article 26 If required, Bank Indonesia may request a prospective PIP to submit additional data and/or information to meet the requirements as referred to in Article 24. Article 27 Provisions for PIP designations shall be regulated in a Bank Indonesia Regulation.

• 19 - Part Four Limitation of PJP License and PIP Designations Article 28 Any party may only submit application or have license or designation as one of the Payment System provider as referred to in Article 5 paragraph (1). Article 29 The license and/or designation granted by Bank Indonesia may not be transferred to any other party. Article 30 (1) Bank Indonesia has the authority to impose the administrative sanctions on PJP and/or PIP against any breach of obligation as referred to in Article 19 paragraph (3) and Article 25 paragraph (3), with the following forms: a. warning; b. penalty; c. temporary, partial, or entire, suspension of activities, including cooperation implementation; and/or d. revocation of licenses as PJP or designations as PIP. (2) Further provisions for the procedure for the administrative sanction imposition as referred to in paragraph (1) shall be regulated in Bank Indonesia Regulation.

• 20 - CHAPTER V PAYMENT SYSTEM OPERATION Part One PJP Obligations Article 31 (1) In operating Payment System, PJP which has obtained a license is required to fulfill obligations determined by Bank Indonesia. (2) The obligations as referred to in paragraph (1) include fulfillment of the following aspects: a. governance; b. risk management including prudential principle; c. information system security standard; d. interconnection and interoperability; and e. compliance with the laws and regulations. Article 32 (1) The governance aspect as referred to in Article 31 paragraph (2) point a is implemented according to the following principles: a. openness; b. accountability; c. responsibility; d. independence; and e. fairness. (2) The minimum scope of governance implementation shall be as follows: a. implementation of duties and responsibilities:

• 21 -

1. board of directors and board of commissioners for PJP in the form of limited liability company; or
2. function or organ performing the functions of management and supervisor for PJP in other form of legal entities; b. implementation of periodic audit function; and c. Information openness related to Payment System operation. Article 33 The risk management aspect, including prudential principle, as referred to in Article 31 paragraph (2) point b includes: a. active supervision by:
3. board of directors and board of commissioners for PJP in the form of limited liability company; or
4. function or organ performing the functions of management and supervisor for PJP in other form of legal entities. b. availability of policies and procedures as well as fulfillment of organizational structure adequacy; c. risk management process and risk management function as well as human resources; and d. internal control. Article 34 The information system security standard aspect as referred to in Article 31 paragraph (2) point c includes: a. availability of written policy and procedure of information system;

• 22 - b. use of a safe and reliable system at least as follows:

1. security and protection of data confidentiality;
2. fraud management;
3. fulfillment of certification and/or standard for system security and reliability; and
4. maintenance and improvement of technology security; c. implementation of cyber-security standard; d. security of data and/or information; and e. implementation of periodic information system audit. Article 35 (1) The interconnection and interoperability aspect as referred to in Article 31 paragraph (2) point d include: a. compliance with interconnection and interoperability mechanism, including the standard determined by Bank Indonesia; b. interconnection with data infrastructure and Payment System infrastructure; and c. domestically process of payment transactions. (2) The domestically process of payment transactions as referred to in paragraph (1) point c applies to phases of initiation, authorization, clearing, and final settlement. (3) The domestically process of payment transactions as referred to in paragraph (2) is conducted for any transaction which: a. uses access to Source of Fund in the form of instruments and/or services provided by PJP; and b. is executed within the territory of the Republic of Indonesia.

• 23 - (4) Bank Indonesia shall determine the types of access to Source of Fund and enforcement phases of domestically process of transactions as referred to in paragraph (2). (5) The payment transactions as referred to in paragraph (2) may be processed outside the territory of the Republic of Indonesia with Bank Indonesia’s approval. Article 36 The implementation of PJP obligation in Payment System operation as referred to in Article 31 is adjusted to PJP activities. Article 37 Provisions for PJP obligations in Payment System operation shall be regulated in Bank Indonesia Regulation. Part Two PIP Obligations Article 38 (1) In operating Payment System infrastructures, PIP which has obtained designation is required to fulfill obligations determined by Bank Indonesia. (2) The obligations as referred to in paragraph (1) include fulfillment of the following aspects: a. governance; b. risk management including prudential principle; c. information system security standard; d. interconnection and interoperability;

• 24 - e. availability of facilities and infrastructures for infrastructure operation; f. procedure and mechanism for infrastructure operation; g. participation in infrastructures; and h. compliance with the laws and regulations. Article 39 (1) The governance aspect as referred to in Article 38 paragraph (2) point a is conducted according to the following principles: a. openness; b. accountability; c. responsibility; d. independence; and e. fairness. (2) The minimum scope of governance shall be as follows: a. implementation of duties and responsibilities of board of directors and board of commissioners; b. implementation of periodic audit function; c. communication and collaboration with the relevant parties; and d. information openness related to Payment System operation. Article 40 The risk management aspect, including prudential principle, as referred to in Article 38 paragraph (2) point b includes: a. active supervision by board of directors and board of commissioners;

• 25 - b. availability of policies and procedures as well as fulfillment of organizational structure adequacy; c. risk management process and risk management function as well as human resources; and d. internal control. Article 41 The information system security standard aspect as referred to in Article 38 paragraph (2) point c includes: a. availability of written policies and procedures for information system; b. use of a safe and reliable system at least as follows:

1. security and protection of data confidentiality;
2. fraud management;
3. fulfillment of certification and/or standard for system security and reliability; and
4. maintenance and improvement of technology security; c. implementation of cyber-security standard; d. security of data and/or information; and e. implementation of periodic information system audit. Article 42 (1) The interconnection and interoperability aspect as referred to in Article 38 paragraph (2) point d include: a. compliance with interconnection and interoperability mechanism, including the standard determined by Bank Indonesia; b. interconnection with data infrastructure and Payment System infrastructure; and c. domestically process of payment transactions.

• 26 - (2) The domestically process of payment transactions as referred to in paragraph (1) point c applies to phases of initiation, authorization, clearing, and final settlement. (3) The domestically process of payment transactions as referred to in paragraph (2) is conducted for any transaction which: a. uses access to Source of Fund in the form of instruments and/or services provided by PJP; and b. is executed within the territory of the Republic of Indonesia. (4) Bank Indonesia shall determine the types of access to Source of Fund and enforcement phases of domestically process of transactions as referred to in paragraph (2). (5) The payment transactions as referred to in paragraph (2) may be processed outside the territory of the Republic of Indonesia with Bank Indonesia’s approval. Article 43 The participation in infrastructures aspect as referred to in Article 38 paragraph (2) point g includes: a. criteria and requirements for becoming infrastructure participant; b. scope of PIP service for participants; c. rights and obligations of participants; d. dispute resolution mechanism between PIP and its participant and between participants; and e. monitoring of compliance of participants and other parties executing transactions with Bank Indonesia provisions and PIP provisions.

• 27 - Article 44 Provisions for PIP obligations in Payment System operation shall be regulated in Bank Indonesia Regulation. Part Three Fund Transfer Operation Article 45 The operation of fund transfer activities by PJP and/or PIP are conducted according to the laws and regulations on fund transfers. Part Four Classifications of PJP and PIP Article 46 In Payment System operation, Bank Indonesia determines PJP and PIP classification. Article 47 The PJP and PIP classifications as referred to in Article 46 consists of: a. PSPS; b. PSPK; and c. PSPU. Article 48 In determining the classifications as referred to in Article 47, Bank Indonesia considers the following criteria:

• 28 - a. size; b. interconnectedness; c. complexity; and/or d. substitutability. Article 49 (1) Bank Indonesia may determine fulfillment of certain obligations according to PJP and PIP classifications as referred to in Article 47. (2) The fulfillment of certain obligations according to PJP and PIP classifications as referred to in paragraph (1) includes the following aspects: a. capital; b. risk management and information system; and c. other aspects determined by Bank Indonesia. Article 50 Bank Indonesia periodically evaluates the determined classification of PJP and PIP as referred to in Article 47. Article 51 Bank Indonesia submits a written notice to PJP and PIP of: a. the result of PJP and PIP classifications as referred to in Article 47; and b. the evaluation result of PJP and PIP determination as referred to in Article 50 in the event of change of PJP and PIP classifications.

• 29 - Article 52 Provisions for obligations in relation to PJP and PIP classifications shall be regulated in Bank Indonesia Regulation. Part Five Activity Development, Product Development, and/or Cooperation Part 1 General Article 53 (1) PJP and PIP may conduct activity development, product development, and/or cooperation with other parties. (2) The cooperation with other parties as referred to in paragraph (1) may be conducted with: a. another PJP or PIP; and b. Supporting Provider. Part 2 Categories of Activity Development, Product Development, and/or Cooperation Article 54 (1) The activity development, product development, and/or cooperation as referred to in Article 53 are categorized by risk level, consisting of low risk, medium risk, and high risk.

