Technology Lawyers Indonesia 2026: OJK FSTI, AI Act (1 Mar) & Fintech Compliance

Indonesia’s technology sector entered 2026 facing a regulatory environment unlike any before it, and technology lawyers Indonesia-wide are advising fintechs, platform operators and digital lenders to act now rather than wait for enforcement actions. Between late 2025 and early 2026, at least four major regulatory instruments reshaped obligations for companies operating at the intersection of finance, technology and intellectual property: OJK’s strengthened FSTI governance and fit-and-proper framework, the Minister of Law’s digitalised trademark registration rules and new electronic-systems IP reporting mechanism, Indonesia’s emerging AI governance requirements, and the child-protection obligations under PP TUNAS.

This compliance playbook consolidates every obligation into a single, actionable reference, mapping what changed, who is affected, what contracts and products need updating, and the deadlines that matter most.

Executive Summary: Five Immediate Actions for Compliance Officers

Before diving into the detail, here is the short decision framework every in-house counsel and fintech CTO should apply this week. Start by answering one threshold question: Is your product or service supervised by OJK (financial sector technology innovation) or by Bank Indonesia (payment systems)? The answer determines which governance, reporting and licensing stream applies to your business.

Immediate actions checklist:

• Map your supervisory allocation. Confirm whether OJK or BI is your primary regulator. If your product falls within the Financial Sector Technology Innovation (FSTI) sandbox or registry, OJK’s enhanced fit-and-proper and governance rules apply directly.
• Update vendor due diligence. Review every third-party AI, data-analytics and cloud vendor contract for compliance with OJK cybersecurity guidelines, AI transparency expectations and data-localisation requirements.
• Add product labels and consumer notices. Identify any AI-driven feature (credit scoring, chatbots, robo-advisory) and prepare transparency disclosures. If your platform serves users under 18, map PP TUNAS obligations into your onboarding flow.
• File or verify IP registrations. Use the digitalised trademark filing process under Permenkumham No.5/2026 and audit your electronic-systems IP reporting readiness under Permenkum No.47/2025.
• Prepare FSTI incident-reporting SOPs. Align internal response playbooks with OJK’s Cybersecurity Guidelines for FSTI Providers, including notification timelines and escalation matrices.

Quick Timeline: 2024–2026 Regulatory Milestones for Technology Lawyers Indonesia

The table below summarises the instruments every fintech compliance Indonesia team must track. Each milestone carries specific deadlines and consequences for non-compliance.

OJK FSTI Regulations: What Fintech Teams Must Change Now

The OJK’s evolving FSTI framework is the single most consequential regulatory development for fintech compliance Indonesia companies face in 2026. It reaches beyond traditional peer-to-peer lending into digital assets, crypto-asset competence assessments, robo-advisory services, and any product registered or sandboxed under OJK’s technology innovation cluster.

Scope: Who Is Covered

FSTI obligations apply to every entity that has registered with or received a sandbox licence from OJK to provide technology-driven financial services. This includes peer-to-peer lending platforms, digital insurance distributors, equity crowdfunding operators, digital-asset exchanges and providers of aggregator or comparison services. Industry observers expect OJK to progressively broaden the registry to capture embedded-finance providers and banking-as-a-service platforms during the second half of 2026.

Key obligations at a glance:

• Registration and periodic reporting. All FSTI providers must maintain current registrations and submit periodic reports to OJK on business operations, risk exposures and technology changes.
• Governance structure. Board-level responsibility for technology risk and compliance must be documented and evidenced.
• Consumer protection. Disclosure obligations, complaint-handling mechanisms and fair-lending practices are mandatory.

Fit-and-Proper and Key-Party Reassessments

OJK’s press release (SP 106) on competence and compliance assessments introduced a heightened fit-and-proper regime for directors, commissioners and controlling shareholders of FSTI entities, including those operating in the digital-asset and crypto-asset sectors. The practical effect is that every change in key personnel, whether through a new appointment, resignation or share transfer that results in a change of control, triggers a reassessment obligation.

What to do this week: Audit your current board composition and shareholder register. If any key-party change has occurred since the last OJK assessment, prepare and file updated fit-and-proper documentation immediately.

Governance, Risk and Cybersecurity Controls

OJK’s Cybersecurity Guidelines for FSTI Providers, published in July 2024, remain the operational baseline for technology risk management. The guidelines mandate a structured approach to cybersecurity that includes risk identification, protection measures, detection capabilities, incident response and recovery planning.

