Fintech activities in Indonesia are regulated by three principal authorities, namely: (i) Bank Indonesia (“BI”), (ii) Financial Services Authority (Otoritas Jasa Keuangan – “OJK”), and (iii) The Commodity Futures Trading Regulatory Agency (Badan Pengawas Perdagangan Berjangka Komoditi – “Bappebti”), each of which exercises regulatory authority based on the specific type of fintech activity.

OJK’s authority is governed under Article 6 paragraph (1) of Law No. 21 of 2011 on OJK as lastly amended by Law No. 1 of 2026 (“Law 21/2011”). Under Law 21/2011, OJK has regulatory and supervisory authority over fintech activities in the areas of (i) Financial Sector Technological Innovation (Inovasi Teknologi Sektor Keuangan – “ITSK”), (ii) digital financial asset, and (iii) crypto asset. This authority also covers fintech business models involving fund collection and/or fund distribution, such as peer-to-peer lending.

On the other hand, BI is responsible for overseeing fintech activities operating within the payment system sector as stated in Article 8 of the Law No. 23 of 1999 on BI, as lastly amended by Law No. 1 of 2026. Bappebti supervises commodities fintech in the form of digital gold.

The scope of ITSK is further elaborated under Article 2 of OJK Regulation Number 3 of 2024 on the Implementation of Financial Sector Technology Innovation (‘‘OJK Regulation 3/2024’’), which classifies ITSK activities into the following categories:

a) Settlement of securities transactions;

b) Capital collection;

c) Investment management;

d) Risk management;

e) Fund collection and/or distribution;

f) Market support activities;

g) Activities related to digital financial assets, including cryptocurrency; and

h) Other digital financial services activities.

The characteristics and diversity inherent in digital assets compel regulators to apply different legal approaches tailored to the specific needs of each stage of digital asset development. In addition, continuous innovation presents an ongoing challenge for the law to keep pace with technological advancements. Collectively, these factors create a domino effect, whereby the rapid evolution of innovation in the digital asset sector outstrips the ability of the legal framework to respond adequately. Such regulatory lag ultimately results in protection gaps for consumers.

Moreover, as an illustration of this regulatory gap, Indonesia does not yet have a comprehensive legal framework specifically governing the use of Artificial Intelligence (“AI”). To date, there has only been one regulatory instrument expressly addressing AI, namely Ministry of Communications and Information Circular Letter No. 9 of 2023 on Ethics of Artificial Intelligence (“CR 9/2023”). CR 9/2023 itself provides several ethical values, for instance:

a. inclusivity – to consider equality, justice, and order for the common good in producing information and innovation;

b. humanity – to protect human rights, social relations, belief systems, and individual opinions and thoughts;

c. safety – to consider the security of users and data used to protect privacy and personal data and prioritize the rights of the users of the electronic system so that no party is harmed;

d. transparency – to have transparency of data used to avoid misuse of data; and

e. credibility and accountability – upon public distribution, to have the information produced by the AI to be trustworthy and accountable.

Apart from the provisions set out in CR 9/2023, the use of AI in Indonesia continues to rely largely on interpretative gaps within existing legal frameworks in order to accommodate its implementation. If one considers current developments, AI has already been deployed across various sectors of life, including the financial sector. Conversely, the law has struggled to keep pace and remains largely confined to ethical principles.

In light of the foregoing, from a legal perspective, the principal challenge lies in the ability of the law to keep regulating new technological developments in the field of digital assets, technology, and AI. Such legal challenges further give rise to questions concerning the rights and obligations of the parties in the practical implementation of consumer protection.

Another challenge from a commercial perspective is the weakening economy in Indonesia, which may result in potential Non-Performing Loans (NPL) from P2P debtors. This could pose challenges to the operational of P2P companies. Some P2P companies already encountered this issue during the year 2025. The continuous weakening of the economy may lead to an increase in NPL cases and potentially the destruction of P2P businesses in Indonesia.

Typically, fintech activities necessitate licensing or registration prior to the commencement of business operations. However, the specific licensing requirements and the corresponding regulatory authorities vary depending on the nature of the fintech business. The license is typically issued by the relevant government authorities, as outlined in question number 1.

In the absence of specific regulations governing the fintech activities in question, the operating entity may be required to obtain an ITSK license if its business falls under the ITSK categories as outlined in question number 1.

In summary, fintech businesses in Indonesia would necessitate a license to operate, provided that the relevant authorities have promulgated regulations governing specific fintech activities, such as cryptocurrency, peer-to-peer lending, securities crowdfunding, digital gold, payment systems, and aggregators. Alternatively, they may also be classified under the ITSK regime, provided that they meet the ITSK criteria.

On 12 January 2023, the Government of Indonesia enacted Law No. 4 of 2023 on the Development and Strengthening of the Financial Sector (“P2SK Law”). The P2SK Law serves as the overarching legal framework for the financial industry in Indonesia, consolidating and harmonizing various provisions previously scattered across multiple statutes into a single, comprehensive law. The P2SK Law governs key areas of the financial sector, including banking (including digital banks), financial sector technological innovation (ITSK), digital assets, capital markets, financing institutions, and insurance. However, specific regulations for each fintech activities would still be regulated under implementing regulations issued by each supervising authorities. Consequently, Indonesia does not recognize a single-license regime covering multiple fintech activities.

