Bank Indonesia Circular Letter No. 11/10/DASP on Management of Card-Based Payment Instrument Activities

No. 11/10/DASP Jakarta, 13 April 2009 CIRCULAR LETTER Subject: Management of Card-Based Payment Instrument Activities In regard to the promulgation of Bank Indonesia Regulation Number 11/11/PBI/2009 dated 13 April 2009 concerning Management of Card-Based Payment Instrument Activities (State Gazette of the Republic of Indonesia Number 64 of 2009, Supplement to the State Gazette of the Republic of Indonesia Number 5000), and to support the smooth and effective management of card-based payment instrument activities, it is necessary to stipulate further regulatory provisions concerning the management of card-based payment instrument activities in a Circular Letter of Bank Indonesia. I. REQUIREMENTS AND PROCEDURE FOR LICENSING AS PRINCIPAL A. Parties Eligible to Conduct Activities as Principal Activities as Principal may be conducted by a Bank or Non-Bank Institution B. Application for Licence as Principal A Bank or Non-Bank Institution intending to conduct activities as Principal is required to be licensed by Bank Indonesia. An application for licence to conduct activities as Principal shall be submitted to Bank Indonesia in writing in the Indonesian language and shall state at least the following information: Unofficial Translation

2

1. type of Card-Based Payment Instrument (CBPI) activities to be provided;
2. schedule for launching of activities; and
3. name of the network to be used. C. Required Documents for Bank Acting as Principal For a Bank, a licence application as referred to in letter B shall enclose the following documents:
4. photocopy of the Bank Business Plan for the current year, including the plan for Bank activities as Principal;
5. draft business arrangement between the prospective Principal and Issuers, Acquirers, Clearing Providers, Settlement Providers and/or other parties, acknowledged by the management, and stating at least the following: a. requirements for Issuers, Acquirers, Clearing Providers, Settlement Providers and/or other parties intending to use the network of the Principal; b. operating procedures for Issuers, Acquirers, Clearing Providers, Settlement Providers and/or other parties intending to cooperate with the Principal; and c. plan for implementing cooperation with Issuers, Acquirers, Clearing Providers, Settlement Providers and/or other parties;
6. business analysis 1 (one) year forward for management of activities to be conducted as Principal, describing at least:

3 a. existing market potential; b. business competition analysis; c. plan for cooperation with Issuers, Acquirers, Clearing Providers, Settlement Providers and/or other parties, including numbers and their names; d. planned territorial coverage of operation; and e. forecast of targeted revenues; 4. evidence of legal instrument readiness, covering: a. draft written agreement or highlights of written agreement between the prospective Principal and Issuers, Acquirers, Clearing Providers, Settlement Providers and/or other parties, among others stating clauses in regard to:

1. agreement on use of the Principal's network in the management of CBPI activities;
2. rights and obligations of the individual parties;
3. plan for launching of the cooperation;
4. time frame for the cooperation; and
5. procedure and mechanism for resolution of disputes that may arise among the parties; b. draft of the rights and obligations of the parties, such as provisions prescribing the rights and obligations of the Principal, Issuers, Acquirers, Clearing Providers, Settlement Providers and/or other parties; and

4 c. procedure and mechanism for resolution of disputes arising between the Principal and Issuers, Acquirers, Clearing Providers, Settlement Providers and/or other parties; 5. disaster recovery plan and business continuity plan for effective resolution and minimising of problems arising from unforeseen events that may disrupt the smooth operation of the CBPI system; 6. photocopy of information technology audit by an internal or external independent auditor as evidence of use of proven technology in management of CBPIs, encompassing at least compliance with system and/or network security requirements as referred to in item VII F; and 7. photocopy of recommendation from the Sharia Supervisory Board for activities to be conducted by the Principal, specifically for a Bank conducting business based on Sharia principles. D. Required Documents for Non-Bank Institution Acting as Principal For a Non-Bank Institution, a licence application as referred to in letter B shall enclose the following documents:

1. company profile, stating among others the plan for activities as Principal;
2. photocopy of deed of incorporation including any amendments thereto, validated by the competent authority, which must be legalised by a competent party/official;

5 3. draft business arrangement between the prospective Principal and Issuers, Acquirers, Clearing Providers, Settlement Providers and/or other parties, acknowledged by the management, and stating at least the following: a. requirements for Issuers, Acquirers, Clearing Providers, Settlement Providers and/or other parties intending to use the network of the Principal; b. operating procedures for Issuers, Acquirers, Clearing Providers, Settlement Providers and/or other parties intending to cooperate with the Principal; and c. plan for implementation of cooperation with Issuers, Acquirers, Clearing Providers, Settlement Providers and/or other parties; 4. business analysis 1 (one) year forward for management of activities as Principal, describing at least the following: a. existing market potential; b. business competition analysis; c. plan for cooperation with Issuers, Acquirers, Clearing Providers, Settlement Providers and/or other parties, including numbers and their names; d. planned territorial coverage of operations; and e. forecast of targeted revenues; 5. evidence of legal instrument readiness, covering:

6 a. draft of the written agreement or highlights of written agreement between the prospective Principal and Issuers, Acquirers, Clearing Providers, Settlement Providers and/or other parties, among others stating clauses with regard to:

1. agreement concerning use of the Principal's network in the management of CBPI activities;
2. rights and obligations of the individual parties;
3. plan for implementation of the cooperation;
4. time frame for the cooperation; and
5. procedure and mechanism for resolution of disputes that may arise among the parties; b. draft of the rights and obligations of the parties, such as provisions prescribing the rights and obligations of the Principal, Issuers, Acquirers, Clearing Providers, Settlement Providers and/or other parties; and c. procedure and mechanism for resolution of disputes arising between the Principal and Issuers, Acquirers, Clearing Providers, Settlement Providers and/or other parties;

6. disaster recovery plan and business continuity plan for effective resolution and minimising of problems arising from unforeseen events that may disrupt the smooth operation of the CBPI system;
7. photocopy of the information technology audit by an independent internal or external auditor as evidence of use of proven technology

7 in operation of CBPIs, encompassing at least compliance with system and/or network security requirements as referred to in item VII F; 8. photocopy of recommendation from Sharia Supervisory Board for CPBI activities to be conducted, specifically for a Non-Bank Institution conducting business based on sharia principles; and 9. written recommendation from the supervisory authority for the Non￾Bank Institution, if the Non-Bank Institution has a supervisory authority. This recommendation shall cover at least financial condition, operational readiness and the regulatory compliance of the Non-Bank Institution, including information that the Non-Bank Institution is not prohibited from conducting activities as Principal, and other information concerning issues faced by that Non-Bank Institution. II. REQUIREMENTS AND PROCEDURE FOR LICENSING AS ISSUER A. Parties Eligible to Conduct Activities as Issuer Activities as Issuer of Credit Cards, ATM Cards and/or Debit Cards may be conducted by a Bank or Non-Bank Institution. B. Requirements for a Non-Bank Institution Intending to Act as Issuer A Non-Bank Institution intending to conduct activities as Issuer of Credit Cards, ATM Cards and/or Debit Cards shall satisfy the following requirements:

8

1. A Non-Bank Institution eligible to act as Credit Card Issuer is a Non-Bank Institution licensed by the Ministry of Finance of the Republic of Indonesia as a finance company that in principle may conduct Credit Card business.
2. A Non-Bank Institution eligible to act as Issuer of ATM Cards and/or Debit Cards is a Non-Bank Institution authorised to mobilise deposit funds from the public pursuant to the laws governing that Non-Bank Institution. C. Application for Licence as Issuer A Bank or Non-Bank Institution intending to conduct activities as Issuer, whether as Issuer of Credit Cards, ATM Cards and/or Debit Cards, is required to obtain a licence from Bank Indonesia for each of these activities as CBPI Issuer. The licence application shall be submitted to Bank Indonesia in writing in the Indonesian language, and shall state at least the following information:
3. type of CBPI activities to be conducted;
4. schedule for launching of activities; and
5. product name to be used. D. Required Documents for Bank Acting as Issuer For a Bank, a licence application as referred to in letter C shall enclose the following documents:
6. photocopy of the Bank Business Plan for the current year, stating the plan for Bank activities as Issuer;

9 2. draft business arrangement between the prospective Issuer and Principals, Acquirers, Clearing Providers, Settlement Providers and/or other parties, acknowledged by the management and stating at least the following: a. operating procedures for Principals, Acquirers, Clearing Providers, Settlement Providers and/or other parties intending to cooperate with the Issuer; and b. plan for implementing cooperation with Principals, Acquirers, Clearing Providers, Settlement Providers and/or other parties; 3. business analysis 1 (one) year forward for operation of activities to be conducted as Issuer, describing at least: a. existing market potential; b. targeted market segment and competition analysis; c. targeted number of Card Holders to be achieved; d. planned cooperation with Principals, Acquirers, Clearing Providers, Settlement Providers and/or other parties, including numbers and their names; e. planned territorial coverage of operations; and f. forecast of targeted revenues; 4. evidence of legal instrument readiness, covering: a. photocopy of the written agreement or highlights of the written agreement between the Issuer and Principals, Acquirers, Clearing Providers, Settlement Providers and/or other parties;

