Indonesia requests non-bank financial institutions to place data centres inside country
Published 29 March 2021
The Financial Services Authority of Indonesia (OJK) has issued a new regulation that prohibits non-bank financial institutions from placing their data centres and disaster recovery centres outside the country’s borders.
They can host their data centres overseas only after receiving approval from the authorities.
Indonesian authorities have formulated a regulation, denoted as POJK 4/2021, regarding the implementation of risk management in the use of information technology by non-bank financial institutions (NBFIs). Insurance companies, pawnshops, pension funds, fintech businesses, and social security administration bodies are among the types of institutions being regulated.
POJK 4/2021 has been in effect since March 17, amid increasing IT adoption in the country’s financial sector. Under the regulation, depending on the size of its assets, an NBFI will have to operate a data centre or back up the data generated from its IT deployments.
Companies with assets up to IDR 500 billion (about $34.6 million) are only required to back up data, while companies with assets from IDR 1 trillion (about $69.3 million) upward, or whose business operations are mostly carried out using IT, are required to have both a data centre and a disaster recovery centre.
Geographical factors are among the most strictly regulated provisions. “NBFIs are required to place their data centre and disaster recovery centre in the territory of Indonesia,” Binis quoted a statement from the authority on March 22.
Promulgated by the Indonesian Ministry of Law and Human Rights and stipulated by the OJK Board of Commissioners, POJK 4/2021 allows data centres to be placed abroad only when an NBFI meets a number of conditions related to the regulations of its country of origin, the specific business practices of its parent company, or the scale of its customers.
Chairman of the OJK Board of Commissioners Wimboh Santoso wrote in a summary of POJK 4/2021 that its issuance solves the lack of regulations regarding risk management in the use of IT in various types of NBFIs. He also underlined that the country encourages companies to use IT in order to boost productivity and business, though it is critical to pay attention to risk management measures to prevent potential hazards to their consumers.
As companies increasingly exploit technologies such as machine learning to process consumers’ big data, nations are beginning to look at this information as a new national resource and to enhance security over this asset. Last year, Nikkei Asia reported that Asian countries have been some of the most active in this movement, with five out of eight countries requiring that data collected be stored within their borders. Experts say that this is an effort by nations to manage the impact of the rapid digitalisation owing to the pandemic.
In 2019, Vietnam issued the Law on Cybersecurity, which requires onshore and offshore service providers to store data of Vietnamese users in Vietnam. The regulation, however, is said to decrease the country’s competitiveness in terms of foreign investments. Last year in India, a group of 30 companies, including Microsoft and Siemens, also announced in a joint statement that the proposed personal data protection law in the country would stifle competition.