Yes, while there are no specific regulations governing cloud use, in respect of information technology, cloud use is generally subject to consumer protection and data privacy rules. Financial institutions must comply with Financial Services Authority (Otoritas Jasa Keuangan (OJK)) Regulation No. 6/POJK.07/2022 on Consumer and Public Protection in the Financial Services Sector. This mandates that information technology must be supported by reliable technology, ensuring the security of personal data that must be routinely monitored. Data privacy rules will be discussed further under Q&A 7 on data privacy and security.

There are also institution-specific rules that apply to the outsourcing of information technology functions for different kinds of financial institutions. For instance, outsourcing for securities companies that are licensed as broker dealers is governed under OJK Regulation No. 50/POJK.04/2020 on Internal Control for Securities Companies that Carry out Business Activities as Broker Dealers ("OJK Regulation 50/2020"). A broker dealers, as defined by OJK Regulation 50/2020, is an entity that conducts trading of securities for its own benefit or for the benefit of other entities. Note that OJK Regulation 50/2020 is not applicable in cases where a company is only licensed to conduct securities underwriting.

Banks adhere to OJK Regulation No. 9/POJK.03/2016 on Prudential Principles of Banks that Partially Outsource Work to Other Parties. This covers the outsourcing of a bank's supporting business activities to other parties, which may include use of technology, such as cloud services.

Note that many financial institutions in Indonesia often enter into cooperation arrangements instead of outsourcing for cloud services. Cooperation between financial institutions and companies that provide cloud services are governed under the specific regulations applicable to such financial institutions.