10 The highlights of the written agreement shall state, among others, clauses with regard to:

1. agreements between the Issuer and Principals, Acquirers, Clearing Operators, Settlement Operators and/or other parties concerning management of CBPI activities;
2. rights and obligations of the individual parties;
3. plan for implementation of the cooperation;
4. time frame for the cooperation; and
5. procedure and mechanism for resolution of disputes that may arise between the parties, If the prospective Issuer is a branch office of a foreign Bank, and the agreement with Principals constitutes a Global Agreement between the head office of the Bank and Principals, it is sufficient for the branch office of the foreign Bank to submit a photocopy of that Global Agreement; b. draft of the rights and obligations of the parties, such as provisions prescribing the rights and obligations of the Issuer, Principals, Acquirers, Clearing Providers, Settlement Providers, Card Holders and/or other parties; and c. procedure and mechanism for resolution of disputes arising between the Issuer and Principals, Acquirers, Clearing Operators, Settlement Operators, Card Holders and/or other parties;

11 5. evidence of readiness of risk management, encompassing at least management of liquidity risk, management of credit risk, management of operational risk and/or management of risks in use of information technology as follows: a. Internal regulations prescribing the active oversight by the board of commissioners and board of directors, covering at least the following:

1. provisions prescribing accountability, policy and control processes for management of risks arising from card issuance; and
2. approval and review of the key aspects of the security control procedures for card issuance; b. Security control procedures for card issuance, stating at least rules for the following:
3. security procedures and measures carried out in the issuance of cards, such as printing and delivery of the Personal Identification Number (PIN) and delivery of cards to Card Holders;
4. segregation of tasks between the processes of application, approval and billing;
5. powers or controls in the approval of prospective Card Holders;

12 4) measures for authentication of identity and authorisation of customers conducting CBPI transactions; 5) audit trail of Card Holder transactions; 6) adequate procedures to guarantee integrity of data, records or archives and information on CBPI transactions; and 7) measures to protect the confidentiality of Card Holder information; c. Procedures for control of reputational and operational risk, stating at least the following:

1. disclosure of information on the benefits and risks of the product before the customer becomes a Card Holder; and
2. disaster recovery plan and business continuity plan for effective resolution and minimising of problems arising from unforeseen events that may disrupt the smooth operation of the CBPI system; d. Evidence of operational readiness, covering at least the following:
3. planned organisational structure and readiness of human resources; and
4. plan for business equipment and facilities, stating at least information on the following:

13 a) office location or space to be used for operational activities; and b) hardware and software and the network to be used; 6. photocopy of information technology audit by an independent auditor as evidence of use of proven technology in management of CBPIs, encompassing at least compliance with system and/or network security requirements as referred to in item VII F; and 7. photocopy of recommendation from the Sharia Supervisory Board for activities to be conducted as Issuer, specifically for a Bank conducting business based on sharia principles. E. Required Documents for Non-Bank Institution Acting as Issuer For a Non-Bank Institution, a licence application as referred to in letter C shall enclose the following documents:

1. company profile, stating among others the plan for activities as Issuer;
2. photocopy of the deed of incorporation of legal entity including amendments thereto, if any, validated by the competent authority, which must be legalised by a competent party or official;
3. draft business arrangement between the prospective Issuer and the Principals, Acquirers, Clearing Providers, Settlement Providers and/or other parties, acknowledged by the management and stating at least the following:

14 a. operating procedures for Principals, Acquirers, Clearing Providers, Settlement Providers and/or other parties intending to cooperate with the Issuer; and b. plan for implementing cooperation with Principals, Acquirers, Clearing Providers, Settlement Providers and/or other parties; 4. business analysis 1 (one) year forward for operation of activities to be conducted as Issuer, describing at least the following: a. existing market potential; b. targeted market segment and competition analysis; c. targeted number of Card Holders to be achieved; d. planned cooperation with Principals, Acquirers, Clearing Providers, Settlement Providers and/or other parties, including numbers and their names; e. planned territorial coverage of operations; and f. forecast of targeted revenues; 5. evidence of legal instrument readiness, covering: a. photocopy of the written agreement or highlights of the written agreement between the Issuer and Principals, Acquirers, Clearing Providers, Settlement Providers and/or other parties. The highlights of the written agreement shall state, among others, clauses with regard to:

15

1. agreements between the Issuer and Principals, Acquirers, Clearing Providers, Settlement Providers and/or other parties concerning management of CBPI activities;
2. rights and obligations of the individual parties;
3. plan for launching of the cooperation;
4. time frame for the cooperation; and
5. procedure and mechanism for resolution of disputes that may arise among the parties; b. draft of the rights and obligations of the parties, such as provisions prescribing the rights and obligations of the Issuer, Principals, Acquirers, Clearing Providers, Settlement Providers, Card Holders and/or other parties; and c. procedure and mechanism for resolution of disputes arising between the Issuer and Principals, Acquirers, Clearing Providers, Settlement Providers, Card Holders and/or other parties;

6. evidence of readiness of risk management, encompassing at least management of liquidity risk, management of credit risk, management of operational risk and/or management of risks in use of information technology as follows: a. Internal regulations prescribing the active oversight by the board of commissioners and board of directors, covering at least the following:

16

1. provisions prescribing accountability, policy and control processes for management of risks arising from card issuance; and
2. approval and review of the key aspects of the security control procedures for card issuance; b. Security control procedures for card issuance, stating at least rules for the following:
3. security procedures and measures carried out in the issuance of cards, such as printing and delivery of PIN numbers and delivery of cards to Card Holders;
4. segregation of tasks between the processes of application, approval and billing;
5. powers or controls in the approval of prospective Card Holders;
6. measures for authentication of identity and authorisation of customers conducting CBPI transactions;
7. audit trail of Card Holder transactions;
8. adequate procedures to guarantee integrity of data, records or archives and information on CBPI transactions; and
9. measures to protect the confidentiality of Card Holder information;

17 c. Procedures for control of reputational and operational risk, stating at least the following:

1. disclosure of information on the benefits and risks of the product before the customer becomes a Card Holder; and
2. disaster recovery plan and business continuity plan for effective resolution and minimising of problems arising from unforeseen events that may disrupt the smooth operation of the CBPI system; d. Evidence of operational readiness, covering at least the following:
3. planned organisational structure and readiness of human resources; and
4. plan for business equipment and facilities, stating at least information on the following: a) office location or space to be used for operational activities; and b) hardware and software and the network to be used;

7. photocopy of the information technology audit by an independent internal or external auditor as evidence of use of proven technology in CBPI operations, encompassing at least compliance with security requirements as referred to in item VII F;
8. written recommendation from the supervisory authority for the Non￾Bank Institution, if the Non-Bank Institution has a supervisory

18 authority. This recommendation shall cover at least financial condition, operational readiness and the regulatory compliance of the Non-Bank Institution, including information that the Non-Bank Institution is not prohibited from conducting activities as Issuer, and other information concerning issues faced by that Non-Bank Institution; and 9. photocopy of recommendation from the Sharia Supervisory Board for activities to be conducted as Issuer, specifically for a Non-Bank Institution conducting business based on sharia principles. III. REQUIREMENTS AND PROCEDURE FOR LICENSING AS ACQUIRER A. Parties Eligible to Conduct Activities as Acquirer Activities as Credit Card and/or Debit Card Acquirer may be conducted by a Bank or Non-Bank Institution. B. Application for Licence as Acquirer A Bank or Non-Bank Institution intending to conduct activities as Credit Card and/or Debit Card Acquirer is required to obtain a licence from Bank Indonesia for each activity as Acquirer of Credit Cards and/or Debit Cards. The licence application shall be submitted to Bank Indonesia in writing in the Indonesian language, and shall state at least the following information:

1. planned time for commencement of activities as Acquirer;

19 2. names and numbers of Principals, Issuers, Clearing Providers, Settlement Providers and/or other parties intending to participate in cooperation; and 3. names and numbers of Merchants to participate in the cooperation. C. Required Documents for Bank Acting as Acquirer For a Bank, a licence application as referred to in letter B shall enclose the following documents:

1. photocopy of the Bank Business Plan for the current year, in which is stated the plan for Bank activities as Acquirer;
2. draft business arrangement between the prospective Acquirer and Principals, Issuers, Clearing Providers, Settlement Providers, Merchants and/or other parties, acknowledged by the management and stating at least the following: a. highlights of written agreement and the rights and obligations between the Acquirer and Principals, Issuers, Clearing Providers, Settlement Providers, Merchants and/or other parties cooperating with the Acquirer; and b. plan for implementing cooperation with Principals, Issuers, Clearing Providers, Settlement Providers, Merchants and/or other parties.
3. business analysis 1 (one) year forward for operation of activities to be conducted as Acquirer, describing at least: a. existing market potential;

