The Double-Edged Sword of Digital Bank

The digital banking industry in Indonesia is experiencing explosive growth, fueled by widespread technology adoption across the country. According to a report by Bank Indonesia, the value of digital banking transactions in 2023 reached Rp58,478.24 trillion, marking a 13.48 percent growth compared to the previous year. 

Bank Indonesia Governor Perry Warjiyo, as reported by Bisnis.com, predicted that the growth of digital banking transactions will surge to Rp71,584 trillion, or 23.2 percent, in 2024.

Digital banking is a service that allows customers to conduct transactions using gadgets or other digital devices, without the need for a physical bank office. Digital banks in Indonesia emerged in 2014 when the Financial Services Authority (OJK) enacted Regulation Number 19 of 2014 concerning Office-less Financial Services in the Framework of Inclusive Finance.

Bank Jenius became the first digital bank established in 2016 following the ratification of this regulation. It was soon followed by other digital banks such as Bank Jago, Blu by BCA, TMRW by UOB Indonesia, Line Bank, PermataME, Sea Bank, Aladin Bank, Livin by Mandiri, and DigiBank.

Digital banks offer several advantages, including inclusive financial services, 24-hour availability, and reaching a broader range of consumers. This increased accessibility also boosts viability among other banks.

Customers also benefit from various features in digital bank applications, such as the ability to separate accounts for daily needs and savings, low administrative fees, and the convenience of contactless transactions.

It’s not surprising that digital banking has attracted many customers. According to Kontan, Jenius Bank had 5.2 million users in 2023. Blu BCA had around 1.7 million customers, and Bank Jago recorded 10.2 million users in the same year, as reported by Antara.

However, in a study titled “Personal Data Protection Law in Digital Banking Governance in Indonesia,” published in the Studia Iuridica Lublinensia Journal, Wardah Yuspin, S.H., M.Kn., Ph.D., an Islamic banking observer and lecturer at the Faculty of Law, Universitas Muhammadiyah Surakarta (UMS), highlighted that the digital banking industry is skating on thin ice regarding personal data protection.

“Because all customer data is submitted online, it is vulnerable to misuse,” she said in a virtual interview on Tuesday (07/18/2024).

One example involves a customer with the initials AW, who fell victim to a break-in that resulted in losses exceeding Rp50 million. The incident began on September 7, 2020, when AW received a call from a scammer pretending to be from the contact center of a digital bank. The fraudster claimed there would be a system update and that ATM cards needed to be replaced. Trusting the caller, AW provided details of her personal data.

Another case involves the break-in of WC's digital account, resulting in a loss of approximately Rp21.9 million and a time deposit of Rp220 million. The incident began on July 10, 2021, when WC received a call from a WhatsApp number. The caller, mirroring tactics from a previous case, claimed there would be tariff adjustments and instructed WC to fill in their details on a fake website. Trusting the caller, WC complied. When WC later attempted to withdraw the savings, WC discovered the fraudsters had already raided their account.

Our discussion deepened when Wardah mentioned minimal public awareness of protecting personal data. The simplest example, she noted, is the casual sharing of cellphone numbers.

“For example, when someone asks for someone's cellphone number or WhatsApp contact, they should first ask permission from the number owner,” she explained. 

Indonesia has passed Law Number 27 of 2022 concerning Personal Data Protection. However, implementing the PDP Law has not been accompanied by the establishment of a personal data supervisory institution. “If the institution has not been formed, who will oversee customer personal data?” Wardah said skeptically.

Article 59 of the Personal Data Protection Law outlines the responsibilities of the supervisory institution, which include formulating and determining personal data protection policies and strategies, controlling and processing personal data, and supervising the implementation of personal data protection. Additionally, the institution is tasked with enforcing administrative law in cases of violations of the Personal Data Protection Law and facilitating out-of-court dispute resolution.

The establishment of a personal data supervisory institution has been on the agenda of the Ministry of Communication and Information Technology (Kominfo), as mandated by the Personal Data Protection Law. However, according to the plan, the institution will now be formed in the third quarter of 2024, a delay from the initial plan of the second quarter of 2024, as reported by Antara on Friday (28/6/2024).

Wardah stated that Kominfo has been monitoring personal data. According to her, this does not align with Kominfo’s primary responsibilities. Moreover, Kominfo is also dealing with other pressing issues, such as online gambling, that need immediate attention. In her view, establishing and legalizing a dedicated personal data supervisory institution is urgent and must be expedited.

