Yes. As of April 2025, OJK formally requires banks to implement AI governance frameworks, including AI-powered transaction monitoring. Not a recommendation. Not a best practice. A regulatory obligation with specific model documentation, bias testing, and human oversight requirements attached.
If you're a banking IT lead, compliance officer, or fintech founder still treating this as something to "think about later," this article is your wake-up call.
What Exactly Did OJK Mandate in April 2025?
On April 29, 2025, Indonesia's Financial Services Authority (OJK) published the Buku Panduan Tata Kelola Kecerdasan Artifisial Perbankan Indonesia, the AI Governance Guidance for Indonesian Banks.
This isn't a suggestion document. OJK positioned it as the minimum benchmark for the entire banking sector when developing and deploying AI systems.
The guidance covers the full AI lifecycle, from the moment a bank starts designing a model all the way through testing, deployment, live monitoring, and audit. It's built around three core principles:
- Reliability. AI outputs must be consistent and aligned with the bank's objectives.
- Accountability. Roles, responsibilities, and auditability must be clearly defined.
- Human oversight. Humans must remain in the loop for high-stakes decisions.
OJK didn't write this in isolation. The framework draws on the EU AI Act, BCBS (Basel Committee) guidance, and supervisory practices from Singapore, Japan, and the United States. The intent is clear. Indonesia wants its banking AI to be interoperable with global standards, and regulators in other jurisdictions will be watching.
AI Transaction Monitoring: What's Mandatory vs Recommended
Here's where it gets specific. The guidance distinguishes between what banks must do and what is considered good practice.
Mandatory requirements include:
- Continuous monitoring of AI models for data drift, concept drift, and performance errors
- Threshold-based alerts when model behavior changes
- Scheduled review cycles for all deployed AI systems
- Defined escalation paths where humans must approve, override, or review AI decisions
- Documented delegations of authority across AI roles (model owner, validator, data steward, auditor)
- Vendor contracts that include data protection clauses and rights for OJK to audit third-party models
Recommended (but strongly implied) practices include:
- Establishing a dedicated AI Committee or integrating AI oversight into an existing risk committee
- Assigning role profiles across legal, compliance, risk, data science, security, and customer experience
- Providing explainability to customers when AI decisions materially affect them, for example credit denials or account flags
Which Banks Are Most Affected?
All commercial banks operating in Indonesia fall under this guidance. But the operational impact isn't evenly distributed.
Large state-owned and tier-1 banks generally have existing AI infrastructure teams, model risk frameworks, and compliance muscle. Many were already moving toward these standards before the April 2025 mandate. They will spend most of their energy on documentation alignment and audit readiness.
Tier-2 Banks and Fintechs: The Window Is Narrowing
For tier-2 banks and licensed fintech lenders, the pressure is more acute.
Many of these institutions built their AI capabilities quickly to keep pace with market growth, often with lean teams, limited model documentation, and informal governance. Under OJK's new framework, that approach is no longer viable.
Consider the backdrop: between 2022 and early 2024, synthetic identity scams, phishing, and loan fraud cost Indonesian banks over IDR 2.5 trillion. OJK responded not just with the AI governance guidance but also with enforcement, issuing 147 enforcement actions in 2024 related to fraud prevention deficiencies, including fines and operational suspensions.
For fintech lenders specifically, the stakes are compounded. OJK has also mandated anti-fraud strategy implementation and AML compliance as part of broader P2P lending reforms. AI isn't just a governance question; it's increasingly the backbone of regulatory compliance itself.
What Needs to Be Prepared Technically?
If you're building toward OJK compliance, the technical preparation maps to three areas.
Model Documentation, Audit Trail, and Human-in-the-Loop
Model documentation is where most institutions fall short first. OJK expects banks to maintain records across the full AI lifecycle, not just what the model does today, but how it was designed, what data it was trained on, how it was validated before deployment, and how it has performed since.
This means:
- Model cards or equivalent documentation for each AI system in production
- Pre-deployment testing records, including bias and fairness assessments
- Version history when models are retrained or updated
Audit trails need to be continuous and machine-readable. OJK requires monitoring for concept drift (when the world changes and the model's assumptions no longer hold) and data drift (when incoming data patterns shift). If your fraud detection model was trained on 2022 transaction patterns, it needs to be regularly evaluated against current behavior, and those evaluations need to be logged.
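As an added illustration (not code from the OJK guidance or from any vendor), the sketch below runs one scheduled data-drift evaluation and emits a machine-readable audit record. It assumes the Population Stability Index as the drift metric, a 0.25 alert threshold taken from common industry practice, and constructed bucket edges, model name, and sample data.

```python
import json
import math
from datetime import datetime, timezone

# Assumed alert threshold: 0.25 is a common rule of thumb for PSI,
# not a value taken from the OJK guidance.
PSI_ALERT = 0.25
# Assumed bucket edges for transaction amounts in IDR (constructed).
EDGES = [0, 100_000, 500_000, 2_000_000, 10_000_000, float("inf")]

def bucket_shares(amounts, edges=EDGES):
    """Fraction of observations falling in each [edge_i, edge_i+1) bucket."""
    counts = [0] * (len(edges) - 1)
    for a in amounts:
        for i in range(len(counts)):
            if edges[i] <= a < edges[i + 1]:
                counts[i] += 1
                break
    total = sum(counts)
    if total == 0:
        raise ValueError("no observations in window; cannot evaluate drift")
    # Floor at a small epsilon so empty buckets do not produce log(0).
    return [max(c / total, 1e-6) for c in counts]

def psi(baseline, current):
    """Population Stability Index between two samples of the same feature."""
    b, c = bucket_shares(baseline), bucket_shares(current)
    return sum((ci - bi) * math.log(ci / bi) for bi, ci in zip(b, c))

def evaluate_drift(model_id, feature, baseline, current, now=None):
    """Run one drift evaluation and return a JSON line for the audit log."""
    score = psi(baseline, current)
    record = {
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "model_id": model_id,
        "feature": feature,
        "metric": "psi",
        "value": round(score, 4),
        "threshold": PSI_ALERT,
        "alert": score >= PSI_ALERT,
    }
    return json.dumps(record, sort_keys=True)

# Constructed sample data: training-era amounts vs. a shifted recent window.
BASELINE = [50_000] * 40 + [300_000] * 30 + [1_000_000] * 20 + [5_000_000] * 10
RECENT = [50_000] * 10 + [300_000] * 20 + [1_000_000] * 30 + [5_000_000] * 40
```

Calling `evaluate_drift("fraud-score-v3", "txn_amount", BASELINE, RECENT)` (hypothetical model name) yields a record with `"alert": true`; every evaluation is logged, not only the ones that breach the threshold, so the log shows that the check actually ran.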
Human-in-the-loop is perhaps the most operationally demanding requirement. OJK mandates that banks clearly define where humans must approve, override, or review AI decisions. This isn't just about having a human technically available. It means documented workflows, defined thresholds, and evidence that human review actually happens.
For fraud detection and AML use cases, this typically means the AI flags, a human analyst reviews above a certain risk threshold, and that review is logged with a timestamp and outcome.
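The flag, review, and log workflow described above can be sketched as follows. This is an added example, not part of the original article or the OJK guidance; the 0.70 threshold, field names, and the hash-chaining of entries (a design choice that makes later edits to the log detectable) are all assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Assumed value: the real review threshold comes from the bank's documented policy.
REVIEW_THRESHOLD = 0.70

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ReviewLog:
    """Append-only log; each entry stores the SHA-256 of the previous entry."""
    def __init__(self):
        self.entries = []

    def _append(self, event, now):
        ts = (now or datetime.now(timezone.utc)).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = dict(event, ts=ts, prev=prev)
        self.entries.append(dict(body, hash=_digest(body)))

    def score(self, txn_id, risk, now=None):
        """Log the model output; return True if an analyst must review it."""
        needs_review = risk >= REVIEW_THRESHOLD
        self._append({"type": "model_flag", "txn_id": txn_id, "risk": risk,
                      "needs_review": needs_review}, now)
        return needs_review

    def review(self, txn_id, analyst, outcome, now=None):
        """Log the human decision with analyst identity and outcome."""
        self._append({"type": "human_review", "txn_id": txn_id,
                      "analyst": analyst, "outcome": outcome}, now)

    def pending(self):
        """Flagged transactions that still have no logged human review."""
        done = {e["txn_id"] for e in self.entries if e["type"] == "human_review"}
        return [e["txn_id"] for e in self.entries
                if e.get("needs_review") and e["txn_id"] not in done]

    def verify(self):
        """Recompute the chain; False means an entry was altered or the chain broken."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

`pending()` is the evidence check: a non-empty result means the model flagged transactions that no analyst has signed off on. Chaining alone does not detect truncation of the newest entries, so the latest hash should also be stored somewhere the log writer cannot modify.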
How to Start Building an OJK-Compliant System?
If you're starting from scratch or retrofitting existing systems, the path forward is clearer than it might seem. OJK has given you the framework. What you need is the infrastructure to execute against it.
Start by mapping every AI system your institution currently uses: fraud scoring, credit assessment, transaction monitoring, KYC automation. Each one needs to be inventoried and assessed against the governance requirements.
Then ask three questions for each system:
- Is it documented? Can you show OJK how this model was built, trained, and validated?
- Is it monitored? Do you have automated alerts if performance degrades or data patterns shift?
- Is there a human in the loop? Is there a defined, auditable process for human review of high-risk outputs?
For fraud detection and AML compliance specifically, which is where OJK has been most explicit and most active in enforcement, this is not a build-it-yourself exercise for most institutions. The combination of real-time monitoring, behavioral analytics, model explainability, and audit logging requires purpose-built infrastructure.
That's where a partner with deep experience in OJK-compliant AI systems makes the difference between a compliance project that works and one that creates more documentation debt than it resolves.
The bottom line: OJK has moved from encouraging AI adoption to requiring it to meet a governance standard. The April 2025 guidance isn't the end of this journey. OJK has already signaled further updates to its AI ethics code to address generative AI and emerging risks.
Banks and fintechs that treat this as a documentation exercise will find themselves revisiting compliance every year. Those that build the right systems and oversight workflows now will find that compliance becomes a byproduct of doing things well.
Build an OJK-Compliant Fraud Detection System in 6 Weeks.
Reaching compliance does not have to be a long and complicated journey. If you are considering how to implement fraud detection and AML monitoring that meets OJK April 2025 requirements, with everything in place from day one, it might be the right time to start exploring what that could look like for you.
If it helps, we are here to walk you through it. Step by step, at your pace.

