Data Protection in the Indonesian Financial Services Sector

By Winnie Y. Rolindrawan and Meta N. Mustikaningrum

The Indonesian Minister of Communication and Informatics (MOCI) issued Regulation No. 20 of 2016 regarding the Protection of Personal Data in Electronic Systems (MOCI Reg. 20) to regulate the protection of personal data by electronic system providers in Indonesia.

This regulation strengthens existing data protection obligations (e.g., data on-shoring for electronic system providers for public purposes, consent of personal data owners) and makes a point to clarify previously grey or unregulated areas (e.g., cross-border transfer requirements, data storing requirements).

General personal data protection regulations in Indonesia and regulations relevant to financial data management in the country overlap somewhat, in that several requirements elaborated in the general data protection regulations are highlighted in the financial data management regulations (e.g., data on-shoring). Despite there being several specific regulations for different types of financial institutions, these regulations do not contain more onerous requirements for financial data management than those already established in the general personal data protection regulations.

Managing Personal and Financial Data

Aside from general data protection laws, data management for financial institutions is largely covered under consumer protection regulations. These include Financial Services Authority (OJK€) Regulation No. 1/POJK.07/2013 regarding Consumer Protection in the Financial Services Sector (OJK Reg. 1/2013); OJK Circular Letter No. 2/SEOJK.07/2014 regarding Consumer Complaint Services and Settlements; Bank Indonesia (BI) Regulation No. 16/1/PBI/2014 regarding Consumer Protection in Payment System Services (BI Reg. 16/2014); and BI Circular Letter No. 16/16/DKSP regarding Implementing Procedures for Consumer Protection in Payment System Services.

The management of personal and financial data is further regulated for certain financial institutions such as banks and insurance companies in separate regulations. These include:

1. OJK Regulation No. 69/POJK.05/2016 regarding Insurance Business Implementation, Sharia Insurance Company, Re-Insurance Company, and Sharia Re-Insurance Company (OJK Reg. 69/2016);
2. Law No. 7 of 1992 regarding Banking, as lastly amended by Law No. 10 of 1998 (Banking Law);
3. BI Regulation No. 2/19/PBI/2000 regarding Requirements and Procedures to Grant Written Orders or Approval to Disclose Bank Secrets (BI Reg. 2/2000);
4. Government Regulation as a Replacement of Law No. 1 of 2017 regarding Access to Financial Information for Taxation Purposes (Perpu 1/2017);
5. Minister of Finance (MOF) Regulation No. 70/PMK.03/2017 regarding Technical Guidance for Access to Financial Information for Taxation Purposes, as lastly amended by MOF Regulation No. 73/PMK.03/2017 (MOF Reg. 70/2017); and
6. OJK Regulation No. 38/POJK.03/2016 regarding Implementation of Risk Management in the Use of Information Technology by Commercial Banks.

Money Laundering