20 b. business competition analysis; c. planned cooperation with Principals, Issuers, Clearing Providers, Settlement Providers, Merchants and/or other parties, including numbers and their names; d. planned territorial coverage of operations; and e. forecast of targeted revenues; 4. evidence of legal instrument readiness, including: a. photocopy of the written agreement or highlights of the written agreement between the Acquirer and Principals, Issuers, Clearing Providers, Settlement Providers, Merchants and/or other parties. The highlights of the written agreement shall state, among others, clauses with regard to:

1. agreement between the Acquirer and Principals, Issuers, Clearing Providers, Settlement Providers, Merchants and/or other parties concerning management of CBPI activities;
2. rights and obligations of the individual parties;
3. plan for implementation of the cooperation;
4. time frame for the cooperation; and
5. procedure and mechanism for resolution of disputes that may arise among the parties; b. draft of the rights and obligations of the parties, such as provisions prescribing the rights and obligations of the Issuer,

21 Principals, Acquirers, Clearing Providers, Settlement Providers, Merchants and/or other parties; and c. procedure and mechanism for resolution of disputes arising between the Acquirer and Principals, Issuers, Clearing Providers, Settlement Providers, Merchants and/or other parties; 5. evidence of readiness of risk management, encompassing at least management of liquidity risk, management of credit risk and/or management of operational risk as follows: a. Internal regulations prescribing the active oversight by the board of commissioners and board of directors, covering at least the following:

1. accountability, policy and control processes for management of risks arising from activities conducted as Acquirer; and
2. approval and review of the key aspects of the security control procedures for conducting activities as Acquirer. b. Security control procedures for conducting activities as Acquirer, stating at least the following:
3. security procedure and security actions to be taken when conducting activities as Acquirer, such as safeguarding of transaction data and Card Holder data;

22 2) measures for authentication of identity and authorisation of customers conducting CBPI transactions; 3) audit trail of CBPI transactions; 4) adequate procedures to guarantee integrity of data, records or archives and information on CBPI transactions; and 5) measures to protect the confidentiality of Card Holder information; c. Procedure for control of reputational risk and operational risk, stating at least a disaster recovery plan and business continuity plan for effective resolution and minimising of problems arising from unforeseen events that may disrupt the smooth operation of the CBPI system; d. Evidence of operational readiness, covering at least the following:

1. planned organisational structure and readiness of human resources; and
2. plan for business equipment and facilities, stating at least information on the following: a) office location or space to be used for operational activities; and b) hardware and software and the network to be used;

23 e. Evidence of readiness of liquidity risk management; including but not limited to:

1. mechanism for settlement of Acquirer obligations; and
2. failure to settle mechanism, in case the Acquirer sustains default;

6. photocopy of the information technology audit by an independent internal or external auditor as evidence of use of proven technology in operation of CBPIs, encompassing at least compliance with security requirements as referred to in item VII F; and
7. photocopy of recommendation from the Sharia Supervisory Board for activities to be conducted as Acquirer, specifically for a Bank conducting business based on sharia principles. D. Required Documents for Non-Bank Institution Acting as Acquirer For a Non-Bank Institution, a licence application as referred to in letter B shall enclose the following documents:
8. company profile, stating among others the plan for activities as Acquirer;
9. photocopy of the deed of incorporation of legal entity including amendments thereto, if any, validated by the competent authority, which must be legalised by a competent party or official;
10. draft business arrangement between the prospective Acquirer and Principals, Issuers, Clearing Providers, Settlement Providers,

24 Merchants and/or other parties, acknowledged by the management and stating at least the following: a. photocopy of the written agreement and provisions prescribing the rights and obligations between the Acquirer and Principals, Issuers, Clearing Providers, Settlement Providers, Merchants and/or other parties; and b. plan for implementing cooperation with Principals, Issuers, Clearing Providers, Settlement Providers, Merchants and/or other parties; 4. business analysis 1 (one) year forward for management of activities as Acquirer, describing at least the following: a. existing market potential; b. business competition analysis; c. planned cooperation with Principals Issuers, Clearing Providers, Settlement Providers, Merchants and/or other parties, including numbers and their names; d. planned territorial coverage of operations; and e. target of revenues to be achieved. 5. evidence of legal instrument readiness, including: a. photocopy of written agreement or highlights of written agreement between the Acquirer and Principals, Issuers, Clearing Providers, Settlement Providers, Merchants and/or

25 other parties. The highlights of the written agreement shall state, among others, clauses with regard to:

1. agreement of the Acquirer with Principals, Issuers, Clearing Providers, Settlement Providers, Merchants and/or other parties concerning the management of CBPI activities;
2. rights and obligations of the individual parties;
3. plan for implementation of the cooperation;
4. time frame for the cooperation; and
5. procedure and mechanism for resolution of disputes that may arise among the parties; b. draft of the rights and obligations of the parties, such as provisions prescribing the rights and obligations of the Acquirer, Principals, Issuers, Clearing Providers, Settlement Providers, Merchants and/or other parties; c. procedure and mechanism for resolution of disputes arising between the Acquirer and Principals, Issuers, Clearing Providers, Settlement Providers, Merchants and/or other parties;

6. evidence of readiness of risk management, encompassing at least management of liquidity risk, management of credit risk and/or management of operational risk as follows:

26 a. Internal regulations prescribing the active oversight by the board of commissioners and board of directors, covering at least the following:

1. accountability, policy and control processes for management of risks arising from activities conducted as Acquirer; and
2. approval and review of the key aspects of the security control procedures in activities conducted as Acquirer; b. Security control procedures for conducting activities as Acquirer, stating at least the following:
3. security procedure and security actions to be taken when conducting activities as Acquirer, such as safeguarding of transaction data and Card Holder data;
4. measures for authentication of identity and authorisation of customers conducting CBPI transactions;
5. audit trail of CBPI transactions;
6. adequate procedures to guarantee integrity of data, records or archives and information on CBPI transactions; and
7. measures to protect the confidentiality of Card Holder information; c. Procedure for control of reputational risk and operational risk, stating at least a disaster recovery plan and business continuity

27 plan for effective resolution and minimising of problems arising from unforeseen events that may disrupt the smooth operation of the CBPI system; d. Evidence of operational readiness, covering at least the following:

1. planned organisational structure and readiness of human resources; and
2. plan for business equipment and facilities, stating at least information on the following: a) office location or space to be used for operational activities; and b) hardware and software and the network to be used; e. evidence of readiness of liquidity risk management; including but not limited to:
3. mechanism for settlement of Acquirer obligations; and
4. failure to settle mechanism, in case the Acquirer sustains default;

7. photocopy of the information technology audit by an independent internal or external auditor as evidence of use of proven technology in operation of CBPIs, encompassing at least compliance with security requirements as referred to in item VII F,

28 8. photocopy of recommendation from the Sharia Supervisory Board for activities to be conducted as Acquirer, specifically for a Non￾Bank Institution conducting business based on sharia principles; and 9. written recommendation from the supervisory authority for the Non￾Bank Institution if the Non-Bank Institution has a supervisory authority. This recommendation shall cover at least financial condition, operational readiness and the regulatory compliance of the Non-Bank Institution, including information that the Non-Bank Institution is not prohibited from conducting activities as Acquirer, and other information concerning issues faced by that Non-Bank Institution. IV. REQUIREMENTS AND PROCEDURE FOR LICENSING AS CLEARING PROVIDER AND/OR SETTLEMENT PROVIDER A. Application for Licence as Clearing Provider and/or Settlement Provider A Bank or Non-Bank Institution intending to conduct activities as a Clearing Provider and/or Settlement Provider must submit a licence application to Bank Indonesia in writing in the Indonesian language, stating at least the following information:

1. plan for commencement of activities as Clearing Provider and/or Settlement Provider;
2. names and numbers of Principals, Issuers, Acquirers and/or other parties intending to participate in cooperation; and

29 3. trade name or trade mark to be used. B. Required Documents for Bank Acting as Clearing Provider and/or Settlement Provider For a Bank, a licence application as referred to in letter A shall enclose the following documents:

1. photocopy of the Bank Business Plan for the current year, stating among others the plan for Bank activities as Clearing Provider and/or Settlement Provider;
2. draft of the business arrangement between the Clearing Provider and/or Settlement Provider and Principals, Issuers, Acquirers and/or other parties, acknowledged by the management and stating at least: a. requirements for Principals, Issuers, Acquirers and/or other parties intending to use the services of the Clearing Provider and/or Settlement Provider; b. highlights of written agreement and provisions prescribing the rights and obligations between the Clearing Provider and/or Settlement Provider and Principals, Issuers, Acquirers and/or other parties cooperating with the Clearing Provider and/or Settlement Provider; c. risk management in clearing operations and/or settlement operations; d. clearing and/or settlement mechanism; and

30 e. procedure and mechanism for resolution of disputes between the Clearing Provider and/or Settlement Provider and Principals, Issuers, Acquirers and/or other parties; 3. disaster recovery plan and business continuity plan for effective resolution and minimising of problems arising from unforeseen events that may disrupt the smooth operation of the CBPI system; 4. evidence of operational readiness, covering at least the following: a. planned organisational structure and readiness of human resources; and b. plan for business equipment and facilities, stating at least information on the following:

1. office location or space to be used for clearing and/or settlement operations; and
2. hardware and software and the network to be used;

5. photocopy of the information technology audit by an internal or external independent auditor as evidence of use of proven technology in operation of clearing and/or settlement, encompassing at least compliance with security requirements as referred to in item VII F; and
6. photocopy of recommendation from the Sharia Supervisory Board for clearing and/or settlement activities to be conducted, specifically for a Bank conducting business based on sharia principles.