• 30 - (2) The categories of low risk, medium risk, and high risk as referred to in paragraph (1) are determined as: a. low risk, if the activity development, product development, and/or cooperation:

1. do not result in change of business model, system, and infrastructure used; or
2. result in change of business model, system, and/or infrastructure used in low scale; b. medium risk, if the activity development, product development, and/or cooperation result in medium scale change of business model, system, and/or infrastructure; and c. high risk, if the activity development, product development, and/or cooperation result in high scale change of business model, system, and/or infrastructure. Part 3 Application for Activity Development, Product Development, and/or Cooperation Article 55 (1) PJP and PIP must first conduct self assessment on the risk of planned activity development, product development, and/or cooperation to be implemented according to risk categories as referred to in Article 54. (2) Against the self assessment result of PJP and PIP as referred to in paragraph (1), Bank Indonesia may

• 31 - determine different risk categories from the assessment result of PJP and PIP. (3) In the event of different risk categories between the PJP and PIP assessment result as referred to in paragraph (2) with the assessment of Bank Indonesia, the risk categories determined by Bank Indonesia shall prevail. Article 56 According to the risk assessment result as referred to in Article 55, PJP and PIP are required to: a. submit reports to Bank Indonesia on activity development, product development, and/or cooperation, if the activity development, product development, and/or cooperation meet low risk category; or b. submit approval requests to Bank Indonesia for activity development, product development, and/or cooperation, if the activity development, product development, and/or cooperation meet medium or high risk category. Article 57 The submission of approval request for activity development, product development, and/or cooperation as referred to in Article 56 point b is equipped by supporting documents to meet the requirements, which include the following aspects: a. operational readiness; b. security and reliability of the system; c. implementation of risk management; and d. consumer protection.

• 32 - Article 58 If required, Bank Indonesia may request PJP and PIP to submit additional data and/or information to meet the requirements as referred to in Article 57. Part 4 Processing of Application for Activity Development, Product Development, and/or Cooperation Article 59 To process the approval application as referred to in Article 56 point b, Bank Indonesia conducts: a. administrative review; b. analysis of business model of the planned activity development, product development, and/or cooperation; c. analysis of requirement fulfillment according to the documents submitted as referred to in Article 57 and Article 58; and d. inspection, if required. Article 60 According to the processing of approval applicationas referred to in Article 59, Bank Indonesia determines whether the submitted approval application : a. approve; or b. decline.

• 33 - Part 5 Cooperation with Supporting Provider Article 61 (1) PJP and PIP that cooperate with Supporting Provider must: a. assess the Supporting Provider; and b. be fully responsible for the security and smoothness of payment transaction processing. (2) The responsibility for security and smoothness of payment transaction processing as referred to in paragraph (1) point b shall at least be conducted by: a. having mechanism for monitoring of Supporting Provider implementation; b. ensuring risk management implementation by Supporting Provider; and c. ensuring availability of access to Supporting Provider for Bank Indonesia. Article 62 Bank Indonesia may impose certain requirements to Supporting Provider that conducting payment forwarding from PJP to Goods and/or Services Provider.

• 34 - Part 6 Cooperation with Supporting Provider and/or Payment System Service Provider Outside the Territory of the Republic of Indonesia Article 63 In addition to considering the requirement fulfillment as referred to in Article 57, if a request for cooperation is submitted by PJP or PIP with Supporting Provider and/or Payment System service provider outside the territory of the Republic of Indonesia, Bank Indonesia may consider the following: a. reciprocal aspect; b. equal standard for risk management implementation; and c. benefits for the economy of Indonesia. Article 64 Provisions for activity development, product development, and/or cooperation shall be regulated in Bank Indonesia Regulation. Part Six Corporate Actions, Change of Ownership, and Change of Control of PJP and PIP Article 65 In the event that PJP or PIP conducts corporate actions in the form of merger, consolidation, spin-off, and/or acquisition of PJP or PIP, the following provisions apply to: a. PJP or PIP in the form of Non-Bank Institution, is required to first obtain approval from Bank Indonesia; and

• 35 - b. PJP or PIP in the form of Bank, is required to submit a report to Bank Indonesia. Article 66 The approval request as referred to in Article 65 point a and the report as referred to in Article 65 point b shall at least contain the following information: a. background of the corporate action; b. party that will conduct the corporate action; c. targeted time of the corporate action; d. management structure, share ownership structure, and corporate ownership structure after the corporate action; and e. business plan for Payment System service operation after the corporate action. Article 67 In the event that a legal entity resulting from the merger, consolidation, or spin-off does not have any license as PJP or designation as PIP, such legal entity is required to first obtain license or designation from Bank Indonesia. Part Seven Source of Fund and Access to Source of Fund Article 68 Source of Fund must meet the following: a. have value in rupiah unit;

• 36 - b. be used for the purpose of payment and/or fulfillment of economic activities; c. the value of money in the Source of Fund is according to the fund first deposited to the party administering the Source of Fund or in the form of credit facility extended by the party administering the Source of Fund. d. be stored in electronic media or any other media; e. be able to be used for payment other than to the party administering the Source of Fund or only be able to be used for payment to the party administering the Source of Fund according to the limitation determined by Bank Indonesia; and f. represent the rights of User and/or claims against an issuer except for the Source of Fund according to credit facility. Article 69 Bank Indonesia may determine the criteria, scope, and types of access to Source of Fund according to fund transfer mechanism through: a. credit transfer; and b. debit transfer. Article 70 Bank Indonesia may determine certain requirements for the use of Source of Fund and access to Source of Fund within the territory of the Republic of Indonesia operated by a foreign provider.

• 37 - Article 71 Bank Indonesia determines the prudential aspect in relation to Source of Fund and access to Source of Fund. Article 72 Provisions for Source of Fund and access to Source of Fund shall be regulated in Bank Indonesia Regulation. Part Eight Prohibition for PJP and PIP Article 73 Bank Indonesia may determine regulation on prohibition for: a. PJP from having and/or managing the value that may be equalized to the value of money or value other than rupiah which may be widely used beyond the scope of the relevant PJP; and b. PJP and PIP from receiving, using, correlating, and/or processing payment transaction by using virtual currency. Part Nine Operation of Integrated Payment Interface Article 74 (1) Bank Indonesia may operate integrated payment interface which is connecting access to Source of Fund with PJP to forward process of initiation and/or authorization of payment transactions. (2) Provisions for integrated payment interface shall be regulated in Bank Indonesia Regulation.

• 38 - Part Ten Operation of Systemic Payment System Infrastructures Article 75 (1) Bank Indonesia designates Payment System infrastructures categorized as systemic financial market infrastructures. (2) The determination as referred to in paragraph (1) is according to the following considerations: a. quantity and value of the processed transaction; b. number and type of participant; c. type of market served; d. market share; e. connectivity with infrastructures of financial market and another financial institution; f. availability of immediate substitute of Payment System infrastructures; and/or g. other matters determined by Bank Indonesia. Article 76 (1) The operation of Payment System infrastructures categorized as systemic financial market infrastructures as referred to in Article 75 are operated according to the applicable international standard. (2) Fulfillment of the international standard as referred to in paragraph (1) includes: a. the aspect of infrastructure operation; and

• 39 - b. the aspect of authority’s responsibility in conducting oversight. (3) Further actions to the monitoring as referred to in paragraph (2) point b is in the following forms: a. moral suasion; b. recommendations for policies, regulations, or developments; c. coordination with the relevant authority; and/or d. any other actions determined by Bank Indonesia. Article 77 Provisions for systemic financial market infrastructures shall be regulated in Bank Indonesia Regulation. Article 78 (1) Bank Indonesia may impose the following administrative sanctions on PJP and PIP against any breach of obligation as referred to in Article 31 paragraph (1), Article 38 paragraph (1), Article 56, Article 65, and Article 67, in the form of : a. warning; b. penalty; c. temporary, partial, or entire suspension of activities, including cooperation implementation; and/or d. revocation of licenses as PJP or designations as PIP. (2) Further provisions for the procedure for the administrative sanction imposition as referred to in paragraph (1) shall be regulated in Bank Indonesia Regulation.

• 40 - CHAPTER VI TECHNOLOGY INNOVATIONS IN PAYMENT SYSTEM Article 79 Bank Indonesia provides a testing environment for development of innovations in Payment System technology to support development of digital economy and finance. Article 80 Technology innovations in Payment System include products, activities, services, and business models using innovative technology in the ecosystem of digital economy and finance which may support Payment System operation. Article 81 Provision of the testing environment as referred to in Article 79 aims to: a. promote technology innovations; and b. monitor and detect opportunities and risks of technology innovations, for development of the ecosystem of digital economy and finance as well as Payment System operation. Article 82 The testing of development of technology innovations in Payment System as referred to in Article 79 is conducted by Bank Indonesia through the following testing: a. development of innovations which have been unused or have been used in the Payment System industry in a limited manner (innovation lab);

• 41 - b. innovations in policies or regulation of Payment System (regulatory sandbox); and c. innovations which have been used in the Payment System industry and shall be promoted for widely used (industrial sandbox). Article 83 The testing of development of technology innovations in Payment System as referred to in Article 82 may derive from: a. requests submitted by:

1. PJP;
2. PIP; or
3. any other parties determined by Bank Indonesia; or b. initiative of Bank Indonesia. Article 84 In the implementation of testing development of technology innovations in Payment System as referred to in Article 82, Bank Indonesia may involve SRO and/or another party. Article 85 Provisions for technology innovations in Payment System shall be regulated in Bank Indonesia Regulation.