Since 2018, OJK has introduced a concept called sandbox mechanism to cover new innovations and further improve previously introduced mechanisms. The most recent regulations governing sandbox were implemented pursuant to OJK Regulation 3/2024. According to Article 1 No. 7 of OJK Regulation 3/2024, sandbox is defined as facilities and mechanisms to facilitate trial and development of innovation, provided by OJK to assess the feasibility and reliability of financial sector technology innovation (“ITSK”). Or in other words, the regulatory sandbox is a testing mechanism carried out by the OJK to assess the reliability of a business model of an organizer.

The scope of the sandbox under OJK Regulation 3/2024 includes the granting of:

a) Facilities to conduct an experiment that is conducted within a certain timeframe and limited environment.

b) Facilities to obtain an explanation of the provisions applicable in the financial services sector.

c) Facilities to conduct the development of ITSK at the early stage.

d) Other facilities for the experiment and development of the ITSK.

Every ITSK organizer who wishes to participate as a participant in the sandbox must apply to the OJK. The application includes the sandbox application form, examination plan and other supporting documents.

Numerous ITSK applications have been submitted to the OJK. For the year of 2025, four entities have received the “PASS” clearance from the OJK, entitling them to obtain formal licenses. The majority of these entities are engaged in the business of tokenization.

With respect to supervisory matters concerning fintech companies, OJK and BI generally exercise supervisory authority only for fintech companies that are established and/or is operating in Indonesia. Nevertheless, both authorities may cooperate with foreign supervisory authorities in relation to supervisory matters.

Pursuant to Law 21/2011, OJK may cooperate with supervisory authorities in other jurisdictions for the purposes of: (i) institutional capacity building, including human resources training in the regulation and supervision of financial services institutions; (ii) information exchange; and (iii) cooperation in examinations and investigations, as well as the prevention of crimes in the financial sector.

In relation to technology-based supervision, the OJK does not currently possess such a tool within the fintech industry. However, the OJK has integrated application-based supervision for the banking and capital market sectors. The OJK has developed a platform called SupTech Integrated Data Analytics (OSIDA), which utilizes big data analytics and artificial intelligence to identify risks more effectively. The OJK’s next objectives are to expand the scope of this platform to include fintech businesses. Consequently, it is anticipated that this platform will soon be applied to the fintech industry.

In Indonesia, cryptocurrency is classified as a commodity rather than a currency. Consequently, cryptocurrency cannot be utilized as a means of payment within the country. Specific to tokenization and stablecoin, OJK Regulation No. 27 of 2024 on The Organization Of Trading Of Digital Financial Assets Including Crypto Asset, as lastly amended by OJK Regulation No. 23 of 2025 (“OJK Regulation 27/2024”)stipulates that such token (or tokenization) and stablecoin are interpreted as crypto-assets. Therefore, any transaction regarding stablecoin and token would be treated as crypto-assets in general.

As for Decentralized Finance (“DeFi”), a blockchain-based technology that enables financial transactions to be carried out without the involvement of intermediaries or other centralized institutions, there is no regulations yet regulating DeFi in Indonesia. However, as of 26 October 2021, OJK has published a Blueprint for Digital Transformation in Banking, whereby OJK has set forth several plans for future development in banking. One such plan is the use of blockchain and DeFi in the industry of banking, which may serve to enhance or distort the existing banking institutions.

Generally speaking, OJK has enacted OJK Regulation No. 8 of 2023 concerning the Implementation of Anti-Money Laundering and Counter-Terrorism Financing, and Counter-Proliferation Financing of Weapons of Mass Destruction Programs within the Financial Services Sector (“OJK Regulation 8/2023”) which governs Anti Money Laundering (“AML”) and Combating the Financing of Terrorism (“CFT”). This regulation imposes various obligations and procedural requirements on fintech companies to implement measures to prevent AML and CFT, including:

(i) customer identification and verification;

(ii) identification and verification of the Beneficial Owner;

(iii) refusal of transactions and termination of business relationships;

(iv) ongoing management of ML/TF and proliferation financing risks in relation to customers, countries, products and services, and distribution channels;

(v) maintenance of accurate records relating to transactions, administration of customer due diligence (CDD) processes, and documentation of policies and procedures;

(vi) periodic updating and monitoring.

As far as things go, there are no specific regulations governing AML/CFT when funds / tokens are stored on non-custodial wallets. However, once such non-custodial wallets connect to an exchange or attempts to conduct sales through an exchange, Traders (parties conducting the sales of such assets through an exchange) would be obliged under Article 90 paragraph (2) and (3) of OJK Regulation 27/2024 to conduct customer due diligence as governed by OJK Regulation 8/2023 over the wallet owned by their customer to ensure and prevent that the wallet is not sourced from AML/CFT and Proliferation Financing of Weapons of Mass Destruction Programs.

