Skip to main content

OJK AI Governance Compliance

OJK (Otoritas Jasa Keuangan) has layered its AI governance expectations over two instruments: the binding POJK 11/POJK.03/2022 on IT implementation by commercial banks, and the April 2025 AI Governance for Indonesian Banking guidance ("pedoman"). Combined, these set expectations for AI systems used in Indonesian commercial banking, P2P lending platforms (LPBBTI under POJK 10/POJK.05/2022), and financial services consumer protection workflows under POJK 22/2023.

Pedoman vs POJK

The April 2025 AI Governance document is supervisory guidance ("pedoman"), not a binding regulation (POJK). Its prescriptive weight is supervisory expectation, not statute. OJK may operationalize specific provisions through future POJK or circulars. This page reflects the guidance as published; check the OJK regulations page for updates.

caution

This page is engineering guidance for teams building governed AI on AxonFlow. It is not legal advice. Validate the regulatory mapping with your legal and compliance teams before relying on it for OJK audits or supervisory interactions.

The two OJK instruments that apply today

1. POJK 11/POJK.03/2022 — IT implementation for commercial banks (binding, in force)

POJK 11/POJK.03/2022 requires commercial banks to implement IT governance, risk management, and internal controls covering outsourced technology — including AI systems. Key provisions:

  • IT governance must be approved at the board level
  • Technology risk management must cover operational risk, data security, and outsourcing
  • Internal audit must include IT audit procedures for systems handling customer data
  • Outsourced technology providers are subject to right-to-audit clauses

2. April 2025 AI Governance guidance (supervisory expectation)

The OJK AI Governance for Indonesian Banking guidance establishes three pillars for AI lifecycle governance:

PillarOJK expectationAxonFlow coverage
ReliabilityModel accuracy monitoring, drift detection, testing before deploymentPolicy enforcement on every LLM + MCP call; audit trail captures decision chain and model outputs
AccountabilityAI Committee, defined roles (model owner, data steward, model validator), clear escalation pathsAudit trail with user_id, policy_id, and decision_id for attribution; HITL approval gates for material decisions
Human oversightProportionate human review for customer-impacting decisions, override capabilityHITL approval queues (Evaluation/Enterprise); circuit breaker for emergency shutdown

The guidance also names specific risks for generative AI: deepfakes, black-box models, algorithmic bias, hallucinations, over-reliance on AI outputs, and cyber threats. It expects transparency proportionate to risk, drift and concept-drift monitoring, and vendor right-to-audit provisions.

OJK AI Code of Ethics (refreshed 2025)

Six principles: Pancasila-based, beneficial, fair-and-just, accountable, transparent-and-explainable, resilient-and-secure. Extended in the 2025 refresh to cover generative AI hallucination and sensitive-data leakage risks.

A concrete example: Indonesian bank customer-service copilot on n8n with AxonFlow governance

A commercial bank operating under OJK supervision deploys an AI customer-service copilot through n8n workflows. The copilot handles balance inquiries, product recommendations, and complaint routing — all of which touch customer NIK, NPWP, and bank account data.

What OJK asks the bank to demonstrate:

  • POJK 11/2022 IT governance: the AI system is disclosed in the bank's IT audit, with board-level approval for its deployment and risk classification.
  • AI Governance guidance — reliability: the copilot's model outputs are monitored for accuracy and drift; AxonFlow's policy enforcement catches hallucinated financial advice before it reaches the customer.
  • AI Governance guidance — accountability: the bank has designated a model owner and data steward; every copilot interaction is traceable through AxonFlow's audit trail with user_id and decision_id.
  • AI Governance guidance — human oversight: material decisions (credit recommendations, complaint escalations) go through HITL approval gates; the bank can demonstrate the review trail for any OJK inquiry.

How it maps to AxonFlow tiers:

NeedCommunityEvaluationEnterprise
NIK / NPWP / bank-account detection on inbound customer dataSystem policies (sys_pii_indonesia_nik, sys_pii_indonesia_npwp_*, bank-account patterns) — pattern-based, ~0.7 confidenceSameSame + province-code + checksum validation (~0.95 confidence)
Policy enforcement on every LLM + MCP call (POJK 11/2022 IT governance)YesYesYes
Full audit trail with decision chain (AI Governance accountability pillar)Yes (3-day retention)Same (14-day)Same + 10-year retention (AuditRetentionDays=3650)
HITL on material customer-impact decisions (AI Governance human-oversight pillar)Can emit require_approval decisions; no queueHITL approval queue (24h expiry, 100 pending cap)Production HITL queue + portal
OJK audit export for supervisory reviewNot providedNot providedPOST /api/v1/ojk/audit/export — structured export for OJK review
Retention posture proof (POJK 11/2022 data-handling audit)Not providedNot providedGET /api/v1/ojk/audit/retention — per-data-type retention status
OJK readiness dashboardNot providedNot providedGET /api/v1/ojk/audit/readiness — readiness score across 3 frameworks
UU PDP breach notification (Art. 46)Not providedNot providedPOST /api/v1/ojk/breach/notify — generates Art. 46 compliant notification
Cross-border transfer logging (UU PDP Art. 56)Not providedNot provideddata_residency + transfer_basis fields in audit logs
OJK kill switch for unsafe AI behaviorNot providedNot providedGlobal / organization / system scope shutdown