• 42 - CHAPTER VII PAYMENT SYSTEM SUPERVISION Article 86 Bank Indonesia supervises Payment System operation by using risk-based and/or compliance-based supervision approach. Article 87 Supervision of Payment System operation aims to ensure achievement of the Payment System operation objectives as referred to in Article 2 by promoting innovations in Payment System industry as well as observing international standards and practices. Article 88 The objects of supervision of Payment System operation as referred to in Article 86 include: a. PJP, PIP, including cooperating parties, are conducted through supervision; and b. Payment System infrastructures operated by Bank Indonesia, is conducted through monitoring. Article 89 (1) The supervision of Payment System operation as referred to in Article 88 point a is conducted through: a. off-site supervision; and b. on-site supervision. (2) Bank Indonesia may assign another party for and on behalf of Bank Indonesia to conduct the on-site supervision as referred to in paragraph (1) point b.

• 43 - Article 90 The scope of supervision by Bank Indonesia of the supervision objects as referred to in Article 88 point a includes: a. risk exposure, including compliance with the applicable laws and regulations; b. implementation of risk governance and risk management; and c. other aspects determined by Bank Indonesia. Article 91 In conducting the supervision of Payment System operation as referred to in Article 86, Bank Indonesia also observes PJP and PIP classifications as referred to in Article 47. Article 92 In conducting the supervision as referred to in Article 86, Bank Indonesia may: a. implement supervision according to innovative technology; and/or b. promote the use of innovative technology by the industry to ensure compliance with the provisions and to increase supervision effectiveness. Article 93 (1) PJP, PIP, and cooperating parties are required to submit the following to Bank Indonesia or any other party assigned by Bank Indonesia: a. documents, data, information, and/or reports; b. oral and written details and/or explanation;

• 44 - c. access to infrastructures and/or information system required in supervision; and/or d. any other requirements. (2) PJP, PIP, and cooperating parties as referred to in paragraph (1) are required to be responsible for the validity, accuracy, completeness, and timeliness of submission of each document, data, information, report, details, and/or explanation to Bank Indonesia. (3) The documents, data, information, reports, details, and/or explanation as referred to in paragraph (2) are submitted through: a. reporting; b. direct meeting; and/or c. any other means of communication determined by Bank Indonesia. Article 94 (1) Bank Indonesia may conduct integrated supervision of parent companies, subsidiaries, and/or any other affiliated parties. (2) PJP, PIP, and the parties as referred to in paragraph (1) are prohibited from hindering the supervision process by Bank Indonesia. Article 95 According to the supervision as referred to in Article 89, Bank Indonesia may: a. request PJP and/or PIP to:

1. do or omit any action;
2. limit activities or operation; and/or

• 45 -

3. temporary, partial, or entire, suspension of activities, including cooperation implementation; and/or b. revoke any granted licenses, designations, and/or approvals. Article 96 (1) Bank Indonesia may impose administrative sanctions on PJP and/or PIP in the following forms: a. warning; b. penalty; c. temporary, partial, or entire, suspension of activities, including cooperation implementation; and/or d. revocation of licenses as PJP or designations as PIP. (2) Further provisions for the procedure for the administrative sanction imposition as referred to in paragraph (1) shall be regulated in Bank Indonesia Regulation. Article 97 In imposing the administrative sanctions as referred to in Article 96, Bank Indonesia considers the following aspects: a. level of errors and/or breaches; b. any consequences on:
4. the aspect of smoothness and security of Payment System;
5. the aspect of consumer protection;
6. the aspect of anti-money laundering and countering the financing of terrorism; and/or
7. other aspects determined by Bank Indonesia.

• 46 - Article 98 Bank Indonesia may impose the following administrative sanctions on the other parties assigned to conduct on-site supervision as referred to in Article 89 paragraph (2) that breach Bank Indonesia provisions: a. written warning; b. recommendation for the relevant institution to:

1. exclude the other parties assigned from a particular profession list; and/or
2. revoke business license. Article 99 Provisions for supervision of Payment System operation shall be regulated in Bank Indonesia Regulation. Article 100 (1) Bank Indonesia may impose the following administrative sanctions on PJP and/or PIP against any breach of obligation as referred to in Article 93: a. warning; b. penalty; c. temporary, partial, or entire, suspension of activities, including cooperation implementation; and/or d. revocation of licenses as PJP or designations as PIP. (2) Further provisions for the procedure for the administration sanction imposition as referred to in paragraph (1) shall be regulated in Bank Indonesia Regulation.

• 47 - CHAPTER VIII TERMINATION OF PAYMENT SYSTEM OPERATION Part One Evaluation of Licenses and Evaluation of Designations Article 101 (1) Bank Indonesia evaluates licenses and designations granted to PJP and PIP. (2) The evaluation as referred to in paragraph (1) is conducted according to: a. supervision result by Bank Indonesia; b. corporate actions by PJP and PIP; c. request for licenses extension; d. recommendations from other authorities; e. final and binding court decision; f. request from PJP and PIP operators to terminate their activities; and/or g. any other considerations. (3) The evaluation result as referred to in paragraph (2) may serve as the basis for Bank Indonesia to: a. shorten the license validity; b. revoke PJP licenses and PIP designations; or c. grant extension of the validity of licenses or designations.

• 48 - Part Two Settlement of Obligations of PJP and PIP Article 102 PJP and PIP must settle all obligations arising in Payment System operation according to the mechanism and within the period determined by Bank Indonesia prior to revocation of PJP licenses or PIP designations by Bank Indonesia. Article 103 Provisions for evaluation of licenses and evaluation of designations shall be regulated in Bank Indonesia Regulation. CHAPTER IX DATA AND/OR INFORMATION Part One Management of Data and/or Information Article 104 Management of data and/or information related to Payment System conducted by Bank Indonesia aims to: a. formulate policies on Payment System; b. support development of digital economy and finance; c. supervise Payment System operation; and/or d. conduct market intelligence analysis in the Payment System industry.

• 49 - Part Two Subject of Data and/or Information Collection Article 105 (1) PJP and PIP are required to submit data and/or information related to Payment System to Bank Indonesia according to the procedure and mechanism determined by Bank Indonesia. (2) If requested by Bank Indonesia, any other party cooperating with PJP and PIP is required to submit data and/or information related to Payment System to Bank Indonesia according to the procedure and mechanism determined by Bank Indonesia. Part Three Mechanism of Data and/or Information Collection Article 106 The collection of data and/or information related to Payment System from PJP, PIP, and/or any other parties cooperating with PJP and PIP as referred to in Article 105 is conducted by: a. submission of reports to Bank Indonesia; b. data capturing through connections between systems; and/or c. any other mechanisms determined by Bank Indonesia.

• 50 - Part Four Processing of Data and/or Information Article 107 (1) In the processing of data and/or information related to Payment System, PJP, PIP, and/or any other parties cooperating with PJP and PIP are required to: a. implement the personal data protection principles including meet the aspect of User’s consent for the use of their personal data; b. meet the mechanism of processing of data and/or information related to Payment System determined by Bank Indonesia, including processing mechanism through data infrastructures and Payment System infrastructures of Bank Indonesia; c. meet the mechanism of utilization of third-party data infrastructures determined by Bank Indonesia; d. implement the cyber-risk management in Payment System operation, including the information system security standard; and e. comply with the laws and regulations. (2) The mechanism of processing of data and/or information related to Payment System as referred to in paragraph (1) point b includes: a. access and procedure for processing; b. data standardization, technical standardization, security standardization, and governance standardization; and/or c. any other mechanisms determined by Bank Indonesia.

• 51 - Part Five Use and Openness of Individual Customer Data Article 108 (1) PJP and/or PIP may exchange data of individual customer with any other PJP and/or PIP and any other relevant parties according to the laws and regulations on personal data protection and Bank Indonesia provisions. (2) The exchange of individual customer data as referred to in paragraph (1) may be conducted: a. directly by PJP and/or PIP; and/or b. through data management infrastructures and/or Payment System infrastructures in an integrated manner operated or facilitated by Bank Indonesia. Part Six Transfer of Individual Customer Data to Locations Outside the territory of the Republic of Indonesia Article 109 (1) PJP and PIP may transfer data of individual customer to any other parties outside the territory of the Republic of Indonesia according to the laws and regulations on personal data protection and Bank Indonesia provisions. (2) In the event that the transfer of individual customer data as referred to in paragraph (1) does not comply with the laws and regulations and/or aims to protect the national interest, Bank Indonesia may terminate such transfer of individual customer data.

• 52 - Article 110 (1) Bank Indonesia may impose the following administrative sanctions against any breach of obligation as referred to in Article 105 and Article 107: a. warning; b. penalty; c. temporary, partial, or entire, suspension of activities, including cooperation implementation; and/or d. revocation of licenses as PJP or designations as PIP. (2) Further provisions for the procedure for the administration sanction imposition as referred to in paragraph (1) shall be regulated in Bank Indonesia Regulation. Article 111 (1) Provisions for data and/or information shall be regulated in Bank Indonesia Regulation. (2) Provisions for data standardization, technical standardization, security standardization, and governance standardization as referred to in Article 107 paragraph (2) shall be regulated in a Regulation of Member of Board of Governors. CHAPTER X COORDINATION AND COMMUNICATION Article 112 In implementing the authority and functions in Payment System, Bank Indonesia may coordinate with any other authorities, institutions, and/or parties.

