Bank Indonesia's Payment System Continuity Framework
Bank Indonesia (BI) regulates Indonesia's payment systems through PBI (Peraturan Bank Indonesia) 23/2021 on Payment System Providers. BI's mandate is to ensure the stability and integrity of national payment systems, which are critical infrastructure for the Indonesian economy. PBI 23/2021 establishes availability and resilience requirements for payment system operators and participants, covering the Sistem Kliring Nasional Indonesia (SKNBI), BI-FAST (instant transfer system), and Real-Time Gross Settlement (RTGS) system.
Payment system continuity is fundamentally a systemic risk issue—a major payment system outage can disrupt the entire financial system and the broader economy. Unlike business continuity for a single organization, payment system continuity is about national financial infrastructure. BI's supervisory focus is on whether payment system operators can maintain 99.5% annual availability and recover from disasters within strict recovery time objectives.
PBI 23/2021 Availability Requirements
PBI 23/2021 establishes a 99.5% annual availability requirement for critical payment systems. While 99.5% may sound high, it translates to approximately 43.8 hours of allowable downtime per calendar year—a very tight operational window. This means that even a single 24-hour outage consumes more than half of the annual availability allowance.
The regulation specifies a 2-hour Recovery Time Objective (RTO) for core payment processing systems. If a payment system component fails, the operator must recover it within 2 hours, including the time needed to detect the failure, activate the backup system, and restore transaction processing. RPO (Recovery Point Objective) for payment transaction data is similarly stringent—the system must not lose more than a small time window of transactions.
Mapping PBI Requirements to ISO 22301
PBI 23/2021 does not reference ISO 22301, but the regulation's technical requirements map directly to ISO 22301 clauses. A payment system operator seeking ISO 22301 certification for payment system continuity must demonstrate that the BCMS addresses each PBI requirement. The following table shows the mapping:
| PBI 23/2021 Requirement | ISO 22301 Clause | Implementation Evidence |
|---|---|---|
| BCM Policy for payment systems | Clause 5.2: Policy | BCMS policy explicitly covering payment system scope and 99.5% availability target |
| Critical activity identification | Clause 8.2: BIA | BIA identifying payment processing as critical, with explicit RTO/RPO targets |
| 2-hour RTO for core payment systems | Clause 8.3: BC Strategies | ICT continuity plan with documented, tested RTO of 2 hours or less |
| Annual DR testing | Clause 8.5: Exercises | DR exercise records with BI-compliant format and evidence of 2-hour recovery |
| Incident notification to BI | Clause 8.4: BCPs | BCP communication procedures with 1-hour BI notification requirement |
The 2-Hour RTO Challenge
A 2-hour RTO for payment systems is operationally demanding. It requires hot standby data centers with automated failover, zero or near-zero data loss during switchover, and pre-positioned critical system components at the backup location. Unlike traditional disaster recovery, which might accept a 4-8 hour RTO, payment system RTO must be measured in minutes.
To achieve 2-hour RTO, payment system operators typically implement a combination of technologies: database replication with continuous synchronization, application clustering with load balancing across geographically distributed sites, and monitoring systems that detect failures and trigger failover automatically. Testing is essential—the documented RTO is only credible if verified through realistic, full-scale DR exercises.
DR Testing Requirements
PBI 23/2021 mandates annual disaster recovery testing for critical payment systems, with formal reporting to Bank Indonesia. The following table outlines the testing requirements that BI expects:
| Test Type | BI Requirement | Test Frequency | Evidence Format |
|---|---|---|---|
| Data Center Failover | Full failover to DR site, with all critical systems | Annual | BI DR test report format with timestamp and recovery time |
| Application Recovery | Core payment application recovery and data sync | Annual | Recovery time evidence, data integrity verification |
| Data Integrity Test | Verify transaction data integrity post-recovery | Annual | Data reconciliation report comparing primary and DR systems |
| Communication Test | Test BI notification procedure during incident | Annual | Communication log showing timely BI notification |
Reporting to Bank Indonesia
When a payment system incident occurs, operators must notify Bank Indonesia within 1 hour. This is not a guideline—it is a regulatory requirement. The notification must specify the nature of the incident, estimated time to recovery, impact on system availability, and customer communication steps. Organizations often underestimate the importance of pre-drafted communication templates. When an incident is occurring, stress and competing priorities make it difficult to compose clear, accurate notifications. Templates prepared in advance ensure that the BI notification requirement is met even under crisis conditions.
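The three numeric limits described above (99.5% annual availability, the 2-hour RTO that includes detection time, and the 1-hour notification window) can be checked mechanically against an incident or DR exercise timeline. The following is an added example, not part of PBI 23/2021 or any BI reporting format; the record layout, incident names and timestamps are constructed, and counting the notification window from detection is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

RTO = timedelta(hours=2)            # core payment processing RTO (from the page)
NOTIFY_WINDOW = timedelta(hours=1)  # BI notification window (from the page)

@dataclass
class Incident:                      # hypothetical record layout
    name: str
    failed: datetime                 # component actually stopped processing
    detected: datetime               # monitoring raised the failure
    bi_notified: Optional[datetime]  # None = no notification logged
    restored: datetime               # transaction processing resumed

def annual_budget(year: int) -> timedelta:
    """Allowed downtime at 99.5% availability: 0.5% of the calendar year."""
    year_length = datetime(year + 1, 1, 1) - datetime(year, 1, 1)
    return year_length * 5 / 1000

def evaluate(incidents, year):
    """Check each incident against the RTO, notification window and running budget."""
    left = annual_budget(year)
    findings = {}
    for inc in sorted(incidents, key=lambda i: i.failed):
        outage = inc.restored - inc.failed   # RTO clock includes detection time
        left -= outage
        findings[inc.name] = {
            "outage": outage,
            "rto_met": outage <= RTO,
            # Assumption: the 1-hour window is counted from detection.
            "notified_in_time": inc.bi_notified is not None
                and inc.bi_notified - inc.detected <= NOTIFY_WINDOW,
            "budget_left": left,
        }
    return findings

def t(s):  # helper for the constructed sample timeline below
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

SAMPLE = [  # constructed incidents, not real data
    Incident("db-failover", t("2023-03-05 01:00"), t("2023-03-05 01:10"),
             t("2023-03-05 01:40"), t("2023-03-05 02:30")),
    Incident("replication-stall", t("2023-07-12 09:00"), t("2023-07-12 09:50"),
             t("2023-07-12 11:00"), t("2023-07-12 11:30")),
    Incident("dc-power-loss", t("2023-11-20 22:00"), t("2023-11-20 22:05"),
             None, t("2023-11-21 22:00")),
]
```

In the sample, the replication stall is restored 1 hour 40 minutes after detection but 2 hours 30 minutes after the actual failure, so it misses the RTO because of the 50 minutes spent undetected.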
Integration with ISO 22301
Payment system operators using ISO 22301 as their BCMS framework should make PBI 23/2021 requirements explicit in the BCMS scope statement, BIA, and strategic objectives. The BCP should incorporate BI notification procedures and pre-drafted communication templates. Exercise programs should include payment system-specific scenarios aligned with PBI expectations. This integration ensures that BI supervisory expectations are built into the BCMS from the start, rather than treated as a separate compliance layer.
| KEY IDEA | Bank Indonesia's 2-hour RTO for core payment systems is not a target—it is a regulatory requirement. Failure to achieve it during an incident, without being able to demonstrate compensating factors and a remediation plan, creates supervisory risk. |
| IMPORTANT | The 1-hour notification requirement to Bank Indonesia when a payment system incident occurs must be pre-built into your BCP. Under stress, organizations without a pre-drafted notification procedure and clear authorization often miss this window, creating a secondary regulatory issue on top of the incident itself. |
| BITLION INSIGHT | BI-FAST participation has expanded significantly since 2021, bringing many smaller payment institutions under BI payment system continuity requirements for the first time. These organizations often need to build BCMS capability from scratch while also meeting BI's technical DR requirements. |