The sample governance matrix below maps OJK requirements to internal roles:

Technology lawyers Indonesia practitioners frequently encounter situations where fintechs have outsourced critical infrastructure to cloud providers without adequate contractual protections. The OJK framework expects documented evidence that outsourced services are subject to the same governance, security and incident-reporting standards as in-house systems.

AI Regulation Indonesia 2026: Obligations, Labelling and Product Risk Management

Indonesia’s approach to AI governance has been developing rapidly, driven by a combination of executive-level policy initiatives and sector-specific regulatory expectations. For fintechs deploying AI-driven features, credit scoring algorithms, anti-fraud detection, customer-service chatbots, or robo-advisory tools, the compliance landscape demands attention now.

Indonesia’s Emerging AI Governance Framework

Indonesia has been building its AI governance framework through a combination of presidential-level policy directives and sector-specific regulatory guidance rather than through a single omnibus “AI Act” comparable to the European Union’s model. The country’s National AI Strategy (Stranas KA) established a policy foundation, and subsequent instruments from ministries and regulators have begun translating that strategy into binding or quasi-binding obligations for specific sectors. Industry observers expect the framework to continue evolving through ministerial regulations, OJK circulars and Komdigi (Ministry of Communications and Digital) technical guidelines rather than through a single legislative instrument.

For fintech compliance Indonesia teams, the practical implication is clear: even without a single codified “AI Act,” binding obligations already exist across multiple regulatory streams. OJK expects FSTI providers to manage AI-related risks within their broader governance frameworks. Early indications suggest that transparency, explainability and non-discrimination will form the core pillars of any consolidated AI regulation Indonesia 2026 companies must meet.

Key obligations at a glance:

• Transparency. Disclose to consumers when AI is used in decision-making that affects their financial interests (e.g., credit scoring, insurance underwriting).
• Explainability. Maintain documentation sufficient to explain AI-driven decisions to regulators and, where required, to affected consumers.
• Non-discrimination. Test and document that AI models do not produce discriminatory outcomes based on protected characteristics.
• Data governance. Ensure training data is lawfully collected, appropriately anonymised where required, and subject to retention and deletion policies.
• Human oversight. Maintain human-in-the-loop or human-on-the-loop mechanisms for high-risk decisions.

Transparency, Labelling and Timelines

Fintechs should treat 1 March 2026 as a practical compliance trigger date for AI transparency measures, regardless of whether a single legislative instrument carries that exact date. The convergence of OJK’s FSTI governance expectations, the broader AI governance framework and Komdigi’s digital-content guidelines creates a de facto obligation to label AI-generated outputs and disclose automated decision-making to end users.

What to do this week: Audit every product feature that uses AI or machine learning. For each, prepare a plain-language consumer disclosure statement and integrate it into the user interface. Document the model’s purpose, data sources and testing methodology in an internal AI register.

Contract and Vendor Due Diligence Implications for AI

Every AI vendor contract should now include clauses addressing the obligations described above. The following sample language is provided for illustration only and should be adapted to specific circumstances with legal advice:

“The Vendor warrants that all AI models supplied under this Agreement have been tested for bias, are accompanied by documentation sufficient to explain outputs to regulators, and comply with applicable Indonesian transparency and data-governance requirements. The Vendor shall promptly notify the Client of any material change to model architecture, training data or performance metrics.”

Minister of Law: Trademark Registration Digitalisation and IP Reporting

Two ministerial instruments have reshaped how technology companies manage intellectual property in Indonesia’s digital ecosystem. Together, they streamline trademark filing and create an entirely new enforcement mechanism for IP infringements on electronic platforms.

Permenkumham No.5/2026: Digital Trademark Registration

Permenkumham No.5/2026 updated the administrative framework for trademark registration, moving toward a fully digitalised filing and processing system. For technology lawyers Indonesia practitioners advising startups and scale-ups, this means several practical changes:

• E-filing is now the default. Trademark applications, renewals and administrative filings are processed through the Ministry’s electronic portal.
• Streamlined timelines. The regulation introduces updated administrative processing timelines, reducing procedural uncertainty for applicants.
• Digital evidence. Supporting documents, including specimens of use, can be submitted electronically, eliminating the need for physical filings in most cases.

What to do this week: Review all pending and planned trademark filings. Migrate any paper-based applications to the digital portal. Ensure your IP team or external agents have portal access credentials and are trained on the new submission process.