OJK Regulation 27/2024 does not yet regulate the issuance of cryptocurrencies, including the issuance of stablecoins. Currently, cryptocurrency trading activity in Indonesia is limited to crypto assets that are listed as tradable assets in accordance with Bappebti Regulation No. 11 of 2022 on the Determination of the List of Tradable Crypto Assets in the Physical Market for Crypto Assets, as most recently amended by Bappebti Regulation No. 1 of 2025 (“Bappebti Regulation 11/2022”).

On the other hand, OJK Regulation 27/2024 governs cryptocurrencies custodian. According to OJK Regulation 27/2024, the party performing the custodial function is referred to as a Digital Financial Asset Custodian (Pengelola Tempat Penyimpanan Aset Keuangan Digital / “Crypto Custodian”). Pursuant to the regulation, Crypto Custodians are entrusted with responsibilities that include safeguarding digital financial assets, ensuring secure storage systems, and maintaining the integrity and availability of assets under their custody.

OJK Regulation 27/2024 sets out several requirements for entities seeking to operate as Crypto Custodians, including the following:

(i) Legal Form and Capitalization

Crypto Custodians shall be established as limited liability companies (Perseroan Terbatas) and satisfy minimum paid-up capital requirements of IDR 250,000,000,000 (two hundred fifty billion Rupiah).

(ii) Organizational Structure and Personnel

Pursuant to Article 36, Crypto Custodians are required to maintain an organizational structure comprising, at a minimum, IT, legal, and digital financial asset custody governance divisions. They must also employ personnel holding recognized professional certifications, including Certified Information Systems Auditor (CISA) and Certified Information Systems Security Professional (CISSP).

(iii) System Requirements

The regulation further prescribes system-related requirements, including obligations to implement configurations that: (i) Provide robust technical safeguards for Digital Financial Assets through segregated storage mechanisms, at minimum including hot storage, cold storage, multi-signature wallets, and smart contract wallets; (ii) Prevent the receipt and/or transfer of unidentified Digital Financial Assets by implementing authorization controls over Crypto Traders; and (iii) Facilitate custody exclusively for types of Digital Financial Assets listed in the official Digital Financial Asset registry.

In relation to data privacy protection and cybersecurity, the Government of Indonesia has enacted Law No. 27 of 2022 on Personal Data Protection (the “PDP Law”) on 17 October 2022. The PDP Law serves as the primary legal basis governing the processing and use of personal data by any entity. In parallel, the Government has also enacted Government Regulation No. 71 of 2019 concerning the Operation of Electronic Systems and Transactions (“GR 71/2019”), which regulates Electronic System Providers and establishes core obligations for the use of electronic systems in Indonesia.

Together, the PDP Law and GR 71/2019 form the foundational framework applicable to all entities utilizing electronic systems in Indonesia, including fintech companies. Furthermore, personal data protection and cybersecurity requirements are also further elaborated in the specific regulatory frameworks applicable to each category of fintech company. For example, Crypto Asset Traders, pursuant to OJK Regulation 27/2024, are required to be registered and licensed as Electronic System Providers and are subject to personal data protection obligations, among others: (i) obtaining consumer consent; (ii) informing consumers of limitations on the use of their data and information; (iii) notifying consumers of any changes in the purpose of data processing where such changes occur; and (iv) ensuring that the methods of data collection are secure and lawful.

Beyond these specific obligations, OJK has also continued to maintain updates on the current applicable regulations to ensure business resilience within the fintech industry and consumer protection to increase trust and activity for fintech businesses, such as through OJK Regulation No. 22 of 2023 on Consumer and Public Protection in the Financial Services Sector.

Given the above, we are of the view that there is a positive trend by the Government to support fintech businesses through the issuance of new regulations and tighter oversight, which would allow a for a more regulated industry and better consumer protection.

Pursuant to OJK Regulation 27/2024, several parties are recognized in the implementation of digital financial asset trading, namely: (i) exchanges; (ii) clearing, guarantee, and settlement institutions; (iii) custodians; (iv) traders; and (v) other parties as determined by the OJK. Based on the foregoing classification, cryptocurrency and blockchain companies fall within the category of “traders,” being business entities that conduct the trading of crypto-assets, either for their own account and/or by facilitating consumers. OJK Regulation 27/2024 further stipulates that parties involved in digital financial asset trading – including traders – are required to implement, inter alia:

• good corporate governance principle;
• risk management;
• market integrity;
• information system security and reliability, including cyber resilience;
• consumer protection;
• prevention of money laundering, terrorism financing, and proliferation financing;
• personal data protection; and
• compliance with prevailing laws and regulations.

Accordingly, traders are generally required to comply with and implement the above principles in conducting their business activities, including for the purpose of detecting and preventing fraudulent transactions, as well as ensuring readiness for regulatory audits, inquiries, and enforcement actions.

In addition to the foregoing principles, certain requirements must be satisfied for a crypto-asset to be eligible for trading. One such requirement is the prior assessment of the relevant crypto-asset. In total, 19 assessment methods must be applied in such evaluation. Based on the results of this assessment, the exchange shall determine the list of digital financial assets setting out the names of crypto-assets eligible for trading. In this regard, traders should ensure that they trade only those crypto-assets included in the list of digital financial assets.

