OJK Sets Regulatory Framework for Alternative Credit Scoring

The Innovative Credit Scoring (“ICS”) industry has long played an integral role alongside the conventional Financial Information Services System (Sistem Layanan Informasi Keuangan – “SLIK”) and Credit Information Management Agency (Lembaga Pengelola Informasi Perkreditan – “LPIP”) in providing credit scoring services. ICS has stepped in to bridge the gap, offering credit scoring to unbanked and underbanked communities by using alternative data sources. Until last year, ICS had been operating under the oversight of the Financial Services Authority (Otoritas Jasa Keuangan – “OJK”) within the regulatory sandbox as a digital financial innovation, without any specific regulations addressing it. ICS providers assess creditworthiness using alternative data sources, including telecom usage (mobile credit, internet activity, calls, and messages), health records, social media interactions, and digital transaction history. These data points are gathered and analyzed through Artificial Intelligence (AI) and machine learning techniques.

Under the newly introduced framework for Financial Sector Technological Innovation (Inovasi Teknologi Sektor Keuangan or "ITSK") under Law No. 4 of 2023 concerning Development and Strengthening of the Financial Sector, as further elaborated in OJK Regulation No. 3 of 2024 concerning the Implementation of Financial Sector Technological Innovation (“OJK Reg 3/2024”), OJK has taken a decisive step to bring the business model of ICS under its regulatory and supervisory scope. To solidify this move, OJK issued OJK Regulation No. 29 of 2024 concerning Alternative Credit Scoring (“OJK Reg 29/2024”), providing a clear regulatory framework for ICS industry players, which is now formally referred to as Alternative Credit Scoring (“ACS”). The regulation aims to ensure business certainty of ACS, while promoting the secure and legal use of alternative data.

Requirements for ACS Operators

In order to conduct ACS business activities, entities must obtain an ACS business license and meet the following criteria:

1. Legal Entity – ACS operators must be in the form of limited liability company (perseroan terbatas). ^[1]
2. Capitalization – Mandatory paid-up capital of ACS operators is at least Rp5 billion. ^[2]
3. Foreign Ownership – Both Indonesian and foreign individuals and business entities may own ACS operators ^[3]. However, there are restrictions on foreign ownership, with a maximum of 85% (eighty-five percent) of the paid-up capital allowed for foreign individuals or entities, whether directly or indirectly ^[4], though this restriction does not apply to ACS companies that are publicly listed. ^[5]
4. Organizational Structure – ACS operators must have at least 2 (two) directors and 1 (one) commissioner, with at least 1 (one) of the directors is experienced in the industry of ACS, information technology, or financial services industry. ^[6] Further, the directors may only have a concurrent position as directors, commissioners, or executives in a non-profit entity. ^[7]
5. Foreign Workers – Foreign workers are permissible to be employed by ACS operators with certain conditions, such as holding positions one level below the board of directors and/or as experts or consultants, with a maximum tenure of three years per position, as well as provided that they have relevant expertise and comply with applicable laws and regulations. ^[8] Foreign workers are prohibited from holding positions in human resources and compliance functions. ^[9]
6. Fit and Proper Test – The main parties of the ACS operators, including controlling shareholders, directors, and commissioners, must pass OJK’s fit and proper test before obtaining approval. ^[10]

How the Business of ACS is Implemented

• Products of ACS

The main product of ACS operators is a credit score, which is the result of the alternative data processing by ACS operators, describing the eligibility, condition, or profile of consumer for consideration of financial services institution in providing financial services to them. ^[11]

As the concept suggests, OJK prohibits ACS operators to produce credit score based on credit or financing data acquired, either directly or indirectly. ^[12] Instead, credit scores must be generated exclusively from proprietary methods, models, or innovations that analyze alternative data. ^[13] To safeguard consumer privacy, ACS operators are obligated to implement encryption or other methods towards the process and data relating to the credit score. ^[14]

Beyond credit scoring, ACS operators may engage in other activities involving the processing of alternative data that offer added value to its users, such as information in the form of warnings, fraud indications, individual profile mapping, as well as individual monitoring and evaluation. ^[15] For such products, ACS operators must first obtain prior approval from the OJK. ^[16]

• Scope of Activities

In order to produce the aforementioned products, the scope of activities conducted by ACS operators includes: ^[17]

