Capacity Building of ITSK Regulator

Article 216 of Law No. 4/2023 on the Development and Strengthening of the Financial Sector broadly defines the scope of financial sector technological innovation (ITSK). ITSK includes payment systems, securities transactions, capital accumulation, investment management, risk management, raising and/or channeling funds, market support, activities related to digital financial assets including crypto assets, and other digital financial services and activities.

Also read:

> When Machines Get Smarter

The last point is very general because everything “digital" will fall within the scope of the ITSK regulation and supervision. The broad definition of ITSK and the progressiveness of ITSK actors pose challenges in terms of regulation and supervision.

Among these is how the ITSK regulator, in this case the Financial Services Authority (OJK) and Bank Indonesia (BI), can build capacity to keep pace with the growth of the ITSK industry. This concerns the number of industry players and the speed of innovation.

With hundreds of fintechs, banks and other financial services institutions that must be regulated, imagine the number of licenses and the intensity of the ITSK supervision that the OJK and BI must carry out. If they stick to the current processes and rely only on currently available internal resources, it will clearly not be enough.

Slow licensing and unclear service-level agreements are among the main complaints of ITSK industry players. On the other hand, less than optimal supervision due to regulators’ limited internal resources will hamper industry continuity and consumer safety.

So, a breakthrough is needed to overcome these. The following are some things that the ITSK regulator can consider to increase its scalability so it can better serve industry players and protect consumers.

Change approach

First, the regulatory approach has fundamentally changed from a rigid and detailed approach (rule-based approach) to a principle-based approach. Because ITSK concerns new things that change quickly, the regulations issued should be in the form of a corridor that is wide enough, yet also safe, to provide a guide for industry players.

For example, what regulators must regulate is the principle of prioritizing systems security, whereas the use of certain security technologies does not need to be regulated. In addition, digital regulation (digitally native regulation) must be realized by making regulations with an understanding and in the context of digital technology, not by simply digitalizing existing conventional regulations.

Second, in line with the first point, partnerships with self-regulatory organizations (SRO) are needed to implement the principle-based approach. The roles of the OJK and BI should be at the macroprudential level. Microtechnical matters should be submitted to the relevant SROs. Thus, regulators can react more quickly according to market and technological developments.

Also read:

> Importance of Technology-Based Regulation and Supervision

> Understanding Discourse on Digital Rupiah

A good example is the regulation on interparty loan pricing (P2P lending) by the OJK. The OJK only provides the corridor that tariffs must be reasonable and not burdensome to consumers. However, the maximum amount of interest and fees that can be applied are determined by the Indonesian Joint Funding Fintech Association (AFPI) as an SRO.

With this kind of delegation, the OJK and BI play more strategic roles without being burdened by fast-changing technical matters. In addition, partnering with SROs can prevent regulators from taking on a dual role as industry players.

Third, outsourcing and certification is necessary to overcome the regulator’s limited internal resources. The OJK and BI, assisted by the relevant SRO, may appoint several companies or certification bodies to assist with licensing and supervision.

For example, the regulator's internal team no longer needs to check, as strictly as before, a company that is certified ISO 27001 for information technology security through a company/institution designated by a regulator or an SRO. Together with SROs and certification bodies, regulators can build other certification modules related to ITSK.

With this approach, the regulator's internal resources will no longer be bottlenecked. This certification scheme also increases the quality standards of companies engaged in ITSK.

Also read:

> Crimes in Digital Financial Transactions

> Quo Vadis” Digital Banks?

Fourth, regtech (regulatory technology) and suptech (supervisory technology) applications are needed. Regulating something laden with technology without using technology is clearly neither effective nor efficient. The use of regtech and suptech in ITSK cannot be avoided and must be done immediately.

For example, regulations on limits and pricing should be automated with regtech. So each time there is a change, the regulator or SRO only needs to change the parameters in the regtech system that are automatically read and followed by the ITSK industry system.

It is time for supervision to use suptech. Industry players’ reporting must be automated and consolidated so that regulators can read the situation and trends of the industry in a comprehensive and timely manner. For example, efforts in anti-money laundering and terrorism financing prevention must also be monitored using a monitoring module embedded in the system of the financial institution being supervised, not just by making routine reports with standard parameters. These things clearly cannot be done manually.

ITSK has great potential to strengthen the financial sector, but carries risks that must be mitigated. Regulators need to find an optimal balance between regulatory progress and ITSK risk management. ITSK’s regulatory and supervisory capacity must be increased with new breakthroughs, so regulators can also act as a facilitator, even an ITSK accelerator.

RICO USTHAVIA FRANS, is a member of the steering committee of the Indonesian Fintech Society.

(This article was translated by Hendarsyah Tarmizi)