Bank Indonesia Regulation Concerning Implementation of Risk Management in the Use of Information Technology by Commercial Banks

Sector : Banking

Sub-sector : Commercial Banks (Bank Umum)

Regulation Type : PPBI

Regulation Number : 9/15/PBI/2007

Effective Date : 11/30/2007
12/23/2016

Bank Indonesia Regulation Number 9/15/PBI/2007 Concerning Implementation of Risk Management in the Use of Information Technology by Commercial Banks


Summary :
  1. PBI Number 9/15/PBI/2007 on Implementation of Risk Management in the Use of Information Technology by Commercial Banks is drafted as a guideline for risk management in the use of IT which must be followed by Banks to mitigate the risks involved in the use of IT. Although the use of IT brings various benefits and advantages to a Bank's operations and customer service, it also carries several risks that could impair the Bank and its services to customers. These include operational risk, legal risk and reputational risk, in addition to other banking risks such as liquidity risk and credit risk.
  2. The main items of the Regulation on Risk Management in the Use of Information Technology by Commercial Banks are as follows:
    1. Scope of Risk Management
      Effective risk management in the use of Information Technology must at least encompass:
      1. active oversight by the Board of Commissioners and the Board of Directors;
      2. sufficient policies and procedures on the use of Information Technology;
      3. sufficiency of processes to identify, appraise, observe and control risks in the use of Information Technology; and
      4. internal control systems on the use of Information technology.
    2. Implementation of Risk Management in the Use of Information Technology
      In implementing risk management in the use of Information Technology, Banks should pay attention to the following:
      1. the availability of an Information Technology Steering Committee, which is responsible for presenting recommendations to the Directors, amongst others on ensuring that the Information Technology Strategic Plan is aligned with the Bank's strategic business plans;
      2. the availability of policies and procedures on the use of Information Technology that at least encompass managerial aspects, development and procurement, Information Technology operations, communication networks, information security, Business Continuity Plans, end-user computing, electronic banking, and the employment of Information Technology service providers;
      3. the availability of Business Continuity Plans and Disaster Recovery Plans which are tested at least annually;
      4. the carrying out of periodic internal IT audits. Should the Bank be limited in its ability to carry out such audits, the internal IT audit function may be performed by external auditors.
    3. Carrying Out of Information Technology by Information Technology Service Providers
      1. Information Technology may be operated by Banks themselves or through the employment of Information Technology service providers, as long as the following conditions are met:
        1. Banks remain responsible for the application of risk management.
        2. Service providers must be able to guarantee full information security, including the Bank's secrets and the personal information of customers.
        3. Service providers must grant access to internal auditors, external auditors and Bank Indonesia's auditors.
        4. Service providers must be prepared for early termination if deemed to obstruct supervision by Bank Indonesia.
      2. Data Centers and/or Disaster Recovery Centers are to be established domestically. Should any be established abroad, prior approval must be obtained, while still conforming to the requirements stated in point 1) above, together with the following additional requirements:
        1. A statement from the supervisory authority in the country concerned that Bank Indonesia may conduct inspections of the service provider;
        2. The benefit to the Bank outweighs the costs;
        3. The availability of plans by the Bank to improve human resources capabilities related to the operation of Information Technology and to the business transactions or products offered.
      3. Processing of technology-based transactions by service providers abroad may only be carried out with prior approval from Bank Indonesia, while still conforming to the requirements stated in points 1) and 2) above, together with the following additional requirements:
        1. The activities involved are not inherent banking functions;
        2. Financial administration documents supporting transactions carried out at the Bank's offices within Indonesia are to be maintained at an office of the Bank within Indonesia;
        3. The Bank's Business Plan demonstrates efforts to further the role of banking in Indonesia's economic development.
    4. Electronic Banking
      Any plan to launch Electronic Banking products which are transactional in nature must be included in the Bank's Business Plan and submitted to Bank Indonesia 2 (two) months before the product(s) are launched. The report must be accompanied by, amongst others, the results of an analysis conducted by independent parties on the characteristics of the product and the adequacy of its Information Technology security. Banks must educate customers on their Electronic Banking products and the security of those products.
  3. Transitional Provisions. The following must be brought into conformity with the directives contained in this Bank Indonesia Regulation within 12 months from the date this Bank Indonesia Regulation takes effect:
    1. Policies and procedures in the use of Information Technology and Guidelines for Risk Management in the Use of Information Technology.
    2. Agreements on the employment of Information Technology service providers.
    3. Information Technology Steering Committee.
    4. Establishment of Data Centers and Disaster Recovery Centers, and the carrying out of technology-based processing by foreign or overseas Information Technology service providers.