Compliance & GRC
Compliance and GRC for banks and financial services in Indonesia
In short
A short map of which OJK regulation applies to your institution, the UU PDP obligations on top of it, and where to find the detailed compliance guide.
Financial institutions in Indonesia answer to more than one regulator at once, and which rules apply depends on what kind of institution you run. This page is a short map of that, not a restatement of the detailed obligations, which live on their own pages. For what GRC and compliance work covers in general, see our Compliance & GRC service page.
Which regulation applies to your institution
| Institution type | Regulation | What it covers |
|---|---|---|
| Commercial banks (Bank Umum) | POJK 11/2022 + SEOJK 29/2022 | IT governance, cyber resilience across five control domains, incident reporting to OJK |
| Rural banks (BPR and BPRS) | POJK 34/2025 (effective 18 December 2026) | IT governance, IT risk management, disaster recovery, periodic IT audit |
| All financial institutions | UU PDP (UU 27/2022) | Personal data protection, 72-hour breach notification, DPO appointment for large-scale processing |
Go deeper for your segment
Commercial banks face the five control domains of SEOJK 29/2022: IT governance, asset management, access control, incident management, and third-party risk, on top of the two incident-reporting clocks. Our commercial bank cybersecurity compliance guide sets out what each domain requires and how a gap assessment turns that into a prioritised roadmap.
Rural banks work to a different regulation with a longer runway. POJK 34/2025 takes effect 18 December 2026 and covers IT governance, risk management, disaster recovery, information security, and periodic IT audit, sized to a BPR's scale rather than a commercial bank's. Our BPR compliance guide under POJK 34/2025 covers the obligations and the transition timeline in full.
Where monitoring and DPO work fit
GRC consulting covers governance, policy, gap assessment, and audit preparation, the parts of compliance that are documented and reviewed rather than run continuously. Continuous monitoring and the OJK incident-reporting clock are handled through our SOC-as-a-Service for banks. The UU PDP appointment obligation and financial-sector DPO duties have their own page, DPO-as-a-Service for banks, since the two are related but not the same programme.
If you are not sure which framework applies to your institution or where the gaps sit, our team can walk through it with you and set out a concrete first step.
References
Reviewed by Naren Krishnan, Cybersecurity Manager
Frequently asked questions
Commercial banks (Bank Umum), including sharia banks, foreign banks operating in Indonesia, and regional development banks, fall under POJK 11/2022 and its implementing circular SEOJK 29/2022. Rural and regional banks (BPR and BPRS) fall under a separate framework, POJK 34/2025, which takes effect 18 December 2026. Payment-system operators licensed by Bank Indonesia sit under their own regulation instead.
Related
Related
Solutions
Our services
Ready to strengthen your security posture?
Talk to our Jakarta-based team about your requirements.
Jakarta-based team. We reply within one business day.