31 C. Required Documents for Non-Bank Institution Acting as Clearing Provider and/or Settlement Provider For a Non-Bank Institution, an application as referred to in letter B shall enclose the following documents:

1. company profile, stating among others the plan for activities as Clearing Provider and/or Settlement Provider;
2. photocopy of the deed of incorporation of the legal entity, including amendments thereto, if any, validated by the competent authority, which must be legalised by a competent party or official;
3. draft of the business arrangement between the Clearing Provider and/or Settlement Provider and Principals, Issuers, Acquirers, and/or other parties, acknowledged by the management and containing at least the following: a. requirements for Principals, Issuers, Acquirers and/or other parties intending to use the services of the Clearing Provider and/or Settlement Provider; b. highlights of written agreement and provisions prescribing the rights and obligations between the Clearing Provider and/or Settlement Provider and Principals, Issuers, Acquirers and/or other parties cooperating with the Clearing Provider and/or Settlement Provider; c. risk management in clearing operations and/or settlement operations;

32 d. clearing and/or settlement mechanism; and e. procedure and mechanism for resolution of disputes between the Clearing Provider and/or Settlement Provider and Principals, Issuers, Acquirers and/or other parties; 4. disaster recovery plan and business continuity plan for effective resolution and minimising of problems arising from unforeseen events that may disrupt the smooth operation of the CBPI system; 5. evidence of operational readiness, covering at least the following: a. planned organisational structure and readiness of human resources; and b. plan for business equipment and facilities, stating at least information on the following:

1. office location or space to be used for clearing and/or settlement operations; and
2. hardware and software and the network to be used;

6. photocopy of the information technology audit by an internal or external independent auditor as evidence of use of proven technology in clearing and/or settlement operations, encompassing at least compliance with security requirements as referred to in item VII F;
7. photocopy of recommendation from the Sharia Supervisory Board for the CBPIs to be issued, specifically for a Non-Bank Institution conducting business based on sharia principles; and

33 8. written recommendation from the supervisory authority for the Non￾Bank Institution if the Non-Bank Institution has a supervisory authority. This recommendation shall cover at least financial condition, operational readiness and the regulatory compliance of the Non-Bank Institution, including information that the Non-Bank Institution is not prohibited from conducting activities in clearing and or settlement of CBPIs, and other information concerning issues faced by that Non-Bank Institution. V. PROCESSING OF LICENSING AS PRINCIPAL, ISSUER, ACQUIRER, CLEARING PROVIDER AND/OR SETTLEMENT PROVIDER

1. Bank Indonesia shall issue a licence or rejection in writing within a period not exceeding 45 (forty-five) working days from the date of receipt by Bank Indonesia of the application and required documents.
2. With regard to issuance of licence or rejection in writing as referred to in number 1, Bank Indonesia shall take the following actions: a. administrative checks to ensure that the documents submitted by the Bank or Non-Bank Institution are complete, truthful and satisfy requirements; b. on-site visit to the Bank or Non-Bank Institution to verify that the submitted documents are truthful and satisfy requirements and to obtain assurance of operational readiness, if necessary; and/or

34 c. if the applicant is a Bank, Bank Indonesia shall request a recommendation from the Bank supervisory authority concerning at least financial condition, soundness rating, operational readiness and the regulatory compliance of the Bank, including information on any problems that the Bank may be facing. 3. Based on the results of administrative checks of the documents, on-site visit and/or recommendation of the Bank supervisory authority as referred to in number 2, Bank Indonesia shall take the following action: a. issuance of licence, if:

1. results of the administrative checks referred to in item 2.a indicate that the documents submitted by the applicant are complete, truthful and satisfy the requirements of Bank Indonesia;
2. results of the on-site visit as referred to in item 2.b indicate that the submitted documents are truthful and satisfy requirements and that operational readiness is achieved; and
3. the competent supervisory authority for the Bank or Non-Bank Institution recommends the Bank or Non-Bank Institution to be licensed as Principal, Issuer, Acquirer, Clearing Provider and/or Settlement Provider. b. rejection, if:

35

1. results of the administrative checks referred to in item 2.a indicate that the documents submitted by the applicant are incomplete, untruthful and/or fail to satisfy the requirements of Bank Indonesia;
2. results of the on-site visit as referred to in item 2.b indicate any untruthfulness or failure to satisfy requirements in the submitted documents and/or lack of operational readiness; and/or
3. the competent supervisory authority for the Bank or Non-Bank Institution refuses to recommend the Bank or Non-Bank Institution to be licensed as Principal, Issuer, Acquirer, Clearing Provider and/or Settlement Provider.

4. If any matters require follow up action, the licensing period as referred to in number 1 may be extended. Bank Indonesia shall inform the applicant in writing of such extension of the licensing period. VI. NOTIFICATION OF EFFECTIVE DATE OF COMMENCEMENT OF ACTIVITIES AS PRINCIPAL, ISSUER, ACQUIRER, CLEARING PROVIDER AND/OR SETTLEMENT PROVIDER
5. A Bank or Non-Bank Institution licensed as Principal, Issuer, Acquirer, Clearing Provider and/or Settlement Provider shall launch activities no later than 180 (one hundred and eighty) calendar days commencing from the date of the letter from Bank Indonesia for issuance of the licence.

36 2. If within the period of 180 (one hundred and eighty) calendar days as referred to in number 1 the Bank or Non-Bank Institution has launched activities as Principal, Issuer, Acquirer, Clearing Provider and/or Settlement Provider, the Bank or Non-Bank Institution shall notify Bank Indonesia in writing of the effective date of commencement of activities as Principal, Issuer, Acquirer, Clearing Provider and/or Settlement Provider. The Bank or Non-Bank Institution shall be deemed effectively able to launch activities as Principal, Issuer, Acquirer, Clearing Provider and/or Settlement Provider if its network or system is in operating condition and its products can be used by the general public as CBPIs 3. If the Bank or Non-Bank Institution does not launch activities within a period of 180 (one hundred and eighty) calendar days as referred to in number 1, the Bank or Non-Bank Institution shall notify Bank Indonesia in writing, enclose supporting evidence reinforcing the explanation of the reasons and constraints preventing it from launching activities as Principal, Issuer, Acquirer, Clearing Provider and/or Settlement Provider. 4. Written notification as referred to in number 2 shall be delivered no later than 10 (ten) working days commencing from the effective launching date of activities as Principal, Issuer, Acquirer, Clearing Provider and/or Settlement Provider. Written notification as referred to in number 3 shall be delivered no later than 10 (ten) working days commencing from the date of expiration of the period of 180 (one hundred and eighty) calendar days as referred to in number 1.

37 VII. MANAGEMENT OF CPBI ACTIVITIES A. Customer Protection

1. Issuers are required to apply the principle of customer protection in the management of CBPI activities, including but not limited to the provision of written information to Card Holders concerning issued CBPIs. This information must be presented in clear, easily understandable Indonesian language, inscribed in letters and words easily legible to the Card Holder.
2. In the case of ATM Cards and/or Debit Cards, Issuers of ATM Cards and/or Debit Cards are required to provide written information to the Card Holder covering at least the following: a. procedures and use of the card, facilities included with the card, and risks that may arise from use of the card; b. rights and obligations of the Card Holder, covering at least the following:

1. important information for the attention of the Card Holder in use of the card, including all consequences/risks that may arise from use of the card, for example, not to disclose the PIN to a third party and to exercise caution when conducting transactions with an ATM machine;

38 2) rights and obligations of the Card Holder in the event of various matters with consequences of loss for the Card Holder and/or the Issuer, whether caused by card forgery, Issuer system failure or other cause; 3) types and amounts of charges; and 4) procedure and consequences if the Card Holder no longer wishes to be a Card Holder; c. procedure for submission of complaints related to card use and estimated time required for handling of these complaints. 3. In the case of Credit Cards, the Credit Card Issuer is required to provide written information to the Card Holder consisting of all information as referred to in number 2, and also take actions including but not limited to the following: a. provide general information concerning:

1. credit collectibility (current, substandard, doubtful or loss) and the consequences of each collectibility status;
2. use of services provided by a party other than the Issuer for bill collection, if the Issuer uses such services; and
3. procedure and basis for calculation of interest and/or penalties and the components of the interest and/or penalty calculation, including the time at which interest calculation is discontinued; and