Permenkum No.47/2025: Electronic Systems IP Reporting

Minister of Law Regulation No.47/2025 established a new reporting and verification mechanism for IP infringements occurring on electronic systems. This regulation is significant because it creates a government-mediated pathway for IP owners to report infringements directly and for platform operators to receive, and act upon, Ministerial recommendations.

The reporting flow works as follows:

• Step 1, IP owner reports. The rights holder submits an infringement report to the Ministry, accompanied by evidence of ownership and the alleged infringement.
• Step 2, Ministerial verification. The Ministry verifies the report and, if substantiated, issues a recommendation to the relevant platform operator or electronic-system provider.
• Step 3, Platform action. The operator must accept and act on the Ministerial recommendation, which may include removing or restricting access to infringing content.

The table below summarises reporting obligations by entity type:

Product Labelling, Consumer Notices and Child Protection Under PP TUNAS

PP No.17/2025, widely known as PP TUNAS, introduces comprehensive obligations to protect children in Indonesia’s digital space. With enforcement phase-in beginning around 28 March 2026, platforms that serve or may be accessed by users under 18 must prepare now.

Age Verification and Product Restrictions

PP TUNAS requires platform operators to implement age-verification mechanisms and to grade features based on their suitability for minors. This is not a passive obligation: platforms must actively prevent underage users from accessing age-restricted features and content.

Key obligations at a glance:

• Age gates. Implement robust age-verification at registration and at access points for restricted features.
• Features grading. Classify platform features and content into age-appropriate categories.
• Parental controls. Provide accessible tools for parents or guardians to monitor and restrict their children’s platform activity.
• Reporting obligations. Maintain internal processes for reporting and escalating child-safety incidents.

UX and Product Changes for Compliance

For fintech platforms, PP TUNAS compliance will require product-team involvement. Onboarding flows must incorporate age verification before account activation. Any feature that involves financial transactions, lending, investment or access to mature content must be gated behind verified age checks. Product teams should plan for additional UI elements: age-verification screens, parental-consent capture flows and a feature-classification layer that maps each product module to the appropriate age bracket.

What to do this week: Assemble a cross-functional team (product, legal, engineering, UX) to audit your platform for PP TUNAS readiness. Identify features that require age gating, design parental-control interfaces and build the classification logic into your content management or feature-flagging system.

Contracts and Vendor Due Diligence: A Playbook for Technology Lawyers Indonesia

The cumulative effect of OJK FSTI regulations, AI governance requirements and MoL instruments means that vendor contracts drafted before 2025 are almost certainly incomplete. Every fintech should conduct a contract-review exercise focused on the obligations described in this playbook.

Minimum Vendor Due Diligence Checklist

Before onboarding any new technology vendor, or renewing an existing contract, the following due diligence items should be completed and documented:

Sample Contract Clauses (For Illustration Only)

The following clause snippets address the most common gaps identified in fintech vendor agreements. They are provided for illustration purposes and must be tailored to the specific transaction:

• Audit right. “The Client shall have the right, upon reasonable notice and no more than [frequency] per year, to audit or appoint an independent third party to audit the Vendor’s compliance with the security, governance and reporting obligations set out in this Agreement and applicable OJK regulations.”
• Incident notification. “The Vendor shall notify the Client of any Security Incident within [24/48] hours of detection, providing: (a) a description of the incident; (b) the data or systems affected; (c) remediation steps taken or planned; and (d) a preliminary root-cause assessment.”
• AI transparency. “Where the Vendor provides AI-enabled services, the Vendor shall maintain and make available to the Client, upon request, documentation describing: the model’s purpose and intended use, training data sources, bias-testing methodology and results, and any material changes to the model since deployment.”
• Indemnity for regulatory non-compliance. “The Vendor shall indemnify and hold harmless the Client against any fines, penalties, costs or losses arising from the Vendor’s failure to comply with applicable Indonesian regulatory requirements, including but not limited to OJK, Komdigi and Ministry of Law regulations.”

Incident Reporting, Enforcement Risk and Civil/Criminal Exposure

Fintech compliance Indonesia teams must maintain clear internal escalation paths to multiple regulators. The regulatory landscape is not monolithic, different agencies have jurisdiction over different aspects of technology-related incidents.