What Community covers

Community gives you a credible starting point for OJK-relevant engineering work:

  • audit logging with decision chain and policy attribution
  • system and tenant policy enforcement on every LLM and MCP call
  • Indonesia-relevant PII protection: NIK, NPWP (legacy 15-digit and new 16-digit), Indonesian mobile (+62), and bank-account patterns for BCA, Mandiri, BRI, and BNI — 8 detection patterns total on the pii-indonesia category
  • governed LLM and MCP execution paths that are straightforward to review

Community PII detection is pattern-based with approximately 0.7 confidence. The patterns validate structural format (digit count, prefix ranges, context anchors) but do not perform province-code lookups or check-digit validation. Enterprise adds those validations and raises confidence to approximately 0.95.

Industry playbook

Commercial banks (POJK 11/2022)

The concrete flow above. Community covers policy + audit; Evaluation adds the HITL queue for material-decision review; Enterprise adds the structured OJK audit export and readiness dashboard. POJK 11/2022's IT-audit requirement is why the audit trail matters: when a regulator asks how AI decisions are governed, the bank needs to reconstruct what the model saw, what it produced, and who approved it.

P2P lending platforms (POJK 10/POJK.05/2022)

LPBBTI platforms deploy AI for credit scoring, borrower matching, and risk assessment. POJK 10/2022 requires IT governance for these platforms with specific provisions around data protection and outsourcing risk. AxonFlow's policy enforcement and PII detection are directly relevant: NPWP and NIK appear in every credit application, and the audit trail captures the decision chain from application intake through disbursement.

Payment service providers (PBI 23/6/PBI/2021)

Payment service providers regulated by BI also fall under OJK consumer protection rules through POJK 22/2023. See the BI Payment System Compliance page for the BI-specific requirements; the OJK overlay adds consumer-complaint handling and market-conduct supervision.

For the cross-framework view of regulated API families, use the Enterprise Compliance API Surface.

Enterprise Operating Workflow

The licensed workflow surface below is included here so engineers can evaluate both the community baseline and the production operating model from one page.

AxonFlow Enterprise includes a dedicated OJK module for audit-centric regulatory workflows aligned with Indonesian banking supervision. The module covers OJK AI Governance (April 2025 guidance), UU PDP (Law 27/2022), and BI payment system (PBI 23/6 and 23/7) frameworks through a unified API surface.

Requires Enterprise license.

caution

This guide is engineering guidance for teams operating governed AI on AxonFlow. It is not legal advice. Validate the regulatory mapping with your legal and compliance teams before relying on it for OJK audits or supervisory interactions.

What the current module covers

The OJK module registers six routes:

RouteMethodWhat it supports
/api/v1/ojk/audit/exportPOSTCreate an OJK audit export
/api/v1/ojk/audit/export/{id}GETInspect export status and metadata
/api/v1/ojk/audit/retentionGETCheck retention posture by data type
/api/v1/ojk/audit/readinessGETReturn readiness score and checks
/api/v1/ojk/breach/notifyPOSTGenerate UU PDP Art. 46 breach notification
/api/v1/ojk/dashboardGETReturn a combined compliance view

Identity handling:

  • Tenant context (derived from Basic auth credentials) is the preferred tenant identifier
  • X-Org-ID is accepted as a fallback
  • X-User-ID is captured when present for export attribution and traceability

When teams use this module

The OJK surface is useful for:

  • commercial banks preparing for OJK supervisory review of AI systems under POJK 11/POJK.03/2022
  • compliance teams needing structured audit evidence aligned with the April 2025 AI Governance guidance pillars
  • platforms needing UU PDP breach-notification workflow with Art. 46 required fields and 72-hour deadline
  • payment service providers preparing IS-audit evidence for BI review under PBI 23/6
  • teams running cross-border AI workloads that need to log data-residency and transfer-basis for UU PDP Art. 56

Core workflow

The typical operating loop is:

  1. Route governed traffic through AxonFlow so decisions, policy checks, PII detections, and LLM activity are logged
  2. Generate an OJK export for a period, tenant, or incident window
  3. Verify retention status for the relevant record classes
  4. Review readiness findings and close gaps before a supervisory review
  5. Use the breach-notification endpoint when a data incident requires Art. 46 notification