39 b. provide complete, accurate and informative billing statements punctually and in the proper manner; 4. The Card Holder must be informed again of the written information as referred to in number 2 and number 3 letter a in the event of any general changes. 5. The obligation to provide written information and any amendments thereto shall apply in keeping with the following provisions: a. Written information to be communicated by the Issuer to each prospective Card Holder and Card Holder. b. The material that is communicated shall be of a general nature, applicable to all Card Holders, for example, information provided on criteria of credit collectibility is collectibility criteria established by the Issuer and applicable to all Holders of its Credit Cards. c. Written information may be communicated by public media such as brochures, leaflets, newspapers and/or a website, or by individual media such as billing statements or notices delivered directly to each Card Holder. 6. Credit Card Issuers are prohibited from automatically extending a facility incurring added costs for the Card Holder and/or other facility outside the main Credit Card function without written consent of the Card Holder. Written consent in this matter includes written consent communicated by facsimile and email, and verbal

40 consent expressed in an official record of an officer of the Issuer concerned. 7. Credit Card Issuers are prohibited from listing clauses in any agreement between the Credit Card Issuer and Card Holders providing opportunity for a product to be extended automatically to a Card Holder and/or for any facility to be extended that incurs added cost, without written consent from the Card Holder. Examples of prohibited clauses: a. Clauses in an agreement between Credit Card Issuer and Card Holder, for example: "With the signature of this agreement, the Credit Card issuer may at any time extend a facility or product with fees charged to the card and these fees shall be charged automatically to the Card Holder." b. Statement in the product offering, for example: "This product offering shall be deemed accepted by the Card Holder if within a period of 30 days after the date of this product offering, the Card Holder does not confirm otherwise at the telephone number of 021-12345678." B. Prudential Principles

1. In issuing Credit Cards, Credit Card Issuers are required to manage risk in compliance with the Bank Indonesia regulatory provisions concerning risk management.

41 2. Credit Card Issuers are required to stipulate a minimum payment by Card Holders amounting to no less than 10% (ten percent) of the total billed amount. The required minimum payment may be amended by Bank Indonesia based on considerations for safeguarding the soundness of the Credit Card industry and protection for Card Holders. 3. The following rules are established to improve security and ensure that each Issuer is properly able to manage liquidity: a. The maximum nominal limit on funds that may be transferred between ATM Card Holders over ATM machines is Rp 25,000,000.00 (twenty-fife million rupiahs) per account in one day, subject to the following provisions:

1. The maximum nominal limit on funds shall apply to funds transfer between Issuers over ATMs, in which the sending account and beneficiary account are at different Issuers; and
2. The maximum nominal limit on funds shall not apply to funds transfer internal to the ATM card Issuer, in which the sending account and beneficiary account are with the same Issuer. b. The maximum nominal limit on funds for cash withdrawals at ATM machines, whether using an ATM Card or Credit Card, is Rp 10,000,000.- (ten million rupiahs) per account in one day.

42 C. Enhancement of CBPI Security

1. Issuers are required to enhance CBPI security to prevent and reduce CBPI fraud and simultaneously improve public confidence in CBPIs.
2. Security enhancement as referred to in number 1 shall be performed for the entire technology infrastructure pertaining to the management of CBPIs, encompassing card security and security of the entire system used for processing CBPI transactions as follows: a. Enhancement of card security shall be performed with the use of chip technology (integrated circuit) with the ability to store and/or process data, enabling applications to be added to the card for the purpose of security in processing transaction data. b. Security enhancement of Electronic Data Capture (EDC) machines at Merchants, security of ATM machines and security in back-end systems at the Issuer, Acquirer and/or other third party processor shall be implemented by providing machines and systems capable of processing chip technology cards as referred to in letter a. c. Specifically for ATM Cards and Debit Cards issued in Indonesia, the PIN shall have no less than 4 (four) digits.
3. Use of chip technology standards for enhancement of card security as referred to in number 2 shall operate under the following provisions:

43 a. For Credit Cards using the global network, the standards for the chip technology and system or application in use shall be guided by the standards for chip technology and system or application in prevailing use and/or required by the Principal in the capacity of owner of the card network. b. For Credit Cards using the domestic network, the standards for the chip technology for cards shall be guided by the standards for chip technology applicable to cards using the global network as referred to in letter a. The standards for the systems or applications used (such as EDC) must be adjusted in such matter as to be able to process cards using this chip technology. c. The chip technology standards for ATM Cards and/or Debit Cards issued in Indonesia shall be guided by industry-agreed chip technology standards. 4. Use of chip technology in Credit Cards, ATM Cards and/or Debit Cards shall conform to the following provisions: a. Credit Cards All Credit Cards issued by Issuers in Indonesia, whether new cards or card renewal, must already be using the chip technology no later than 31 December 2009. Accordingly, no later than 31 December 2009. Accordingly, no later than 1 January 2010, all Credit Card transactions in the territory of Indonesia issued by Issuers in Indonesia must be processed

44 with the use of chip technology. In the event that a Credit Card equipped with this chip technology cannot be processed for a transaction, it is prohibited to continue the transaction process for that Credit Card with the use of magnetic stripe technology. b. ATM Cards and Debit Cards All ATM Cards and Debit Cards issued in Indonesia are required to use chip technology with reference to the technical standards agreed by the ATM Card and Debit Card industry, with launching to be based on an agreement reached by the ATM Card and Debit Card industry. 5. Use of technology capable of processing cards with chip technology in CBPI systems, such as EDC, ATMs and back-end systems, in measures to improve system security shall be phased in as follows: a. Credit Card Acquirers are required to replace or upgrade security at all EDC and back-end systems provided so that all such EDC and back-end systems will be capable of processing transactions from Credit Cards using chip technology no later than 31 December 2009. b. Issuers of ATM Cards and/or Debit Cards and Acquirers of Debit Cards are required to replace and upgrade security on all ATM, EDC and back-end systems, with the timing of launching at the discretion of the industry. D. Issuer Cooperation with Other Parties

45

1. If an issuer cooperates with another party in the management of CBPI activities, such as cooperation in card printing, card personalisation, document sending, marketing, bill collection and/or system operation, the Issuer must ensure that: a. the method, mechanism, procedure and quality of the activity performed by the other party conforms with the method, mechanism, procedure and quality of activities performed by the Issuer itself; and b. the other party shall safeguard the security and confidentiality of data/information.
2. If the Issuer uses the services of another party in card printing: a. card printing must be performed by a card printing company providing a guarantee of security over the entire process, commencing from printing and until the cards are received by the Issuer. b. the guarantee of security referred to in letter a shall be substantiated by:

1. certification from the Principal, if the Issuer is a user of the network of the Principal and the Principal operates a certification process for card printing companies. In this case, a Principal shall designate the card printing companies satisfying the requirements for printing cards

46 and the Principal shall require Issuers to print their cards at these certified companies; or 2) the Issuer is assured of the security of the production process and shipping process of the card printing company, if the Issuer is a user of the network of the Principal but the Principal has not certified a card printing company, or the Issuer also acts as Principal. Therefore, in this case, card printing may be performed at any card printing company insofar as the Issuer obtains assurance of the security of the production process and shipping process. 3. If the Issuer uses the services of another party in card personalisation, the Issuer must ensure that the personalisation company complies with the following provisions: a. For cards joined in the network of an international Principal, the card personalisation must be performed by a card personalisation company certified by the Principal; b. For cards joined in the network of a domestic Principal, the card personalisation must comply with the following provisions:

1. If the Principal operates a certification process for personalisation companies, the card personalisation must

47 be performed at a personalisation company certified by that Principal; 2) If the Principal does not operate a certification process for personalisation companies, the card personalisation must be performed at a personalisation company with capability for secure card personalisation, substantiated by a certificate of an information technology audit by an independent internal or external auditor. 4. If the Issuer uses the services of another party in bill collection for Credit Card transactions: a. the bill collection by the other party may only be conducted if the quality of the Credit Card claims falls with the collectibility category of doubtful or loss based on the collectibility criteria according to the Bank Indonesia regulations governing collectibility; b. The Issuer must guarantee that the bill collection by the other party must, in addition to observing the provisions in letter a, also be conducted by means not in violation of law; and c. the agreement of cooperation between the Issuer and the other party to conduct bill collection for Credit Card transactions must state a clause concerning the responsibility of the Issuer for all legal consequences arising from the cooperation with that other party.

48 5. If the Issuer cooperates with another party, such as a Switching Company and/or other company providing CBPI transaction processing facilities: a. system operation must be performed by a switching company and/or other company providing CBPI transaction processing facilities with guarantee of security over the entire CBPI transaction process. This guarantee of security shall be substantiated by:

1. information technology audit performed by an independent internal or external auditor;
2. certification conducted by the Principal, if the Issuer is a member of the Principal. b. The Issuer must ensure that the Switching Company and/or other company providing CBPI transaction processing facilities is able to safeguard confidentiality of data, comprising both Card Holder data and transaction data.