Furthermore, with respect to traders themselves, Article 45 of OJK Regulation 27/2024 provides that, in order to conduct trading activities, traders must satisfy several requirements. One such requirement is the establishment of trading procedures, which must at least regulate: (i) definitions and terms; (ii) consumer registration processes; (iii) representations and warranties; (iv) obligations and liabilities; (v) data updating procedures; (vi) transaction procedures; (vii) transaction fees and withdrawal limits; (viii) transaction security; (ix) consumer complaint services; (x) consumer dispute resolution; (xi) implementation of AML, prevention of terrorism financing, and counter-proliferation financing programs in the financial services sector; (xii) disclosure of terms and conditions where the trader takes positions for its own account; and (xiii) force majeure. Provided that such matters are properly drafted and effectively implemented, traders will be better positioned to detect and prevent fraudulent transactions.

Generally, the United States’ H-1B and digital nomad visas do not directly impact the hiring capabilities of fintech companies in Indonesia. However, they may influence the hiring process, as selective candidates might prefer to work in the United States rather than Indonesia if both opportunities arise. The hiring of international talent or foreign workers in Indonesia are subject to Law No. 6 of 2011 on Immigration, as lastly amended by Law No. 63 of 2024 (“Immigration Law”) and Law No. 13 of 2023 on Manpower, as lastly amended by Law No. 6 of 2023 (“Manpower Law”).

Immigration Law

According to Article 8 paragraph (2) of the Immigration Law, it is stipulated that every foreign national entering Indonesia must possess a valid and unexpired visa. Immigration law categorised several types of visas to meet the needs of foreign nationals entering the country. Particularly, for foreign nationals intending to work in Indonesia. Pursuant to Article 39 paragraph (1) of the Immigration Law, the appropriate visa for foreign nationals who want to work in Indonesia is Limited Stay Visa (Visa Tinggal Terbatas).

The application process for a Limited Stay Visa for international talents in Indonesia is governed by the Regulation of Ministry of Law and Human Rights No. 22 of 2023 on Visa and Residence Licenses, as amended by Regulation of Ministry of Law and Human Right No. 11 of 2024 (“MOLHR Regulations 22/2023”). According to Article 34 paragraph (1) of the MOLHR Regulation 22 of 2023, applications for Limited Stay Visas, particularly for foreign workers, shall be submitted to Immigration Officials. This provision also outlined the required supporting documents that must accompany the application. Furthermore, the application may be submitted either by the foreign worker themselves or by their guarantor.

Manpower Law

Further, any employment of foreign workers in Indonesia is also subject to provision under the Manpower Law. Pursuant to Article 42 of the Manpower Law, employers that intending to hire foreign workers shall obtain an approved Foreign Worker Utilisation Plan (“RPTKA”) authorised by the Ministry of Manpower. To obtain this approval, employers shall submit an application to the Ministry of Manpower. The supporting documents required for the application are outlined in Article 12 paragraph (2) of Government Regulation No. 34 of 2021 on the Employment of Foreign Workers (“GR 34/2021”). However, Regulation of the Ministry of Manpower No. 8 of 2021 on Implementation Regulation of GR 34/2021 on the Employments of Foreign Workers exempts technology-based startup companies from applying for the RPTKA if they only employ expatriates for a specific period (no longer than three months).

Under GR 34/2021, there are obligations for the employers that shall be complied, among others as stated under Article 7 paragraph (1) of the GR 34/2021 that the employers of foreign workers must appoint Indonesian nationals as Assistants to foreign workers employed for technology transfer and skill transfer from foreign workers; conduct education and job training for appointed Assistant in accordance with the qualifications of the position occupied by foreign workers; and repatriate foreign workers to their home countries after their employment agreements expire.

To conclude, fintech companies in Indonesia are not directly impacted by the recent changes to the H-1B and digital nomad visa regimes. Nevertheless, fintech companies are still required to comply with Indonesian immigration and manpower laws in order to attract and employ foreign technology talent.

Currently, Indonesia does not permit cross-border trading of cryptocurrency assets. Consequently, the new geopolitical or sanctions may not have any impact on Indonesian cryptocurrency markets. However, in general, Indonesia implements Anti-Money Laundering (AML), Counter-Terrorism Financing (CTF), and Counter-Proliferation Financing of Weapons of Mass Destruction (CPFWMP) programs, as detailed in question 8.