• 53 - Article 113 Bank Indonesia conducts policy communication of Payment System policies to PJP and/or PIP as well as other parties. CHAPTER XI TRANSITIONAL PROVISIONS Article 114 (1) Upon promulgation of this Bank Indonesia Regulation, Bank Indonesia conducts assessment on payment system service provider that have obtained licenses prior this Bank Indonesia Regulation comes into force, to: a. reclassify the PJP activities as referred to in Article 12 or the PIP activities as referred to in Article 13; and b. ensure the commitment in fulfilling PJP license requirements as referred to in Article 18 paragraph (3), paragraph (4), and paragraph (5) or PIP designation requirements as referred to in Article 24 paragraph (3), paragraph (4), and paragraph (5), according to the reclassification result as referred to in point a and limitation of licenses and/or designations as referred to in Article 28. (2) According to the assessment result as referred to in paragraph (1), Bank Indonesia converts the license of payment system service provider to PJP license or to PIP designation upon this Bank Indonesia Regulation comes into force. Article 115 (1) The following provisions apply to licensed payment system

• 54 - service provider which commit to meet the requirements as referred to in Article 114 paragraph (1) point b according to the assessment result: a. Bank Indonesia provides 2 (two) years at the maximum to meet the requirements as referred to in Article 114 paragraph (1) point b; and b. within the period as referred to in point a, a licensed payment system service provider may only conduct activities according to the PJP license and the PIP designation granted by Bank Indonesia. (2) The following provisions apply to licensed payment system service operators which do not commit to meet the requirements as referred to in Article 114 paragraph (1) point b according to the assessment result: a. Bank Indonesia provides 2 (two) years at the maximum for licensed payment system service provider to settle the rights and obligations as payment system service providers; and b. Bank Indonesia revokes the PJP licenses or the PIP designations after settlement of the rights and obligations as referred to in point a. Article 116 (1) Bank Indonesia conducts evaluation of the fulfillment of requirements by PJP and PIP within the period as referred to in Article 115 paragraph (1). (2) According to the evaluation result as referred to in paragraph (1), Bank Indonesia may: a. grant extension of the PJP licenses and/or the PIP designations; or

• 55 - b. revoke the PJP licenses and/or the PIP designations. Article 117 The party which is in the process of licensing phase as payment system service provider, when this Bank Indonesia Regulation comes into force, must meet all requirements for the PJP licenses or the PIP designations specified here in. Article 118 (1) The provisions for share ownershipcomposition as referred to in Article 19 paragraph (1) or Article 25 paragraph (1) must be fulfilled by payment system service providers that have obtained licenses prior to this Bank Indonesia Regulation comes into force, if upon this Bank Indonesia regulation comes into force , there is a change of share ownership composition conducted by foreign party. (2) The provisions for share ownershipcomposition as referred to in paragraph (1) do not apply to change of foreign share ownership composition conducted according to the policy or further actions to the supervision by Bank Indonesia. (3) The provisions for domestic control as referred to in Article 19 paragraph (2) or Article 25 paragraph (2) must be fulfilled by payment system service providers that have obtained licenses prior to this Bank Indonesia Regulation comes into force, if upon this Bank Indonesia regulation comes into force, there is a change of control conducted by a foreign party. (4) The provisions for domestic control as referred to in paragraph (3) do not apply to change of foreign share

• 56 - ownership composition conducted according to the policy or further actions to the supervision by Bank Indonesia. (5) In the event of change of foreign share ownership composition as referred to in paragraph (1) and/or change of control by foreign party as referred to in paragraph (3), Bank Indonesia conducts further action to the supervision. Article 119 The payment system service providers that have submitted or are in the process of approval of activity development, product development, and/or cooperation upon this Bank Indonesia Regulation comes into force must meet all requirements for approval requests for activity development, product development, and/or cooperation regulated in this Bank Indonesia Regulation. Article 120 The party that has been designated as SRO prior to this Bank Indonesia regulation comes into force is designated as SRO as referred to in Article 10. CHAPTER XII CLOSING PROVISIONS Article 121 At the time when this Bank Indonesia Regulation comes into force, all laws and regulations on Payment System in Bank

• 57 - Indonesia are declared to remain applicable to the extent they are not in contravention of this Bank Indonesia Regulation. Article 122 This Bank Indonesia Regulation comes into force on 1 July

In order that every person may know hereof, it is ordered to promulgated this Bank Indonesia Regulation by its placement in State Gazette of the Republic of Indonesia. Issued in Jakarta on 29 December 2020 GOVERNOR OF BANK INDONESIA, PERRY WARJIYO Promulgated in Jakarta on 30 December 2020 MINISTER OF LAW AND HUMAN RIGHSTS REPUBLIC OF INDONESIA, YASONNA H. LAOLY STATE GAZETTE OF THE REPUBLIC OF INDONESIA OF 2020 NUMBER 311

ELUCIDATION OF BANK INDONESIA REGULATION NUMBER 22/23/PBI/2020 ON PAYMENT SYSTEM I. GENERAL Development of digitalization and innovation in Payment System on one hand gives opportunities to increase the efficiency of Payment System industry and accelerate the digital economy and financial inclusion. On the other hand, development of digitalization and innovation in Payment System raises challenges coming from high complexity of activities and business model variations of Payment System service providers, thereby increasing various risks in Payment System operation which may impact the overall financial system stability. Payment System regulatory reform is necessary as an effort to respond the Payment System digitalization and innovation through re-arrangement of Payment System industry, including mitigating risks arising from the increasing development of Payment System service provider’s activities conducted by Non-Bank Institution and expansion of digital payment ecosystem among providers in one business group or different business groups that have led to challenges for level playing field provisions for Payment System service providers. Payment System regulatory reform is conducted among others by the changes of regulation approach in Payment System operation from institution-based to risk-and-activity based, so it is ensured that for the same activity and risk, same regulation will be applied. On the entry side, reclassification of Payment System operation based on activities is necessary to be supported by strengthening of business

• 2 - process, mechanism, and license requirements, among others through regulation of the aspects of capital and finance, risk management, information system capability, and institution, including ownership of Payment System service providers. In addition, simplification of license process is necessary to increase license efficiency through grant of license based on activity group according to license category (bundling). Supervision of Payment System operation needs to be strengthened to ensure development of activities/business operations, business performance, and risk exposure which exists inthe Payment System service providers, supported by adequate aspects of financial, capital, governance, and risk management. Therefore, risk-based supervision approach must be strengthened by assessment of supervision of size, interconnectedness, complexity of products/activities, and substitutability of Payment System service provider by keep observing compliance of providers with the applicable provisions. Payment System functions in facilitating fund transfer must be aligned with digitalization development through strengthening of regulation related to the concept of Source of Fund and access to Source of Fund through instrument and channel, including aspect of cross-border Payment System operation. Meanwhile, the direction of development of Payment System infrastructures according to Bank Indonesia future policies needs to be accommodated within the regulatory framework, including Payment System infrastructures with systemic impacts as part of financial market infrastructures by referring to fulfillment of international standards. The currently limited testing of Payment System technology innovation must be strengthened in order to increase monitoring and market intelligence functions of Bank Indonesia for development in the industry, which may then serve as an input for policy formulation, regulation, supervision, and license.

• 3 - Payment System regulation reform needs to be supported by strengthening of the integrated processing of data and/or information of payments, including regulation of mechanism and supporting infrastructures as well as implementation of personal data protection principles and utilization of third-party data infrastructures policies. Effectiveness of Payment System regulation needs to be increased among others through application of regulation approach which prioritizes principle-based regulation and optimization of SRO role in issuing technical and micro provisions and supports implementation of licenses, approvals, supervision, preparation, and management of standard under the policy direction of Bank Indonesia. Payment System regulatory reform will be supported by strengthening and harmonization of the functions and authority of Bank Indonesia in relation to licenses, supervision, and integrated data and/or information. It aims to create a fast, easy, affordable, safe, and reliable Payment System by observing access expansion and consumer protection. Payment System regulatory reform is directed to be able to restructure industry which prioritizes sound business practices and simplification of regulations through restructuring of regulatory framework and issuance of main regulation which may comprehensively cover Payment System ecosystem in line with development of digital economy and finance. II. ARTICLE BY ARTICLE Article 1 Sufficiently clear. Article 2 Achievement of Payment System operation objectives is also directed to support monetary stability and financial system stability.

• 4 - Article 3 Point a Sufficiently clear. Point b Sufficiently clear. Point c Sufficiently clear. Point d The use of innovative technology by the industry to ensure compliance with the provisions and to increase supervision effectiveness is known as regulatory technology. Technology-based supervision is known as supervisory technology. Point e Sufficiently clear. Article 4 Point a The term “mechanism” means series of phases and procedures for Payment System operation. Point b The term “infrastructure” means the entire technical device and/or system used for Payment System operation. Point c The term “institution” means matters related to parties conducting and/or supporting Payment System operation. Point d Source of Fund is administered in Source of Fund accounts among others in the form of electronic money user account, savings account, and/or credit facility account.