Export audit data

The export request supports date windows, output format, framework labeling, and typed filters.

curl -X POST http://localhost:8080/api/v1/ojk/audit/export \
-H "Content-Type: application/json" \
-H "X-User-ID: compliance-ops-1" \
-d '{
"start_date": "2026-01-01T00:00:00Z",
"end_date": "2026-03-31T23:59:59Z",
"data_types": ["policy_violations", "llm_calls", "decision_chain", "pii_redactions", "cross_border_transfers"],
"format": "json",
"framework": "OJK_AI_GOVERNANCE",
"include_archived": false,
"redact_pii": true,
"filters": {
"agent_ids": ["customer-copilot"],
"severity": "high",
"include_model_info": true
}
}'

The framework field accepts: OJK_AI_GOVERNANCE, UU_PDP, BI_PJP, or OJK_BI_COMBINED for a cross-framework export.

The data_types field accepts: policy_violations, llm_calls, decision_chain, hitl_oversight, pii_redactions, cross_border_transfers, or all.

Check export progress

curl http://localhost:8080/api/v1/ojk/audit/export/exp_67890

The response includes export_id, status, framework, summary metadata, and, for larger exports, a download_url plus expiry metadata when cloud storage is configured.

Check retention posture

The retention endpoint returns per-data-type retention status, including configured days, oldest and newest record timestamps, total and archived record counts, storage usage estimates, and compliance status.

curl http://localhost:8080/api/v1/ojk/audit/retention

This is the endpoint compliance teams should use before claiming an audit window is fully defensible. For Indonesian banking, the 5-year minimum retention floor applies when AXONFLOW_COMPLIANCE_REGION includes ID.

Check readiness before a supervisory review

curl http://localhost:8080/api/v1/ojk/audit/readiness

The readiness response is built around:

  • ready — boolean overall readiness
  • score — 0-100 readiness score
  • checks — array of individual checks with name, description, status, and optional details
  • recommendations — actionable items to close gaps

The readiness scoring evaluates across the three OJK AI Governance pillars (reliability, accountability, human oversight) and flags gaps in:

  • audit-trail completeness for the assessment period
  • PII detection coverage (are Indonesia patterns active?)
  • HITL approval-gate configuration for material decisions
  • retention posture against the 5-year floor
  • policy enforcement coverage across active tenants

Generate a breach notification (UU PDP Art. 46)

When a data incident requires notification under UU PDP Art. 46, the breach endpoint generates the notification template:

curl -X POST http://localhost:8080/api/v1/ojk/breach/notify \
-H "Content-Type: application/json" \
-H "X-User-ID: compliance-lead-1" \
-d '{
"data_types_involved": ["nik", "npwp", "bank_account"],
"discovery_timestamp": "2026-03-15T14:30:00Z",
"estimated_subjects_affected": 1200,
"remediation_steps": [
"Revoked compromised API credentials",
"Enabled additional PII redaction policies",
"Initiated forensic audit of affected tenant"
]
}'

The response includes:

  • notification_id — unique identifier for tracking
  • notification_deadline — calculated as 72 hours from discovery_timestamp
  • recipient — currently "MOCDA" (until the DPA is constituted)
  • statusdraft, sent, or acknowledged
  • All Art. 46 required fields pre-populated for review before sending

OJK kill switch

The kill switch provides emergency shutdown at three scopes:

  • Global — stops all AI processing across the organization
  • Organization — stops AI processing for a specific tenant or business unit
  • System — stops a specific AI system (identified by system_id)

This maps to the OJK AI Governance guidance's human-oversight pillar requirement for override capability on AI systems that impact customers. The kill switch is implemented through the circuit breaker API — see HITL & Circuit Breaker API Reference for the POST /api/v1/circuit-breaker/trip endpoint.

Dashboard

curl http://localhost:8080/api/v1/ojk/dashboard

The dashboard endpoint provides a combined compliance view across recent exports, readiness posture, active kill switches, and breach-notification status. Useful when compliance teams want one compact view instead of calling individual endpoints.

For production teams running banking or payment workloads under OJK supervision:

CadenceActionEndpoint
WeeklyCheck readiness score and close gapsGET /api/v1/ojk/audit/readiness
MonthlyReview dashboard for compliance postureGET /api/v1/ojk/dashboard
QuarterlyGenerate audit export for supervisory reviewPOST /api/v1/ojk/audit/export
QuarterlyVerify retention postureGET /api/v1/ojk/audit/retention
On incidentGenerate breach notification within 72hPOST /api/v1/ojk/breach/notify
On incidentActivate kill switch if unsafe behavior detectedKill-switch API