Indonesian Fintech Business Update: Data Exchange Cooperation under Indonesian Financial Services Authority (OJK) Regulation No. 10/POJK.05/2022 on Information Technology-Based Co-Funding Services
To accommodate the development of information technology, which is now widely used to develop the financial industry by providing access to funding for the public and business actors through an information technology-based funding service, the Indonesian Financial Services Authority (Otoritas Jasa Keuangan – “OJK”) issued OJK Regulation No. 77/POJK/01/2016 on Technology-Based Fund-Lending Services (“POJK 77/2016”). More recently, OJK issued OJK Regulation No. 10/POJK.05/2022 on Information Technology-Based Co-Funding Services (“POJK 10/2022”) which amended and revoked POJK 77/2016 with the aim of dealing with the development and legal needs of Peer-to-Peer (“P2P”) lending services within Indonesia.
Electronic System of LPBBTI Operation
POJK 10/2022 defines Information Technology-Based Co-Funding (Layanan Pendanaan Bersama Berbasis Teknologi Informasi – “LPBBTI”) (previously known as P2P) as the provision of financial services to bring together lenders and recipients of funds in conducting conventional or sharia-based funding directly through an electronic system using the internet. The business activities of the LPBBTI operator are related to information technology in every aspect, including information technology infrastructure, information technology business processes, information technology audits, information technology system design, and others.
POJK 10/2022 requires LPBBTI operators to use electronic systems that they own, control, and manage in carrying out their business activities.1 This means that they must have the ability to develop, modify, and delete their electronic systems and, consequently, must be registered as Electronic System Providers (“ESP”) pursuant to Minister of Communications and Informatics (“MoCI”) Regulation No. 5 of 2020 as amended by MoCI Regulation No. 10 of 2021 on Private-Scope Electronic System Providers.
As stated in POJK 10/2022, each LPBBTI operator is prohibited from having more than 1 (one) electronic system for each type of device operation and 1 (one) website address in conducting its business activities.2 In addition to this, POJK 10/2022 also prohibits LPBBTI operators from outsourcing to third parties work that carries out the function of assessment of funding feasibility and information technology.3
Data Exchange Cooperation
POJK 10/2022 provides that LPBBTI operators can cooperate in exchanging data to improve the quality of LPBBTI, which cooperation must be reported to the OJK.4 POJK 10/2022 defines “data exchange cooperation” as cooperation between LPBBTI and information technology-based support service providers (for example credit information management institutions, alternative providers of telecommunication-based credit scoring or e-commerce providers) in the context of exchanging data.5 Such data exchange includes the exchange of personal data and transaction data.
POJK 10/2022 requires LPBBTI operators to include data exchange in a data confidentiality agreement which contains at least6: (a) the parties, (b) data type, (c) use and disclosure of data, (d) rights and obligations of the parties and (e) period of use and data storage. Although POJK 10/2022 prohibits LPBBTI operators from outsourcing funding assessment and information technology to third parties, it still allows data exchange with other parties such as alternative credit scoring and e-commerce providers. Under this arrangement, the LPBBTI operator itself carries out the funding assessment function with the help of data exchanged with alternative credit scoring companies. A failure by an LPBBTI operator to comply with such provisions will attract administrative sanctions, such as warnings in writing, limitations of business activities, and/or revocation of permits. Those sanctions may also be accompanied by the blocking of the provider’s electronic system.
Personal Data Protection in Data Exchange Cooperation
LPBBTI operators must carry out data exchange cooperation in accordance with the provisions of laws and regulations regarding personal data. To date, there is still no regulation that specifically regulates personal data protection in Indonesia. However, provisions regarding personal data protection in Indonesia are spread across various laws and regulations, including but not limited to: (a) Government Regulation No. 71 of 2019 on the Operation of Electronic Systems and Transactions (“GR 71/2019”), (b) MoCI Regulation No. 20 of 2016 on the Protection of Personal Data in Electronic Systems (“MoCI Reg. 20/2016”) and (c) POJK 10/2022.
According to GR 71/2019, “Personal Data” means any data on a person that individually or in combination with other information either directly or indirectly through an electronic system or non-electronic system identifies or can identify that person. Data protection by ESP is regulated under MoCI Reg. 20/2016 where such protection includes the ESP’s obligation to safeguard, maintain and secure personal data that has been obtained, collected, processed, analyzed, stored, displayed, published or exchanged, and the deletion of personal data. Any information related to a person’s personal data through an electronic system must only be used with consent from the person concerned. Thus, providers must implement the principle of good personal data protection, which mainly comprises obtaining consent or agreement from the Personal Data owner before utilizing it for various purposes.
Following the aforesaid provision, consent is needed to exchange personal data. It is also mentioned in MoCI Reg 20/2016 that transfer of Personal Data in Electronic Systems can only be carried out: (a) upon approval, unless otherwise specified by the laws and regulations and (b) after the accuracy and conformity with the acquisition and collection of the personal data have been verified. Personal data stored in electronic systems must be verified personal data and must be stored in the form of encrypted data. Furthermore, POJK 10/2022 provides that:
- the LPBBTI operator must store personal data in the electronic system for a minimum of 5 (five) years after the expiration of the business relationship; and
- the LPBBTI operator is obliged to maintain the confidentiality, integrity, and availability of the personal data, transaction data, and financial data it manages from the time the data is obtained until the data is destroyed. The LPBBTI operator must also guarantee that the obtaining, use, utilization and disclosure of personal data, transaction data, and financial data obtained by it is based on approval of the owner of the personal data, transaction data, and financial data, unless otherwise stipulated by the provisions of laws and regulations.7
When LPBBTI data exchange cooperation takes place, the LPBBTI operators must secure the electronic system: they must have and carry out procedures and facilities that protect it against interference, failure, and loss, by providing a security system that includes procedures, prevention systems, and countermeasures against threats and attacks that would cause such disruptions. To further increase the protection of personal data, POJK 10/2022 also provides that an LPBBTI operator who obtains, uses, utilizes or discloses personal data without consent will be subject to administrative sanctions, namely warnings in writing, fines, limitation of business activities and/or revocation of permits.8 This may also be followed by the blocking of the provider’s electronic system.
Conclusion
Although POJK 10/2022 prohibits LPBBTI operators from outsourcing funding assessment and information technology to third parties, POJK 10/2022 still allows data exchange with other parties such as alternative credit scoring and e-commerce providers. In conducting the data exchange cooperation between LPBBTI operators and information technology-based support service providers (for example credit information management institutions, alternative providers of telecommunication-based credit scoring or e-commerce providers), LPBBTI operators must comply with the provisions of laws and regulations regarding personal data protection.
Footnotes
1. Article 42 (1) (2) POJK 10/2022.
2. Article 42 (4) POJK 10/2022.
3. Article 19 (3) POJK 10/2022.
4. Article 40 (1) (5) POJK 10/2022.
5. Elucidation of Article 40 (1) POJK 10/2022.
6. Article 40 (4) POJK 10/2022.
7. Article 44 (1) c POJK 10/2022.
8. Article 49 (1) POJK 10/2022.