"As we know, the numerous tasks and responsibilities of Kominfo have made it difficult for them to focus on personal data protection," said the researcher from the UMS Islamic Economic Law Research Center.

In line with the government’s guidelines, the Financial Services Authority of the Republic of Indonesia (OJK) has implemented several regulations for digital banks. For instance, Article 24 of Regulation Number 12/POJK.03/2021 on Commercial Banks mandates that digital banks must ensure the security of customer data.

OJK also released other regulations, such as Regulation Number 13/POJK.03/2021 concerning the Implementation of Commercial Bank Products, and Regulation Number 14/POJK.03/2021 concerning Amendments to Regulation Number 34/POJK.03/2018 on Reassessment for the Main Parties of Financial Services Institutions.

The OJK regulations benefit the growth of the country’s digital banking industry by allowing digital banks to create efficient, professional, and user-friendly solutions.

However, Wardah sees weaknesses in this regulation for digital banking customers in Indonesia. There are three weaknesses. Firstly, OJK regulations have limited binding force, as evidenced by the fact that they have not been widely adopted by digital banks in Indonesia.

However, during her research, Wardah identified two challenges related to the OJK Regulation for digital banking customers in Indonesia. The first challenge was that the OJK Regulation at that time did not specifically address protecting customers’ personal data. This issue was later addressed in the updated PDP Law of 2022.

Secondly, Wardah’s analysis revealed that the regulation on the protection of customers’ personal data in the OJK Regulation did not fully address compensation for customers' losses.

“The compensation rules must consider who is at fault. If the bank fails to safeguard personal data, and this can be proven, then the bank should be held responsible. However, if the fault doesn't lie with the bank, they cannot be held accountable,” she added.

Seeing this, Wardah encouraged the public to understand the importance of protecting their personal data. She advised against sharing personal information such as cellphone numbers, home addresses, and photos of their homes on social media. Additionally, she urged the government to strictly enforce personal data protection regulations.

“To build a robust digital banking system in Indonesia, strict legal rules on data protection are essential. Data protection is fundamental to the operations of digital banks, so it is crucial and should be regulated by a separate law,” she said.

Despite the slow progress in raising awareness about protecting personal data, the Indonesian government’s introduction of the Personal Data Protection Law demonstrates its commitment to ensuring the security of its citizens’ data.

In the research, Wardah noted that Indonesia’s efforts to protect its citizens’ personal data align with policies adopted by other countries. The research, indexed by Scopus Q2, includes several examples of nations that have strengthened personal data protection, such as the European Union, with its General Data Protection Regulation (GDPR) passed in 2018.

The primary function of the GDPR is to give consumers control over their personal data collected by companies. This includes basic information like name, address, and ID number; web data such as location, IP address, cookies, and Radio Frequency Identification (RFID); health and genetic data; biometric data; ethnic and racial data; political opinions; and sexual orientation.

“In the European Union, the protection of personal data is multi-tiered. Each country has its own supervisory body, and there is also a supervisory body at the European Union level,” explained the Doctor of Islamic Banking Law at the University of Leeds.

In Asia, Hong Kong was the first to comprehensively regulate its citizens’ personal data privacy. Since 1995, Hong Kong has enforced the Personal Data Privacy Ordinance (PDPO), which underwent significant amendments in 2012. The Privacy Commissioner for Personal Data (PCPD) oversees the regulations.

The principles of protecting the right to privacy of personal data in Hong Kong include limiting the purpose of data collection, using and disclosing personal data in accordance with the purpose and consent of the owner, ensuring the accuracy of personal data, limiting the duration of personal data storage by third parties, and requiring personal data managers to protect against unauthorized access.

Malaysia has the Personal Data Protection Act Number 709 of 2010 (PDPA Malaysia). This regulation prohibits the transfer of personal data outside Malaysia unless permission is granted by the Malaysian Minister of Communications. Additionally, countries receiving the data must ensure personal data protection that is equivalent to that provided by the PDPA.

Efforts to protect personal data remain a significant task that the Indonesian Government must address. In addition to establishing a personal data supervisory institution, Wardah advocates for increased public education on the importance of securing personal data.

“In the past, oil was the most important commodity, now, personal data has become the most valuable commodity,” she said. “Whoever owns the data is the master.”

Writer: Gede Arga Adrian

Editor: Al Habiib Josy Asheva

Designer: Salsabila Kamila Wardah

Translator: Farizal Luqman Majid