As previously elaborated in question number 12, the use of foreign workers in Indonesia is governed by several key regulations, among others: (i) the Immigration Law; (ii) the Manpower Law; and (iii) GR 34/2021. With respect to workforce mobility, the Immigration Law stipulates that foreign individuals seeking entry into Indonesian jurisdiction must possess: (i) valid visa; (ii) passport; and (iii) residence permit. In the context of employment, the Immigration Law primarily regulates foreign workers under the limited stay visa category, which is accompanied by a limited stay permit. Currently, there is no specific regulatory framework governing remote-work permits for foreign nationals working for companies in Indonesia. In addition, the Manpower Law sets forth requirements relating to the employment of foreign workers. Pursuant to Article 42 of the Manpower Law, any company intending to employ foreign workers must obtain an approved Foreign Worker Utilization Plan (Rencana Penggunaan Tenaga Kerja Asing / “RPTKA”) from the Minister of Manpower. The Manpower Law further provides that foreign workers are restricted from holding certain positions and, in principle, may only occupy roles designated by the Ministry of Manpower, as stipulated under Ministerial of Manpower Decree No. 288 of 2019 on Certain Positions Eligible for Foreign Workers. Furthermore, GR 34/2021 imposes additional obligations on employers of foreign workers, including the requirement to: (i) appoint an Indonesian employee as a counterpart to the foreign worker; and (ii) implement education and training programs for the Indonesian counterpart, particularly in relation to technology transfer and skills transfer. In light of these regulatory requirements, fintech companies seeking to avoid talent shortages or workforce deployment delays should undertake proactive immigration and workforce planning, including the timely processing of visas and RPTKA approvals. Furthermore, companies should establish structured technology and knowledge transfer programs to ensure that expertise brought by foreign workers is effectively and efficiently transferred to Indonesian personnel. Consequently, the aforementioned requirements must be compiled once a company intends to employ foreign workers in Indonesia. To circumvent the protracted process and considering that fintech activities can be conducted remotely, companies may consider employing the talent to conduct the work remotely, thereby eliminating the need for the talent to work in Indonesia. This approach allows companies to avoid complying with the aforementioned requirements for employing foreign workers in Indonesia.

Immigration requirements and visa restrictions may significantly affect the timelines and operational strategies of fintech companies seeking to enter multiple jurisdictions, as each jurisdiction imposes distinct rules and procedures governing the employment of foreign personnel (e.g Indonesia’s immigration framework provides only a limited stay visa category for foreign workers). Furthermore, workforce considerations are fundamental to fintech operations. For example, in Indonesia, OJK Regulation 27/2024 requires Crypto Trader companies to employ personnel holding the Certified Information Systems Security Professional (CISSP) certification. The regulation further allows Crypto Traders to engage external experts where such certified personnel are not available internally.

Given that foreign workforce utilization rules, fintech-specific staffing requirements, and immigration regimes vary across jurisdictions, these factors may materially influence the timing and feasibility of launching fintech operations in Indonesia or other markets. Accordingly, fintech companies must carefully assess and develop compliance strategies aligned with applicable foreign laws and regulatory requirements to ensure that their planned operational launches proceed in a legally compliant and commercially viable manner.

Under Indonesian IPR regime, algorithms and smart-contract code enjoys intellectual property protection as a copyright under Article 40 paragraph (1) and Article 59 paragraph (1) of Law No. 28 of 2014 on Copyrights (“Copyrights Law”), as Indonesia explicitly considers it as a “creation” in science, arts, and linguistics borne through inspiration, power, imagination, expressed in a valid form, covering for: (i) computer programs (compilation of instructions that are expressed in language, code, schemes, or other forms for the computer to conduct a certain function or to reach a certain result), and (ii) compilation of creation or data, whether in the form readable by a computer program or other medias. This, in practice, provides the creator with the exclusive economic and moral rights to the algorithms and smart-contract code that they created.

Such objects, however, are generally barred from being considered as a form of invention available for patent rights, per Article 4 of Law Number 13 of 2016 on Patent as lastly amended by Law Number 65 of 2024 on the Third Amendment of Law Number 13 of 2016 on Patent (“Patent Law”), albeit with certain exceptions.

In this vein, Article 4 of Patent Law and its elucidation provides a limit on computer programs ineligible for a patent, such as those that consist solely of the program itself without having technical characteristics, technical effects, or problem-solving capabilities. This is different if the problem-solving result involves a computer, computer network or programmable equipment in its implementation. Such cases may be considered inventions and still fall within the scope of patent. An example is when the Global Positioning System (GPS) was first invented, as they used a proprietary program to solve navigation.

In addition to the copyrights, the fintech companies may also consider registering the algorithms and software under trade secrets. Trade secrets in Indonesia is regulated under Law No. 30 of 2000 on Trade Secrets, as amended by Law No. 1 of 2026. The trade secrets itself is defined as information in the field of technology and/or business that is not made public, economically valuable, and its confidentiality is protected by the owner.

With respect to the statutory framework governing trademarks in Indonesia, the prevailing laws have, in principle, it have been accommodated various mechanisms to protect the rights of trademarks owner through the regulations under Law No. 20 of 2016 on Trademarks and Geographical Indications, as amended by Law No. 1 of 2026 (“Trademark Law”).

However, notwithstanding the rapid development of artificial intelligence in the technology sector, particularly with the emergence of features such as impersonation, deepfakes, and synthetic media fraud, Indonesia unfortunately does not yet have a comprehensive regulatory framework governing these risks. At present, Indonesia primarily relies on ethical guidelines for AI governance, as reflected in CR 9/2023, which, among other principles, requires AI providers to comply with and respect protections afforded under intellectual property laws. Further explanation on this matter is elaborated on Question 2.

Accordingly, one of the key measures fintech companies may adopt to safeguard their intellectual property is to register their IP rights in accordance with applicable Indonesian laws and regulations. By registering their intellectual property in Indonesia, rights holders obtain a legal basis for asserting exclusive rights and enforcing protections over their proprietary.