1. Acquisition and collection of alternative data

In order to acquire alternative data, ACS operators may do it through: (i) partnering with eligible data provider through a partnership agreement; and/or (ii) other alternative data sources, such as social media data, of which is permitted to be acquired directly without any partnership. ^[18] Furthermore, ACS operators, either acting as controller and/or processor of the alternative data is mandated to adhere to laws and regulations regarding personal data protection. ^[19]

2. Processing and analysis of alternative data

In conducting these activities, ACS operators shall use the technology and model that it developed by themselves. ^[20] In light of the foregoing, there are obligations which must be adhered to by ACS operators, which essentially are to: (i) safeguard the confidentiality, entirety, and availability of Alternative Data until its destruction; (ii) ensure proper authentication, verification, and validation to prevent unauthorized access or changes to the data; (iii) obtain consent from data owners before processing alternative data; (iv) provide a communication channel for consumer complaints; and (v) promptly notify users in writing of any breaches in data confidentiality.

The credit score generated by ACS operators must meet the following minimum criteria: ^[21]

1. Presented in Bahasa Indonesia, except when needed by consumers, in which case it may be bilingual;
2. Displayed using symbols, letters, colours, and/or numbers; and

3. Accompanied by an explanation of the credit score.



3. Distribution of business activity results.

Products of ACS operators are prohibited to be distributed to parties other than the users, which include the following parties: ^[22]

1. Financial services institutions;
2. LPIP;
3. Consumers; and/or
4. Other parties, including: (i) law enforcement officers and/or public institutions for the execution of duties in accordance with the laws and regulations; and (ii) individuals with no credit history or those with limited credit history.

Given above scope of activities, the provisions of OJK Reg 29/2024 do not apply to alternative data processing carried out independently by financial services institutions and solely for their own purposes. ^[23]

Mandatory Regulatory Compliance

OJK mandates that ACS operators must adhere to the following regulatory compliance:

1. Electronic System Operator Certificate (Tanda Daftar Penyelenggara Sistem Elektronik – TD PSE) – ACS operators who have obtained business license from the OJK shall register as a electronic system operator to the Ministry of Communications and Digital Affairs at the latest of 30 calendar days since the issuance of business license from OJK. ^[24] However, this obligation shall be exempted if the relevant ACS operators have obtained TD-PSE in accordance with the ACS business activity prior to obtaining ACS operator business license from OJK. ^[25]
2. Personal Data Protection – ACS operators, whether acting as data controllers or processors, must comply with Indonesia’s personal data protection laws when processing and analysing alternative data. ^[26]
3. Consumer Protection – ACS operators are obligated to implement the consumer protection principles in conducting its business activities by subject to the applicable OJK regulations pertaining to consumer protection. ^[27]
4. Anti-Fraud Measures – ACS operators must develop and implement effective anti-fraud strategies in accordance with OJK regulations. ^[28]
5. Association Membership – Pursuant to Article 21 of OJK Reg 3/2024, ACS operators, as an ITSK organizer, is obligated to become a member of ITSK organizers association.
6. Data Center & Disaster Recovery Center - ACS operators must ensure that both their data center and disaster recovery center are located within Indonesia. ^[29]

Aside from the above, ACS operators are also obligated to adhere to the laws and regulations regarding immigration and taxation. ^[30]

Administrative Sanctions

Any non-compliance with the provisions of OJK Reg 29/2024 shall be subject to administrative sanctions of: (i) written warning; (ii) temporary suspension of part or all activities, including cooperation agreements; (iii) administrative fines of up to Rp1 billion; (iv) inclusion of main parties in the list of disreputable individuals in the financial sector; and/or (v) revocation of business license.

Transitional Actions for Industry Stakeholders

With the enactment of OJK Reg 3/2024, ICS was classified as ITSK, requiring its organizers to obtain a business license. However, as the necessary regulations and infrastructure were not yet in place, ICS organizers were instructed to register with OJK as ITSK organizers. Accordingly, with the enactment of OJK Reg 29/2024, the following follow-up actions are required for ICS organizers, as well as other parties: ^[31]

1. ICS organizers already registered with OJK are required to apply for an ACS operator business license no later than 18 December 2025;
2. ICS organizers currently in the OJK registration process may continue without affecting their timeline for a business license application;
3. ICS organizers registered with OJK that have foreign ownership exceeding the permitted limit must conduct adjustments within 1 (one) year of obtaining a business license; and
4. Parties other than ACS operators that have been conducting ACS business activities prior to the enactment of OJK Reg 29/2024 are required to apply for an ACS operator business license no later than 18 December 2025.