Banks in Indonesia are subject to bank secrecy/confidentiality obligations grounded in Law No. 7 of 1992 regarding Banking, as last amended by Law No. 10 of 1998 (the “Banking Law”). Under the Banking Law, banks and their affiliates are required to keep information regarding their depositing customers, as well as any sum deposited by such customers, confidential. This confidentiality obligation does not cover information provided by non-depositing customers.
This is further strengthened by BI Regulation No. 7/6/PBI/2005 regarding Transparency of Information of Bank Products and the Use of Customer Personal Data (“BI Reg. 7/2005”). Under this BI regulation, banks are obligated to ask for written approval from customers before the banks can provide and/or disseminate their customers’ personal data to other parties for commercial purposes, unless stipulated otherwise under the applicable laws and regulations. The personal data of customers thus protected is (i) name of customer; (ii) address; (iii) date of birth and/or age; (iv) phone number; (v) name of the customer's mother; and (vi) other information constituting personal identity and usually provided by customers to banks in utilizing bank products.
Customer approval of a request to provide or disseminate the customer’s personal data to another party must be signed by such customer on a special form made for such purpose. The execution of such consents in an electronic format should be valid under Law No. 11 of 2008 regarding Electronic Information and Transactions, as last amended by Law No. 19/2016 (“ITE Law”).
Sharing Personal Data
This initial confidentiality of bank customers’ personal data can be bypassed in certain situations. Under the Banking Law and BI Regulation No. 2/19/PBI/2000 regarding Requirements and Procedures to Grant Written Orders or Approval to Disclose Bank Secrets (“BI Reg. 2/2000”), information covered by the banking confidentiality obligation can be released under several circumstances. These circumstances are (i) for taxation purposes; (ii) to settle the bank’s receivables which have been given to the State Agency for Receivables and Auctions (Badan Urusan Piutang dan Lelang Negara) or the Committee for State Receivables Affairs (Panitia Urusan Piutang Negara); (iii) for the purposes of the court in criminal cases; (iv) for the purposes of the court in civil disputes between a bank and its customer; (v) as an exchange of information between banks; (vi) on the written request, approval or authority of the depositing customer; and (vii) on the request of the valid heir of a deceased depositing customer.
The person or entity receiving the disclosed information depends on the circumstances justifying such disclosure, e.g. other banks in the case of point (v); the heir in the case of point (vii); the police, prosecutor, or judge in the case of point (iii).
Bank Secrecy and Data Protection Compliance
Bank data management regulations and data protection regulations complement each other. Data protection regulations serve as a foundation and “safety net” for bank data management activities; the banking sector is given the liberty to regulate more specific matters on data management not stipulated in the data protection regulations, while the data protection regulations cover all the bases for the use of personal data that are not specifically regulated in the banking regulations. One example of this is the exceptions for acquiring customer consent for certain disclosures of customer financial data.