Fintech companies may collaborate with third parties for the development, management, or operation of technologies used in their financial services activities. Accordingly, in practice, there are several preventive measures that fintech companies can implement to retain ownership of their technology and to prevent potential disputes arising from such collaborations.

In relation to safeguarding technology ownership, fintech companies must, prior to entering into any collaboration with third parties, ensure the inclusion of contractual clauses that protect the company’s rights and interests, particularly in respect of its technology. A common approach is to ensure that both newly developed technologies and the existing technologies are protected under intellectual property provisions. Intellectual property rights in technology may take the form of patents. Furthermore, such rights may be safeguarded through contractual clauses that expressly stipulate the non-transfer of intellectual property rights and/or impose limitations on the use of the technology as governed under the relevant cooperation agreement.

Measures to prevent the misuse of a fintech company’s technology should ideally be implemented prior to engaging in cooperation with third parties. As a general practice, before executing a cooperation agreement, the parties may enter into a Non-Disclosure Agreement (NDA). An NDA typically covers proprietary information belonging to a party, in this context, a fintech company may possess information closely related to its technology. Therefore, the risk of misuse of information related to fintech operations may be mitigated by ensuring that the NDA contains comprehensive clauses governing the use, disclosure, and protection of information that may be associated with the company’s technology.

In addition, other preventive measures that fintech companies may undertake to protect their technology include ensuring that any technology developed (if applicable) is protected through patent registration. By securing patent protection, a fintech company can ensure that its inventions are legally protected and that the company retains exclusive rights to use and commercialize the technology. Further explanation on this matter is elaborated on Question 17.

In general, it would depend on which type of intellectual property concerns such a fintech company. Intellectual property such as copyrights for software and algorithms would not require registration for it to be recognized – albeit it is still recommended to register it, whereas other rights such as marks for brands or patents for inventions inherently require registration for it to be recognized.

Nevertheless, in any event, fintech companies should promptly follow the procedures to obtain protection for their intellectual property as Indonesia’s intellectual property framework adopts a “first-to-file” principle. By doing so, the fintech company can prevent and address intellectual property infringement issues.

Upon identifying any misuse of their technology, fintech companies may initiate legal proceedings against the perpetrator. Consequently, legally safeguarding their intellectual property would provide them with a strategic advantage in the event of such unfortunate occurrences.

Distributed infrastructure refers to a series of computers operating independently to achieve a common objective under a centralized control mechanism. Meanwhile, decentralized code bases refer to a series of computers operating independently without a single centralized control. Based on such distinction, distributed infrastructure and decentralized code bases are, in general, protected under two different intellectual property rights regimes, namely:

Copyrights.

Article 1 number 9 of the Law No. 28 of 2014 on Copyright (“Copyright Law”) defines a computer program as a set of instructions expressed in the form of language, code, scheme, or in any other form intended to cause a computer to perform specific functions or achieve particular results. In this regard, Article 40 of the Copyright Law classifies computer programs as protected works under the Copyright Law. Accordingly, distributed infrastructure and decentralized code bases, insofar as they constitute computer programs, are eligible for copyright protection.

Patent.

Patent Law essentially provides protection for inventions in the form of an inventor’s idea embodied in a specific technological problem-solving activity, whether in the form of a product and/or process, or the improvement and/or development thereof, including systems, methods, and uses. In the context of distributed infrastructure and decentralized code bases as computer programs, Article 4 of the Patent Law stipulates that computer programs may enjoy patent protection where they are novel and serve as a technical solution to a problem. Therefore, if such distributed infrastructure and decentralized code bases function as technical solutions to specific problems, such programs may be eligible for patent protection.

Based on the foregoing, distributed infrastructure and decentralized code bases may, in principle, be protected under both copyright and patent regimes. However, it should be noted that patent protection is territorial in nature, as recognized under Article 4 paragraph (2) of the Paris Convention. Accordingly, in order to obtain and enforce patent rights in Indonesia, fintech companies must first file a patent application in Indonesia in accordance with the applicable laws and regulations.

In addition to the copyrights, the fintech companies may also consider registering the algorithms and software under trade secrets. Trade secrets in Indonesia is regulated under Law No. 30 of 2000 on Trade Secrets, as amended by Law No. 1 of 2026. The trade secrets itself is defined as information in the field of technology and/or business that is not made public, economically valuable, and its confidentiality is protected by the owner.

When they are licensing or selling software, smart contracts, or AI models, fintech companies would also have to keep IP protection in mind in order to protect their business interests. Such would inevitably require them to also understand the local laws within the designated country to ensure compliance.

Other than registering and obtaining protection for their IP as mentioned above, such IP protection can also be obtained through clear and firm provisions in the licensing agreement or sales agreement. For example, the agreement may include mechanisms for monitoring the use of the product, transfer or acknowledgment of IP ownership, as well as provisions allowing the license to be revoked if the licensee fails to comply with applicable laws and regulations. Through this, fintech companies can safeguard ownership and the integrity of their technology while ensuring compliance with the laws of the various jurisdictions in which their products are used.

