POJK 34/2025

IT and cybersecurity compliance for rural banks (BPR/BPRS) under POJK 34/2025

In short

How BPR and BPRS can meet POJK 34/2025 before the 18 December 2026 deadline, with support for IT audit, cyber resilience, and incident response.

For years, a BPR was the bank you knew from the market, the shop, and the local cooperative. The same customers now open accounts from a phone, check balances in an app, and receive transfers from a digital wallet. Core systems, mobile banking, and links to payment providers have become the backbone of service rather than an add-on. Once technology carries that much weight, an outage in the system becomes an outage in the business, and that is what OJK watches. POJK 34/2025 turns that expectation into a concrete set of obligations.

This page explains what POJK 34/2025 covers, who must comply, and the practical steps a BPR can take to be ready before the deadline. It is written for directors, the board of commissioners, IT leads, and compliance officers who need to understand the obligations without reading every article of the regulation.

POJK 34/2025

POJK 34/2025 governs the implementation of information technology by Bank Perekonomian Rakyat (BPR) and sharia rural banks (BPRS). It was issued by the Financial Services Authority (OJK) in December 2025 and becomes effective on 18 December 2026, giving banks roughly a one-year transition window to bring their IT governance, risk, and security into line.

Authority: OJK

Deadline: 18 December 2026

What POJK 34/2025 is and who it applies to

POJK 34/2025 is a Financial Services Authority regulation that governs the implementation of information technology by BPR and BPRS. Its subjects are the rural and regional banks across Indonesia, whether they already run full digital services or are still early in their digitalisation. Because its scope follows the implementation of information technology in general, the regulation is relevant to nearly all BPR and BPRS, not only the larger institutions.

OJK issued the regulation in December 2025, with an effective date of 18 December 2026. That roughly one-year gap is not a formality. For many BPR, the adjustments it asks for touch the organisational structure, internal policies, contracts with third parties, and technical readiness that cannot be settled in a few weeks. Treating the transition period as a working window, rather than a deadline to defer until the last moment, is the safest way to avoid a scramble as December 2026 approaches.

The main obligations

The regulation sets out several areas that BPR and BPRS must address. The first is IT governance, meaning clear roles, responsibilities, and decision-making for technology at the level of the bank's leadership. The second is IT risk management, which requires the bank to identify, measure, and mitigate the risks that come from using technology. The third is cyber resilience, so the bank can withstand and recover from disruptions or attacks against its systems.

Beyond those, the bank must maintain a disaster recovery plan so that services can be restored when a major disruption occurs. Information security stands as its own area, covering the protection of customer and operational data. POJK 34/2025 also requires periodic IT audit, including external review, so that the assessment of IT controls does not rest on internal judgement alone. There is, in addition, an obligation to report IT incidents to OJK, along with accountability for third-party IT providers, which means the bank remains responsible even when part of its technology is managed by a vendor.

The table below summarises the obligations the regulation makes explicit. Each is recorded as mandatory rather than optional.

| Obligation | Status |
| --- | --- |
| Clear IT governance at the leadership level | Mandatory |
| IT risk management to identify and mitigate technology risk | Mandatory |
| Cyber resilience against disruption and attack | Mandatory |
| Disaster recovery plan to restore services | Mandatory |
| Information security to protect customer and operational data | Mandatory |
| Periodic IT audit, including external review | Mandatory |
| Reporting of IT incidents to OJK | Mandatory |
| Accountability for third-party IT providers | Mandatory |

Why these obligations make sense for a BPR

Some BPR leaders read the regulation at first as an extra burden. A more useful view is to treat it as a framework for protecting customer trust. When a BPR relies on a core system and digital channels to serve deposits and loans, a prolonged outage or a data breach can damage a reputation built over many years. Tidy IT governance, a tested disaster recovery plan, and orderly incident reporting reduce the chance that the bank runs into an event it cannot explain to its customers or to the regulator.

Accountability for third-party providers is also practical. Many BPR rent their core system and supporting services from vendors. The regulation makes clear that responsibility for the security and continuity of services stays with the bank. In practice, that means vendor contracts should set out security obligations, audit rights, and a clear approach to incident handling, not only service availability.

A path to compliance

There is no single fixed order that suits every bank, but most BPR can follow the same flow. Start by understanding the current position, then improve governance and risk, prepare the ability to withstand and recover, and close with ongoing audit and reporting.

  1. Gap assessment

    Map the current state of IT governance, risk, and security against the obligations of POJK 34/2025, then build a prioritised list.

  2. Improve IT governance and risk

    Set roles and responsibilities, policies, and IT risk management processes at the leadership level.

  3. Prepare DRP and cyber resilience

    Build a disaster recovery plan, strengthen information security, and test the ability to withstand disruption.

  4. Audit and reporting

    Run periodic IT audit with external review and set up the mechanism for reporting incidents to OJK.

The gap assessment at the start matters because it keeps the bank from polishing what is already adequate while overlooking the gaps that actually carry risk. Its output becomes a roadmap that can be taken to the directors and commissioners for budget and time. The next stage, improving governance and risk, usually takes the longest, because it involves changes to policy and working habits rather than only technical settings.

How Alpha Code helps

Alpha Code works alongside BPR and BPRS at each of the stages above. We begin with a gap assessment that compares the bank's practices against the obligations of POJK 34/2025, so leadership gets an honest picture of what is ready and what is not. From there we help shape an IT governance and risk management framework sized to the bank's scale and complexity, without burdening a small team with documents no one will use.

For technical readiness, we help prepare and test the disaster recovery plan, strengthen cyber resilience, and put information security in order across the core system and digital channels. When an incident occurs, our incident response service helps the bank contain the impact, restore services, and assemble the reporting OJK requires. We can also run an IT audit with independent review, so the bank meets the external review obligation while gaining feedback it can act on.

Our approach is proportionate. A small BPR does not need the same structure as a commercial bank, and we adjust our recommendations so they stay practical for the team in place.

Next steps

The 18 December 2026 deadline feels distant, yet governance and technical readiness take longer than people usually expect. Starting with a gap assessment now gives the bank room to improve in stages, plan its budget calmly, and avoid rushed work as the deadline nears. If you want to understand where your BPR or BPRS stands against POJK 34/2025, our team is ready to help you set out a clear and measurable first step.

References

  1. OJK, POJK Nomor 34 Tahun 2025 tentang Penyelenggaraan Teknologi Informasi oleh BPR dan BPRS

Frequently asked questions

The regulation becomes effective on 18 December 2026, giving BPR and BPRS roughly a one-year transition window to adjust their IT governance and security.