• 5 - The term “access to Source of Fund” means device, medium, and/or a set of procedures, including instruments and channels, to initiate payment transactions and/or provide access to Source of Fund for payment through a certain method or usage of technology. The certain method or usage of technology among others are the use of payment channels such as Electronic Data Capture (EDC), Automated Teller Machine (ATM), and Quick Response Code Indonesian Standard. Payment System components also apply to cross-border payment transactions between payor and payee which comply with different jurisdictions. Article 5 Paragraph (1) Sufficiently clear. Paragraph (2) Sufficiently clear. Paragraph (3) Point a The example of Payment System infrastructures at Bank Indonesia among others are Bank Indonesia – Real Time Gross Settlement (BI-RTGS) and Bank Indonesia National Clearing System (SKNBI). Point b The example of other parties which operate Payment System infrastructures in the industry among others are provider that operates clearing and/or final settlement for the interest of its members.

• 6 - Article 6 Point a The term “pre-transaction” means an preliminary activity to commence payment transaction processing among others to select consumers, card printing, card personalization, providing information of Source of Fund, and providing infrastructures such as terminal or reader. Point b The term “initiation” means an activity to initiate fund transfer order or instruction through device, medium, and/or a set of procedures by using certain method or technology in payment transactions, continued with forwarding activity of payment transaction data and authorization. Point c The term “authorization” means transaction approval after forwarding activity of payment transaction data have been conducted through the following:

1. verify or authenticate the identity of the owner of the Source of Fund who conducts payment transactions;
2. validate the access to Source of Fund and the processed payment transactions; and
3. ensure the adequacy of Source of Fund. Point d The term “clearing” means a process after a transaction occurs, which includes activities to reconcile, confirm, and calculate the rights and obligations of parties, indicating the final position of the rights and obligations of the parties prior to the settlement. Point e The term “settlement” means final and binding settlement activities through debiting and crediting of accounts of the parties

• 7 - against the financial rights and obligations of the parties involved in the payment transaction processing according to clearing result. Point f The term “post-transaction” means an activity after settlement of payment transaction is conducted, such as printing of invoices for completed transactions and submission of data and/or information on payment transactions accomplished by User. Article 7 Point a Sufficiently clear. Point b Sufficiently clear. Point c The authority to determine access to Payment System operation (entry policy) includes:

1. licenses among others: a. grant of PJP licenses; b. licenses validity; c. licenses extension and revocation; d. adjustment to license categories (bundling) and activities; and e. evaluation of licenses; and
2. designation among others: a. grant of designation to PIP; b. evaluation of designation; and c. revocation of designation. Point d Sufficiently clear.

• 8 - Point e The authority in Payment System infrastructure operation among others:

1. determine participation aspects, among others, criteria, institution, type, requirement, and obligation;
2. determine the procedure for infrastructure operation;
3. monitor participant’s compliance with the provisions for Payment System infrastructures; and
4. impose sanctions. The authority of Bank Indonesia in relation to Payment System infrastructure operation may be regulated in provisions of Bank Indonesia, agreement or bylaws, as well as provisions issued by SRO according to the approval of Bank Indonesia. Point f Sufficiently clear. Point g The authority to manage data and/or information on Payment System includes, among others collection of data and/or information on Payment System as well as determination of mechanism and integrated infrastructures of payment data. Point h Sufficiently clear. Article 8 Paragraph (1) Point a Sufficiently clear. Point b Policies on activity operation for PJP and PIP among others:

• 9 -

1. the price scheme, such as merchant discount rate (MDR), terminal usage fee (TUF), and transaction fee, determined under considerations, such as: a. acceptance expansion, efficiency, competition, services, and innovation; b. cost of recovery aspect with reasonable margin and risk level; c. amount and structure of tariff and fee; and d. not in contravention of the national policy;
2. the approval for and reporting on activity development, product development, and/or cooperation;
3. the scheme and arrangement involving the parties in electronic payment;
4. the use of central bank money, namely fund available in accounts administered at the central bank and may be used for completion of transactions or obligations, in the mechanism of domestic transactions settlement;
5. the standardization and certification, such as: a. standardization of access to Source of Fund, such as Quick Response Code Indonesian Standard and National Standard Indonesian Chip Card Specification for ATM Cards and/or Debit Cards; b. standardization of employee competency in Payment System operation; and c. other national standards determined by Bank Indonesia as standard which is required to be used by all Payment System service providers, such as open application programming interface (open API) standard and cyber-security standard for Payment System;

• 10 -

6. cyber-security and resiliency strategy of Payment System include among others: a. cyber-security standard; and b. capability of monitoring and mitigation of cyber incidents in Payment System;
7. interconnection and interoperability among others are determination of limit of instrument value and fund transfer nominal amount, including domestic and cross￾border remittance;
8. limit and scope of service;
9. limitation of Source of Fund scope;
10. implementation of supervision; and
11. domestic processing. Point c Data policy among others:
12. data processing;
13. implementation of personal data protection principle; and
14. the use of data infrastructures, both facilitated by Bank Indonesia and provided by a third party, in Payment System. Point d Exit policy of access to implementation of Payment System among others:
15. evaluation of license or designation; and
16. mechanism and completion period of obligations of Payment System provider whose license or designation is revoked or expired. Point e Sufficiently clear.

• 11 - Paragraph (2) Sufficiently clear. Article 9 Sufficiently clear. Article 10 Point a Sufficiently clear. Point b The SRO’s supports in the implementation of license, approval, and supervision process among others:

1. providing certification or formulating standard as fulfillment of requirements for license or approval; and
2. verifying and registering internal and external information system auditor. The formulated standards as fulfillment of requirements for license or approval among others:
3. standardization of scope and area of activity of information system audit or security test of Payment System infrastructures used by PJP and PIP or prospective PJP and PIP; and
4. standard, scope, methodology, and requirements for auditors in the activity of information system audit of PJP and PIP or prospective PJP and PIP. Point c Technical and micro provisions in Payment System issued by SRO may consist of SRO provisions and technical guidance.

• 12 - The example of SRO provisions among others the provision on debit instrument invoicing beyond the mechanism of Bank Indonesia National Clearing System (SKNBI). The example of technical guidance among others guidance for fund transfer activity through Payment System infrastructures of Bank Indonesia. Point d Standards determined by Bank Indonesia among others are Quick Response Code Indonesian Standard and National Standard Indonesian Chip Card Specification for ATM Cards and/or Debit Cards. Article 11 Sufficiently clear. Article 12 Paragraph (1) Point a Providing information of Source of Fund is known as account information services. Point b Sufficiently clear. Point c Administration of Source of Fund information is known as account issuance services. Point d Sufficiently clear. Paragraph (2) The implementation of account information services activity for payment initiation is conducted through cooperation and/or

• 13 - interconnection with PJP conducting account issuance services activities. Paragraph (3) The term “payment transaction forwarding” means: a. forwarding order or instruction of fund transfer through instrument, media, and/or a set of procedures through the use of a certain method or technology in payment transactions; and/or b. forwarding payment transaction data among others are data on instruments and payment transaction nominal amount. In conducting activities in the group of payment initiation and/or acquiring services, PJP may also operate one or more activities as follows: a. store data on Source of Fund and access to Source of Fund; b. process payment transactions using different instruments; c. acquire Goods and/or Services Providers; d. exchange fund with the banks for payment to Goods and/or Services Providers; and/or e. disburse fund to Goods and/or Services Providers. Paragraph (4) In conducting activities in the group of administration of Source of Fund, PJP may also conduct the following activities: a. administer Source of Fund accounts for payment; b. issue access to Source of Fund, among others are instruments based on certain media; c. have relation with the Service User; and d. execute fund transfer as an issued instrument feature. Paragraph (5) Sufficiently clear.

• 14 - Article 13 Paragraph (1) In conducting clearing and/or settlement, PIP may conduct forwarding activity of payment transaction data and other tasks related to clearing and/or settlement activities. The term “PIP members” means PJP, other PIP, and/or any other parties determined by Bank Indonesia. Paragraph (2) Sufficiently clear. Paragraph (3) Sufficiently clear. Article 14 Paragraph (1) Sufficiently clear. Paragraph (2) Point a Providing the technology for payment transaction processing includes providing the technology services and/or platform used by Payment System service provider in conducting payment transaction processing in the phases of initiation, authorization, clearing, and/or settlement. Providing the technology service for payment transaction processing among others are providing the authentication features for authorization of payment transaction, fraud management system, cloud computing, and card management system. Point b Providing the supporting services for other Payment System operation activities among others are providing the card

• 15 - printing, providing the card personalization, providing the terminal, providing the security features, and trading through electronic system provider facilitating payment transactions. Paragraph (3) Sufficiently clear. Article 15 Sufficiently clear. Article 16 Sufficiently clear. Article 17 Paragraph (1) Sufficiently clear. Paragraph (2) Sufficiently clear. Paragraph (3) Sufficiently clear. Paragraph (4) Inspection is conducted by on-site visits. Paragraph (5) Sufficiently clear. Article 18 Paragraph (1) Sufficiently clear. Paragraph (2) Institutional aspect in the form of ownership among others are shareholding composition and ownership structure.