Presently, Indonesia has yet to issue a regulation specified for AI. Consequently, parties are still relying on other regulatory frameworks in an attempt to grasp its application within industries, among others, Law No. 11 of 2008 on Information and Electronic Transaction, as lastly half repealed by Law No. 1 of 2026 (“ITE Law”) and Government Regulation No. 71 of 2019 on the Organization of Electronic Systems and Transactions (“GR 71/2019”). Financial technology companies would also be required to adhere to the specific regulations applicable to their operations. For instance, peer-to-peer companies are mandated to implement anti-fraud strategies in accordance with Article 5 of OJK Regulation 12/2024. This regulation outlines that the implementation of anti-fraud strategies comprises four key pillars: prevention, detection, investigation, reporting, and sanctions, as well as supervision, evaluation, and follow-up measures.

As aforementioned, the applicable laws and regulations on AI are still limited to gaps of interpretation in accommodating the use of AI and ethical principles as per CR 9/2023 and the guidelines provided by OJK particularly in fintech, as further elaborated in Question 25. According to such interpretation gaps and ethical principles, the applicable laws and regulation in Indonesia mandates that fintech companies hold the responsibility for the utilization of AI and are liable for any losses occuring due to the use of such AI. However, any losses shall be borne by the user, should such losses occur due to the user’s negligence.

In consideration of the above, Indonesia has yet to introduce any specific regulation for evidence on algorithmic fairness, explainability, and bias mitigation for automated credit and AML decisioning systems. However, by complying with the available ethical principles, fintech companies may provide evidence for its algorithmic fairness, explainability, and bias mitigation.

As discussed in Question 16, depending on the proprietary AI model, it may enjoy protection through copyright or patent should they fulfil the criteria of such right. Such would, in essence, provide the rights creator with exclusive economic and moral rights over the AI’s usage. Regarding protection, infringement of intellectual property in using an AI, please refer to the answers in Question 17, 18, and 19.

In regard to the implication of using AI and third-party AI tools, Article 21 paragraphs (3) and (4) of ITE Law divides the impact of losses resulting from the use of electronic agents into two categories. Firstly, if the loss arises due to the fault of the third-party who provided the AI tools, the loss will be the responsibility of the third party. Alternatively, if the loss arises due to the negligence of the service user, the loss will be borne by the service user. Therefore, the implications will depend on the context in a case-by-case basis.

For example, if the loss arises due to the negligence of the consumer who fault fully inputted data to the AI, the loss will remain the responsibility of the consumer. On the other hand, if the fintech company negligently provides a faulty program to the AI, then they would be responsible for the damages caused.

As aforementioned, presently Indonesia has yet to specifically regulate of the usage of AI, and the existing regulations are still limited to its ethical principles. In this vein, OJK has issued a the Ethical Code Guideline for Responsible and Trustworthy AI within the Fintech Sector, which was constructed pursuant to the study conducted to several globally applicable guidelines, for instance, the Organization for Economic Co-operation and Development (OECD) AI Principle and National Institute of Standards and Technology AI Risk Management Framework. Within such guidelines, several principles are set to abide by fintechs business actors, namely:

• Beneficial – Fintech business actors shall on its effort to develop and utilize AI based application to provide added value to, for instance: (i) the business operations; (ii) welfare of the consumer; and (iii) ability of the consumer in decision making. In essence, utilization of AI shall be beneficial to both the fintech business actors and consumers.

• Fair and accountable – Fintech business actors are responsible to ensure that the business model and AI based applications developed and utilized would not cause any loss to the consumer. For instance, fintech business actors are obligated to develop a risk mitigation to ensure that the algorithm, code, input data, and other supporting instruments to the AI based applications are relevant and proportional to the purpose of such AI based applications. Should there be any losses that occur against the consumer, fintech business actors shall bear the responsibility of such losses.

• Transparent and explicable – Fintech business actors are responsible to ensure that all the work and other processes conducted by the AI are transparent to the consumer, starting from the input and output generated by the AI. Although in essence, even if AI is designed to work independently, fintech business actors shall have the knowledge, control, and responsibility of the processes within the AI based application (human-on-the-loop). Should fintech business actors appoint a third party in developing the AI based application, the fintech business actors still bear the responsibility of such application against the consumer.

• Robustness and security – In consideration of the above, fintech business actors shall ensure the robustness and security of the AI based application utilized by taking into account several factors, among others: (i) ensure that the AI based application are not vulnerable to cyber-attacks and has a recovery mechanism from cyber-attacks, this includes the periodical testing and validation, whether from processes or security perspective; (ii) ensure that any third party appointed to develop the AI based application are the expert and has the ability to develop the necessary AI program from the business model; (iii) has measurable and testable standards regarding AI safety.

To this end, the above guidelines remain in ethical principles, which may present certain limitations when applied in practice. Nevertheless, it may at least be inferred that Indonesian regulators do not oppose the use of AI in Indonesia, including within the fintech sector. However, it must be noted that the implementation of AI must be carried out in the interest of the fintech business actors and the consumers themselves, and that the fintech business actors shall remain fully responsible for any AI embedded in or developed as part of their products and services.

