
Cloud security and OJK compliance for Indonesian banks

In short

What POJK 11/2022 requires before an Indonesian bank moves workloads to the cloud: data localization, OJK approval for offshore processing, outsourcing reporting, and shared responsibility.


Regulations: POJK 11/2022 on the implementation of information technology by commercial banks, its implementing circular SEOJK 29/2022, and PP 71/2019 on electronic systems.

OJK permits commercial banks to use cloud, but treats it as IT outsourcing: the bank keeps full accountability, manages the arrangement under POJK 11/2022 risk requirements, and obtains OJK approval before placing certain data and workloads outside Indonesia.

Authority: Otoritas Jasa Keuangan (OJK)

Indonesian banks are moving to the cloud for the same reasons everyone else is, but a bank cannot outsource its accountability along with its infrastructure. OJK governs cloud as a form of IT outsourcing under POJK 11/2022, the regulation on the implementation of information technology by commercial banks, carried into detail by SEOJK 29/2022. The cloud provider can run the platform. The bank still answers to OJK for what happens on it.

What changes when a regulated bank goes to the cloud

The cloud security questions a bank faces are not only technical. Three regulatory expectations shape every design decision before the first workload moves.

Accountability stays with the bank

OJK treats cloud as outsourcing. The provider runs the infrastructure, but the bank remains responsible to the regulator and to customers for data protection, availability, and incident handling. Responsibility cannot be contracted away.

Data localization by default

POJK 11/2022 requires OJK approval to store and process certain data and systems outside Indonesia. The starting assumption is onshore, so workloads have to be classified before anything moves to a foreign region.

Outsourcing must be governed

Cloud arrangements fall under IT risk management and outsourcing rules: due diligence on the provider, contractual safeguards, OJK reporting, and the ability to exit or recover if the provider fails.

The obligations to map before migration

A cloud migration plan for a bank is also a compliance plan. These are the obligations that determine whether an architecture is approvable.

Obligation under OJK rules | Status
Retain bank accountability for outsourced IT, including cloud | Mandatory
Apply IT risk management to the cloud arrangement under POJK 11/2022 | Mandatory
Obtain OJK approval to process or store certain data and systems offshore | Conditional
Conduct provider due diligence and put protection clauses in the contract | Mandatory
Report IT outsourcing arrangements and plans to OJK | Mandatory
Maintain exit, recovery, and business continuity if the provider fails | Mandatory

Where data is allowed to live

PP 71/2019 lets private electronic system operators place data abroad under conditions, but financial institutions sit under a stricter sectoral regime: banks still follow OJK and Bank Indonesia rules even where the general regulation is more permissive. In practice you decide placement workload by workload, not for the bank as a whole.

- Classify each workload by data sensitivity and OJK category
- Default core and customer data to onshore placement
- Seek OJK approval before processing eligible workloads offshore
- Keep supervisory and law-enforcement access available
- Document where every dataset is stored and processed
- Re-check placement whenever the architecture changes
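The placement rules above can be enforced as a pre-migration guardrail rather than checked by hand. The script below is an added example written for this page, not code from Alpha Code, OJK, or any cloud provider. Everything in it is an assumption for illustration: the set of region identifiers treated as Indonesian (confirm these against your provider's own region list), the category labels, the approval-reference field, and the sample inventory. It blocks offshore placement of core banking and customer data unless an OJK approval reference is recorded, blocks anything still unclassified, and re-evaluates only the workloads whose placement changed between two versions of the inventory.

```python
"""Data-residency guardrail for a bank's cloud workload inventory (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# ASSUMPTION: region identifiers treated as onshore (Indonesia). Verify against
# the provider's published region list before relying on this set.
ONSHORE_REGIONS = {"ap-southeast-3", "asia-southeast2", "indonesiacentral"}

# ASSUMPTION: constructed category labels for data that defaults to onshore
# placement under the page's reading of POJK 11/2022.
RESTRICTED_CATEGORIES = {"core_banking", "customer_data"}


@dataclass(frozen=True)
class Workload:
    name: str
    category: str                 # e.g. "core_banking", "customer_data", "public_web", "unclassified"
    region: str                   # provider region where the data is stored or processed
    ojk_approval_ref: Optional[str] = None  # reference to an OJK approval, if one exists


@dataclass(frozen=True)
class Finding:
    workload: str
    decision: str                 # "block", "review" or "allow"
    reason: str


def is_onshore(region: str) -> bool:
    return region in ONSHORE_REGIONS


def evaluate(w: Workload) -> Finding:
    """Apply the placement rules to a single workload."""
    if w.category == "unclassified":
        # Classification comes first; nothing moves until the category is known.
        return Finding(w.name, "block", "classify the workload before it moves")
    if is_onshore(w.region):
        return Finding(w.name, "allow", f"onshore placement in {w.region}")
    if w.category in RESTRICTED_CATEGORIES:
        if w.ojk_approval_ref:
            # Approved offshore placement still has to stay in the outsourcing report.
            return Finding(w.name, "review",
                           f"offshore placement covered by OJK approval {w.ojk_approval_ref}; "
                           "keep it in the outsourcing report")
        return Finding(w.name, "block",
                       f"{w.category} may not be placed offshore in {w.region} without OJK approval")
    # Non-restricted data offshore: allowed in principle, but confirm the category and report it.
    return Finding(w.name, "review",
                   f"offshore placement in {w.region}; confirm the category and include it in the report")


def evaluate_inventory(inventory: List[Workload]) -> List[Finding]:
    return [evaluate(w) for w in inventory]


def placement_changes(before: List[Workload], after: List[Workload]) -> List[Finding]:
    """Re-check only workloads that are new or whose region/category changed (architecture drift)."""
    prev: Dict[str, Workload] = {w.name: w for w in before}
    changed = [
        w for w in after
        if w.name not in prev
        or (prev[w.name].region, prev[w.name].category) != (w.region, w.category)
    ]
    return evaluate_inventory(changed)


# Constructed sample inventory; names, regions and the approval reference are placeholders.
SAMPLE_INVENTORY = [
    Workload("core-ledger", "core_banking", "ap-southeast-3"),
    Workload("crm-customer-db", "customer_data", "ap-southeast-1"),
    Workload("fraud-analytics", "customer_data", "asia-southeast1",
             ojk_approval_ref="OJK-APPROVAL-REF-PLACEHOLDER"),
    Workload("marketing-site", "public_web", "us-east-1"),
    Workload("legacy-batch", "unclassified", "ap-southeast-3"),
]

if __name__ == "__main__":
    for f in evaluate_inventory(SAMPLE_INVENTORY):
        print(f"{f.decision:6} {f.workload}: {f.reason}")
```

Run it in a pipeline gate before an infrastructure change is applied: a single "block" finding fails the change, while "review" findings are routed to whoever maintains the OJK outsourcing report. The `placement_changes` function is what makes the "re-check whenever the architecture changes" item cheap enough to run on every deployment instead of once a year.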

A practical path to an approvable cloud

The order of work matters. Compliance gaps found after migration are expensive, so the assessment comes first.

  1. Workload and data inventory

     List every system and dataset bound for the cloud, classify it by sensitivity, and tag the OJK category it falls under. Placement decisions depend on this map, and so does the approval conversation with OJK.

  2. Shared responsibility gap assessment

     Document exactly what the cloud provider secures and what the bank must secure on top: identities, configurations, encryption, logging, and network controls. The gaps in the bank's half are where breaches happen.

  3. Provider due diligence and contracts

     Assess the provider against OJK outsourcing expectations and put the required protection, audit, and exit clauses in writing before committing production workloads.

  4. Approval and reporting

     Prepare the OJK approval case for any offshore processing and align the outsourcing reporting that POJK 11/2022 and SEOJK 29/2022 require for your arrangement.

  5. Continuous posture management

     Misconfiguration is the most common cause of cloud breaches. Monitor cloud configurations against benchmarks continuously rather than auditing once a year, and alert on drift.
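Step 5 is the one that keeps paying off after migration, so it is worth seeing what "alert on drift" means in code. The script below is an added example for this page, not Alpha Code's tooling or any vendor's benchmark export. The resource types, setting names, baseline values and the two snapshots are all constructed; in practice the snapshot would come from the provider's configuration inventory and the baseline from the benchmark the bank has adopted. The point it shows is the difference between a scan (every deviation, every time) and drift (only what changed since the last scan), which is what you want to page on.

```python
"""Configuration drift check against a benchmark baseline (added example)."""
from typing import Any, Dict, List, Tuple

# A finding is (resource id, setting, message).
Finding = Tuple[str, str, str]

# ASSUMPTION: constructed baseline of expected settings per resource type,
# standing in for the benchmark the bank has adopted.
BASELINE: Dict[str, Dict[str, Any]] = {
    "object_storage": {
        "public_access_blocked": True,
        "encryption_at_rest": True,
        "access_logging": True,
    },
    "database": {
        "publicly_accessible": False,
        "encryption_at_rest": True,
        "audit_logging": True,
    },
}


def check_snapshot(snapshot: List[Dict[str, Any]]) -> List[Finding]:
    """Compare every resource in a configuration snapshot against the baseline."""
    findings: List[Finding] = []
    for res in snapshot:
        expected = BASELINE.get(res["type"])
        if expected is None:
            # An unknown type is itself a finding: nobody has decided what "good" looks like for it.
            findings.append((res["id"], "type", f"no baseline for resource type {res['type']!r}"))
            continue
        settings = res.get("settings", {})
        for setting, want in expected.items():
            have = settings.get(setting)   # a missing setting is treated as non-compliant
            if have != want:
                findings.append((res["id"], setting, f"expected {want!r}, found {have!r}"))
    return findings


def drift_since(previous: List[Finding], current: List[Finding]) -> Tuple[List[Finding], List[Finding]]:
    """Return (new findings, resolved findings) between two scans.

    Alerting on `new` rather than on `current` means a long-known exception does
    not page the on-call engineer every run, while a fresh misconfiguration does.
    """
    prev, cur = set(previous), set(current)
    return sorted(cur - prev), sorted(prev - cur)


# Constructed snapshots: day 1, then day 2 after two changes were made.
SNAPSHOT_DAY1 = [
    {"id": "bkt-statements", "type": "object_storage",
     "settings": {"public_access_blocked": True, "encryption_at_rest": True, "access_logging": True}},
    {"id": "db-core", "type": "database",
     "settings": {"publicly_accessible": False, "encryption_at_rest": True, "audit_logging": False}},
]
SNAPSHOT_DAY2 = [
    {"id": "bkt-statements", "type": "object_storage",
     "settings": {"public_access_blocked": False, "encryption_at_rest": True, "access_logging": True}},
    {"id": "db-core", "type": "database",
     "settings": {"publicly_accessible": False, "encryption_at_rest": True, "audit_logging": True}},
]

if __name__ == "__main__":
    new, resolved = drift_since(check_snapshot(SNAPSHOT_DAY1), check_snapshot(SNAPSHOT_DAY2))
    for f in new:
        print("ALERT new drift:", f)
    for f in resolved:
        print("resolved:", f)
```

Between the two constructed snapshots the statements bucket lost its public-access block (a new finding to alert on) and the core database gained audit logging (a resolved finding). Scheduling `check_snapshot` on every configuration change and keeping the previous run's findings is the whole of "continuous posture management" at its simplest; the benchmark content is what the bank's assessment in steps 1 and 2 decides.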

Security and compliance are the same project here

For a regulated bank, a secure cloud and a compliant cloud are not two workstreams. The control that satisfies OJK, such as proving who can access customer data and where it is processed, is the same control that prevents the breach. Treating them separately is how banks end up with an environment that passes an audit on paper but leaks in practice.

Alpha Code helps Indonesian banks design cloud environments that OJK will approve and that hold up in practice, from workload classification and shared responsibility gap assessments to continuous posture management across AWS, Azure, and Google Cloud.

Reviewed by Rizki Pratama, DevSecOps Engineer

Frequently asked questions

Can Indonesian commercial banks use the cloud?

Yes. OJK does not prohibit cloud use by commercial banks. It treats cloud as a form of IT outsourcing and sets conditions: the bank stays accountable for the data and service, the arrangement must be governed by proper risk management under POJK 11/2022, and certain data and workloads need OJK approval before they can be stored or processed outside Indonesia.

Ready to strengthen your security posture?

Talk to our Jakarta-based team about your requirements.
