
DevSecOps in Indonesian Fintech: Meeting OJK Requirements While Moving Fast

How Indonesian fintechs can satisfy OJK security expectations without slowing down, by building security gates into the CI/CD pipeline and shifting left.

Rizki Pratama · DevSecOps Engineer
June 3, 2026 · 4 min read

Indonesian fintechs live with a tension every engineering team knows. The market rewards speed, shipping features faster than the incumbent banks, while the regulator rewards control. For a long time those two goals felt opposed: you either moved fast or you stayed compliant. DevSecOps is how modern teams stop choosing between them. By building security into the delivery pipeline rather than bolting it on at the end, you can ship often and prove control at the same time.

The OJK expectations that shape fintech delivery

If you operate as a bank, the anchor regulation is POJK 11/POJK.03/2022 on information technology implementation by commercial banks. It sets the expectations for IT governance, IT risk management, and using systems that are tested and secure before they reach production. Its companion circular, SEOJK 29/SEOJK.03/2022 on cyber resilience and security, makes the security side concrete: regular cyber security testing including vulnerability assessment and penetration testing, a dedicated cyber security unit kept independent of IT operations, and a tight incident reporting clock, with an initial notification to OJK within 24 hours and a detailed report within five days.

Fintech lenders sit under a different but parallel regime. The peer-to-peer lending rules in POJK 10/POJK.05/2022, now superseded by POJK 40/2024, carry their own requirements for secure electronic systems, audit trails, and data handling. The common thread across all of these is that the regulator expects you to demonstrate control continuously, not to produce a one-time audit and move on.

The good news is that these expectations map cleanly onto a well-built pipeline.

A pipeline with security built in

The core idea of DevSecOps is to place automated security checks at each stage of the delivery pipeline, so that insecure code is caught by a machine in minutes rather than by an auditor months later. Each gate also produces evidence, which is exactly what a regulator wants to see: a timestamped, per-commit record of what was checked, what was found, and whether the release was allowed to proceed.

None of these gates is exotic. Secrets scanning, dependency scanning, static and dynamic analysis, infrastructure and container scanning, and runtime monitoring are all available as mature tools, many of them open source. The discipline is in wiring them into the pipeline so they run on every change and block a release when they find something serious. A practical adoption order is to start with secrets and dependency scanning, which are high signal and low noise, then add static analysis, then container and infrastructure scanning.
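As an added illustration, not part of the original post, here is a GitHub Actions workflow that wires the gates described above in the recommended adoption order and keeps every report as a build artifact so the evidence trail is produced by the pipeline itself. The runner image, the `evidence/` directory layout and the assumption that gitleaks, trivy and semgrep are preinstalled on the runner are mine; check the flags against the tool versions you actually deploy.

```yaml
# Added example (not from the original post). Assumes gitleaks, trivy and
# semgrep are already installed on the runner; tool flags should be
# verified against the versions in use.
name: security-gates
on: [pull_request, push]

jobs:
  gates:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so secrets scanning covers every commit

      - run: mkdir -p evidence

      # Gate 1: secrets scanning. Any finding exits non-zero and blocks the job.
      - name: Secrets scan
        run: gitleaks detect --source . --report-format json --report-path evidence/gitleaks.json --exit-code 1

      # Gate 2: dependency scanning. Only HIGH/CRITICAL block the release;
      # lower severities are still written to the report for the record.
      - name: Dependency scan
        run: trivy fs --scanners vuln --severity HIGH,CRITICAL --exit-code 1 --format json --output evidence/trivy-deps.json .

      # Gate 3: static analysis. --error makes blocking findings fail the step.
      - name: Static analysis
        run: semgrep scan --config auto --error --json --output evidence/semgrep.json

      # Gate 4: infrastructure-as-code and container configuration.
      - name: IaC and container config scan
        run: trivy config --severity HIGH,CRITICAL --exit-code 1 --format json --output evidence/trivy-iac.json .

      # Reports are kept whether or not a gate failed, so the evidence for
      # the regulator is a by-product of every run, keyed by commit SHA.
      - name: Keep evidence
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: security-evidence-${{ github.sha }}
          path: evidence/
          retention-days: 90
```

A failed gate stops the job before deployment while the uploaded reports still show what was found, which is the combination of blocking and evidence the post describes.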

Why shifting left pays off

The phrase shift left means finding and fixing problems as early in the development cycle as possible. The reason is economic. A defect caught while a developer is still writing the code costs very little to fix. The same defect found in production costs far more, because now it involves an incident, a rollback, customer impact, and possibly a regulatory report.

The cost multipliers usually quoted for this curve are commonly cited estimates rather than precise measurements, but the shape is consistent across every study: the cost of a fix rises steeply the later you find it. For a regulated fintech, the production end of that curve is even steeper, because a security defect that reaches production can trigger the 24-hour incident clock and the reputational damage that follows.

Moving fast without breaking compliance

The objection engineers raise is that all this checking must slow them down. The data says the opposite. The DORA research into software delivery performance consistently finds that the highest-performing teams deploy more frequently and recover faster, while also failing less often. Speed and stability rise together when the safety checks are automated rather than manual.

The teams that struggle are the ones relying on manual review gates and end-of-cycle security testing, which create a bottleneck and still let defects through. Automating the checks removes the bottleneck and improves quality, which is why a mature DevSecOps pipeline lets a fintech move quickly and satisfy OJK at the same time.

At Alpha Code, we help Indonesian fintechs design and operate secure delivery pipelines that produce the evidence OJK asks for as a by-product of shipping. If your security testing still happens at the end, that is the first place to shift.

Written By
Rizki Pratama
DevSecOps Engineer

Rizki builds secure delivery pipelines for Indonesian fintechs, embedding OJK-aligned controls without slowing release velocity.