In principle, Indonesia has not yet developed a specific legal doctrine governing the use of AI. In practice, the law often requires interpretation in order to accommodate the use of AI. One such interpretation concerns the term “electronic agent,” which has been construed to include AI, as explained in Question No. 22. Pursuant to such interpretation, Article 21 of ITE Law provides that an AI operator shall be responsible for transactions carried out through AI. If a loss arises due to the failure of the AI to operate properly, the AI operator shall be liable for such loss. However, an exception applies where the loss results from the negligence of the user, in which case the user shall bear responsibility for such loss.

Furthermore, the Technology Assessment and Appliction Agency (Badan Pengkajian dan Penerapan Teknologi) has developed the National Strategy on Artificial Intelligence 2020 – 2024 (Strategi Nasional Kecerdasan Artifisial Indonesia 2020 – 2045 – “Stranas KA”). The Stranas KA was subsequently continued and has served as a foundational guideline for the development of ethical principles as reflected in CR 9/2023 and the guidelines issued by the OJK, as discussed in Question No. 25. From the foregoing, it can be observed that Indonesian law tends toward placing responsibility for the management and deployment of AI on fintech business actors. Regardless of whether such fintech business actors develop the AI internally or through the appointment of a third party, liability remains with the fintech business actors. Accordingly, fintech business actors may potentially be exposed to both civil and criminal liability. Nevertheless, a loss shall be borne by the user if such loss arises due to the user’s negligence.

In light of the absence of clear parameters defining the scope of liability, fintech business actors are advised to exercise their best efforts in the development and deployment of AI within their products and services. One such measure includes compliance with the ethical principles set out in CR 9/2023 as well as the guidelines issued by the OJK.

Several instances do come to mind in regard to fintech disruption in Indonesia, with the most significant being the growth of digital payments, peer-to-peer lending, and cryptocurrencies. First, in the context of digital payments, business actors have started to provide digital payments mechanisms, which continue to spread from city to city across Indonesia. Parties may now simply take a picture of a QR code, instead of being required to carry cards – making a large move for Indonesians into a digital wallet system.

Secondly, peer-to-peer lending has proven to be particularly beneficial for the public or business actors categorized as micro to small enterprises, as unlike banks, peer-to-peer lending generally offers loan mechanisms that are simpler as compared to when borrowing from banks. Though certain thresholds are still required to be fulfilled (such as data submission and verification), it currently remains inseparable from day to day and micro transactions for Indonesians every day.

Additionally, in terms of cryptocurrency, although there has not been significant regulatory development, there is already a tendency to provide more facility, such as the establishment of licensing for cryptocurrency businesses. Interests for Indonesians are currently among the rise, and more and more have decided to invest in cryptocurrency and using domestic cryptocurrency exchange platforms to achieve their investment goals.

Nevertheless, OJK through its sandbox mechanism, continues to facilitate the advancement of technological developments, especially in the financial sector. Such would inevitably (and hopefully) lead to the creation of more comprehensive regulations and business opportunities in the future.

In comparison with other jurisdictions, Indonesia does not have a specific regulations governing initial coin offerings (“ICO”). Based on circulating news reports, the OJK is reportedly in the process of developing regulatory provisions concerning ICO.

Such would be beneficial, given that when referring to data published by the OJK, as of November 2025, there were approximately 19.5 million crypto asset consumers, comprising both individuals and business entities. The data further indicates a consistent month-to-month increase throughout 2025, which shows that Indonesia possesses substantial potential as a viable market for crypto assets. Therefore, the introduction of an ICO regulatory framework would allow for a significant legal development in supporting fintech innovation in Indonesia, and consequently allow for more opportunities for growth in such sector.

Accordingly, on 19 September 2025, OJK published a regulatory framework draft for the Offering of Digital Financial Assets in Indonesia. Within this framework, there are two categories of digital financial assets are recognized as eligible for trading, such as: Tokenized Assets and Crypto Assets.

Tokenized Assets refer to assets that are digitally represented through a process of tokenization. Meanwhile, Crypto Assets are further classified into Backed Crypto Assets, namely crypto assets whose value is supported by underlying assets such as fiat currency or other valuable assets and Unbacked Crypto Assets, which do not have any underlying asset. Meanwhile, assets eligible for tokenization must meet specific criteria. They must constitute as tangible assets, beneficial rights over an asset, and/or intangible assets or other rights, excluding digital financial assets themselves or assets that exist solely in digital form. In addition, such assets must provide economic benefits to consumers, be under the control of the issuer, and must not be subject to dispute or encumbrance. The draft regulation also expressly stipulates that financial derivatives and Crypto Assets may not be tokenized, with the objective of preserving market integrity and mitigating excessive risk.

Fundamentally, the proposed regulatory framework on the Offering of Digital Financial Assets is designed to ensure that the offering, distribution, and trading of digital assets in Indonesia are conducted in an orderly, fair, transparent, and efficient manner. This principle requires all market participants to implement sound governance practices, uphold consumer protection standards, manage risks responsibly, and ensure cybersecurity resilience, as well as compliance with anti-money laundering and counter-terrorism financing regulations. Within this scope, the regulation applies comprehensively to all categories of Digital Financial Assets, encompassing both Crypto Assets and Tokenized Assets, thereby establishing consistent and accountable operational standards across the digital asset ecosystem.