Data Protection & Banking Confidentiality in Indonesia: Implications of POJK 44/2024 for the Banking Industry and Affiliated Parties

By Setyawati Fitrianggraeni and Agnes Wulandari*

Personal data protection and banking confidentiality are crucial aspects in the banking industry. The Financial Services Authority Regulation (POJK) Number 44 of 2024 concerning Banking Confidentiality (“POJK 44/2024”) is expected to increase public trust and ensure banking data security, especially in facing the challenges of digitalization and data protection. The Financial Services Authority (OJK) continues to strengthen related regulations by issuing POJK 44/2024, which regulates aspects of banking confidentiality and exceptions to its disclosure. POJK 44/2024 was issued as a follow-up to the mandate of Article 40A paragraph (2) of Law Number 7 of 1992 concerning Banking, as amended several times, most recently by Law Number 4 of 2023 concerning Financial Sector Development and Strengthening (UU PPSK).

Key Points in POJK 44/2024

Below are several important points regulated in POJK 44/2024 regarding personal data protection and banking confidentiality, including:

1. Definition and Scope of Banking Confidentiality, including clarification that debtor customers or facility recipient customers are not included in Banking Confidentiality, but their confidentiality is still maintained in accordance with applicable laws and regulations, including laws on personal data protection and OJK regulations on consumer and financial sector community protection [1];
2. Obligations of Banks and Affiliated Parties to keep confidential information regarding Depositing Customers and their Deposits and/or Investor Customers and their Investments [2];
3. Matters exempted from Banking Confidentiality [3];
4. Banks’ obligation to have internal procedures regarding the disclosure of Banking Confidentiality and the requirement for Banks to document all requests and provisions for disclosure of Banking Confidentiality information [4];
5. Mechanisms for disclosing Banking Confidentiality for exceptions that require permission or coordination with OJK [5] and those that do not require permission from OJK [6];
6. Limitations on the purpose of information exchange between Banks, the obligation of Banks receiving information to keep the received information confidential, and the prohibition of information exchange conducted for marketing purposes [7]

Matters Exempted from Banking Confidentiality

T he confidentiality obligations as regulated in POJK 44/2024 do not apply to the following matters or conditions

1. Judicial interests in civil cases between Banks and Customers, Customers with Customers, and related to Customers [8].
2. Judicial interests in criminal cases [9]:
3. Requests from curators appointed based on commercial court decisions regarding bankruptcy or requests from liquidators appointed based on court determinations in the context of asset settlement [10];
4. Requests, approvals, or authorization from Depositing Customers and/or Investor Customers made in writing [11];
5. Requests from legal heirs of Depositing Customers and/or Investor Customers who have passed away  [12];
6. Information exchange between Banks  [13];
7. Fulfilling mutual assistance in criminal matters [14];
8. Requests for financial information for taxation purposes based on the provisions of laws and regulations and their implementing regulations [15];
9. Interests of other institutions for the purpose of state administration at the central level and public interest in accordance with duties and authorities in the law [16]
10. Interests of carrying out tasks in the monetary, macroprudential, and payment system fields by Bank Indonesia [17];
11. Interests of carrying out tasks in the field of deposit insurance and resolution by the Deposit Insurance Corporation;[18].
12. Implementation of inter-country authority agreements that have been signed reciprocally; and
13. Settlement of receivables that have been submitted to the State Receivables Affairs Committee[19].

Application of Personal Data Protection Principles

Obligations related to Bank Confidentiality and Affiliated Parties must also be considered through the application of basic principles of personal data processing. These principles include information security, transparency, and efforts to prevent potential misuse of customer data

In addition to POJK 44/2024 and Law Number 27 of 2023 concerning Personal Data Protection, there are also other policies and legal products that support personal data protection practices in the banking sector, including: (i) OJK Regulation Number 22 of 2023 concerning Consumer and Community Protection in the Financial Services Sector, which requires financial service businesses to maintain the confidentiality and security of consumer data; (ii) OJK Regulation Number 11/POJK.03/2022 of 2022 concerning Information Technology Implementation by Commercial Banks; and (iii) OJK Circular Letter Number 24/SEOJK.03/2023 concerning Assessment of the Digital Maturity Level of Commercial Banks. These regulations require banks to implement risk management in the use of information technology to protect customer data. With these regulations, it is expected that protection of personal data and banking confidentiality will be strengthened, so that customer trust in the national banking system can be maintained.