What to Report, to Whom, and When

• OJK. Cybersecurity incidents affecting FSTI providers must be reported to OJK in accordance with the Cybersecurity Guidelines. This includes data breaches, system outages affecting customer access and any incident that could materially impact consumers or system integrity.
• Ministry of Law (Kemenkumham). IP-related violations on electronic systems should be reported through the Permenkum 47/2025 mechanism. Platform operators who receive Ministerial recommendations must act within the specified timeframe.
• Komdigi. Content-related violations, including those involving child safety under PP TUNAS, should be reported through Komdigi’s existing channels.
• PPATK. Where a technology-related incident overlaps with suspected money laundering or terrorism financing (e.g., fraud exploiting a fintech platform), suspicious-transaction reporting obligations to PPATK remain in full force.

Enforcement Risk and Civil/Criminal Exposure

Non-compliance carries consequences across multiple dimensions. OJK can impose administrative sanctions ranging from written warnings through to licence suspension or revocation. The Ministry of Law’s IP-reporting regime creates a pathway to mandatory content removal, and failure to comply with Ministerial recommendations may expose operators to further regulatory action. PP TUNAS obligations, once enforcement begins, are expected to carry administrative penalties for non-compliant platforms.

Beyond regulatory sanctions, civil liability may arise where consumers suffer loss due to inadequately governed AI systems or cybersecurity failures. Criminal exposure is possible under Indonesia’s Electronic Information and Transactions Law (UU ITE) for certain categories of data misuse or content violations. The likely practical effect of these overlapping enforcement mechanisms will be to increase compliance costs, but early investment in governance structures is significantly less expensive than reactive remediation after an enforcement action.

Practical Annexes: Sample Checklist, Contract Snippets and Governance Matrix

Annex 1: 12-Point Compliance Checklist

1. Confirm OJK or BI supervisory allocation for each product line.
2. Complete or update FSTI registration and periodic reporting.
3. Conduct fit-and-proper reassessments for all key parties (directors, commissioners, controlling shareholders).
4. Implement cybersecurity controls per OJK Cybersecurity Guidelines for FSTI Providers.
5. Build and maintain an internal AI register covering all AI/ML features.
6. Deploy consumer-facing AI transparency disclosures in product interfaces.
7. Conduct bias testing on AI models and document results.
8. Migrate trademark filings to the digitalised portal under Permenkumham No.5/2026.
9. Establish internal notice-and-takedown procedures aligned with Permenkum No.47/2025.
10. Implement age-verification gates and features grading under PP TUNAS.
11. Update all vendor contracts to include audit rights, incident notification, AI transparency and regulatory-indemnity clauses.
12. Test incident-reporting SOPs through a tabletop exercise covering OJK, MoL, Komdigi and PPATK notification pathways.

Annex 2: Contract Clause Snippets (Summary Reference)

Refer to the full clause illustrations in the Contracts and Vendor Due Diligence section above. At minimum, every vendor agreement should include:

• Audit right (annual, with third-party option)
• Incident notification (24–48 hour window)
• AI transparency and documentation obligation
• Regulatory indemnity
• Sub-contractor flow-down provisions
• Data localisation and deletion commitments

Annex 3: Key Agency Contacts and Links

• OJK (Financial Services Authority): ojk.go.id, FSTI registration, governance and incident reporting
• Ministry of Law and Human Rights (Kemenkumham): peraturan.go.id, trademark e-filing, IP instruments
• Komdigi (Ministry of Communications and Digital): komdigi.go.id, content regulation, child protection, electronic systems
• PPATK (Financial Intelligence Unit): ppatk.go.id, suspicious-transaction reporting

Conclusion: Why Technology Lawyers Indonesia Practitioners Are Essential to 2026 Compliance

The 2025–2026 regulatory cycle has fundamentally changed the compliance baseline for fintechs and platform operators in Indonesia. OJK FSTI regulations demand board-level governance and robust cybersecurity controls. AI regulation Indonesia 2026 requirements, however they ultimately consolidate, already impose transparency, explainability and vendor-management obligations. The Minister of Law’s instruments have digitalised trademark registration and created a new IP-enforcement pathway that platform operators cannot ignore. And PP TUNAS brings child protection squarely into the fintech product-development lifecycle.

No single compliance officer, CTO or general counsel can navigate these overlapping obligations alone. The role of experienced technology lawyers Indonesia-based or internationally qualified, with deep regulatory knowledge and transactional capability, is not merely helpful; it is operationally essential. Companies that invest in structured compliance now will be far better positioned than those that respond reactively to the enforcement actions that industry observers expect to accelerate through the remainder of 2026.

Sources

1. OJK Press Release SP 106, FSTI Digital Assets Competence and Compliance Assessment
2. OJK Cybersecurity Guidelines for FSTI Providers (July 2024)