Unpacking The Fintech Regulatory Sandbox Framework in Indonesia: Risks Management and The Data Privacy Imperative
To accommodate Indonesia’s quickly growing fintech industry, regulators have opted for a regulatory sandbox mechanism that bases the country’s regulatory response to innovation on the results of live experiments. While they offer clear benefits, regulatory sandboxes can also be risky regulatory instruments. This paper assesses the promises and pitfalls of the sandbox, focusing on the digital financial innovation (DFI) sector, a responsibility of Indonesian Financial Services Authority (Otoritas Jasa Keuangan, or OJK). The paper focuses on sandbox governance, its risk management mechanism, and co-regulation. Sandboxes should be evaluated based on their effects on the firms that pass through their process, but this information is not collected in Indonesia. Instead, this paper considers (1) to what extent innovative technologies, products, and services have been developed to companies’ full potential; (2) how participating firms cope with the post-exit mechanism; (3) to what extent the sandbox provides a mechanism for dialogue and adaptation of legislative solutions; and (4) how risks are managed in the sandbox. We identify three challenges to the effectiveness of the DFI sandbox in Indonesia: contribution to an uneven playing field for DFI operators, a lack of clarity about the desired outcomes of the sandbox and how firms are meant to exit the sandbox, and insufficient resources for the sandbox to operate as intended. These challenges increase the potential that the sandbox framework creates legal uncertainty, imposes burdensome costs, and fails to prevent consumer harm. Regulatory and governance improvements are essential to ensure the effectiveness of the sandbox framework. To this end, we make four policy recommendations. - The newly passed Law on Finance should be used to support the OJK sandbox framework and provide clear parameters for issuing licenses, defining the goals of an OJK license, and improving the regulatory environment through input from the sandbox. Inter-agency coordination is required and should be accomplished through leadership from authority figures and the implementation of the Law on Finance. - The co-regulatory approach between regulators, relevant ministries, and AFTECH should be strengthened to improve collaboration regarding the roles of data protection officers, risk assessments, the sandbox exit mechanism, and setting and evaluating sandbox goals. - OJK must allocate sufficient resources to the sandbox process, specifically sandbox committees and representatives of operators applying to the sandbox, in order to ensure OJK can fulfill its supervisory obligations in the fintech space.