• 16 - Paragraph (3) Sufficiently clear. Paragraph (4) Operational risk includes cyber-risk. Paragraph (5) Sufficiently clear. Article 19 Paragraph (1) Point a Assessment of Bank Indonesia on share ownership composition is conducted until the ultimate shareholder. Point b Sufficiently clear. Paragraph (2) Point a Assessment of Bank Indonesia on share ownership composition with voting rights is conducted collectively on each ownership level until the ultimate shareholder with the biggest voting right individually owned by a domestic party. Point b Sufficiently clear. Point c The term “general meeting of shareholders” means general meeting of shareholders as specified under the Law on Limited Liability Companies. The term “decision or approval in a general meeting of shareholders with significant impacts on a company” among others are change of articles of association, change of equity, appointment and dismissal of members of board of directors

• 17 - and/or members of board of commissioners, as well as merger, consolidation, acquisition, spin off, and liquidation. Paragraph (3) Sufficiently clear. Paragraph (4) Institutional aspect in the form of other control among others is control arising from: a. certain requirements or obligations specified under an agreement; and b. decision-making in PJP operational management. Paragraph (5) Sufficiently clear. Article 20 The example of additional data and/or information among others is document on data centre architecture. Article 21 Sufficiently clear. Article 22 Sufficiently clear. Article 23 Paragraph (1) The designation of PIP is conducted according to assessment of Bank Indonesia which may consider inputs from SRO and/or other related parties. Paragraph (2) Point a

• 18 - The impact on financial system stability among others is systemic risk in financial system arising from disruption on PIP infrastructures. Point b Public interest is considered among others by taking into account impacts of PIP designation on increasing Payment System efficiency which is useful for the wider community. Paragraph (3) Sufficiently clear. Article 24 Paragraph (1) Sufficiently clear. Paragraph (2) Institutional aspect in the form of ownership among others are share ownership composition and ownership structure. Paragraph (3) Sufficiently clear. Paragraph (4) Operational risk includes cyber-risk. Paragraph (5) Sufficiently clear. Article 25 Paragraph (1) Point a Assessment of Bank Indonesia on share ownership composition is conducted until the ultimate shareholder. Point b Sufficiently clear.

• 19 - Paragraph (2) Point a Assessment of Bank Indonesia on share ownership composition with voting rights is conducted collectively on each ownership level until the ultimate shareholder with the biggest voting right individually owned by a domestic party. Point b Sufficiently clear. Point c The term “general meeting of shareholders” means general meeting of shareholders as specified under the Law on Limited Liability Companies. The term “decision or approval in a general meeting of shareholders with significant impacts on a company” among others are change of articles of association, change of equity, appointment and dismissal of members of board of directors and/or members of board of commissioners, as well as merger, consolidation, acquisition, spin off, and liquidation. Paragraph (3) Sufficiently clear. Paragraph (4) Institutional aspect in the form of other control among others is control arising from: a. certain requirements or obligations specified under an agreement; and b. decision-making in PIP operational management. Paragraph (5) Sufficiently clear.

• 20 - Article 26 The example of additional data and/or information among others is document on data centre architecture. Article 27 Sufficiently clear. Article 28 The example of limitation of license and designation approval request among others is a party that has obtained a license as PJP may not submit any request for designation as PIP. Article 29 Sufficiently clear. Article 30 Sufficiently clear. Article 31 Paragraph (1) Sufficiently clear. Paragraph (2) Point a Sufficiently clear. Point b Sufficiently clear. Point c Sufficiently clear. Point d Sufficiently clear.

• 21 - Point e The laws and regulations include among others:

1. fair business competition;
2. electronic information and transaction;
3. anti-money laundering and countering the financing of terrorism;
4. consumer protection;
5. implementation of mandatory use of rupiah; and
6. personal data protection. Article 32 Paragraph (1) Sufficiently clear. Paragraph (2) The example of legal entity among others is cooperative. Article 33 Fulfillment of risk management aspect including prudential principle is adjusted to the size and complexity of PJP activities. Point a Scope of active supervision among others are determination of accountability, policy, and control process to manage risks which may arise from Payment System operation. Point b Availability of policies and procedures as well as fulfillment of organizational structure adequacy among others:
7. clear organizational structure and separation of duties or authority;
8. risk measurement method; and
9. risk management procedure.

• 22 - Point c Risk management process and risk management function, as well as human resources shall at least be fulfilled with a dedicated function for risk management. Point d Internal control of Payment System operation among others includes:

1. procedure and safety measurement which is conducted in providing services for Users;
2. audit trail of processed payment transactions;
3. adequate procedure to guarantee the integrity of data and/or information; and
4. measurement to protect confidentiality of data and/or information on Users. Article 34 Point a Sufficiently clear. Point b Point 1 Sufficiently clear. Point 2 Fraud management includes phases of prevention, detection, response, and monitoring. Fraud management implementation may be conducted among others by applying Fraud Detection System (FDS) at account level and transaction. Point 3 The term “certification and/or standard for system security and reliability system” means certification and/or standard

• 23 - that generally applicable or determined by Bank Indonesia or the relevant authority/institution adjusted to the types of activities conducted by PJP. Point 4 Sufficiently clear. Point c Implementation of cyber-security standard using approach of the aspects of governance, prevention, and resolution. Governance aspect shall at least includes strategy components and framework, clarity of authority and responsibility, as well as support of corporate culture. Prevention aspect shall at least includes components of identification, protection, and detection. Resolution aspect shall at least includes components of response and recovery, including communication. Point d Security of data and/or information among others is security of data and/or information on Users, payment instruments, and payment transactions. Point e Sufficiently clear. Article 35 Paragraph (1) Point a The term “interconnection and interoperability mechanism” among others are interconnection and interoperability mechanism of payment transaction processing as well as data processing.

• 24 - Point b The term “data infrastructure” among others is integrated data infrastructure which is facilitated by Bank Indonesia. Point c Sufficiently clear. Paragraph (2) Electronic system used for transaction processing at the phases of initiation, authorization, clearing, and settlement is placed in the data centre and disaster recovery centre within the territory of Republic of Indonesia. Paragraph (3) Sufficiently clear. Paragraph (4) Sufficiently clear. Paragraph (5) The approval of Bank Indonesia for payment transaction processing outside of the territory of Republic of Indonesia may be granted among others to: a. global reconciliation which does not constitute part of main activities of phases of initiation, authorization, clearing, and settlement; b. electronic system used for risk management in an integrated manner with PJP headquarter or main office/main entity office outside the Republic of Indonesia; and c. electronic system used for implementation of anti-money laundering and countering the financing of terrorism in an integrated manner with PJP headquarter or PJP main office outside the territory of Republic of Indonesia.

• 25 - Article 36 Sufficiently clear. Article 37 Sufficiently clear. Article 38 Paragraph (1) Sufficiently clear. Paragraph (2) Point a Sufficiently clear. Point b Sufficiently clear. Point c Sufficiently clear. Point d Sufficiently clear. Point e Availability of facilities and infrastructures for infrastructure operation among others consists of contingency and data communication network. Point f Procedure and mechanism for infrastructure operation among others include clearing and settlement mechanism. Point g Sufficiently clear. Point h The laws and regulations include among others:

1. fair business competition;

• 26 -

2. electronic information and transaction;
3. consumer protection;
4. implementation of mandatory use of rupiah; and
5. personal data protection. Article 39 Paragraph (1) Sufficiently clear. Paragraph (2) Point a Sufficiently clear. Point b Sufficiently clear. Point c The form of communication and collaboration with related parties among others is the implementation of education to participants. Point d Sufficiently clear. Article 40 Fulfillment of risk management aspect is adjusted to the size and complexity of PIP activities. Point a Scope of active supervision of board of directors and board of commissioners among others is determination of accountability, policy, and control process to manage risks which may arise from Payment System operation.

• 27 - Point b Availability of policies and procedures as well as fulfillment of organizational structure adequacy among others:

1. clear organizational structure and separation of duties or authority;
2. risk measurement method; and
3. risk management procedure. Point c Risk management process and risk management function, as well as human resources shall at least be fulfilled with a dedicated function for risk management. Point d Internal control of Payment System operation among others:
4. procedure and safety measurement in providing services for PIP members;
5. audit trail of processed payment transactions;
6. adequate procedure to guarantee the integrity of data and/or information; and
7. measurement to protect confidentiality of data and/or information on User. Article 41 Point a Sufficiently clear. Point b Point 1 Sufficiently clear. Point 2 Fraud management includes the phases of prevention, detection, response, and monitoring.

