Skip to main content

Compliance & GRC

Compliance and GRC for banks and financial services in Indonesia

In short

A short map of which OJK regulation applies to your institution, the UU PDP obligations on top of it, and where to find the detailed compliance guide.

Compliance solutions

Financial institutions in Indonesia answer to more than one regulator at once, and which rules apply depends on what kind of institution you run. This page is a short map of that, not a restatement of the detailed obligations, which live on their own pages. For what GRC and compliance work covers in general, see our Compliance & GRC service page.

Which regulation applies to your institution

Institution typeRegulationWhat it covers
Commercial banks (Bank Umum)POJK 11/2022 + SEOJK 29/2022IT governance, cyber resilience across five control domains, incident reporting to OJK
Rural banks (BPR and BPRS)POJK 34/2025 (effective 18 December 2026)IT governance, IT risk management, disaster recovery, periodic IT audit
All financial institutionsUU PDP (UU 27/2022)Personal data protection, 72-hour breach notification, DPO appointment for large-scale processing
Gap assessment against the applicable OJK regulationBoard-level IT governance and policyThird-party and vendor risk reviewAudit and OJK examination preparation

Go deeper for your segment

Commercial banks face the five control domains of SEOJK 29/2022: IT governance, asset management, access control, incident management, and third-party risk, on top of the two incident-reporting clocks. Our commercial bank cybersecurity compliance guide sets out what each domain requires and how a gap assessment turns that into a prioritised roadmap.

Rural banks work to a different regulation with a longer runway. POJK 34/2025 takes effect 18 December 2026 and covers IT governance, risk management, disaster recovery, information security, and periodic IT audit, sized to a BPR's scale rather than a commercial bank's. Our BPR compliance guide under POJK 34/2025 covers the obligations and the transition timeline in full.

Where monitoring and DPO work fit

GRC consulting covers governance, policy, gap assessment, and audit preparation, the parts of compliance that are documented and reviewed rather than run continuously. Continuous monitoring and the OJK incident-reporting clock are handled through our SOC-as-a-Service for banks. The UU PDP appointment obligation and financial-sector DPO duties have their own page, DPO-as-a-Service for banks, since the two are related but not the same programme.

If you are not sure which framework applies to your institution or where the gaps sit, our team can walk through it with you and set out a concrete first step.

References

  1. 1.OJK, POJK No. 11/POJK.03/2022 on Information Technology Implementation by Commercial Banks
  2. 2.OJK, SEOJK No. 29/SEOJK.03/2022 on Cyber Resilience and Security for Commercial Banks
  3. 3.OJK, POJK Nomor 34 Tahun 2025 tentang Penyelenggaraan Teknologi Informasi oleh BPR dan BPRS

Reviewed by Naren Krishnan, Cybersecurity Manager

Frequently asked questions

Commercial banks (Bank Umum), including sharia banks, foreign banks operating in Indonesia, and regional development banks, fall under POJK 11/2022 and its implementing circular SEOJK 29/2022. Rural and regional banks (BPR and BPRS) fall under a separate framework, POJK 34/2025, which takes effect 18 December 2026. Payment-system operators licensed by Bank Indonesia sit under their own regulation instead.

Related

Ready to strengthen your security posture?

Talk to our Jakarta-based team about your requirements.

Jakarta-based team. We reply within one business day.