After a lengthy discussion with business players (mainly
startups in the payment systems sector, such as e-money issuers
and payment gateway providers), at the end of 2017, Bank
Indonesia issued regulation No. 19/12/PBI/2017 on the
Organisation of Financial Technology (the Fintech
In general, the Fintech regulation imposes an obligation on
fintech players that provide or will provide fintech services
to register with/submit an activity report to Bank Indonesia,
the Indonesian Central Bank. Certain exceptions to the
registration requirement apply to fintech players that fall
under the supervision of different authorities. An example is
the popular online peer-to-peer (P2P) lending players which
fall under the supervision of the Indonesian Financial Services
Another feature the fintech regulation introduces is the
regulatory sandbox for fintech players. Below is a brief
introduction to these initiatives.
First regulation to mention the regulatory sandbox
The Fintech regulation is the first regulation issued by an
Indonesian authority that explicitly refers to the regulatory
sandbox. Before it, the OJK issued Regulation No.
77/POJK.01/2016 on IT-based Money Lending Services (the P2P
lending regulation) regulating P2P lending service providers
(that are open to 85% for foreign share ownership). This
regulation introduces a registration process before P2P lending
services providers can apply for a business licence. A
registration certificate is far less burdensome to obtain than
a business licence, yet P2P lending services providers can
operate fully upon obtaining a registration certificate, but
they must have applied for a business licence within a
Although not explicitly stated in the regulation, according
to a variety of sources, the above gap between registration and
obtaining a business licence was once claimed to be the OJK's
version of a regulatory sandbox, because it provides space for
these businesses to operate under minimal regulatory
requirements for a year before they must play according to the
stricter rules which apply to obtaining a business licence.
However, Bank Indonesia's version of the regulatory sandbox is
different from that of the OJK. Currently, the OJK is in the
process of preparing another regulation that may be similar to
Bank Indonesia's regulatory sandbox.
In Bank Indonesia's version, the regulatory sandbox is a
space where fintech players, including foreign companies, can
try out their products, services, technology or business
models, in a very limited manner (eg for a limited period, with
limited coverage and for a limited number of users). In that
sense, while fintech players can try out their products, they
cannot fully operate like services providers covered by the P2P
lending regulation during this registration phase.
Why the regulatory sandbox matters
In the fintech business, products often develop faster than
the regulations. It is not uncommon for fintech products to not
clearly fall under any of the Bank Indonesia categories of
payment system services (eg payment cards, e-money (which is
overseen by a new regulation issued on 4 May 2018), digital
wallets, payment gateways, switching services providers and
proprietary channels). The regulatory sandbox provides
businesses with a chance to find out whether or not their
products fall under a certain business classification, and
therefore if they require a licence.
In a number of public awareness events, the players have
expressed the expectation that participants in the regulatory
sandbox, if they pass the test, have an advantage in the
licensing procedure as they have met Bank Indonesia's
expectation that they will comply with the prevailing
regulations during the trial period. This incentive is fairly
important from a commercial perspective as in practice,
obtaining a licence to provide payment system services can be
How to become eligible for the regulatory sandbox
The Fintech regulation introduces a criteria-based
regulatory sandbox (instead of an application-based one),
meaning that not everyone is eligible for the initiative. To be
determined eligible, fintech players must first be registered
with Bank Indonesia or have filed a report on their business
activities if they have held a licence as a payment systems
services provider before the fintech regulation was issued.
Bank Indonesia will then assess a variety of criteria,
including whether: (i) the fintech involves the element of a
payment system under the jurisdiction of Bank Indonesia; (ii)
it is innovative; (iii) it can benefit customers/the economy;
(iv) it is non-exclusive; (v) it can be widely used; (vi) it is
equipped with risk identification and mitigation; and (vii) any
other criteria Bank Indonesia considers important.
Preparing for the regulatory sandbox
If from their registration Bank Indonesia determines that
certain players are likely to be eligible for the regulatory
sandbox, it will invite the players to make a presentation on
the business model and risk management, and to submit certain
documents (the company profile and the business to be tested in
After assessing the presentation and documents submitted to
it, Bank Indonesia will issue a decision on its eligibility.