6. If the Issuer cooperates with a Principal, Acquirer, Switching Company, Clearing Provider and/or Settlement Provider, the Issuer must ensure that: a. the Principal, Acquirer, Clearing Provider and/or Settlement Provider is licensed by Bank Indonesia; b. the system used by the Principal, Acquirer, Clearing Provider and/or Settlement Provider complies with the security

49 standards prescribed for Issuers in this Circular Letter of Bank Indonesia. 7. when cooperating with or using the services of another party for processing CBPI transactions, a Bank acting as issuer is also required to observe and comply with the Bank Indonesia regulatory provisions governing Bank cooperation with other parties, including but not limited to the Bank Indonesia regulatory provisions concerning application of risk management in the use of information technology by Commercial Banks. E. Cooperation of Acquirers with Merchants or Other Parties

1. If an Acquirer cooperates with a Merchant, the Acquirer must obtain assurance that: a. the line of business of the Merchant is not a prohibited business by law; b. the agreement of cooperation between the Acquirer and Merchant must contain clauses stating at least the following:

1. rights and obligations of the Acquirer and Merchant;
2. Merchant is prohibited from processing any cash withdrawal transaction with the use of a Credit Card;
3. Merchant is prohibited from imposing a surcharge on the Card Holder; and/or
4. Merchant is required to safeguard confidentiality of data/information of the transaction and Card Holder.

50 c. the Merchant complies with the agreement of cooperation with the Acquirer as referred to in letter b; and d. the Merchant understands transaction procedures and mechanisms in the use of CBPIs. In this regard, the Acquirer is required to provide regular education and dissemination for Merchants, including upon any launching of new CBPI type/product. 2. If the Acquirer cooperates with another party, such as a Switching Company and/or other company providing CBPI transaction processing facilities: a. system operation must be performed by a Switching Company and/or other company providing CBPI transaction processing facilities with guarantee of security over the entire CBPI transaction process. This guarantee of security shall be substantiated by:

1. information technology audit performed by an independent internal or external auditor; and
2. certification conducted by the Principal, if the Acquirer is a member of the Principal. b. The Acquirer must ensure that the Switching Company and/or other company providing CBPI transaction processing facilities is able to safeguard confidentiality of data, both for Card Holder data and transaction data.

51 3. If in the course of conducting CBPI activities a Bank acting as Acquirer intends to cooperate with or use the services of another party for processing CBPI transactions, it is also required to observe and comply with the Bank Indonesia regulatory provisions governing Bank cooperation with other parties, including but not limited to the Bank Indonesia regulatory provisions concerning application of risk management in the use of information technology by Commercial Banks. F. Management of Operational Risk Principals, Issuers, Acquirers, Clearing Providers and/or Settlement Providers are required to manage operational risk, including but not limited to using proven technology that at the minimum encompasses compliance with the following:

1. Information technology security system satisfies at least the following principles: a. two factors authentication; b. confidentiality of data; c. integrity of system and data; d. authentication of system and data; e. non-repudiation of transactions; and/or f. system availability, operated effectively and efficiently in observance of the applicable regulatory provisions;

52 2. System and procedures for audit trail; 3. Internal policy and procedures for the system and human resources (HR); and 4. Business Continuity Plan (BCP) capable of ensuring the continuity of CBPI operations. The BCP must include preventive actions and a contingency plan (including provision of backup system) in the event of emergency or breakdown preventing the use of the main system for CBPI operations. VIII. REQUIREMENTS AND PROCEDURE FOR LICENSING AND REPORTING WITHIN FRAMEWORK OF TRANSFER OF LICENSING BY MERGER, CONSOILDATION, CORPORATE SPLIT OR TAKEOVER A. Merger

1. If a Bank licensed by Bank Indonesia for management of CBPI activities intends to merge with a Bank holding or not holding a licence from Bank Indonesia for management of CBPI activities, the following provisions shall apply: a. if the Bank to result from the merger is a Bank licensed by Bank Indonesia for management of CBPI activities, the Bank resulting from the merger must notify Bank Indonesia in writing of the plan to continue CBPI activities. b. if the Bank to result from the merger is a Bank not licensed by Bank Indonesia for management of CBPI activities, the Bank

53 resulting from the merger is first required to obtain a licence from Bank Indonesia to be able to continue CBPI activities. 2. If a Non-Bank Institution licensed by Bank Indonesia for management of CBPI activities intends to merge with a Non-Bank Institution holding or not holding a licence from Bank Indonesia for management of CBPI activities, the following provisions shall apply: a. if the Non-Bank Institution to result from the merger is a Non￾Bank Institution licensed by Bank Indonesia for management of CBPI activities, the Non-Bank Institution resulting from the merger must notify Bank Indonesia in writing of the plan to continue CBPI activities. b. if the Non-Bank Institution to result from the merger is a Non￾Bank Institution not licensed by Bank Indonesia for management of CBPI activities, the Non-Bank Institution resulting from the merger is first required to obtain a licence from Bank Indonesia to be able to continue CBPI activities. B. Consolidation

1. If a Bank licensed by Bank Indonesia for management of CBPI activities intends to enter into consolidation with another Bank holding or not holding a licence from Bank Indonesia for management of CBPI activities, the Bank resulting from the

54 consolidation is first required to obtain a licence from Bank Indonesia to be able to continue CBPI activities. 2. If a Non-Bank Institution licensed by Bank Indonesia for management of CBPI activities intends to enter into consolidation with another Non-Bank Institution holding or not holding a licence from Bank Indonesia for management of CBPI activities, the Non￾Bank Institution resulting from the consolidation is first required to obtain a licence from Bank Indonesia to be able to continue CBPI activities. C. Corporate Split

1. If a Bank or Non-Bank Institution licensed by Bank Indonesia for management of CBPI activities intends to divide, the Banks or Non￾Bank Institutions resulting from the division are first required to obtain licences from Bank Indonesia to be able to continue CBPI activities.
2. If a Bank or Non-Bank Institution licensed by Bank Indonesia for management of CBPI activities is to conduct a spin-off, the following provisions shall apply: a. the licence from Bank Indonesia for management of CBPI activities shall remain with the Bank or Non-Bank Institution conducting the spin-off. Accordingly, the Bank or Non-Bank Institution conducting the spin-off must notify Bank Indonesia of any plan to continue CBPI activities.

55 b. The Bank or Non-Bank Institution resulting from the spin-off is first required to obtain a licence from Bank Indonesia to be able to continue CBPI activities. D. Takeover

1. In the event of takeover of a Bank or Non-Bank Institution licensed by Bank Indonesia for management of CBPI activities, the Bank or Non-Bank Institution intending to takeover must notify Bank Indonesia of the takeover plan.
2. This notification of takeover must be complete with information covering at least the background to the takeover, the party intending to conduct the takeover, the targeted time frame for completion of the takeover, composition of the management and/or controlling shareholders after the takeover and the business plan after the takeover with specific reference to the management of CBPI activities, such the planned change of name, change in organisational structure or change in system used. E. Notification as referred to in item A.1.a., item A.2.a., item C.2.a. and item D.1 must be delivered to Bank Indonesia subject to the following provisions:
3. The notification must be delivered to Bank Indonesia or the competent authority for supervision of Non-Bank Institution concurrently with any application for approval of plan for merger, corporate split or takeover.

56 2. Notification as referred to in number 1 must enclose documents including but not limited to the business plan after the merger, corporate split or takeover, including plans for system use and system expansion, report of infrastructure readiness and information technology audit report from an independent auditor, in the event of expansion and/or merger of an existing system. F. Licence application as referred to in item A.1.b., item A.2.b., item B.1., item B.2., item C.1. and item C.2.b. must be delivered to Bank Indonesia subject to the following provisions:

1. The licence application must be submitted to Bank Indonesia or the competent authority for supervision of Non-Bank Institution concurrently with any application for approval of plan for merger, corporate split or takeover.
2. A licence application as referred to in number 1 must enclose documents including but not limited to the following: a. financial statement for the last 3 (three) years, audited by an independent public accountant, for a Non-Bank Institution; b. business plan after merger, consolidation or corporate split, including plan for system use and system expansion. c. infrastructure readiness report; d. information technology audit report by an independent auditor, in the case of expansion and/or merger of an existing system;

57 e. composition of share ownership after merger, consolidation or corporate split, for a Non-Bank Institution; and f. recommendation from the supervisory authority of the Non￾Bank Institution, specifically for a Non-Bank Institution. G. Licensing applications to permit continuation of CPBI activities with regard to a merger, consolidation or corporate split shall be processed under the following regulatory provisions:

1. Bank Indonesia shall issue a licence or rejection in writing within a period not exceeding 45 (forty-five) working days from the date of receipt by Bank Indonesia of the required documents.
2. With regard to issuance of licence or rejection as referred to in number 1, Bank Indonesia shall take the following actions: a. administrative checks to ensure that documents submitted by the Bank or Non-Bank Institution are complete, truthful and satisfy requirements; b. on-site visit to the Bank or Non-Bank Institution to verify that the submitted documents are truthful and satisfy requirements and to obtain assurance of operational readiness, if necessary; and/or c. if the applicant is a Bank, Bank Indonesia shall request a recommendation from the Bank supervisory authority concerning at least financial condition, soundness rating, operational readiness and the regulatory compliance of the

