Commercial banks are subject to various obligations relating to the organization of IT within their institutions. These obligations are divided into the following areas: IT management, IT architecture, risk management, cyber defense and security, and data processing and personal data protection.
In response to increasing operational risk, in the form of cyber risk, that results from the high degree of third-party access and connectivity involved in the utilization of information technology ("IT") within the banking sector, the Financial Services Authority (Otoritas Jasa Keuangan – "OJK") is seeking to raise the quality of banking operations through the organization of information technology. To this end, the OJK recently issued Regulation No. 11/POJK.03/2022 on the Organization of Information Technology by Commercial Banks ("OJK Regulation 11/2022").
The issuance of OJK Regulation 11/2022 has simultaneously repealed and replaced OJK Regulation No. 38/POJK.03/2016 on the Implementation of Risk Management During the Utilization of Information Technology by Commercial Banks and its amendment ("OJK Regulation 38/2016").
OJK Regulation 11/2022 has primarily been issued with the overall aim of mitigating cyber risk resulting from the utilization of information technology by commercial banks ("Banks") through the optimization of the resources that Banks provide. Given the broad scope of the new regulation, the discussion in this newsletter is limited to the Obligations of Banks and Reporting Procedures.
In addition to the above, it should be noted that OJK Regulation 11/2022 also contains provisions that address the utilization of electronic systems and the processing of IT-based transactions, controls and internal audits relating to the organization of IT within Banks, the provision of IT services by Banks, and evaluations of the digital maturity levels of Banks.
Obligations of Banks
Under OJK Regulation 11/2022, Banks must comply with a number of obligations relating to the various IT organization activities implemented within their institutions. These obligations are summarized below:
- IT Management Within Banks
  - Banks must implement good IT management. At a minimum, Banks must conduct the following activities, among others: (i) strategic evaluations, strategic briefings and strategic monitoring; (ii) synchronization, planning and organization of all units involved in IT support; etc.
  - Banks must determine the authorities and responsibilities of their boards of directors ("BoD"), boards of commissioners ("BoC") and other relevant officials. These authorities and responsibilities include, among others: (i) BoD: determination of strategic IT plans and of the policies, standards and procedures for the organization and utilization of IT; (ii) BoC: evaluation, direction and monitoring of strategic IT plans.
  - Banks must have an IT directing committee. This committee is responsible for issuing recommendations to the BoD on matters such as strategic IT plans that are in line with the relevant Bank's corporate plan, IT policies, standards and procedures, and so forth.
  - Banks must have an IT organizing task force. This task force is responsible for the management of IT, including the planning, development, operation and monitoring of IT organization within Banks.
- IT Architecture Within Banks
  - Banks must have an IT architecture. The IT architecture of a Bank should be drawn up comprehensively through processes of planning, design, implementation and control. In preparing the architecture, various factors should be taken into consideration, including the relevant corporate plan and the business processes of the Bank, among many others.
  - Banks must draw up strategic IT plans that support their corporate plans. Strategic plans must be submitted to the OJK by no later than November of the year prior to the first period of the relevant plan's implementation.
- Implementation of Risk Management During IT Organization Within Banks
  - Banks must implement effective risk-management strategies. Risk management should be implemented in an integrated manner at all stages of IT organization. At a minimum, Banks should implement the following risk-management measures: risk identification, risk calculation, risk monitoring and risk control.
  - Banks must ensure that information security measures are implemented effectively and efficiently. Information security should be implemented in relation to human resources, processes and technology, as well as physically, throughout the overall IT environment of each Bank.
  - Banks must draw up Disaster Recovery Plans. Banks are also obliged to test their Disaster Recovery Plans annually in relation to all applications and infrastructure that are categorized as critical according to the relevant business risk analysis. These plans must be evaluated at least annually.
  - Banks that operate sharia business units must have systems in place that are capable of generating separate reports on the activities of those units.
- Cyber Defense and Bank Security
  - Banks must ensure that they have adequate cyber defenses in place. At a minimum, Banks should implement the following processes: identification of assets, threats and risks; protection of assets; detection of cyber incidents; and mitigation of and recovery from cyber incidents.
  - Banks must conduct self-assessments of their cyber-security maturity levels. Self-assessments should be conducted annually, based on the position as at the end of December, and the results must be submitted to the OJK.
  - Banks must test their cyber security. Cyber-security testing should be based on: (i) vulnerability analyses, which should be conducted regularly; and (ii) scenario-based testing, which should be conducted at least annually.
  - Banks must establish units or functions for the management of cyber security and defense. These units or functions should operate independently.
- Data Processing and Personal Data Protection
  - Banks must process their data effectively in order to achieve their business objectives. Data processing should take into account various aspects, including at a minimum: ownership and management of data, data quality, data processing systems, and supporting resources for data processing.
  - Banks must implement the principle of personal data protection. At a minimum, Banks must stipulate the following aspects, among others: (i) classification of personal data; (ii) rights and obligations of the parties involved in exchanges of personal data; (iii) personal data security; etc.
It should be noted that any failure to comply with the above-listed obligations will result in administrative sanctions in the form of written reprimands. Moreover, continued non-compliance after a written reprimand has been issued will result in further administrative sanctions, ranging from a prohibition on the introduction of new Bank products to the temporary suspension of certain business activities.
By way of comparison, OJK Regulation 38/2016, as its title suggests, only addressed various arrangements that related to the implementation of risk management during the utilization of IT by Banks.
OJK Regulation 11/2022 introduces provisions on the mandatory reporting of the organization of IT by Banks, as detailed in the table below:
| Report | Content | Deadline |
|---|---|---|
| IT Organization Reports | Banks must report on any IT development plans that they will implement during the following year. Any changes to such reports must be submitted by no later than June of the following year. | November of the year prior to implementation of the relevant IT development plan |
| Update Reports | Banks must report the most recent condition of their IT organization. | 15 business days after the end of the reporting year |
| Pre-Notification Reports on Incidents | Pre-notifications must be submitted electronically to the OJK and should contain all available information on any IT incident that has the potential to cause significant losses and/or that has actually resulted in significant losses or operational disruption to the Bank. | 24 hours after the identification of the IT incident |
| IT Incident Reports | IT incident reports form part of the conditional reports and should address potential significant losses in terms of the financial condition of the Bank. | Five business days after the identification of the incident |
| Realization Reports | These reports must cover: (i) the utilization of electronic systems of overseas data centers and/or disaster recovery centers; (ii) the processing of overseas IT-based transactions; and/or (iii) activities undertaken as a provider of IT services. | Three months after implementation |
All reports must be submitted electronically to the OJK, and any failure to submit reports in accordance with the applicable procedures will result in administrative sanctions in the form of written reprimands. Further provisions on reporting formats and submission procedures will be set out in a forthcoming Regulation of the OJK.
Written by Ahmad Jamal Assegaf and Marchel Tarsingot.