Upon being determined eligible, the fintech player must submit
a scenario proposal for the product testing, which must
include, among other things, the products to be tested, the
testing period, the target, the limitations on coverage, the
customers and other limitations.
Starting your regulatory sandbox
Bank Indonesia will review the scenario proposal it receives
and decide whether or not to approve it. The testing period
given can be up to six months as of the date of the decision,
and can be extended once under certain circumstances for up to
six months. During the testing period, the fintech player may
only engage in the business activities specified in the
While fintech players eligible for the regulatory sandbox
benefit from a more lenient regulatory regime, they are
expected to apply appropriate consumer protection principles,
risk management, prudential principles, and to comply with the
prevailing laws and regulations.
During the testing period, Bank Indonesia will assist and
review the company's activities, the result of which will be
used as a basis for deciding on the outcome of the testing.
The outcome of the testing
The testing should result in one of three decisions: (i) a
pass; (ii) a fail; or (iii) another status determined by Bank
If the result is a pass, Bank Indonesia will categorise the
business, ie whether or not it is a payment system business. If
so, the fintech player must apply for a business licence in the
appropriate category before it can continue selling its
products/services. If it is not (if, for example, it is a P2P
lending business), Bank Indonesia will refer the result to the
relevant authority (eg the OJK).
The regulatory sandbox regime does not prohibit participants
from applying for a business licence at the same time as they
participate in the sandbox. If they do so, fintech players
which pass the test can continue marketing their products until
their licence is issued. This way, applying for a licence while
participating in the regulatory sandbox would seem more
advantageous as the business can continue marketing its
products/services after passing the test, but pending the
issuance of a licence.
If the result is a fail, the fintech player will not be able
to market its products/services further.
Fintech players which pass the test and are categorised as
payment system services providers must identify their role
according to the category. Currently, the categories are
defined in Bank Indonesia Regulation No. 18/40/PBI/2016 on
Processing Payment Transactions. Under this regulation, payment
system services providers include: (i) payment card (ATM, debit
and credit cards) players (ie acquirers, issuers, principals,
end settlement and clearing processors); (ii) chip-based and
server-based e-money providers (ie issuers, acquirers,
principals, end settlement and clearing processors); (iii)
funds transmitting businesses; (iv) payment gateway providers;
(v) switching services providers; (vi) digital wallet
providers; (vii) proprietary channels; and (viii) other payment
system services providers.
In addition to the requirement to establish a limited
liability company, certain businesses are subject to foreign
share ownership restrictions. Currently, foreign parties can
hold up to 20% of the shares in principals (e-money and payment
card providers), end-settlement and clearing processors, as
well as switching service providers.
Partner, Makarim & Taira S.
T: +6221 5080 8300, 252 1272
Maria Sagrado has extensive high-level experience in
structuring foreign investment and financial
transactions. She represents the interests of numerous
foreign clients investing in Indonesia, including
companies and investors from China, the US, the UK,
Singapore and the EU.
Maria's well-rounded experience in relevant
corporate and commercial practices enable her to
comprehensively advise and guide foreign clients
entering into local investments or transactions in
Indonesia, with due consideration for the various
aspects involved. She has represented clients in
various sectors including FinTech such as peer-ro-peer
lending and payment system operators. She is actively
involved in the FinTech Association in Indonesia.
Associate, Makarim & Taira S.
T: +6221 5080 8300, 252 1272
Yanuar Pribadhie is an Associate at Makarim &
Taira S. He practices international and corporate law,
and has worked extensively in matters involving
technology, media and telecommunication, banking and
finance, intellectual property, corporate and foreign
investment. He is heavily involved in the drafting of
some regulations related to fintech in Indonesia and is
active in the FinTech Association.
He has represented and assisted in a number of local
and foreign investments and acquisitions. He has
co-authored articles relating to the Indonesian
e-commerce regulation and copyright law, among others.
Together with his team, he has represented major
clients in payment system and start-up companies.