# Regulatory Summary for Banking IT Systems & Digital Infrastructure  
**POJK No. 75 of 2016 – IT Implementation Standards for Rural Banks (BPR) and Sharia Rural Banks (BPRS)**

## 1. Regulatory Scope
- Regulates **information technology (IT) governance and implementation** for:
  - Rural Banks (BPR)
  - Sharia Rural Banks (BPRS)
- Applies to:
  - Core banking systems
  - Digital banking services
  - Supporting IT infrastructure
- Acts as the **baseline IT compliance regulation** for micro banks.

## 2. Objectives of IT Implementation
IT implementation must ensure:
- Operational efficiency
- Data accuracy and integrity
- System reliability and availability
- Customer data confidentiality
- Support for safe digital banking services

> IT is treated as **critical banking infrastructure**, not a supporting tool.

## 3. IT Governance Requirements
Banks must establish IT governance that includes:
- Clear IT strategy aligned with business strategy
- Defined roles and responsibilities:
  - Board of Directors
  - IT management
- Written IT policies and procedures

Key governance areas:
- System planning and development
- Change management
- Vendor and third-party management
- IT risk oversight

## 4. Core Banking System Requirements
Banks must use IT systems that:
- Accurately record all transactions
- Support real-time or near real-time processing
- Maintain complete audit trails
- Prevent unauthorized access

> Core banking systems must be auditable and regulator-ready.

## 5. Information Security
Mandatory information security controls include:
- User access management
- Authentication and authorization
- Data encryption (where applicable)
- Logging and monitoring of activities
- Protection against malware and cyber threats

> Security controls are mandatory, not optional.

## 6. IT Risk Management
Banks must identify and manage IT risks, including:
- System failure
- Data loss
- Cybersecurity threats
- Third-party system risks

Risk management must cover:
- Risk identification
- Risk measurement
- Risk mitigation
- Ongoing monitoring

## 7. Business Continuity & Disaster Recovery
Banks are required to:
- Establish Business Continuity Plans (BCP)
- Maintain Disaster Recovery Plans (DRP)
- Perform periodic testing of backup and recovery procedures

Minimum requirements:
- Regular data backups
- Defined recovery time objectives (RTO)
- Alternative processing locations if needed

## 8. Third-Party & Vendor Management
If using third-party IT providers:
- Banks remain fully responsible for compliance
- Contracts must define:
  - Data ownership
  - Security obligations
  - Audit rights
- Third-party systems must meet POJK IT standards

> Outsourcing does not transfer regulatory responsibility.

## 9. IT Audit & Reporting
Banks must:
- Conduct periodic internal IT audits
- Conduct external audits when required
- Take corrective actions for identified weaknesses

Audit scope includes:
- System security
- Data integrity
- Compliance with IT policies

## 10. Relevance to Digital & Micro Banking Systems
This regulation is the foundation for:
- Core banking system architecture
- Digital banking platform security
- API and third-party integration controls
- Audit-ready system design
- Regulatory-compliant cloud or on-premise setups

> POJK No. 75 of 2016 defines **how digital micro banking systems must be built and operated** in Indonesia.
