Banks are required to maintain the confidentiality of all customer data and personal information, including names, addresses, dates of birth, phone numbers, and other identification data, whether individual or corporate. This obligation aligns with Article 40 (1) of Law No. 10 of 1998 concerning Banking, reinforced by OJK Circular Letter No. 14/SEOJK.07/2014 on Confidentiality and Security of Consumer Personal Data, and Article 2 of Bank Indonesia Regulation No. 2/19/PBI/2000 of 2000 concerning Requirements and Procedures for Granting Written Orders or Permits to Disclose Bank Secrets. Customer data may not be disclosed to third parties without written consent, except as required by applicable law.

Common Types of Violations

  • Disclosure of customer data without consent (by employees or systems).
  • Data leaks due to cyber-attacks (cyber breaches) without adequate mitigation.
  • Offering third-party products without customer consent (e.g., insurance or loans).

Losses When Customer Data Leaks

Data leaks can result in various types of harm, including:

  • Financial Losses: identity theft, account breaches, or fraudulent financial transactions.
  • Psychological Losses: stress, anxiety, loss of sense of security.
  • Reputational Damage: dissemination of sensitive information that tarnishes an individual’s or corporation’s reputation.

Sanctions for Banks That Leak Customer Data

If a bank violates its obligation to maintain customer confidentiality, it may be subject to administrative, civil, and/or criminal sanctions:

1. Administrative Sanctions (OJK)

OJK has the authority to impose administrative sanctions on banks found negligent in protecting customer data, as regulated under:

  • Article 3 of OJK Regulation No. 22 of 2023 on Consumer and Community Protection in the Financial Services Sector

Article 3 Highlights:

  • Financial Service Providers (PUJK) must apply consumer protection principles in conducting their business activities.
  • Consumer protection in the financial services sector includes:
    1. adequate education;
    2. transparency and openness of product and/or service information;
    3. fair treatment and responsible business conduct;
    4. protection of consumer assets, privacy, and data;
    5. effective and efficient complaint handling and dispute resolution;
    6. enforcement of compliance; and
    7. healthy competition.
  • PUJK that violates paragraph (1) may be subject to administrative sanctions, including:
    1. written warnings;
    2. restrictions on products and/or services and/or business activities, partially or wholly;
    3. suspension of products and/or services and/or business activities, partially or wholly;
    4. dismissal of management;
    5. administrative fines;
    6. revocation of product and/or service licenses; and/or
    7. revocation of business licenses.
  • Sanctions under paragraph (3) b–g may be imposed with or without a prior written warning under paragraph (3) a.
  • Administrative fines under paragraph (3) e may be imposed up to IDR 15,000,000,000 (fifteen billion rupiah).

2. Civil Sanctions

Customers have the right to file civil lawsuits based on unlawful acts under Article 1365 of the Indonesian Civil Code (KUHPerdata), which states:

“Every act that violates the law and causes harm to another person obliges the person who, due to their fault, caused the loss, to compensate for such loss.”

Customers may claim compensation for:

  • Financial damages.
  • Reputation recovery if defamation occurs.
  • Court orders compelling the bank to improve its data security systems.

3. Criminal Sanctions

If the data disclosure contains criminal elements, the responsible parties (including bank personnel) may be prosecuted under the Banking Law and/or the Personal Data Protection Law. Penalties include up to 5 years’ imprisonment and/or a fine of IDR 5 billion, in accordance with Article 67 (1), (2) of Law No. 27 of 2022 on Personal Data Protection.

Article 67:

  • Any person who intentionally and unlawfully obtains or collects personal data that does not belong to them with the intent to benefit themselves or others, causing harm to the data subject as referred to in Article 65 (1), shall be punished with imprisonment of up to 5 (five) years and/or a fine of up to IDR 5,000,000,000 (five billion rupiah).
  • Any person who intentionally and unlawfully discloses personal data that does not belong to them as referred to in Article 65 (2), shall be punished with imprisonment of up to 4 (four) years and/or a fine of up to IDR 4,000,000,000 (four billion rupiah).

Legal Remedies for Customers Whose Privacy Is Violated

  • Submit a Complaint to OJK: customers may file an official complaint with OJK for facilitated resolution.
  • File a Civil Lawsuit: if suffering financial, psychological, or reputational harm, customers can sue under Article 1365 of the Civil Code for damages and restoration of rights.
  • Report to the Police: if there are criminal elements, customers may report the case to law enforcement for investigation and prosecution.

Legal Basis:

  • Indonesian Civil Code (KUHPerdata)
  • Law No. 27 of 2022 on Personal Data Protection
  • OJK Circular Letter No. 14/SEOJK.07/2014 on Confidentiality and Security of Consumer Personal Data
  • OJK Regulation No. 22 of 2023 on Consumer and Community Protection in the Financial Services Sector
  • Law No. 10 of 1998 on Banking

Writer:

  • Muhammad Arief Ramadhan, S.H.
  • Dina Normanza Sibagariang

Editor:

  • Parwira Agusfia, S.H., M.H.
