Mayapada Tower I, 12th and 14th Floor
Jl. Jend. Sudirman Kav. 28
Jakarta, 12920
Indonesia
To align with the implementation of OJK Regulation No. 3 of 2024 on the Implementation of Technological Innovations in the Financial Sector (Inovasi Teknologi Sektor Keuangan or “ITSK”), Indonesia’s Financial Services Authority (Otoritas Jasa Keuangan or “OJK”) issued Circular Letter No. 4/SEOJK.07/2025 regarding the Reporting Obligations of Licensed ITSK Providers (“OJK CL 4/2025”).
OJK CL 4/2025 established a structured reporting framework for ITSK providers holding an OJK-issued business license. This framework mandates the submission of annual business plans and other periodic reports, ensuring that ITSK providers maintain transparency and compliance with regulatory standards.
Stakeholders subject to the reporting requirements under OJK CL 4/2025 include ITSK providers, encompassing entities such as Alternative Credit Rating Providers (Pemeringkat Kredit Alternatif or “PKA”), Financial Services Aggregation Providers (Penyelenggara Agregasi Jasa Keuangan or “PAJK”), and other ITSK providers holding an ITSK provider business license issued by the OJK. In accordance with OJK CL 4/2025, ITSK providers are obligated to fulfil the reporting requirements detailed below.
Annual Business Plans
In line with OJK CL 4/2025, ITSK providers are required to submit annual business plans. These plans must include, at a minimum, information regarding technology capacity enhancement, infrastructure, human resources, business performance improvement plans, strategies for achieving set targets within defined timeframes, and provisions for reserving a portion of the ITSK provider’s profits to ensure financial sustainability.
In preparing the annual business plan, the ITSK provider must appoint a member of its Board of Directors (“BOD”) to be responsible for the preparation and submission of the plan. The annual business plan shall be submitted to the OJK no later than November 10 of the year preceding the implementation year.
ITSK providers are permitted to amend the annual business plan once per year. Such amendment must be finalized by June of the current year and reported to the OJK at least 30 working days prior to the implementation of the changes. The report must include the reasons for the changes.
Mandatory Reports
In addition to the submission of annual business plans, ITSK providers are also obligated to submit mandatory periodic and incidental reports. Similar to the preparation of annual business plans, ITSK providers are required to appoint a member of their BOD to be responsible for the submission of the reports.
There are three types of periodic reports, which are as follows:
1. Monthly reports
Monthly reports must at least contain financial data and other relevant information and shall be submitted within 10 working days after the end of each reporting period.
2. Semester reports
Semester reports must at least contain the realization of the annual business plan and the implementation of risk and prudential management practices. The realization of annual business plan shall include information regarding achievements related to the annual business plan, including the focus and priorities of the annual business plan, along with a comparison of the initial plan and the actual outcomes, deviations from the realization of the annual business plan, and the follow-up actions to be taken by the ITSKS provider to improve the achievement of the annual business plan’s objectives.
The deadline for the submission of the first semester report is set at July 31 of the current year and the deadline for the submission of the second semester report is January 31 of the following year.
3. Annual reports
Annual reports must at least contain financial statements that have been audited by a public accountant who is registered with the OJK, as well as a governance report. Annual reports shall be submitted no later than April 30 of the following year.
In addition to periodic reports, ITSK providers are also required in certain circumstances to submit incidental reports, as follows:
1. Reports related to changes in business activities
This includes changes related to the products and/or activities that pertain to the ITSK provider’s business model or partnerships. Such reports must contain a brief description of the change, the background of the change, as well as any supporting documents. The report shall be submitted no later than five working days after the occurrence of the change.
2. Reports related to institutional aspects
This includes changes to shareholding composition, management of the company, office address, articles of association, and/or bylaws. Such reports must be submitted no later than five working days after the occurrence of the change.
3. Reports related to incidents
This includes incidents involving fraud not conducted by the ITSK provider, force majeure, legal disputes, and cyberattacks. Such reports must contain at least a brief description of the event, measures taken to respond to the incident, future mitigation plans, as well as any supporting documents.
Reports related to incidents shall be submitted no later than five working days after the occurrence of the incident. Specifically for cyberattacks, ITSK providers must also provide an initial notice regarding the cyberattack within 24 hours after the incident is known to the ITSK provider. This notice must be delivered in writing to the OJK supervisor and sent via electronic means.
4. Other reports requested by the OJK under certain circumstances
In certain circumstances, the OJK may require ITSK providers to submit specific reports. Examples include compliance reports and transaction reports, which ITSK providers were required to submit during the Covid-19 pandemic.
In addition to the above periodic and incidental reports, the OJK may also ask ITSK providers to provide other reports. ITSK providers and digital financial asset traders are also required to report their implementation of anti-fraud strategies.
The aforementioned reports, i.e., annual business plans, periodic reports, and incidental reports, shall be sent via electronic means through the OJK’s reporting system. If the system is unavailable or is experiencing technical errors, the reports shall be submitted via email or shall be sent physically to an address designated by the OJK.
Conclusion
Entities classified as ITSK providers and holding an ITSK provider license are subject to the reporting obligations established by the OJK under OJK CL 4/2025.
To ensure compliance, ITSK providers must adhere to the deadlines set by the OJK and appoint a member of their BOD to be in charge of the preparation and submission of the required reports.
This publication is intended for informational purposes only and does not constitute legal advice. Any reliance on the material contained herein is at the user’s own risk. All SSEK publications are copyrighted and may not be reproduced without the express written consent of SSEK.