58 Bank, including information on any problems that the Bank may be facing. 3. If the document administrative checks referred to in item 2.a and on￾site visit as referred to in item 2.b have been made, and after taking into account the recommendation of the Bank or Non-Bank Institution supervisory authority, Bank Indonesia shall take the following actions: a. issuance of licence, if:

1. results of the administrative checks referred to in item 2.a indicate that the submitted documents are complete, truthful and satisfy the requirements of Bank Indonesia;
2. results of the on-site visit as referred to in item 2.b indicate that the submitted documents are truthful and satisfy requirements and that operational readiness is achieved; and
3. the supervisory authority of the Bank or Non-Bank Institution recommends implementation of the plan of the Bank or Non-Bank Institution for continuation of CPBI activities. b. rejection if:
4. results of the administrative checks referred to in item 2.a indicate that the documents submitted by the applicant are

59 incomplete, untruthful and/or fail to satisfy the requirements of Bank Indonesia; 2) results of the on-site visit as referred to in item 2.b indicate any untruthfulness or failure to satisfy requirements in the submitted documents and/or lack of operational readiness; and/or 3) the supervisory authority for the Bank or Non-Bank Institution does not recommend the Bank or Non-Bank Institution for continuing CBPI activities. 4. If any matters require follow up action, the licensing period as referred to in number 1 may be extended. Bank Indonesia shall inform the applicant in writing of such extension of the licensing period. IX. SUPERVISION, CPBI ACTIVITY REPORTS AND PROCEDURE FOR IMPOSITION OF FINANCIAL PENALTIES A. Supervision of Management of CBPI Activities

1. Goal of Supervision The goal of supervision is to ensure the efficient, expeditious, secure and reliable management of CBPI activities, with attention to customer protection.
2. Scope of Supervision

60 Bank Indonesia shall conduct the supervision of CBPI management activities conducted by: a. Principals; b. Issuers; c. Acquirers; d. CBPI Clearing Providers; and e. CBPI Settlement Providers. 3. Focus of Supervision Supervision of the management of CPBI shall focus on: a. implementation of risk management; b. regulatory compliance, including truthfulness and accuracy of submitted information and reports; and c. implementation of customer protection. 4. Supervision Methods a. Bank Indonesia shall conduct the supervision of the management of CBPI activities by means of:

1. research, analysis and evaluation, among others based on periodic reports, incidental reports, data and/or other information obtained by Bank Indonesia from other parties, and discussed with the parties as referred to in number 2.

61 2) on-site visits of the parties referred to in number 2 to verify the truthfulness of data against realities in the field and to examine the physical facilities, systems, supporting applications and database. If necessary, on-site visits may also be made to the parties cooperating with parties as referred to in number 2. 3) consultative meeting with the parties referred to in number 2 to obtain information on the managed activities and provide recommendations. 4) guidance for parties as referred to in number 2 shall include guidance for making changes. b. For the purpose of supervision, the parties referred to in paragraph (2) are required to provide:

1. information and/or data pertaining to the management of CBPI activities, whether in hard copy or soft copy form; and
2. opportunity during on-site visits to examine the management of CBPI activities, physical facilities, system, supporting applications and the database. c. Bank Indonesia may assign another party on behalf of and in the name of Bank Indonesia to conduct on-site visits of parties as referred to in number 2.

62 B. CBPI Activity Management Reports

1. Periodic Reports a. Periodic reports are reports that must be submitted in writing and/or on-line on a complete, truthful, accurate and timely basis by the parties referred to in item A.2 as appropriate for the period of the individual report. These periodic reports consist of the monthly report, quarterly report and annual report. b. Types of Periodic Reports The periodic reports that must be submitted by parties as referred to in item A.2 cover the following:

1. Principals a) Annual report, presenting at least information in regard to: (1) work plan and target 1 (one) year forward, including plans for product development and cooperation with other parties; (2) outcome of the work plan in the previous year; (3) members participating in the network of the Principal; and (4) description and amounts of fees charged to members.

63 b) Information Technology Audit Report prepared at least 1 time (once) every 3 (three) years, with the scope of audit including but not limited to: (1) network security; (2) data security; (3) application and system security; (4) control over access to system and data; (5) regular network monitoring and testing; and (6) written procedure for information technology security. 2) Issuers a) The Monthly CBPI Activity Report consists of: (1) Monthly ATM Card and/or Debit Card Issuer Report; (2) Monthly Credit Card Issuer Report, (3) Monthly Fraud Report; and (4) Monthly Credit Card Collectibility Report, as follows: (a) in the case of a Non-Bank Institution acting as Credit Card Issuer, the Monthly Credit Card Collectibility report consisting of the following classifications:

64 i. Current, if payment is executed promptly, account behaviour is good and the account has no arrears and complies with the credit terms; ii. Special Mention if repayment of principal and/or interest is in arrears up to 90 (ninety) days; iii. Sub-Standard if repayment of principal and/or interest is in arrears exceeding 90 (ninety) calendar days and up to 120 (one hundred and twenty) days; iv. Doubtful if repayment of principal and/or interest is in arrears exceeding 120 (one hundred and twenty) calendar days and up to 180 (one hundred and eight) days; or v. Loss if repayment of principal and/or interest is in arrears exceeding 180 (one hundred and eighty) days. (b) In the case of a Bank acting as Credit Card Issuer, the Monthly Credit Card Collectibility Report shall be delivered as

65 stipulated in the Circular Letter of Bank Indonesia concerning asset quality assessment for Commercial Banks. b) Quarterly Report on Handling and Resolution of Customer Complaints; and c) Information Technology Audit Report prepared at least 1 time (once) every 3 (three) years, with the scope of audit including but not limited to: (1) network security; (2) data security; (3) application and system security; (4) control over access to system and data; (5) regular network monitoring and testing; (6) written procedure for information technology security. 3) Acquirers a) Monthly Acquirer Report; and b) Information Technology Audit Report prepared at least 1 time (once) every 3 (three) years, with the scope of audit including but not limited to: (1) network security; (2) data security; (3) application and system security;

66 (4) control over access to system and data; (5) regular network monitoring and testing; and (6) written procedure for information technology security. 4) CPBI Clearing Provider a) Quarterly CBPI Clearing Activity Report b) Report of the Information Technology Audit conducted at least 1 time (once) every 3 (three) years, with the scope of audit including but not limited to: (1) network security; (2) data security; (3) application and system security; (4) control over access to system and data; (5) regular network monitoring and testing; and (6) written procedure for information technology security. 5) CBPI Settlement Provider a) Quarterly CBPI Settlement Activity Report; and b) Information Technology Audit Report prepared at least 1 time (once) every 3 (three) years, with the scope of audit including but not limited to: (1) network security;

67 (2) data security; (3) application and system security; (4) control over access to system and data; (5) regular network monitoring and testing; and (6) written procedure for information technology security. 2. Incidental Reports a. Incidental reports are written notifications/reports that must be submitted truthfully to Bank Indonesia by the parties referred to in item A.2., whether at the request of Bank Indonesia or at the initiative of these parties. An incidental report may be made by delivering a document at the request of Bank Indonesia. b. Types of Incidental Reports

1. Notification of Planned Cooperation with Other Party a) Any Principal, Issuer, Acquirer, Clearing Provider and/or Settlement Provider intending to enter into cooperation with another party is required to submit written notification to Bank Indonesia subject to the following provisions: (1) Written notification of planned cooperation by a Principal, Issuer, Acquirer, Clearing Provider and/or Settlement Provider with the other party must be submitted to Bank Indonesia no later

68 than 30 (thirty) working days before the agreement is signed; (2) Written notification of planned cooperation by a Principal, Issuer, Acquirer, Clearing Provider and/or Settlement Provider with the other party as referred to in number (1) shall state at least the following: (a) data/information/company profile of the other party intending to cooperate with the Principal, Issuer, Acquirer, Clearing Provider and/or Settlement Provider; (b) underlying rationale for entering into cooperation; (c) effective date of plan for launching of cooperation; (d) time frame for the planned cooperation. (3) Written notification of planned cooperation by the Principal, Issuer, Acquirer, Clearing Provider and/or Settlement Provider with the other party as referred to in number (1) must enclose documents consisting of: (a) photocopy of draft business arrangements between the Principal, Issuer, Acquirer,

69 Clearing Provider and/or Settlement Provider and other parties; (b) photocopy of the draft agreement of cooperation between the Principal, Issuer, Acquirer, Clearing Provider and/or Settlement Provider and the other party; (c) results of information technology audit conducted by an independent auditor, if the other party to cooperate with the Principal, Issuer, Acquirer, Clearing Provider and/or Settlement Provider is a company providing CBPI transaction processing facilities; (d) photocopy of certification issued by the Principal for the other party intending to cooperating with the Issuer or Acquirer, if the Issuer or Acquirer is a member of the Principal. (e) data confidentiality statement by the other party cooperating with the Principal, Issuer, Acquirer, Clearing Provider and/or Settlement Provider;

70 (f) photocopy of draft agreement of cooperation implemented by the other party with third parties, if any. b) Principals, Issuers, Acquirers, Clearing Providers and/or Settlement Providers are required to report in writing to Bank Indonesia about any launching of cooperation with the other party no later than 10 (ten) working days after the date of signing the agreement of cooperation. 2) Notification of New Product a) Any Issuer of Credit Cards, ATM Cards and/or Debit Cards intending to release a new Credit Card, ATM Card and/or Debit Card product must submit written notification to Bank Indonesia no later than 45 (forty-five) working days prior the release of the new product. b) This written notification must enclose documents consisting at least of: (1) business plan; and (2) explanation of the new product characteristics. c) The business plan referred to in item b)(1) shall include, among others, information on the revenue target to be achieved with the new product.

