Data centers and cloud providers in Indonesia have had quite a learning curve in the last ten years, as the government has ramped up regulations on the use of data by financial institutions.
A series of rules has been issued since 2007, with ever more impact on the cloud, starting with initial guidelines in the form of Regulation Number PBI 9/15/2007, Alvin Siagian, vice president and director of NTT Indonesia, explained at the DCD>Indonesia conference held earlier this month in Jakarta.
Tighter rules for commercial banks
After the 2007 guidelines, many data centers and service providers were caught off guard by the implementation of Government Regulation 82 in 2012 (PP82/2012), which ruled that Indonesians’ financial data should be housed within Indonesia.
As we reported previously, PP82/2012 prohibits financial data from being kept outside the country without prior approval. “There are exceptions… but with strict requirements,” said Siagian.
But it hasn’t stopped there. Commercial banks should now be getting ready for a new hurdle. More complex than PP82, Regulation 38/POJK.03/2016 on Risk Management in Information Technology Usage by Commercial Banks has been introduced by Otoritas Jasa Keuangan (OJK), or the Financial Services Authority of Indonesia.
“[The rules] used to be very brief, now it’s very detailed. It covers everything, from customer care all the way down to service level management. From your process, your technology, your resources, they will check that,” he said.
Implications for outsourced providers
And this has implications for outsourced providers, Siagian explained. For one, outsourced or cloud providers serving commercial banks must be ready for independent audits by the Financial Services Authority. This means banks that want to achieve compliance can only work with service providers that are both willing to cooperate and capable of doing so.
Banks are expected to keep the Financial Services Authority apprised of their providers and the services they are furnishing, effectively allowing the government agency to audit the service providers directly. And this requirement is no longer negotiable, Siagian asserted, including for banks using providers outside of the country.
There are implications should service providers perform below par, either by breaching their service level agreements (SLAs), violating guidelines stipulated in 38/POJK.03/2016, or being unable to provide pertinent data during an official audit. When that happens, banks will need to prepare an action plan to rectify the situation, or could even be asked to terminate the contract midstream for particularly egregious violations.
The clincher? The indications are that these regulations will eventually be expanded to cover the entire financial services industry, and not just commercial banks, he said.
The road to service excellence
It’s no longer “business as usual” for providers in Indonesia, says Siagian. He noted that the days when providers can hide behind empty promises or proclamations of Tier compliance are numbered, as genuine improvement to standards is forced upon the industry.
To underscore the strictness of the Financial Services Authority’s approach, Siagian explained that when NTT decided to swap a bank’s disaster recovery site with a production site at another location, NTT employees had to accompany the customer to the agency to explain their decision.
Ultimately, raising standards is not a singular activity, but consists of multiple components such as risk management, managing of privacy risks, and the securing of physical data center sites. Customers should have a say if a service provider wants to use a certain subcontractor, and must agree in writing to establish a chain of business trust.
“It is not about the IT; IT is an enabler. It’s about the commitment of the business unit. What is your customer satisfaction?” said Siagian.
Of course, attaining operational and service excellence is more than just choosing the right outsourced provider. Siagian pointed to common mistakes and misconceptions made by businesses, in particular calling out the importance of business analysts to translate business requirements into IT.
“If you don’t have a business analyst in your team, please [hire them]. I see a lot of disconnects between IT and business units,” he said. “When people come to us to outsource, they will ask about power, and cost per square meter of data center,” said Siagian, alluding to the mentality that outsourced providers are charging too much.
So how does one go about choosing the right provider? Siagian suggested that stakeholders step up and engage directly with outsourced providers prior to making a decision. He said: “Get a feel on the process, on the attitudes. [Learn about their] process governance, their best practices.”
And while the onus is on customers to figure out what they need, outsourced providers must be forthright, too. He said: “If you want to outsource, make sure you are clear what your requirements are. Make sure you know what your providers are providing. I always try to be brutally honest, it is a 3, 5 or 10-year contract [after all].”