TheJakartaPost
Please Update your browser
Your browser is out of date, and may not be compatible with our website. A list of the most popular web browsers can be found below.
Just click on the icons to get to the download page.
Demystifying digital banking services regulation
The crucial part of personal data protection is when banks cooperate with their partners in delivering digital services to customers, as the data will be shared with the partners.
Change Size
Cashless society: A buyer makes a purchase using a Quick Response Indonesian Standard (QRIS) code during a micro, small and medium enterprise trade show in Cibinong, Bogor regency, West Java, on June 20, 2023. (Antara/Yulius Satria Wijaya)
T
he Financial Services Authority (OJK) recently released on its website the draft regulation on digital services by commercial banks to invite responses and commentary from the public before it can be finalized. Once finalized, this regulation will supersede the prevailing regulation that was issued in 2018.
The regulation, if it comes into force, is expected to mitigate risks arising from the rapid growth of information technology (IT) in the banking sector, including those with respect to the misuse of technology, as well as data privacy. The following are our initial observations.
First, the draft still adopts the principles-based approach, in which it does not go into detail in terms of the type of technology that banks should use. The draft requires banks to possess adequate IT infrastructure and implement responsible innovation principles that would eventually benefit their customers.
We suppose this is the proper approach when it comes to regulating IT aspects, which have the sky as the limit. Keeping up with the IT pace, lawmakers should incorporate fundamental principles that banks should adhere to, as opposed to detailed requirements.
Second, the draft puts emphasis on personal data protection albeit lacking some details. The draft imposes obligations on banks to implement personal data protection principles as set out in laws and regulations. This is a brand-new provision that is not available under the current regulation.
Banks are required to have grounds to process customers’ personal data. The draft suggests that the preferred ground for banks is by obtaining informed consent that is explicitly provided by customers for specific purposes to banks.
However, one would consider that the crucial part of personal data protection is when banks cooperate with their partners in delivering digital services to customers, as the data will be shared with the partners. The draft attempts to address the issue by incorporating specific provisions on personal data protection in the mandatory cooperation agreement between the bank and its partner. In that agreement, the bank and its partner must only use the customers’ personal data in compliance with laws and regulations. There must also be specific provisions as to who will bear the responsibility for the security of the customers’ personal data.
