1. What is the current legal landscape for Fintech in your jurisdiction?

Fintech sector in Indonesia is formally addressed as technological innovation in the financial sector (Inovasi Teknologi Sektor Keuangan or “ITSK”). The term means technology-based innovation that has an impact on a product, activity,
service and business model within the digital financial ecosystem, which is analogous to the term “Fintech” as commonly used by the general public.

OJK Regulation No. 3 of 2024 on the Organisation of Financial Sector Technology Innovation (“OJK Regulation 3/2024”) is the main sectoral implementing regulation for ITSK, and it applies to both parties in the sandbox phase and ITSK providers that are already registered and/or licensed by OJK.

The regulation integrates a sandbox–to–licensing pipeline, where Fintech or ITSK models first enter an OJK sandbox and, once proven and aligned with existing regulatory frameworks, proceed into the relevant licensing regime. Sandbox is a facility and mechanism to facilitate trial and development of innovation provided by the OJK in order to assess the feasibility and reliability of a Fintech model.

In addition to OJK Regulation 3/2024, the authority has established several regulatory frameworks for specific ITSK models, such as P2P lending, cryptocurrency trading, Buy-Now-Pay-Later (“BNPL”), alternative credit scoring, IT-based crowdfunding, and financial services aggregators. These targeted regulations enable OJK to issue business licences for these business models based on pre-determined requirements. However, several types of Fintech models remain unregulated and for unregulated ones, OJK still allows participation and registration as sandbox participants.

Apart from the OJK regime, Fintech actors who engage in payment system must adhere to the regulations issued by Bank Indonesia (“BI”). The latest umbrella regulation governing all payments system actors constitutes BI Regulation No. 10 of 2025 on Payment System Industry Regulation (“BI Regulation 10/2025”) which shall come into effect on 31 March 2026 and applicable to all payment system service providers which consist of (a) the payment service providers (Penyedia Jasa Pembayaran or “PJP”), (b) the payment system infrastructure providers (Penyedia Infrastruktur Sistem Pembayaran or “PIP”), and (c) the supporting providers who organize supporting activities for PJP and PIP.

On the other hand, while the Indonesian regulations governing Fintech business models are proliferating, notable gaps remain, particularly in the areas of data privacy and Artificial Intelligence (“AI”). Indonesia’s primary data protection framework, Law No. 27 of 2022 on Personal Data Protection (“PDP Law”), was enacted in October 2022 and entered into full force and effect as of October 2024. While the PDP Law establishes foundational principles, including lawful bases for processing, data subject rights, obligations on data controllers and processors, and cross-border data transfer requirements, its practical implementation remains in complete. To date, the Indonesian government has yet to enact the implementing regulations necessary to operationalize many of the PDP Law’s provisions in detail. These includes, among other, regulations on the establishment and role of the Data Protection Authority, detailed technical standards for data security along with specific procedures for data breach notification. This gap creates a paradoxical situation whereby, companies processing personal data are legally obligated to comply with the PDP Law, yet the detailed rules and standards for their compliance will ultimately remain undefined. In the absence of implementing regulations, operators are left to interpret broad statutory obligations without clear regulatory guidance, increasing the risk of inadvertent non-compliance and inconsistent industry practice.

In terms of AI, the regulatory gap is arguably even more pronounced as Indonesia currently lacks a dedicated AI law or binding regulatory framework. The most relevant instrument remains Circular Letter No. 9 of 2023 on the Ethics of Artificial Intelligence (“Circular Letter”) issued by the Ministry of Communication and Digital (formerly the Ministry of Communication and Informatics). While a useful articulation of high-level principles, the Circular Letter is, by nature, non-binding and aspirational. It focuses on ethical guidance and governance recommendations rather than establishing legal standards, enforceable obligations or clear liability rules.

This creates a significant “grey area” for Fintech operators deploying AI solutions, as they must navigate the intersection of more general laws, such as Law No. 11 of 2008 on Electronic Information and Transaction as amended (“EIT Law”), consumer protection regulations, and OJK’s existing conduct-of-business requirements — without the benefit of AI-specific legal guidance. While OJK has begun to address AI indirectly through its ITSK framework and sandbox regime, this falls short of the comprehensive, cross-sectoral AI regulatory framework that the scale and pace of AI adoption now demand, especially in the Fintech sector.

