# AI Governance & Compliance Rules
## Derived from SE OJK No. 15/SEOJK.03/2017 (BPR/BPRS)

---

## 0. Document Purpose

- This document defines **hard rules, constraints, and guardrails**
- Intended for:
  - AI decision systems
  - Compliance engines
  - Policy validators
  - Fintech / banking automation
- Scope:
  - Micro Banking (BPR/BPRS)
  - Digital cooperation
  - IT governance
  - Core banking systems

---

## 1. Regulatory Assumptions (Hard Truths)

- All BPR/BPRS **must use Core Banking Systems**
- Manual or non-integrated systems are **non-compliant**
- IT responsibility is **non-delegable** from management
- Digital cooperation is **allowed but regulated**
- Security, auditability, and reporting are mandatory

---

## 2. Core Banking Constraints

### RULE-CB-01: Mandatory Core Banking

- IF entity_type IN {BPR, BPRS}
- THEN Core_Banking_System MUST exist
- AND Core_Banking_System MUST be primary transaction system

### RULE-CB-02: Infrastructure by Capital

- IF core_capital < 50B IDR
  - REQUIRE {CBS, Data_Center}
- IF core_capital >= 50B IDR
  - REQUIRE {CBS, Data_Center, Disaster_Recovery_Center}

---

## 3. Transaction Processing Rules

### RULE-TX-01: Same-Day Posting

- IF e_banking = false AND ATM_issuer = false
- THEN inter_branch_posting = same_day

### RULE-TX-02: Real-Time Processing

- IF e_banking = true OR ATM_issuer = true
- THEN transaction_processing = online_real_time

---

## 4. Governance & Accountability Rules

### RULE-GOV-01: Board Accountability

- Board_of_Directors MUST:
  - Approve IT strategy
  - Approve IT procurement
  - Monitor IT risk
- Accountability CANNOT be transferred to vendors

### RULE-GOV-02: Commissioner Oversight

- Board_of_Commissioners MUST:
  - Approve fundamental IT changes
  - Evaluate IT risk exposure

---

## 5. Digital Cooperation Guardrails

### RULE-COOP-01: Written Contract Mandatory

- IF cooperation_with_IT_vendor = true
- THEN written_contract = required

### RULE-COOP-02: Minimum Contract Clauses

Contracts MUST include:
- Scope_of_service
- Roles_and_responsibilities
- SLA
- Data_ownership
- Confidentiality
- Audit_access (Bank + OJK)
- Business_continuity
- Disaster_recovery
- Risk_and_liability

---

## 6. Vendor Eligibility Constraints

### RULE-VENDOR-01: Legal Entity Requirement

- IT vendors MUST be:
  - legal_entity = true

### RULE-VENDOR-02: Competency Requirement

- Vendor MUST have:
  - certified_IT_personnel OR
  - proven_experience OR
  - relevant_education

### RULE-VENDOR-03: Operational Guarantees

- Vendor MUST guarantee:
  - system_functionality
  - maintenance
  - incident_resolution

---

## 7. Due Diligence Rules

### RULE-DD-01: Pre-Cooperation Assessment

Before cooperation:
- financial_health MUST be assessed
- technical_capability MUST be assessed
- security_readiness MUST be assessed
- compliance_readiness MUST be assessed

---

## 8. Information Security Constraints

### RULE-SEC-01: CIA Principle

All systems MUST ensure:
- confidentiality
- integrity
- availability

### RULE-SEC-02: Mandatory Controls

Security controls MUST include:
- access_control
- physical_security
- logical_security
- backup_and_restore_testing
- incident_response
- data_retention

---

## 9. Disaster Recovery Rules

### RULE-DR-01: DR Plan Mandatory

- Disaster_Recovery_Plan MUST exist
- DR_Plan MUST be documented
- DR_Plan MUST be tested periodically

### RULE-DR-02: Vendor Support

- IF vendor_involved = true
- THEN vendor MUST support DR execution

---

## 10. IT Audit Rules

### RULE-AUDIT-01: Annual Audit

- IT_Audit MUST be conducted
- Frequency >= once_per_year

### RULE-AUDIT-02: Audit Scope

Audit MUST include:
- Core_Banking_Compliance
- IT_Governance
- Board_Responsibilities

---

## 11. Regulatory Reporting Rules

### RULE-REP-01: Routine Reporting

- Annual IT audit report MUST be submitted to OJK

### RULE-REP-02: Incident Reporting

- IF critical_incident_detected = true
  - notify_OJK <= 1_working_day
  - written_report <= 7_working_days

### RULE-REP-03: Cooperation Reporting

- New IT cooperation MUST be reported
- Deadline <= 10_working_days after effective operation

---

## 12. Change Management Constraints

### RULE-CHG-01: Controlled Change

- All system changes MUST:
  - be authorized
  - be tested
  - be documented
  - have audit_trail

### RULE-CHG-02: Major Change Oversight

- IF change_type = fundamental
- THEN Board_of_Commissioners approval REQUIRED

---

## 13. AI System Usage Boundaries

### AI MUST NOT:

- Approve IT outsourcing without contract validation
- Recommend vendors without due diligence
- Ignore security or audit requirements
- Bypass board-level approval flows
- Suppress regulatory reporting obligations

### AI MAY:

- Assist compliance checks
- Validate contract completeness
- Monitor SLA & incidents
- Flag non-compliance risks
- Generate audit & regulatory reports
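
The "assist compliance checks" and "validate contract completeness" tasks above can be encoded directly as a policy validator. The block below is an added example, not part of the regulation, this document's source, or any OJK tooling: it evaluates an entity profile against RULE-CB-01/02, RULE-TX-01/02, RULE-COOP-01/02 and RULE-REP-02 and returns the violated rule IDs. The field names (`core_capital_idr`, `cbs_is_primary`, ...), the sample entity, and the working-day calculation (weekends only, no public-holiday calendar) are assumptions made for illustration.

```python
"""Policy validator for the rules in this document (added example, not OJK code).
Field names, the sample entity and the working-day helper are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

DRC_CAPITAL_THRESHOLD_IDR = 50_000_000_000  # RULE-CB-02 boundary: 50B IDR

# RULE-COOP-02: minimum clauses for every IT cooperation contract.
REQUIRED_CLAUSES = frozenset({
    "scope_of_service", "roles_and_responsibilities", "sla", "data_ownership",
    "confidentiality", "audit_access", "business_continuity",
    "disaster_recovery", "risk_and_liability",
})


@dataclass
class Contract:
    vendor: str
    written: bool                    # RULE-COOP-01
    clauses: frozenset               # RULE-COOP-02
    audit_access_parties: frozenset  # RULE-COOP-02: must cover Bank and OJK


@dataclass
class Incident:
    detected: date
    notified_ojk: date | None = None    # RULE-REP-02: <= 1 working day
    written_report: date | None = None  # RULE-REP-02: <= 7 working days


@dataclass
class Entity:
    entity_type: str             # "BPR" or "BPRS"
    core_capital_idr: int
    infrastructure: frozenset    # subset of {"CBS", "Data_Center", "Disaster_Recovery_Center"}
    cbs_is_primary: bool
    e_banking: bool
    atm_issuer: bool
    transaction_processing: str  # "online_real_time" | "same_day" | "batch"
    contracts: list = field(default_factory=list)
    incidents: list = field(default_factory=list)


def add_working_days(start: date, n: int) -> date:
    """Date n working days after start, skipping Saturday and Sunday.
    Assumption: public holidays are not modelled."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def _deadline_missed(done: date | None, deadline: date, as_of: date) -> bool:
    # Missed if done after the deadline, or not done and the deadline has passed.
    return done > deadline if done else as_of > deadline


def validate(e: Entity, as_of: date) -> list[tuple[str, str]]:
    """Return (rule_id, message) for every rule the entity profile violates."""
    v: list[tuple[str, str]] = []
    if e.entity_type not in {"BPR", "BPRS"}:
        return v  # the rules in this document are scoped to BPR/BPRS
    # RULE-CB-01 / RULE-CB-02: infrastructure by core capital
    required = {"CBS", "Data_Center"}
    if e.core_capital_idr >= DRC_CAPITAL_THRESHOLD_IDR:
        required.add("Disaster_Recovery_Center")
    for missing in sorted(required - e.infrastructure):
        v.append(("RULE-CB-01" if missing == "CBS" else "RULE-CB-02", f"missing {missing}"))
    if "CBS" in e.infrastructure and not e.cbs_is_primary:
        v.append(("RULE-CB-01", "CBS is not the primary transaction system"))
    # RULE-TX-01 / RULE-TX-02: processing mode by channel
    if e.e_banking or e.atm_issuer:
        if e.transaction_processing != "online_real_time":
            v.append(("RULE-TX-02", "e-banking/ATM issuer requires online real-time processing"))
    elif e.transaction_processing not in {"online_real_time", "same_day"}:
        v.append(("RULE-TX-01", "inter-branch posting must be same-day"))
    # RULE-COOP-01 / RULE-COOP-02: contract existence and completeness
    for c in e.contracts:
        if not c.written:
            v.append(("RULE-COOP-01", f"{c.vendor}: no written contract"))
            continue
        for clause in sorted(REQUIRED_CLAUSES - c.clauses):
            v.append(("RULE-COOP-02", f"{c.vendor}: missing clause {clause}"))
        if not {"Bank", "OJK"} <= c.audit_access_parties:
            v.append(("RULE-COOP-02", f"{c.vendor}: audit access must cover Bank and OJK"))
    # RULE-REP-02: incident notification and written report deadlines
    for i in e.incidents:
        if _deadline_missed(i.notified_ojk, add_working_days(i.detected, 1), as_of):
            v.append(("RULE-REP-02", f"incident {i.detected}: OJK notification late or missing"))
        if _deadline_missed(i.written_report, add_working_days(i.detected, 7), as_of):
            v.append(("RULE-REP-02", f"incident {i.detected}: written report late or missing"))
    return v


# Constructed sample: a BPRS above the 50B threshold with no DRC, same-day
# processing despite e-banking, an incomplete contract, and an unreported incident.
SAMPLE = Entity(
    entity_type="BPRS", core_capital_idr=60_000_000_000,
    infrastructure=frozenset({"CBS", "Data_Center"}), cbs_is_primary=True,
    e_banking=True, atm_issuer=False, transaction_processing="same_day",
    contracts=[Contract("vendor-a", True, REQUIRED_CLAUSES - {"disaster_recovery"},
                        frozenset({"Bank"}))],
    incidents=[Incident(detected=date(2024, 3, 8),        # a Friday
                        notified_ojk=date(2024, 3, 11),   # Monday: within 1 working day
                        written_report=None)],
)

if __name__ == "__main__":
    for rule, msg in validate(SAMPLE, as_of=date(2024, 3, 25)):
        print(rule, msg)
```

Each finding carries the rule ID from this document, so a downstream engine can apply the Section 14 priority order (regulatory compliance before efficiency) without re-deriving which rule fired; the RULE-REP-02 check deliberately treats a missing notification as a violation only once its deadline has passed, so an open incident inside its window is not flagged prematurely.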

---

## 14. Enforcement Priority (AI Weighting)

Priority order:
1. Regulatory compliance
2. Data security
3. Operational continuity
4. Governance accountability
5. Business efficiency

---

## 15. Regulatory Source

- SE OJK No. 15/SEOJK.03/2017
- POJK No. 75/POJK.03/2016

---