• 28 - Fraud management implementation may be conducted among others by applying Fraud Detection System (FDS) on account levels and transaction. Point 3 The term “certification and/or standard for system security and reliability” means certification and/or standard that generally applicable or determined by Bank Indonesia or the relevant authority/institution adjusted to the types of activities conducted by PIP. Point 4 Sufficiently clear. Point c Implementation of cyber-security standard using approach of the aspects governance, prevention, and resolution. Governance aspect shall at least include strategy components and framework, clarity of authority and responsibility, as well as support of corporate culture. Prevention aspect shall at least includes components of identification, protection, and detection. Resolution aspect shall at least includes components of response and recovery, including communication. Point d Security of data and/or information among others is security of data and/or information on User, payment instruments, and payment transactions. Point e Sufficiently clear. Article 42 Paragraph (1)

• 29 - Point a The term “interconnection and interoperability mechanism” among others are interconnection and interoperability mechanism of payment transaction processing as well as data processing. Point b The term “data infrastructure” among others is integrated data infrastructure which is facilitated by Bank Indonesia. Point c Sufficiently clear. Paragraph (2) Electronic system used for transaction processing at the phases of initiation, authorization, clearing, and settlement is placed in the data centre and disaster recovery centre within the territory of Republic of Indonesia. Paragraph (3) Sufficiently clear. Paragraph (4) Sufficiently clear. Paragraph (5) The approval of Bank Indonesia for payment transaction processing outside the territory of Republic of Indonesia may be granted among others to: a. global reconciliation which does not constitute part of main activities of phases of initiation, authorization, clearing, and settlement; b. electronic system used for risk management in an integrated manner with PIP headquarter or main office/main entity office outside the Republic of Indonesia; and

• 30 - c. electronic system used for implementation of anti-money laundering and countering the financing of terrorismin an integrated manner with PIP headquarter or PIP main office outside the territory of Republic of Indonesia. Article 43 Criteria and requirements for participants, scope of services, rights and obligations, dispute resolution mechanism, and monitoring of participant compliance are stipulated under Bank Indonesia provisions, agreement or bylaws, and/or provisions issued by SRO. Article 44 Sufficiently clear. Article 45 Sufficiently clear. Article 46 Sufficiently clear. Article 47 Sufficiently clear. Article 48 Determination of classification with the criteria of size, interconnectedness, complexity, and/or substitutability aim to identify Payment System industry structure based on its role and/or contribution in the national Payment System ecosystem.

• 31 - Article 49 Paragraph (1) Sufficiently clear. Paragraph (2) Point a Fulfillment of certain obligations in relation to capital among others include imposition of additional capital according to business performance, risk profile, and assessment of impacts on Payment System and financial system. Point b Fulfillment of certain obligations in relation to risk management and information system among others include fulfillment of standard operating procedure, information system capability, human resources, and organizations, such as obligation to have a certain special unit. Point c Sufficiently clear. Article 50 Sufficiently clear. Article 51 Sufficiently clear. Article 52 Sufficiently clear.

• 32 - Article 53 Paragraph (1) The term “activity development” means additional activities in the same license category. Product development among others includes additional or development of features, additional of types of access to Source of Fund in the form of instrument or canal, platform replacement, system replacement, and infrastructure relocation. Paragraph (2) Sufficiently clear. Article 54 Paragraph (1) Sufficiently clear. Paragraph (2) Point a The examples of activity development, product development, and/or cooperation with other parties categorized as low risk are as follows:

1. design change in ATM/Debit cards, credit cards, and chip-based electronic money;
2. co-branding cooperation with another party, whose role is only as a marketing agent; and
3. additional variations of card-based means of payment, such as silver, gold, or platinum credit cards. Point b Sufficiently clear. Point c Sufficiently clear.

• 33 - Article 55 Sufficiently clear. Article 56 Sufficiently clear. Article 57 Supporting documents for fulfillment of requirements are adjusted to risk categories. Article 58 Sufficiently clear. Article 59 Point a Sufficiently clear. Point b Sufficiently clear. Point c Sufficiently clear. Point d Inspection is conducted by on-site visit. Article 60 Sufficiently clear. Article 61 Paragraph (1) Point a

• 34 - Assessment of Supporting Provider is conducted prior to cooperation implementation, among others to ensure fulfillment of the following aspects:

1. legality and profile of Supporting Provider;
2. performance of Supporting Provider;
3. fulfillment of principle of security and reliability of information system and infrastructures by Supporting Provider;
4. capability or competency of Supporting Provider; and
5. fulfillment of the laws and regulations on services provided under cooperation. Point b Sufficiently clear. Paragraph (2) Point a Sufficiently clear. Point b Implementation of risk management by Supporting Provider includes among others implementation of periodic information system audit, strengthening of business continuity plan, and mitigation of single point of failure. Implementation of risk management is conducted in an integrated manner in each phase in the usage of Supporting Provider from the process of planning, procurement, development, operation, maintenance, until termination of cooperation. Point c Availability of access to Supporting Provider by Bank Indonesia includes among others access to data or

• 35 - information, system and infrastructure, and human resources. Article 62 Certain requirement on Supporting Provider is conducted to ensure prudential aspect in the event of fund escrow exists prior to payment forwarding. The form of certain requirement among others is service level agreement on payment forwarding from Supporting Provider to Goods and/or Services Provider such as:

1. limitation of period; and
2. limitation of gained benefit. Article 63 Point a The term “considering reciprocal aspect” means Bank Indonesia considers among others are the policy and/or provisions of payment system in a domiciled country of payment system service provider to be invited for cooperation, and also allows implementation of payment system activities by PJP and PIP in the country. Point b The term “considering equal standard for risk management implementation” means Bank Indonesia considers among others are the policy and/or provisions of payment system in a domiciled country of payment system service Provider to be invited for cooperation, has risk mitigation impelementation standard which is at least equal to the standard of risk mitigation implementation required to PJP and PIP according to the laws and regulations in the territory of Republic of Indonesia.

• 36 - Point c The term “considering benefits for the economy of Indonesia” means Bank Indonesia considers among others is the cooperation may increase efficiency, inclusivity, and support digital economy and finance within the territory Republic of Indonesia. Article 64 Sufficiently clear. Article 65 Sufficiently clear. Article 66 Point a Sufficiently clear. Point b Sufficiently clear. Point c Sufficiently clear. Point d Corporate ownership structure includes share ownership composition and corporate control. Point e Sufficiently clear. Article 67 Sufficiently clear.

• 37 - Article 68 Point a Sufficiently clear. Point b Sufficiently clear. Point c The term “credit facility” means credit facility provided through credit card instrument or any other instruments with characteristics, features, and business models as same as credit card. Point d Sufficiently clear. Point e Sufficiently clear. Point f Sufficiently clear. Article 69 Point a The term “credit transfer” means series of fund transfer between a payor and payee where the fund transfer order is initiated by the payor. Point b The term “debit transfer” means series of fund transfer between a payor and payee consisting the activity of payment request and payment execution where the fund transfer order is initiated by the payee. Article 70 Certain requirement for the use Source of Fund and access to the

• 38 - Source of Fund among others are use of access to the Source of Fund, cooperation with PJP and/or PIP, and scheme or arrangment of payment processing. Article 71 Prudential aspect related to Source of Fund and access to Source of Fund among others:

1. procedure of administration of Source of Fund, including mandatory of accounting, management, and/or fund placement;
2. usage features;
3. transaction nominal amount or volume;
4. validity; and/or
5. fund escrow period. The determination of criteria for the scope, usage features, and mandatory to fulfill prudential aspect is conducted by considering progress of the transactions and interconnection in payment ecosystem. Article 72 Sufficiently clear. Article 73 Sufficiently clear. Article 74 Paragraph (1) Access to Source of Fund connected to integrated payment interface is prioritized for account-based instruments and uses mobile or internet channels.

• 39 - Paragraph (2) Sufficiently clear. Article 75 Paragraph (1) Sufficiently clear. Paragraph (2) Consideration of designation as systemic financial market infrastructures is adjusted to the types and characteristics of Payment System infrastructures to be designated. Point a Sufficiently clear. Point b Sufficiently clear. Point c Sufficiently clear. Point d Sufficiently clear. Point e Sufficiently clear. Point f The term “availability of immediate substitute Payment System infrastructures” means availability of other Payment System infrastructures which may substitute the function of the Payment System infrastructure in a prompt manner. Point g Other considerations such as adjustment to the international standard.

• 40 - Article 76 Paragraph (1) The term “international standards” among others are Principles for Financial Market Infrastructures issued by Bank for International Settlements – Committee on Payment and Settlement Systems (CPSS) and International Organization of Securities Commissions (IOSCO). Paragraph (2) Point a Aspects of Infrastructure operation includes:

1. legal basis;
2. governance;
3. framework for comprehensive management of risks;
4. credit risk;
5. collateral;
6. liquidity risk;
7. settlement finality;
8. money settlements;
9. exchage-of-value settlement systems
10. participant default rules and procedures ;
11. general business risk;
12. custody and investment risks;
13. operational risk;
14. access participation requirements;
15. tiered participation arrangements;
16. efficiency and effectiveness;
17. communication procedures and standard; and
18. disclosure of rules, key procedures, and market data.

