In light of evolving technological innovation and information systems in Indonesia, especially those related to e-commerce and the financial technology industry, the Indonesian government seeks to more properly regulate electronic payment systems and transactions in Indonesia. This spirit is reflected in the 14th Economic Policy Package announced on 10 November 2016. In this vein, Bank Indonesia recently issued Regulation No. 18/40/PBI/2016 concerning the Implementation of Payment Transaction Processing ("Regulation"). Effective from 9 November 2016, the Regulation recognizes providers of payment gateway and e-wallet services, among others, as Payment System Service Providers (Penyelenggara Jasa Sistem Pembayaran—"Service Providers") in Indonesia, and licensing, approval and reporting requirements now apply to these services.
What the Regulation says
All payment gateway Service Providers, and e-wallet Service Providers that have (or plan to have) at least 300,000 active users1, must obtain a Service Provider license from Bank Indonesia. While e-wallet Service Providers with less than 300,000 active users do not require a Bank Indonesia license to carry out their e-wallet business activities, such companies are required to file regular reports to Bank Indonesia which cover information on, among others, company profile, general overview of the company's e-wallet activities, number of all users and revenue target (please see below regarding periodic and incidental reports).
A bank or a non-bank limited liability company can apply for a payment gateway or e-wallet Service Provider license. Specifically for payment gateway activities, the non-bank limited liability company must conduct activities in the field of information technology and/or payment systems. In addition, both payment gateway and e-wallet Service Providers must satisfy the feasibility requirements under the Regulation with assessment based on a variety of factors including, among others:
- the company's legality (e.g. due establishment of the company) and profile;
- operational readiness (e.g. business location, infrastructure, human resources, user acceptance test on the relevant system);
- system security and reliability;
- risk management (e.g. legal and settlement risks, disaster recovery and business continuity plan); and
- consumer protection.
Service Providers that have obtained licenses from Bank Indonesia for their activities must also seek approval from Bank Indonesia to expand their business activities in the following manners:
(i) development of payment system activities, such as:
- an issuer2 or an acquirer3 that wants to provide payment gateway services, or
- an e-money issuer that wants to provide e-wallet services.
(ii) development of ongoing payment system products (e.g. features, types, services, and/or facilities).
(iii) cooperation with other parties (namely with another Service Provider(s) or Payment Transaction Supporting Provider(s) (Penyelenggara Penunjang Transaksi Pembayaran)4.
Implementing payment gateway and e-wallet services
Consistent with Bank Indonesia's intention to maintain principles of prudence and adequate risk management in the financial technology industry, Service Providers are subject to various obligations and limitations including, among others:
(i) Management: Service Providers must implement (i) effective and consistent risk management, (ii) information system security standard5, (iii) domestic payment transaction processing, and (iv) consumer protection measures6.
(ii) Reporting: Service Providers must submit both periodic and incidental reports to Bank Indonesia on the implementation of payment transaction processing. For the purpose of periodic reports, the relevant information system must be audited by an independent auditor at least once every three years.
(iii) Currency: Service Providers are prohibited from conducting payment transaction processing using virtual currency (such as bitcoin). Bank Indonesia does not recognize virtual currency as a valid currency and means of payment in Indonesia, and as such, any risk associated with utilization of virtual currency shall be borne solely by the user.
(iv) Maximum balance: While the Regulation itself is silent on the maximum balance that a user can have in their e-wallet, a frequently asked questions list (FAQs) issued by Bank Indonesia to supplement the Regulation indicated that an e-wallet could contain up to IDR10 million. We expect this will be further stipulated in Circular Letter(s) to be issued by Bank Indonesia.
Any bank or non-bank limited liability company that intends to engage in payment gateway or e-wallet services may need to apply for licenses under this Regulation. Meanwhile, existing providers of payment gateway and e-wallet services that have not obtained any Service Provider license to date will need to prepare and submit their license applications to Bank Indonesia within six months of the Regulation taking effect (that is, by or before 9 May 2017). Within this same time period, existing Service Providers that have obtained relevant licenses before this Regulation took effect, and expanded their activities to provide payment gateway and e-wallet services (such expansion having been acknowledged by Bank Indonesia), should submit their business activity reports to Bank Indonesia.
Bank Indonesia is expected to specify further details and specific procedures for Service Provider license applications, feasibility requirements, and approvals in Circular Letter(s) to be issued, hopefully, in the near future. In the broader context of the financial technology industry, we are also looking forward to the Indonesian Financial Services Authority (Otoritas Jasa Keuangan) issuing a regulation regarding information technology-based lending services.
Click here to download PDF.
1 The Regulation defines "active users" as people who are (i) transacting regularly using e-wallet or (ii) transacting using e-wallet at least once in one month.
2 A bank or non-bank limited liability company issuing e-money or cards (e.g. credit cards, debit cards).
3 A bank or non-bank limited liability company, which (i) cooperates with a merchant so that the merchant can process
a transaction using e-money or card issued by a party other than the acquirer and (ii) is responsible for settling the payment to the merchant. 4 This includes companies providing supporting services such as card printing, payment personalization, data center and disaster recovery center.
5 This includes the requirement to obtain a system security certification regarding fraud detection.
6 For example, protection of consumers' data and information and operating a consumer help desk.