The Indonesian Minister of Communication and Informatics (“MOCI”) issued Regulation No. 20 of 2016 regarding the Protection of Personal Data in Electronic Systems (“MOCI Reg. 20”) to regulate the protection of personal data by electronic system providers in Indonesia. This regulation strengthens existing data protection obligations (e.g., data on-shoring for electronic system providers for public purposes, consent of personal data owners), and makes a point to clarify previously grey or unregulated areas (e.g., cross-border transfer requirements, data storing requirements).
General personal data protection regulations in Indonesia and regulations relevant to financial data management in the country overlap somewhat, in that several requirements elaborated in the general data protection regulations are highlighted in the financial data management regulations (e.g., data on-shoring). Despite there being several specific regulations for different types of financial institutions, these regulations do not contain more onerous requirements for financial data management than those already established in the general personal data protection regulations.
Managing Personal and Financial Data
Aside from general data protection laws, data management for financial institutions is largely covered under consumer protection regulations. These include Financial Services Authority (“OJK”) Regulation No. 1/POJK.07/2013 regarding Consumer Protection in the Financial Services Sector (“OJK Reg. 1/2013”); OJK Circular Letter No. 2/SEOJK.07/2014 regarding Consumer Complaint Services and Settlements; Bank Indonesia (“BI”) Regulation No. 16/1/PBI/2014 regarding Consumer Protection in Payment System Services (“BI Reg. 16/2014”); and BI Circular Letter No. 16/16/DKSP regarding Implementing Procedures for Consumer Protection in Payment System Services.
The management of personal and financial data is further regulated for certain financial institutions such as banks and insurance companies in separate regulations. These include:
- OJK Regulation No. 69/POJK.05/2016 regarding Insurance Business Implementation, Sharia Insurance Company, Re-Insurance Company, and Sharia Re-Insurance Company (“OJK Reg. 69/2016”);
- Law No. 7 of 1992 regarding Banking, as lastly amended by Law No. 10 of 1998 (“Banking Law”);
- BI Regulation No. 2/19/PBI/2000 regarding Requirements and Procedures to Grant Written Orders or Approval to Disclose Bank Secrets (“BI Reg. 2/2000”);
- Government Regulation as a Replacement of Law No. 1 of 2017 regarding Access to Financial Information for Taxation Purposes (“Perpu 1/2017”);
- Minister of Finance (“MOF”) Regulation No. 70/PMK.03/2017 regarding Technical Guidance for Access to Financial Information for Taxation Purposes, as lastly amended by MOF Regulation No. 73/PMK.03/2017 (“MOF Reg. 70/2017”); and
- OJK Regulation No. 38/POJK.03/2016 regarding Implementation of Risk Management in the Use of Information Technology by Commercial Banks.
Know Your Client (“KYC”) requirements in Indonesia are grounded in Law No. 8 of 2010 regarding the Prevention and Eradication of the Criminal Act of Money Laundering (“AML Law”). The AML Law requires financial services providers to implement KYC principles in accordance with the provisions stipulated by the supervisory institutions of each financial services provider. The obligation to apply KYC principles shall be implemented at the time of: (i) entering into a business relationship with a service user; (ii) any financial transaction in rupiah currency and/or foreign currency having a minimum value of or equal to IDR 100 million; (iii) any suspicious financial transaction possibly related to criminal acts of money laundering or terrorism funding; or (iv) the reporting party doubts the truthfulness of information reported by the service user.
The KYC procedures at financial services providers must at a minimum accomplish the following: (i) service user identification; (ii) verification of service user; and (iii) monitoring of service user’s transactions.
Given the fast development of the economy and the interwoven nature of personal data and services offered by financial institutions, Indonesia is attempting to improve its data protection regulations in a way that benefits both data owners and data users. While the Indonesian data protection regime still needs detailed and technical implementing regulations, those regulations that are available provide the necessary basic protections, thanks largely to the emphasis on requiring consent.