Sanctions

The sanctions imposed by POJK 44/2024 related to violations of Banking Confidentiality provisions are Administrative Sanctions. Administrative Sanctions include written warnings, downgrading of governance factor assessments in bank soundness level assessments, and prohibition as a primary party in accordance with the Financial Services Authority Regulations regarding reassessment for primary parties of financial service institutions. For Affiliated Parties, there are prohibitions on providing services to banks and submitting proposals to the authorized agencies to revoke or cancel business licenses as service providers for Banks. In addition to the sanctions mentioned above, there are also administrative sanctions in the form of fines.

Footnotes :

[1] Penjelasan Pasal 2 POJK 44/2024

[2] Pasal 2 POJK 44/2024

[3] Pasal 3 POJK 44/2024

[4] Pasal 4 POJK 44/2024

[5] Pasal 10 POJK 44/2024

[6] Pasal 18 POJK 44/2024

[7] Pasal 23 ayat (2) POJK 44/2024

[8] Pasal 19 POJK 44/2024

[9] Pasal 7 POJK 44/2024

[10] Pasal 20 POJK 44/2024

[11] Pasal 21 POJK 44/2024

[12] Pasal 22 POJK 44/2024

[13] Pasal 23 POJK 44/2024

[14] Pasal 8 POJK 44/2024

[15] Pasal 13 POJK 44/2024

[16] Pasal 24 POJK 44/2024

[17] Pasal 25 POJK 44/2024

[18] Pasal 15 POJK 44/2024

[19] Pasal 9 POJK 44/2024

DISCLAIMER :

This disclaimer applies to the publication of articles by Anggraeni and Partners. By accessing or reading any articles published by Anggraeni and Partners, you acknowledge and agree to the terms of this disclaimer:

During the preparation of this work, the author(s) may use AI-assisted technologies for readability. After using this tool/service, the author(s) reviewed and edited the content as needed for the purposes of the publication.

No Legal Advice: The articles published by Anggraeni and Partners are for informational purposes only and do not constitute legal advice. The information provided in the articles is not intended to create an attorney-client relationship between Anggraeni and Partners and the reader. The articles should not be relied upon as a substitute for seeking professional legal advice. For specific legal advice tailored to your individual circumstances, please consult a qualified attorney.

Accuracy and Completeness: Anggraeni and Partners strive to ensure the accuracy and completeness of the information presented in the articles. However, we do not warrant or guarantee the accuracy, currency, or completeness of the information. Laws and legal interpretations may vary, and the information in the articles may not be applicable to your jurisdiction or specific situation. Therefore, Anggraeni and Partners disclaim any liability for any errors or omissions in the articles.

No Endorsement: Any references or mentions of third-party organizations, products, services, or websites in the articles are for informational purposes only and do not constitute an endorsement or recommendation by Anggraeni and Partners. We do not assume responsibility for the accuracy, quality, or reliability of any third-party information or services mentioned in the articles.

No Liability: Anggraeni and Partners, its partners, attorneys, employees, or affiliates shall not be liable for any direct, indirect, incidental, consequential, or special damages arising out of or in connection with the use of the articles or reliance on any information contained therein. This includes but is not limited to, loss of data, loss of profits, or damages resulting from the use or inability to use the articles.

No Attorney-Client Relationship: Reading or accessing the articles does not establish an attorney-client relationship between Anggraeni and Partners and the reader. The information provided in the articles is general in nature and may not be applicable to your specific legal situation. Any communication with Anggraeni and Partners through the articles or any contact form on the website does not create an attorney-client relationship or establish confidentiality.

By accessing or reading the articles, you acknowledge that you have read, understood, and agreed to this disclaimer. If you do not agree with any part of this disclaimer, please refrain from accessing or reading the articles published by Anggraeni and Partners.

For further information, please contact:

WWW.AP-LAWSOLUTION.COM

P: 6221. 7278 7678, 72795001

H: +62 811 8800 427

Anggraeni and Partners, an Indonesian law practice with a worldwide vision, provides comprehensive legal solutions using forward-thinking strategies. We help clients manage legal risk and resolve disputes on admiralty and maritime law, complicated energy and commercial issues, arbitration and litigation, tortious claims handling, and cyber tech law.

S.F. Anggraeni

Managing Partner

[email protected]

Agnes Wulandari

Senior Associate

[email protected]