Digital Services by Commercial Banks

As public demand for digital-based banking services in Indonesia grows rapidly the past few years, banks are encouraged to continue developing and innovating in this area. In response to the need to develop services in the areas of risk management, consumer data security, and consumer protection, the Financial Services Authority/Otoritas Jasa Keuangan (“OJK”) issues a new regulation on Digital Services by Commercial Banks (“POJK 21/2023”) in December 2023. This regulation has been in effect since 22 December 2023 and it revokes the previous regulation on digital banking service by commercial bank (i.e. OJK Regulation No. 12/POJK.03/2018 (“POJK 12/2018”)), which was the first regulation on digital-based banking service issued by OJK.

The new regulation introduces several new aspects of the implementation of digital services, among others:

1. Digital Services Scope and Terms
   
   POJK 21/2023 defines digital services as banking services provided by the bank using information technology (“IT”) via electronic media to provide customers and/or prospective customers with access to the bank’s products and/or services from the bank’s partners that can be performed independently by customers and/or potential customers.
   
   These digital services are supplied by the bank or its partners under a cooperation agreement. The bank partner can be a financial or non-financial services institution, and the bank is required to ensure that the bank partner is an IT-based financial service provider licensed by the OJK or another authorized authority in accordance with statutory regulations.
   
   
2. While the previous regulation (i.e. POJK 12/2018) expressly prohibits banks to become a marketplace in providing transactional services with the bank’s partners through its application and/or website, the new regulation does not contain this prohibition. Implementation of Digital Services
   
   When conducting business relationships with customers or potential customers via digital services, the bank must identify them and verify the accuracy and suitability of the data, information, and documents provided by the customer and those listed on the customer’s profile. Furthermore, the bank is obligated to use at least two authentication factors, including the “something you are” authentication factor as part of the authentication procedure. The bank can work with third parties to carry out verification via electronic face-to-face meeting mechanisms or electronic non-face-to-face mechanisms.
   
   
3. Cooperation in Digital Services
   
   In providing digital services, the bank is required to have policies and procedures for determining bank partners as well as conduct written cooperation agreements with bank partners using Bahasa Indonesia.
   
   If cooperation is agreed upon, the bank may grant the bank partner access to customer and/or prospective customer data and information via a system or application, subject to approval and in the interests of customers and/or prospective customers, while adhering to the provisions of personal data protection laws and regulations. Furthermore, POJK 21/2023 states that banks are prohibited from guaranteeing or co-guaranteeing the risks originating from bank partners’ products and/or services while delivering its digital services
   
   
4. Customer Protection and Personal Data Protection
   
   The bank that provides digital services must follow consumer protection principles as outlined in the laws and regulations on consumer and public protection in the financial services industry. In accordance with this regulation, the installation of digital services requires the presence of functions and handling mechanisms capable of responding to questions and/or following up on consumer complaints 24 hours a day. Furthermore, the bank must explain to customers why bank partners use the bank’s logo and/or attributes, as well as educate clients on how to adopt proper authentication measures.
   
   In terms of personal data protection, the bank is expected to comply with personal data protection principles while processing personal data in accordance with applicable laws and regulations. The bank is required to acquire consent from customers and/or prospective customers for particular purposes before processing personal data, which is carried out in accordance with the rules of personal data protection laws and regulations. Finally, the bank must provide capabilities that allow clients to manage bank partners’ access to customer data and information independently.

With the enactment of POJK 21/2023 on 22 December 2023, the banks that already provided digital services prior the enactment of the regulation must adjust their policies, standards, and procedures no later than three months after the enactment date, while the adjustment to their IT infrastructure must be completed no later than one year after the enactment date.