The Financial Services Authority (OJK) issued Regulation of the Board of Commissioners Number 1 of 2026 to mandate comprehensive information technology governance and risk management for all commercial banks. The regulation requires banks to establish robust IT governance structures, manage IT risks including data protection, and obtain licensing for IT systems and services located outside Indonesia. This regulation supersedes previous guidelines and becomes effective on March 1, 2026, to ensure IT utilization adds value while mitigating operational risks.
Regulation of the Board of Commissioners of the Financial Services Authority Number 1 of 2026 concerning Information Technology Management by Commercial Banks
Abstract: Information Technology (IT) plays an important role in supporting the operations and business of the banking industry. The very rapid development of IT offers various alternative solutions and conveniences for the banking industry. On the other hand, increased utilization of IT can also give rise to risks that need to be identified, mitigated, and even controlled, so as not to disrupt banking business. Therefore, Banks need to strengthen governance in IT management so that IT utilization can add value to the Bank through resource optimization to mitigate the risks faced by the Bank.
The Legal Basis for this Regulation of the Board of Commissioners of the Financial Services Authority (PADK OJK) is: Law No. 21 of 2011 as amended by Law No. 4 of 2023; and POJK No. 11/POJK.03/2022.
This PADK OJK regulates, among other things:
a. Implementation of IT governance aspects, including the roles and responsibilities of the Board of Directors, Board of Commissioners, IT Steering Committee, and IT operational units;
b. The process of developing IT architecture and IT strategic plans;
c. IT risk management processes, including information security and communication network security;
d. Use of IT service providers;
e. Licensing for the placement of electronic systems and IT-based transaction processing outside the territory of Indonesia;
f. Data management and personal data protection;
g. Provision of IT services by banks;
h. Internal control and audit; and
i. Reporting.
Notes: This PADK OJK takes effect on March 1, 2026. This PADK OJK was established on January 23, 2026. Guidelines for IT management by commercial banks refer to Appendix I, which is an integral part of this PADK OJK. The procedure for submitting reports and permission requests in IT management refers to Appendix II, which is an integral part of this PADK OJK. The format for reports and notifications in IT management refers to Appendix III, which is an integral part of this PADK OJK. The format for permission requests and realization reports in IT management refers to Appendix IV, which is an integral part of this PADK OJK. Upon the entry into force of this PADK OJK, the provisions referred to in the Circular Letter of the Financial Services Authority Number 21/SEOJK.03/2017 concerning the Implementation of Risk Management in the Use of Information Technology by Commercial Banks are revoked and declared invalid. This PADK OJK applies to all Commercial Banks.