# SE OJK No. 15/SEOJK.03/2017  
## IT Governance Guidelines for Micro Banking & Digital Cooperation (BPR/BPRS)

---

## 1. Regulation Identity

- **Authority**: Otoritas Jasa Keuangan (OJK)
- **Regulation Type**: Surat Edaran (Circular Letter)
- **Number**: 15/SEOJK.03/2017
- **Year**: 2017
- **Legal Basis**: POJK No. 75/POJK.03/2016
- **Scope**:
  - Bank Perkreditan Rakyat (BPR)
  - Bank Pembiayaan Rakyat Syariah (BPRS)

---

## 2. Regulatory Objective

- Establish **minimum IT standards** for BPR/BPRS
- Ensure:
  - Operational stability
  - Data security
  - Governance accountability
  - Safe digital cooperation with third parties
- Support gradual **digital transformation of micro banking**

---

## 3. Core Banking System (CBS) Requirements

### 3.1 Mandatory CBS Usage

- Every BPR/BPRS **must use a Core Banking System**
- Manual or fragmented systems are **not allowed**

### 3.2 Infrastructure Based on Core Capital

- **Core Capital < IDR 50 Billion**
  - Core Banking Application
  - Data Center
- **Core Capital ≥ IDR 50 Billion**
  - Core Banking Application
  - Data Center
  - Disaster Recovery Center (DRC)

---

## 4. Transaction Processing Rules

- CBS must support inter-branch transactions, at a level that depends on the services offered:
  - **Same-day posting**
    - Sufficient when the bank offers no electronic banking or ATM services
  - **Online & real-time**
    - Required when the bank provides:
      - Electronic banking
      - ATM services
      - Debit card services

---

## 5. IT Governance & Accountability

### 5.1 Board Responsibilities

- **Board of Directors**
  - Fully responsible for IT implementation
  - Must ensure IT supports business strategy
- **Board of Commissioners**
  - Supervises major IT changes
  - Evaluates IT-related risk exposure

### 5.2 IT Function Responsibilities

- Responsible unit or personnel must:
  - Implement IT policies
  - Monitor system performance
  - Ensure security & availability
  - Document all system changes
  - Report IT conditions to management

---

## 6. Policies & Procedures (Mandatory)

Each BPR/BPRS must have documented policies covering:

- IT development & procurement
- IT operations
- Network communication
- Information security
- Disaster recovery planning
- IT audit
- Cooperation with IT service providers

---

## 7. Digital Cooperation & IT Outsourcing

### 7.1 Written Agreement Requirement

- All cooperation with IT vendors **must use written contracts**
- Applies to:
  - Core Banking vendors
  - Cloud / hosting providers
  - Fintech or IT service partners

### 7.2 Minimum Contract Clauses

Contracts must define:

- Scope of service
- Roles & responsibilities
- Service Level Agreement (SLA)
- Data ownership & confidentiality
- Security obligations
- Audit access for BPR/BPRS & OJK
- Business continuity & disaster recovery
- Risk mitigation & liability

---

## 8. IT Vendor Eligibility Rules

IT vendors must:

- Be a **legal entity**
- Have **competent IT personnel**, proven by:
  - Certifications
  - Experience
  - Formal education
- Guarantee:
  - System functionality
  - Maintenance services
  - Incident resolution

---

## 9. Due Diligence for Digital Cooperation

Before cooperation, BPR/BPRS must assess:

- Vendor financial condition
- Technical capability
- Information security readiness
- Compliance with regulations
- Support & after-sales service

---

## 10. Information Security Requirements

Mandatory controls include:

- Access management
- Logical & physical security
- Data backup & restore testing
- Incident response procedures
- Data retention rules

Security must ensure:

- Confidentiality
- Integrity
- Availability

---

## 11. Disaster Recovery & Business Continuity

- Must have a **Disaster Recovery Plan (DRP)**
- DRP must:
  - Define recovery roles
  - Be documented
  - Be tested periodically
- IT partners must support DR execution

---

## 12. IT Audit Requirements

- IT audit is **mandatory**
- Frequency: **at least once per year**
- Can be conducted by:
  - Internal audit
  - External auditor

Audit scope includes:

- Core Banking compliance
- IT governance effectiveness

---

## 13. Reporting Obligations to OJK

### 13.1 Routine Reports

- Annual IT audit report
- Submitted according to OJK timelines

### 13.2 Incidental Reports

The following must be reported to OJK as they occur:

- Major IT changes
- New IT cooperation
- Critical incidents
- Security breaches

Critical