• 41 - Point b The aspect of Bank Indonesia’s responsibility as the authority in conducting oversight includes:

1. regulation and oversight on financial market infrastructures;
2. authority and resources for regulation and oversight;
3. disclosure of policies on financial market infrastructures;
4. implementation of financial market infrastructure principles; and
5. cooperation with other authorities. Paragraph (3) Sufficiently clear. Article 77 Sufficiently clear. Article 78 Sufficiently clear. Article 79 Sufficiently clear. Article 80 The term “innovative technology” means technology used in the ecosystem of digital economy and finance which may support Payment System operation such as:
6. use of un-tested technology;
7. use of technology with limited use;
8. use of non-standardized technology; and/or

• 42 -

4. use of new technology, which may impact financial system and Payment System. Article 81 Monitoring and detection may be used among others for policy formulation, regulation, license, approval, and supervision. Article 82 Point a Sufficiently clear. Point b Innovation testing of policy or provisions for Payment System among others is the use of digital signature technology on the provisions for Payment System operation. Point c Innovation testing used in Payment System industry which shall be encouraged to be widely used among others are the use of technology in the application programming interface, biometric, and Quick Response Code Indonesian Standard (QRIS). Article 83 Sufficiently clear. Article 84 Other parties among others is the relevant ministry or institution. Article 85 Sufficiently clear.

• 43 - Article 86 Sufficiently clear. Article 87 Sufficiently clear. Article 88 Parties cooperating with PJP and PIP among others are Supporting Provider or any other parties cooperating with PJP and/or PIP in facilitating payment transactions. Payment System Infrastructures operated by Bank Indonesia among others systemic Payment System infrastructure. Article 89 Paragraph (1) Point a Off-site supervision is conducted through monitoring, identification, and/or assessment of PJP and PIP through analysis of reports, data, and information obtained by Bank Indonesia. Point b On-site supervision is conducted through periodic and/or occasional inspection of PJP and PIP and parties cooperating with PJP and PIP face to face or by any other mechanisms determined by Bank Indonesia. Inspection among others is conducted on documents, infrastructures, and information system used by PJP and PIP. Paragraph (2) Sufficiently clear.

• 44 - Article 90 Point a Compliance aspect with the laws and regulations among others are the implementation of consumer protection and anti-money laundering and countering the financing of terrorism. PJP and PIP risks consist of operational risk, settlement risk, legal risk, reputation risk, and strategic risk. Operational risk among others are risk on information system and cyber-risk. Settlement risk among others are risk of unfulfillment of rights and/or obligations of payment transactions of PJP and/or PIP to User and/or cooperating parties. PJP and PIP risks are assessed to PJP and PIP individually and in an integrated manner which constitutes part of conglomerate business group. Point b The implementation of governance and risk management principle among others:

1. active supervision by board of directors and board of commissioners;
2. adequacy of internal policy and procedure;
3. adequacy of risk identification and mitigation process; and
4. internal control. Point c Sufficiently clear. Article 91 Mechanism, intensity, and focus of supervision is conducted by Bank Indonesia considering classifications of PJP or PIP based on risks,

• 45 - including fulfilling additional obligations in accordance with classification result. Article 92 Sufficiently clear. Article 93 Paragraph (1) Point a Sufficiently clear. Point b Sufficiently clear. Point c Access to information system among others are data and/or information accommodated in the information system. Point d Sufficiently clear. Paragraph (2) Including accuracy of data and/or information obtained through access to infrastructure and/or information system. Paragraph (3) Sufficiently clear. Article 94 Paragraph (1) Integrated supervision is conducted to: a. identify and mitigate risk exposure arising from conglomeration which may affect sustainability of business and operational activities of PJP and/or PIP. Risk exposure

• 46 - may come from activities of parent companies, subsidiaries, and/or any other affiliated parties; and b. ensure fulfillment of the aspects of institutional and legal, business feasibility, governance, and risk management by PJP and/or PIP. Paragraph (2) Sufficiently clear. Article 95 Sufficiently clear. Article 96 Sufficiently clear. Article 97 Sufficiently clear. Article 98 The term “Bank Indonesia provisions” among others are provisions for data confidential obligation. Article 99 Sufficiently clear. Article 100 Sufficiently clear. Article 101 Paragraph (1) Sufficiently clear.

• 47 - Paragraph (2) Point a Sufficiently clear. Point b Sufficiently clear. Point c Sufficiently clear. Point d Sufficiently clear. Point e Sufficiently clear. Point f Sufficiently clear. Point g Other considerations among others are development and business sustainability of PJP and PIP. Paragraph (3) Sufficiently clear. Article 102 Sufficiently clear. Article 103 Sufficiently clear. Article 104 Sufficiently clear. Article 105 Paragraph (1)

• 48 - The examples of data and/or information on Payment System are reports, documents, data, information, details, and/or explanation related to: a. Payment System operation such as consumer complaint, fraud, incident, and cyber-interference. b. oversight of compliance of Payment System infrastructure members conducted by Bank Indonesia such as the aspects of governance, operation, infrastructure, business continuity plan related to incident and cyber-interference, fraud, and consumer protection. c. payment transaction, such as instrument, nominal amount, and payment channel; d. payment transaction underlying, such as profile of Goods and/or Services Provider, profile of User, payment method, transaction area, and product; and e. PJP and PIP performance, such as financialreport, business performance report, statement of change of equity, and business plan of PJP and/or PIP. Paragraph (2) Other parties cooperating with PJP and PIP among others are trading through electronic system provider facilitating payment transactions and Goods and/or Services Provider. The examples of data and/or information on Payment System are:

1. report, document, data, information, details, and/or explanation related to payment transaction, such as instrument, nominal amount, and payment channel; and
2. payment transaction underlying, such as profile of Goods and/or Services Provider, profile of User, payment method, transaction area, and product.

• 49 - Article 106 Point a Submissions of reports to Bank Indonesia may be conducted online through Bank Indonesia system in periodic or incidental manner. Point b Data capturing may be conducted directly and real time among others through data infrastructures operated by Bank Indonesia, other authority, or providing access of information system to Bank Indonesia. Point c Submission of data and/or information through other mechanisms among others submission of data and/or information in a meeting between Bank Indonesia or any other medium. Article 107 Paragraph (1) Point a Implementation of Personal data protection principle is conducted in accordance with the laws and regulations and/or international standards on personal data protection. Point b Mechanism of processing of data and/or information related to Payment System may consist of:

1. mechanism of processing of data and/or information on payment between User and PJP or PIP;
2. mechanism of processing of data and/or information on payment between PJP or PIP;
3. mechanism of processing of data and/or information on payment between PJP or PIP and Bank Indonesia;

• 50 -

4. mechanism of processing of data and/or information on payment between User;
5. mechanism of processing of data and/or information on payment between User and Bank Indonesia. Data infrastructures of Bank Indonesia among others are information system and data infrastructures operated by Bank Indonesia such as integrated payment interface and data hub, or operated by parties appointed by Bank Indonesia. The infrastructures of Bank Indonesia Payment System among others are infrastructures used to operate or facilitate clearing and/or settlement of payment transactions. Point c Utilization of third-party data infrastructures among others is the use of cloud computing. Point d Cyber-risk management shall at least include the aspect of governance, prevention, and resolution. Point e Sufficiently clear. Paragraph (2) Point a Sufficiently clear. Point b Mechanism of processing of data and/or information related to Payment System conducted by standardization among others is standardization of open application programming interface (open API). Point c Sufficiently clear.

• 51 - Article 108 Paragraph (1) Laws and regulations on personal data protection among others is include the obligation of consumer consent of User for the use of their personal data. Paragraph (2) Individual consumer data exchange occurs more efficiently through data management infrastructures and/or Payment System infrastructures in an integrated manner which may be conducted by PJP and/or PIP among others is to develop innovation of new product and service to increase consumer experience and financial inclusion or access. Article 109 Paragraph (1) Laws and regulations on personal data among others is obligation of consumer consent of User for the use of their personal data. Paragraph (2) Sufficiently clear. Article 110 Sufficiently clear. Article 111 Sufficiently clear. Article 112 Coordination with any other authorities, institutions, and/or other parties is conducted among others are through domestic and foreign cooperation.

• 52 - Coordination among others:

1. use of integrated infrastructures of data and/or information;
2. exchange of data and/or information;
3. policy formulation, preparation of provisions, recommendation for license and/or approval, as well as implementation of supervision;
4. facilitating and testing of payment system technology innovations; and
5. participation in international fora and fulfillment of international best practices. Article 113 Policy communication may be conducted by Bank Indonesia in a broad or limited manner, oral or in writing, among others through official publications or statements of Bank Indonesia officials. The examples of policy communication by Bank Indonesia are press release, frequently asked questions, guideline, business model catalog, dissemination, and meeting with industry. Article 114 Sufficiently clear. Article 115 Sufficiently clear. Article 116 Sufficiently clear. Article 117 Sufficiently clear.

• 53 - Article 118 Paragraph (1) The term “change of foreign share ownership composition” means foreign share ownership composition which materially and/or significantly changes. Paragraph (2) Sufficiently clear. Paragraph (3) Sufficiently clear. Paragraph (4) Sufficiently clear. Paragraph (5) Sufficiently clear. Article 119 Sufficiently clear. Article 120 Sufficiently clear. Article 121 Sufficiently clear. Article 122 Sufficiently clear. SUPPLEMENT TO THE STATE GAZETTE OF THE REPUBLIC OF INDONESIA NUMBER 6610