AI Regulation Tracker / Regulator guidance
Indonesia's OJK Sets AI Governance Benchmark for Banks Using AI
Indonesia's financial regulator has published guidance telling banks how to govern artificial intelligence across its full lifecycle. It is soft law, not a binding rule, but it sets the supervisory bar every AI-using bank will now be measured against.
Indonesia's financial regulator has told the country's banks how it expects them to govern artificial intelligence. On April 29, 2025, the Otoritas Jasa Keuangan (OJK) published "Artificial Intelligence Governance for Indonesian Banks," a guidance handbook announced through what is reported as Press Release SP 67. The document does not carry the force of a binding regulation. It does something quieter and, for compliance teams, just as consequential: it defines the standard supervisors will use to judge whether a bank's AI is being run responsibly.
What the guidance actually says
The framework asks banks to treat AI not as a single product but as a system with a life. It sets out a six-stage lifecycle: initiation, design, model development, testing, implementation, and periodic evaluation or audit. At each stage, banks are expected to apply three governing principles: accountability, human oversight, and reliability. In plain terms, a bank should always know who owns an AI decision, keep a human meaningfully in the loop, and be able to show the model performs as intended. The guidance applies to both standard AI systems and more advanced ones, which brings newer generative and machine-learning tools inside the same expectations.
OJK has framed the document as a floor, not a ceiling. The authority has said it intends the guidance as a minimum benchmark for the banking sector. That framing matters. It signals that a bank falling short of the six-stage, three-principle structure is falling below what OJK considers baseline good practice, even though no single article imposes a fine for doing so.
Soft law that sits on hard law
The most important thing to understand is what this instrument is not. It is not a POJK, the binding regulation format OJK uses when it wants direct enforceability. There is no penalty schedule attached to the guidance itself, and OJK has positioned it as a benchmark rather than a mandate.
But it does not float free. The guidance complements OJK's existing binding rules on information technology and cyber resilience, including its IT-governance regulation for commercial banks. A bank that ignores AI governance can still find itself in breach of those underlying binding rules when an AI system fails, leaks data, or produces decisions it cannot explain. The soft-law guidance, in effect, tells banks how to stay on the right side of the hard law that already applies to their technology.
Benchmarked against the world's AI rulebooks
OJK did not draft the framework in isolation. According to the guidance, it is benchmarked against the European Union's AI Act, the work of the Basel Committee on Banking Supervision, and the approaches taken by the United States, China, Singapore, and Japan. The lifecycle-and-principles structure echoes the risk-based logic of the EU AI Act, which classifies AI systems by risk and attaches duties accordingly.
For a US reader, this is the cross-border angle worth noting. The guidance binds behavior inside Indonesia, so a US bank operating there, or a US technology vendor selling an AI credit or fraud model to an Indonesian bank, will be expected to meet it. Because the framework borrows from the EU model and the Basel Committee's global bank-supervision work, it also reads as a preview of where AI governance for regulated finance is converging internationally. A bank building AI controls to satisfy OJK is building controls that will look familiar to European and Basel-aligned supervisors too.
What it does not do
The guidance does not license AI, certify individual models, or create a new fine. It does not replace the DPIA, model-validation, or cyber obligations a bank already carries. And it does not, on its own, make any single AI use unlawful. What it changes is expectation. After April 29, 2025, a bank that cannot describe how it governs an AI system across its lifecycle is no longer meeting the standard its regulator has publicly set. For institutions still treating AI oversight as an engineering matter rather than a governance one, that is the shift to absorb.
Frequently Asked Questions
What changed with Indonesia's OJK AI governance guidance?
On April 29, 2025, OJK published "Artificial Intelligence Governance for Indonesian Banks," guidance that asks banks to govern AI across a six-stage lifecycle under three principles: accountability, human oversight, and reliability. It is a minimum benchmark rather than a binding regulation, but it complements OJK's existing binding IT and cyber rules.
Who does this guidance affect?
Banks licensed in Indonesia that build or deploy AI in areas such as credit scoring, fraud detection, and customer service, along with the technology vendors and foreign institutions that supply AI systems to those banks.
Is the guidance legally binding?
No. It is regulatory guidance, or soft law, not a binding POJK, and it carries no standalone penalty. OJK expects it to serve as the minimum benchmark for the sector, and it complements binding IT and cyber-resilience rules that a bank can still breach if its AI fails.
How does it compare to the EU AI Act?
The guidance is benchmarked against the EU AI Act, the Basel Committee, and the approaches of the US, China, Singapore, and Japan. Its risk-based, lifecycle structure echoes the EU model, so controls built for OJK will look familiar to EU and Basel-aligned supervisors.
Sponsored Training
Browse the full AI Regulation News tracker
Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.