OJK AI Governance Compliance
OJK (Otoritas Jasa Keuangan) has layered its AI governance expectations over two instruments: the binding POJK 11/POJK.03/2022 on IT implementation by commercial banks, and the April 2025 AI Governance for Indonesian Banking guidance ("pedoman"). Combined, these set expectations for AI systems used in Indonesian commercial banking, P2P lending platforms (LPBBTI under POJK 10/POJK.05/2022), and financial services consumer protection workflows under POJK 22/2023.
The April 2025 AI Governance document is supervisory guidance ("pedoman"), not a binding regulation (POJK). Its prescriptive weight is supervisory expectation, not statute. OJK may operationalize specific provisions through future POJK or circulars. This page reflects the guidance as published; check the OJK regulations page for updates.
This page is engineering guidance for teams building governed AI on AxonFlow. It is not legal advice. Validate the regulatory mapping with your legal and compliance teams before relying on it for OJK audits or supervisory interactions.
The two OJK instruments that apply today
1. POJK 11/POJK.03/2022 — IT implementation for commercial banks (binding, in force)
POJK 11/POJK.03/2022 requires commercial banks to implement IT governance, risk management, and internal controls covering outsourced technology — including AI systems. Key provisions:
- IT governance must be approved at the board level
- Technology risk management must cover operational risk, data security, and outsourcing
- Internal audit must include IT audit procedures for systems handling customer data
- Outsourced technology providers are subject to right-to-audit clauses
2. April 2025 AI Governance guidance (supervisory expectation)
The OJK AI Governance for Indonesian Banking guidance establishes three pillars for AI lifecycle governance:
| Pillar | OJK expectation | AxonFlow coverage |
|---|---|---|
| Reliability | Model accuracy monitoring, drift detection, testing before deployment | Policy enforcement on every LLM + MCP call; audit trail captures decision chain and model outputs |
| Accountability | AI Committee, defined roles (model owner, data steward, model validator), clear escalation paths | Audit trail with user_id, policy_id, and decision_id for attribution; HITL approval gates for material decisions |
| Human oversight | Proportionate human review for customer-impacting decisions, override capability | HITL approval queues (Evaluation/Enterprise); circuit breaker for emergency shutdown |
The guidance also names specific risks for generative AI: deepfakes, black-box models, algorithmic bias, hallucinations, over-reliance on AI outputs, and cyber threats. It expects transparency proportionate to risk, drift and concept-drift monitoring, and vendor right-to-audit provisions.
OJK AI Code of Ethics (refreshed 2025)
Six principles: Pancasila-based, beneficial, fair-and-just, accountable, transparent-and-explainable, resilient-and-secure. Extended in the 2025 refresh to cover generative AI hallucination and sensitive-data leakage risks.
A concrete example: Indonesian bank customer-service copilot on n8n with AxonFlow governance
A commercial bank operating under OJK supervision deploys an AI customer-service copilot through n8n workflows. The copilot handles balance inquiries, product recommendations, and complaint routing — all of which touch customer NIK, NPWP, and bank account data.
What OJK asks the bank to demonstrate:
- POJK 11/2022 IT governance: the AI system is disclosed in the bank's IT audit, with board-level approval for its deployment and risk classification.
- AI Governance guidance — reliability: the copilot's model outputs are monitored for accuracy and drift; AxonFlow's policy enforcement catches hallucinated financial advice before it reaches the customer.
- AI Governance guidance — accountability: the bank has designated a model owner and data steward; every copilot interaction is traceable through AxonFlow's audit trail with user_id and decision_id.
- AI Governance guidance — human oversight: material decisions (credit recommendations, complaint escalations) go through HITL approval gates; the bank can demonstrate the review trail for any OJK inquiry.
How it maps to AxonFlow tiers:
| Need | Community | Evaluation | Enterprise |
|---|---|---|---|
| NIK / NPWP / bank-account detection on inbound customer data | System policies (sys_pii_indonesia_nik, sys_pii_indonesia_npwp_*, bank-account patterns) — pattern-based, ~0.7 confidence | Same | Same + province-code + checksum validation (~0.95 confidence) |
| Policy enforcement on every LLM + MCP call (POJK 11/2022 IT governance) | Yes | Yes | Yes |
| Full audit trail with decision chain (AI Governance accountability pillar) | Yes (3-day retention) | Same (14-day) | Same + 10-year retention (AuditRetentionDays=3650) |
| HITL on material customer-impact decisions (AI Governance human-oversight pillar) | Can emit require_approval decisions; no queue | HITL approval queue (24h expiry, 100 pending cap) | Production HITL queue + portal |
| OJK audit export for supervisory review | Not provided | Not provided | POST /api/v1/ojk/audit/export — structured export for OJK review |
| Retention posture proof (POJK 11/2022 data-handling audit) | Not provided | Not provided | GET /api/v1/ojk/audit/retention — per-data-type retention status |
| OJK readiness dashboard | Not provided | Not provided | GET /api/v1/ojk/audit/readiness — readiness score across 3 frameworks |
| UU PDP breach notification (Art. 46) | Not provided | Not provided | POST /api/v1/ojk/breach/notify — generates Art. 46 compliant notification |
| Cross-border transfer logging (UU PDP Art. 56) | Not provided | Not provided | data_residency + transfer_basis fields in audit logs |
| OJK kill switch for unsafe AI behavior | Not provided | Not provided | Global / organization / system scope shutdown |
What Community covers
Community gives you a credible starting point for OJK-relevant engineering work:
- audit logging with decision chain and policy attribution
- system and tenant policy enforcement on every LLM and MCP call
- Indonesia-relevant PII protection: NIK, NPWP (legacy 15-digit and new 16-digit), Indonesian mobile (+62), and bank-account patterns for BCA, Mandiri, BRI, and BNI — 8 detection patterns total in the pii-indonesia category
- governed LLM and MCP execution paths that are straightforward to review
Community PII detection is pattern-based with approximately 0.7 confidence. The patterns validate structural format (digit count, prefix ranges, context anchors) but do not perform province-code lookups or check-digit validation. Enterprise adds those validations and raises confidence to approximately 0.95.
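To make the two detection tiers described above concrete, here is an added illustrative detector (not AxonFlow's code) that matches NIK and legacy 15-digit NPWP values by pattern and context anchor, then optionally applies the structural province-code and birth-date checks that lift confidence from ~0.7 to ~0.95. The province-code set, the anchor words, the NIK field layout and the 0.5 no-anchor score are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Assumption for this example: NIK layout is 2-digit province, 2-digit
# regency, 2-digit district, DDMMYY (female birthdays encoded as DD+40),
# then a 4-digit sequence. The province codes below are a constructed subset.
KNOWN_PROVINCE_CODES = {"31", "32", "33", "34", "35", "36", "51", "61", "73"}

NIK_PATTERN = re.compile(r"(?<!\d)(\d{16})(?!\d)")
# Legacy 15-digit NPWP, written as XX.XXX.XXX.X-XXX.XXX or as bare digits
NPWP15_PATTERN = re.compile(r"(?<!\d)(\d{2}\.?\d{3}\.?\d{3}\.?\d-?\d{3}\.?\d{3})(?!\d)")
CONTEXT_ANCHORS = ("nik", "ktp", "npwp")  # assumed anchor words


@dataclass
class Finding:
    kind: str
    value: str
    confidence: float


def nik_structure_ok(nik: str) -> bool:
    """Enterprise-style structural check: known province code plus a plausible birth date."""
    if nik[:2] not in KNOWN_PROVINCE_CODES:
        return False
    day, month = int(nik[6:8]), int(nik[8:10])
    if day > 40:
        day -= 40  # female birthdays carry +40 on the day field
    return 1 <= day <= 31 and 1 <= month <= 12


def scan(text: str, validate: bool = False) -> list[Finding]:
    """Pattern-based scan (~0.7 with a context anchor); validate=True adds structural checks (~0.95)."""
    findings: list[Finding] = []
    anchored = any(a in text.lower() for a in CONTEXT_ANCHORS)
    base = 0.7 if anchored else 0.5  # no-anchor score is an assumption
    for m in NIK_PATTERN.finditer(text):
        value = m.group(1)
        conf = base
        if validate and nik_structure_ok(value):
            conf = 0.95
        # A match that fails validation keeps the pattern-only confidence.
        findings.append(Finding("nik", value, conf))
    for m in NPWP15_PATTERN.finditer(text):
        findings.append(Finding("npwp15", m.group(1), base))
    return findings


if __name__ == "__main__":
    sample = "Customer NIK: 3171011509900001, NPWP 01.234.567.8-901.000"  # constructed
    for f in scan(sample, validate=True):
        print(f)
```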
Industry playbook
Commercial banks (POJK 11/2022)
This is the concrete flow described above. Community covers policy + audit; Evaluation adds the HITL queue for material-decision review; Enterprise adds the structured OJK audit export and readiness dashboard. POJK 11/2022's IT-audit requirement is why the audit trail matters: when a regulator asks how AI decisions are governed, the bank needs to reconstruct what the model saw, what it produced, and who approved it.
P2P lending platforms (POJK 10/POJK.05/2022)
LPBBTI platforms deploy AI for credit scoring, borrower matching, and risk assessment. POJK 10/2022 requires IT governance for these platforms with specific provisions around data protection and outsourcing risk. AxonFlow's policy enforcement and PII detection are directly relevant: NPWP and NIK appear in every credit application, and the audit trail captures the decision chain from application intake through disbursement.
Payment service providers (PBI 23/6/PBI/2021)
Payment service providers regulated by BI also fall under OJK consumer protection rules through POJK 22/2023. See the BI Payment System Compliance page for the BI-specific requirements; the OJK overlay adds consumer-complaint handling and market-conduct supervision.
