Cloud security and OJK compliance for Indonesian banks
In short
What POJK 11/2022 requires before an Indonesian bank moves workloads to the cloud: data localization, OJK approval for offshore processing, outsourcing reporting, and shared responsibility.
The rules in play are POJK 11/2022 on the implementation of information technology by commercial banks, its implementing circular SEOJK 29/2022, and PP 71/2019 on electronic systems.
OJK permits commercial banks to use cloud, but treats it as IT outsourcing: the bank keeps full accountability, manages the arrangement under POJK 11/2022 risk requirements, and obtains OJK approval before placing certain data and workloads outside Indonesia.
Indonesian banks are moving to the cloud for the same reasons everyone else is, but a bank cannot outsource its accountability along with its infrastructure. OJK governs cloud as a form of IT outsourcing under POJK 11/2022, the regulation on the implementation of information technology by commercial banks, carried into detail by SEOJK 29/2022. The cloud provider can run the platform. The bank still answers to OJK for what happens on it.
What changes when a regulated bank goes to the cloud
The cloud security questions a bank faces are not only technical. Three regulatory expectations shape every design decision before the first workload moves.
Accountability stays with the bank
OJK treats cloud as outsourcing. The provider runs the infrastructure, but the bank remains responsible to the regulator and to customers for data protection, availability, and incident handling. Responsibility cannot be contracted away.
Data localization by default
POJK 11/2022 requires OJK approval to store and process certain data and systems outside Indonesia. The starting assumption is onshore, so workloads have to be classified before anything moves to a foreign region.
Outsourcing must be governed
Cloud arrangements fall under IT risk management and outsourcing rules: due diligence on the provider, contractual safeguards, OJK reporting, and the ability to exit or recover if the provider fails.
The obligations to map before migration
A cloud migration plan for a bank is also a compliance plan. These are the obligations that determine whether an architecture is approvable.
| Obligation under OJK rules | Status |
|---|---|
| Retain bank accountability for outsourced IT, including cloud | Mandatory |
| Apply IT risk management to the cloud arrangement under POJK 11/2022 | Mandatory |
| Obtain OJK approval to process or store certain data and systems offshore | Conditional |
| Conduct provider due diligence and put protection clauses in the contract | Mandatory |
| Report IT outsourcing arrangements and plans to OJK | Mandatory |
| Maintain exit, recovery, and business continuity if the provider fails | Mandatory |
Where data is allowed to live
PP 71/2019 lets private electronic system operators place data abroad under conditions, but financial institutions sit under a stricter sectoral regime: banks still follow OJK and Bank Indonesia rules even where the general regulation is more permissive. In practice you decide placement workload by workload, not for the bank as a whole.
A practical path to an approvable cloud
The order of work matters. Compliance gaps found after migration are expensive, so the assessment comes first.
1. Workload and data inventory. List every system and dataset bound for the cloud, classify it by sensitivity, and tag the OJK category it falls under. Placement decisions depend on this map, and so does the approval conversation with OJK.
2. Shared responsibility gap assessment. Document exactly what the cloud provider secures and what the bank must secure on top: identities, configurations, encryption, logging, and network controls. The gaps in the bank's half are where breaches happen.
3. Provider due diligence and contracts. Assess the provider against OJK outsourcing expectations and put the required protection, audit, and exit clauses in writing before committing production workloads.
4. Approval and reporting. Prepare the OJK approval case for any offshore processing and align the outsourcing reporting that POJK 11/2022 and SEOJK 29/2022 require for your arrangement.
5. Continuous posture management. Misconfiguration is the most common cause of cloud breaches. Monitor cloud configurations against benchmarks continuously rather than auditing once a year, and alert on drift.
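The steps above (inventory and classification, the bank's half of shared responsibility, offshore placement needing an approval on file, and drift alerting) can be turned into a small automated check. The following is an added illustration, not code from this page or from Alpha Code, and not a reading of the regulation text: the region identifiers (the Jakarta regions of AWS and Google Cloud as onshore, Singapore as offshore), the sensitivity tiers, the rule thresholds and the approval reference are all assumptions chosen for the example. It evaluates a constructed inventory against a few posture rules and reports what changed since an approved baseline.

```python
"""Added example: posture check over a constructed bank workload inventory.

The rules, tiers and region identifiers below are assumptions for
illustration only, not the text of POJK 11/2022 or SEOJK 29/2022.
"""
from __future__ import annotations

from dataclasses import asdict, dataclass
from typing import Optional

# Assumed: provider regions treated as onshore (Jakarta regions of AWS and GCP).
ONSHORE_REGIONS = {"ap-southeast-3", "asia-southeast2"}
# Assumed sensitivity tiers that need an OJK approval on file before offshore placement.
OFFSHORE_NEEDS_APPROVAL = {"customer", "confidential"}


@dataclass(frozen=True)
class Workload:
    name: str
    sensitivity: str                    # "public" | "internal" | "confidential" | "customer"
    region: str                         # provider region identifier
    offshore_approval_ref: Optional[str]  # placeholder reference to an OJK approval, if any
    encrypted_at_rest: bool             # bank-side control on the shared responsibility split
    audit_logging: bool                 # bank-side control
    publicly_reachable: bool            # bank-side network exposure


def check_workload(w: Workload) -> list[str]:
    """Return findings for one workload; an empty list means it passes."""
    findings = []
    offshore = w.region not in ONSHORE_REGIONS
    if offshore and w.sensitivity in OFFSHORE_NEEDS_APPROVAL and not w.offshore_approval_ref:
        findings.append(f"{w.name}: {w.sensitivity} data in offshore region {w.region} "
                        "without an OJK approval on file")
    if w.sensitivity != "public" and not w.encrypted_at_rest:
        findings.append(f"{w.name}: encryption at rest disabled")
    if not w.audit_logging:
        findings.append(f"{w.name}: audit logging disabled")
    if w.publicly_reachable and w.sensitivity in OFFSHORE_NEEDS_APPROVAL:
        findings.append(f"{w.name}: {w.sensitivity} workload is publicly reachable")
    return findings


def assess(inventory: list[Workload]) -> dict[str, list[str]]:
    """Findings keyed by workload name, listing only workloads that fail."""
    result = {}
    for w in inventory:
        findings = check_workload(w)
        if findings:
            result[w.name] = findings
    return result


def drift(baseline: list[Workload], current: list[Workload]) -> list[str]:
    """Fields that changed since the approved baseline, plus added or removed workloads."""
    base = {w.name: asdict(w) for w in baseline}
    cur = {w.name: asdict(w) for w in current}
    changes = []
    for name in sorted(set(base) | set(cur)):
        if name not in base:
            changes.append(f"{name}: added since baseline")
        elif name not in cur:
            changes.append(f"{name}: removed since baseline")
        else:
            for key, old in base[name].items():
                new = cur[name][key]
                if old != new:
                    changes.append(f"{name}.{key}: {old!r} -> {new!r}")
    return changes


# Constructed sample inventory (not real systems). The approval reference is a placeholder.
BASELINE = [
    Workload("core-ledger", "customer", "ap-southeast-3", None, True, True, False),
    Workload("marketing-site", "public", "ap-southeast-1", None, False, True, True),
    Workload("analytics-dr", "customer", "ap-southeast-1", "OJK-APPROVAL-PLACEHOLDER", True, True, False),
]
# Later snapshot: the ledger was moved offshore and logging was switched off on the site.
CURRENT = [
    Workload("core-ledger", "customer", "ap-southeast-1", None, True, True, False),
    Workload("marketing-site", "public", "ap-southeast-1", None, False, False, True),
    Workload("analytics-dr", "customer", "ap-southeast-1", "OJK-APPROVAL-PLACEHOLDER", True, True, False),
]

if __name__ == "__main__":
    for name, findings in assess(CURRENT).items():
        for line in findings:
            print("FINDING", line)
    for line in drift(BASELINE, CURRENT):
        print("DRIFT", line)
```

The baseline passes every rule; the later snapshot produces two findings (an unapproved offshore placement of customer data and disabled logging) and two drift lines pointing at the exact fields that changed, which is the signal a continuous check should raise rather than waiting for an annual audit.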
Security and compliance are the same project here
For a regulated bank, a secure cloud and a compliant cloud are not two workstreams. The control that satisfies OJK, such as proving who can access customer data and where it is processed, is the same control that prevents the breach. Treating them separately is how banks end up with an environment that passes an audit on paper but leaks in practice.
Alpha Code helps Indonesian banks design cloud environments that OJK will approve and that hold up in practice, from workload classification and shared responsibility gap assessments to continuous posture management across AWS, Azure, and Google Cloud.
Reviewed by Rizki Pratama, DevSecOps Engineer
Frequently asked questions
Does OJK allow commercial banks in Indonesia to use the cloud?
Yes. OJK does not prohibit cloud use by commercial banks. It treats cloud as a form of IT outsourcing and sets conditions: the bank stays accountable for the data and service, the arrangement must be governed by proper risk management under POJK 11/2022, and certain data and workloads need OJK approval before they can be stored or processed outside Indonesia.