71 d) Explanation of the characteristics of new products as referred to in item b)(2) shall include, but not be limited to, explanation of transaction flow, enhancement of system security and differences between the new product and former product. 3) Incident Reports a) Principals, Issuers, Acquirers, Clearing Providers and/or Settlement Providers are required to submit incident reports, namely reports on system malfunction and remedial measures taken, such as: (1) network failure in processing CBPI transactions; (2) incidents of fraud. b) The above incident reports shall be submitted to Bank Indonesia at the earliest opportunity after the incident by means of telephone of facsimile, followed by a written report no later than 3 (three) working days after the incident. 3. The annual report of a Principal as referred to in item 1.b.1)a) must be delivered to Bank Indonesia in written hard copy and received by Bank Indonesia no later than the 15th day of February of the following year. If the 15th day of February falls on a Saturday,

72 Sunday or public holiday, the report must be received by Bank Indonesia 1 (one) working day after that date. For example: The report for the period of January until December 2009 must be received no later than 15 February 2010. 4. In the event of any change/amendment in data and/or information in documents submitted with a licence application to Bank Indonesia, such as change of name, office address, change in management (Board of Directors and/or Board of Commissioners), amendment to documents concerning business arrangements, amendment of provisions prescribing the rights and obligations of the parties, amendment to agreement of cooperation and change in parties joined in cooperation and amendment to procedure and mechanism for resolution of disputes, the Principal, Issuer, Acquirer, Clearing Provider and/or Settlement Provider must notify Bank Indonesia in writing of such change/amendment no later than 20 (twenty) working days after execution of the change/amendment. 5. For the purpose of supervision pertaining to management of CBPI activities, Bank Indonesia has power to request data, information and/or reports other than the reports referred to in number 1 and number 2. 6. The notification/reporting procedure as referred to in item 1.b.2)a), item 1.b.2)b), item 1.b.3)a), item 1.b.4)a) and item 1.b.5)a) and financial penalties shall be guided by the Bank Indonesia regulatory

73 provisions concerning Commercial Bank head office reports and the regulatory provisions concerning reports of management of card￾based payment instrument activities by Rural Banks and Non-Bank Institutions. 7. The Information Technology Audit Report as referred to in item 1.b.1)b), 1.b.2)d), 1.b.3)b), 1.b.4)b) and item 1.b.5)b) must be received by Bank Indonesia no later than 20 (twenty) working days after the publication of the Information Technology Audit Report. C. Procedure for Imposition of Financial Penalties

1. Any financial penalty imposed on a Bank pertaining to management of CBPI activities shall be imposed by Bank Indonesia by debiting the settlement account of the Bank at Bank Indonesia.
2. Any financial penalty imposed on Non-Bank Institution pertaining to the management of CBPI activities shall be imposed by Bank Indonesia by conveying a letter stating the financial penalty to the Non-Bank Institution, including information on the amount of the financial penalty and procedure for payment to Bank Indonesia. X. DEVELOPMENT AND PROVISION OF CPBI SYSTEM INTEROPERABILITY WITH OTHER CBPI SYSTEMS In order to improve efficiency and smooth operation and provide more extensive benefits to transacting customers, it is necessary to engage in the development of system interoperability for processing of CBPI transactions

74 between one Principal, Issuer and Acquirer and another Principal, Issuer and Acquirer. On a technical level, this task can be performed by the Principal by stipulating rules and criteria or standards so that each Issuer using the network of that Principal is able to provide its Card Holders with access over equipment bearing the insignia or logo of the Principal. This facility is not only of benefit to Card Holders, but also offers economies in transaction processing by Acquirers, thereby enabling unnecessary investment among Acquirers to be avoided. In the long-term, the costs savings on transaction processing are expected to stimulate overall growth in economic activity. A Principal, Issuer and Acquirer may simplify a system or application by enhancing the originally designed system to ensure that the enhanced system has interoperability with systems developed by other parties. Simplification of a system by the parties may take place under an agreement executed by the industry itself. To support implementation, Bank Indonesia may require the parties to conform to and bring their systems into line with the criteria and requirements agreed by the industry. XI. MISCELLANEOUS PROVISIONS A. Matters of a technical and micro nature in the management of CBPI activities, other than as stipulated in this Circular Letter of Bank Indonesia, may be regulated and agreed by the CBPI industry itself (Self￾Regulatory Organisation - SRO). Such self-regulation by the CPBI

75 Industry shall be supplementary to and is not permitted to conflict with the Bank Indonesia regulatory provisions. In the event that an SRO has agreed and adopted a regulation, each member enrolled in the SRO or related party to the SRO must comply with and observe the agreed regulation. B. Application for CBPI licence, reports, other information and/or correspondence shall be delivered by the head office of the Bank or Non￾Bank Institution to: Bank Indonesia, attn: Directorate of Accounting and Payment Systems Building D 2nd floor, Bank Indonesia Office Complex Jl. M.H. Thamrin No. 2 Jakarta – 10350 XII. TRANSITIONAL PROVISIONS A. A Bank or Non-Bank Institution having conducted activities as CBPI Principal, Issuer, Acquirer, Clearing Provider and/or Settlement Provider prior to the enactment of this Circular Letter of Bank Indonesia and not having received a licence or recognition from Bank Indonesia is required to obtain a licence from Bank Indonesia. Applications for licences must be submitted by Banks or Non-Bank Institutions no later than 90 (ninety) calendar days commencing from the date of enactment of this Circular Letter of Bank Indonesia. Requirements and procedures for licensing

76 from Bank Indonesia shall be guided by this Circular Letter of Bank Indonesia. B. A Bank or Non-Bank Institution having conducted activities as CBPI Principal, Issuer, Acquirer, Clearing Provider and/or Settlement Provider prior to the enactment of this Circular Letter of Bank Indonesia and licensed or recognised by Bank Indonesia shall report its activities to Bank Indonesia and comply with the requirements as CBPI Principal, Issuer, Acquirer, Clearing Provider and/or Settlement Provider no later than 180 (one hundred and eighty) calendar days after the date of enactment of this Circular Letter of Bank Indonesia. C. A Non-Bank Institution having conducted activities as Principal, Issuer, Acquirer, Clearing Provider and/or Settlement Provider within the territory of the Republic of Indonesia prior to the enactment of these regulatory provisions and not incorporated as an Indonesian legal entity shall become incorporated as an Indonesian legal entity no later than 2 (two) years after the date of enactment of this Circular Letter of Bank Indonesia. XIII. CONCLUDING PROVISIONS With the enactment of this Circular Letter of Bank Indonesia: A. Circular Letter of Bank Indonesia Number 7/59/DASP dated 30 December 2005 concerning Procedures for Management of Card-Based Payment Instrument Activities,

77 B. Circular Letter of Bank Indonesia Number 7/60/DASP dated 30 December 2005 concerning Customer Protection, Prudential Principles and Security Enhancement in Management of Card-Based Payment Instrument Activities; C. Circular Letter of Bank Indonesia Number 8/18/DASP dated 23 August 2006 concerning Amendment to Circular Letter of Bank Indonesia Number 7/60/DASP dated 30 December 2005 concerning Customer Protection, Prudential Principles and Security Enhancement in Management of Card-Based Payment Instrument Activities; D. Circular Letter of Bank Indonesia Number 10/20/DASP dated 8 May 2008 concerning Second Amendment to Circular Letter of Bank Indonesia Number 7/60/DASP dated 30 December 2005 concerning Customer Protection, Prudential Principles and Security Enhancement in Management of Card-Based Payment Instrument Activities; and E. Circular Letter of Bank Indonesia Number 10/7/DASP dated 21 February 2008 concerning Supervision of the Management of Card-Based Payment Instrument Activities, are revoked and declared no longer valid. The provisions in this Circular Letter of Bank Indonesia shall come into force on 13 April 2009. 2009. For the public to be informed, it is ordered that this Circular Letter of Bank Indonesia be promulgated in the State Gazette of the Republic of Indonesia. Kindly be informed.

78 BANK INDONESIA, SWD. MURNIASTUTI DIRECTOR OF ACCOUNTING AND PAYMENT SYSTEMS