2. What three essential pieces of advice would you give to clients involved in Fintech matters?

• Clients involved in Fintech matters should be in active communication with regulators, namely OJK and/or BI, especially as more innovation in this sector warrants active feedback from industry stakeholders in drafting regulations that will shape the industry. Fintech regulation evolves quickly—what is “unregulated” today may be regulated tomorrow. It is essential to align the view with the regulator, as they often have a strict interpretation of the law.
• Existing Fintech players need to modify their business operations to comply with new regulations set to take effect in 2025, including BI Regulation 10/2025 and OJK Regulation No. 32 of 2025 on the Organization of BNPL.
• Clients should also implement data privacy compliance and have internal policies regarding ethical use of AI, presenting as industry leaders in applying robust data security measures and AI governance despite the lack of regulatory framework in Indonesia.

3. What are the greatest threats and opportunities in Fintech law in the next 12 months?

In terms of opportunities, Fintech clients may appreciate that there is room for active involvement in shaping the industry alongside other market players and regulators. As technology is rapidly evolving and new products and/or services in Fintech continues to launch, many will fall into the unregulated areas. For instance, the provision of Earned Wage Access services, although it can be categorized as Fintech, it is not currently regulated under Indonesian laws and regulations and key players in the industry are in active communication with regulators in order to shape regulations regarding the service.

Fintech companies are expected to closely monitor forthcoming draft OJK regulations that will define the legal status of specific business activities, such as the public offering of cryptocurrency.

Although the marketization of crypto derivatives is now permitted under OJK Regulation No. 23 of 2025 on the Amendment of OJK Regulation No. 27 of 2024 on the Organization of Trading of Digital Financial Assets Including Crypto Assets, there remains no regulatory framework to govern the trading of non-fungible tokens (NFTs), rendering this activity unregulated. In 2022, OJK nevertheless clarified that NFT trading does not fall within its regulatory and supervisory authority, as it considers that NFTs cannot be classified as financial instruments.

4. How do you ensure high client satisfaction levels are maintained by your practice?

At ABNR, client satisfaction is anchored in our commitment to being more than just reactive legal advisors — we position ourselves as a strategic partner to our clients, particularly in fast-evolving sectors like Fintech.

We strive to stay ahead of innovation and regulatory expectations in the Fintech sector by maintaining our standing as a recognized thought leader in the Fintech sector. We maintain good relationship with regulators and are committed to continually monitor regulatory updates, including actively providing comments and recommendations in the drafting of new regulations and/or guidelines to OJK and/or BI. We believe that through closely monitoring both industry innovations as well as active participation in the drafting of regulations, ABNR is able to provide comprehensive and holistic view to our clients.

Ultimately, high client satisfaction comes from clients knowing they can rely on us — not just for answers, but for the accurate answers at the right time. We invest in long-term relationships, take time to understand each client’s business deeply, and remain accessible and responsive as their needs evolve. Our goal is for every client to feel that ABNR is not merely their outside counsel, but an extension of their own team.

5. What technological advancements are reshaping Fintech law and how can clients benefit from them?

Expansion of Digital Financial Assets Category

Current regulations prioritize the functional and technological attributes of digital financial assets, departing from the earlier focus on individual coin names. These provisions broadly define such assets as those that are issued, maintained, transferred, or transacted through distributed ledger technology or comparable platforms, thereby affording substantial scope for the emergence of novel digital financial asset types, provided they undergo exchange analysis and are incorporated into the authorized digital financial asset list maintained by the licensed financial digital exchange. Rather than necessitating legal approval for each asset individually, this regulatory model permits Fintech players to ensure their offerings meet the general standards stipulated in OJK regulations, subsequently enabling collaboration with a licensed exchange for review and listing.

AML/CFT Technology and “Regtech” for Digital Assets

Digital‑asset and high‑velocity fintech environments require sophisticated AML/CFT and KYC technology (biometrics, liveness detection, on‑chain analytics, pattern recognition). Indonesian regulatory framework increasingly assumes the existence of such technological capabilities, proven by OJK regulations that provide KYC processes and enhanced due diligence of customers as mandatory obligations of any financial services institutions in Indonesia. Particularly, crypto-related regulations explicitly govern the prevention of money laundering, terrorism financing, and proliferation financing as a core obligation in digital financial asset trading by requiring organizers to implement AML/CFT programs.

The Clients may benefit by commercializing this Regtech opportunity by providing technological infrastructure and services related to identity‑verification, transaction‑monitoring, and blockchain‑analytics solutions for the purpose of implementing AML/CFT measures, to the licensed digital financial asset trading organizers. In this way, the Clients will position themselves as the providers of critical compliance infrastructure under the current cryptocurrency regulatory framework.