04 Oct 2022
Indonesia’s OJK Moves to Beef Up Consumer Protection in Financial Services Sector

A. Introduction

Against a backdrop of widespread unauthorized disclosure of personal data and dubious business practices that frequently leave consumers of financial services aggrieved or out of pocket, the Indonesian Financial Services Authority (“OJK”) has issued a new regulation to beef up consumer protection in the sector.

The regulation, (No. 6/POJK.07/2022 on Consumer and Public Protection in the Financial Services Sector (“POJK 6”))1 replaces the previous regulation on the issue (the “Previous Regulation”),2 which dated back to 2013 and had been rendered more or less ineffective by the rapid pace of technological change in the sector, including the stellar rise of fintech.

Under POJK 6, a “consumer” is defined as a party that entrusts funds to or utilizes the services of a financial services institution. Thus, the term “consumer” not only encompasses individual consumers but also institutional consumers of financial services.

The overall objective of consumer and public protection under POJK 6 is to heighten awareness and understanding about, and boost legal certainty in respect of, the products and services that are offered to consumers by financial services providers (“Providers”).


B. Key features of POJK 6


  1. Scope

    POJK 6 expands the scope of a Provider to include:

    1. Commercial banks

    2. Rural credit/finance banks

    3. Securities brokers

    4. Investment managers

    5. Pension funds

    6. Insurance companies

    7. Reinsurance companies

    8. Finance companies

    9. Infrastructure finance companies

    10. Venture capital companies

    11. Government pawnshops

    12. Private pawnshops

    13. Guarantee companies

    14. Microfinance institutions*

    15. Indonesian export finance institutions*

    16. Other Financial Services Institutions or parties engaged in fund accrual, distribution, or fund management in the financial services sector, plus those subject to OJK supervision pursuant to the prevailing law, including providers of IT-based joint funding services, PT Permodalan Nasional Madani (Persero) and crowdfunding providers (collectively, “Other Service providers”)*

      *These were not defined as Providers by the Previous Regulation


  1. Prohibitions

    POJK 6 has widened the restrictions imposed on how a provider conducts its business by imposing a range of prohibitions on Providers, such as:

    1. Pressuring a prospective consumer to purchase a product or service as a result of a cooperation activity with only one Provider

      POJK 6 stipulates that if Provider A engages in collaboration with another Provider to provide referrals, Provider A is now required to offer the consumer a choice of products and/or services from at least two different Providers, subject to a number of limited exceptions.

      For example, if an insurance company has a bancassurance arrangement with Bank X, under which Bank X markets the products of the insurance company, Bank X must also offer the consumer similar insurance products from at least one other insurance company.

    2. Requiring consent to receive offers products and/or services as a pre-condition for availing of a Provider’s products and/or services

      A Provider is prohibited from imposing pre-conditions for the use of the Provider’s products/services that would require or ‘force’ consumers to consent to receiving offers of the Provider’s products and/or services.

      For example, it would be prohibited under POJK 6 for Bank A to impose standard account opening requirements that compel consumers to give their consent to receiving offers of the Bank’s other products, such as credit cards, loans, etc.


A Provider is also prohibited from taking the following actions, unless: (i) the consumer gives consent, or (ii) the action is required by law:passing on a consumer’s personal data to a third party;

  1. requiring a consumer to agree to share personal data as a condition of using a product or service;
  2. continuing to use a consumer’s personal data after they have terminated a product or service agreement;
  3. using the personal data of a prospective consumer after an application to use a product or service has been rejected by a Provider;
  4. continuing to use personal data of a prospective consumer who has withdrawn their application to use a product or service;offering a product or service to a prospective consumer directly via a personal communications device.
  5. This wide-ranging prohibition is reinforced by the prohibition in section 2.b above (Providers prohibited from requiring consumers to consent to receiving marketing offers).


  1. Prohibited Standard Agreement Clauses

    POJK 6 expands the list of clauses in the Previous Regulation that may not be included in standard agreements (standard agreements are pre-drafted agreements that are offered mainly to individual consumers on a take it or leave it basis, and are typically used for retail mortgages, personal loans, life insurance policies, etc.). The new prohibitions in POJK 6 include clauses that:

    1. grant authority to the Provider to limit or restrict the application of particular clauses;

    2. permit the Provider to unilaterally interpret the agreement;

    3. enable the Provider to limit their liability for the errors or negligence of employees and third parties acting on behalf of the Provider;

    4. restrict the right of a consumer to claim against the Provider in the event of a dispute related to the agreement; and/or

    5. restrict the evidence that may be submitted by a consumer in the event of a dispute related to the agreement.

  2. Dedicated Consumer Protection Function & Compliance

    A Provider is required to establish a dedicated unit or function to deal with consumer and public protection within 6 months of the issuance of POJK 6 (i.e., before 18 October 2022). The Board of Directors of the Provider is responsible for compliance with POJK 6, and the Provider must have an appropriate mechanism for compliance reporting to the Board of Directors.

  3. Reporting Obligations and Sanctions

    A Provider is required to self-assess their compliance with the provisions of POJK 6 in an annual report to the OJK, to be submitted by 30 September of each year.

    Failure to submit a report by the deadline will leave the Provider liable to penalties of between Rp 100,000 and Rp 10 million per day of delay in the case of most providers, such as commercial banks, securities brokers, investment managers, pension funds, insurance companies, fintech lenders, etc.

    Failure to comply with the substantive consumer-protection obligations imposed by POJK 6 will result in a Provider being liable to a set of hierarchical administrative sanctions that include written reprimands, freezing of operations, revocation of product licenses, and, ultimately, revocation of business license.

C. ABNR Commentary

As POJK 6 considerably expands the existing list of consumer-protection obligations, Providers may need to adjust their standard procedures and agreements to ensure compliance. For example, a Provider is no longer lawfully permitted to use data belonging to a consumer who has terminated their relationship with the Provider. Should it subsequently wish to enter into a new relationship with a former consumer, POJK 6 suggests that the Provider will need to seek personal data and consent from the former consumer once again. This also applies to information sharing when a consumer terminates their relationship with a Provider, even where the consumer had consented to information sharing while the relationship persisted.


We note that POJK 6 applies to all banks licensed to operate in Indonesia, including branch offices of foreign banks. Even though such branches do not deal directly with Indonesian individuals or expatriates living in Indonesia, they are still subject to POJK 6’s requirements as it broadly defines the term “consumer” to include both individual and institutional consumers. Thus, should a branch office have an Indonesia-specific account-opening agreement or a universal account-opening agreement that is used in Indonesia, it should take steps to ensure that it does not contravene POJK 6.


Recognized as a leading Indonesian law firm for banking & finance across all of the international directories and ranked as a tier 1 firm for fintech by Chambers Fintech Guide 2022, our Banking, Finance & Fintech Practice is ideally placed to help you comply with Indonesia’s financial sector regulatory regime. Should you have any queries on what changes, if any, may be required in your operations and documentation in the wake of POJK 6, please do not hesitate to contact: partner Ms. Yanny Suryaretina (, senior associate Mr. Rully Hidayat (, and associate Ms. Nesya Ashari (


This ABNR News and its contents are intended solely to provide a general overview, for informational purposes, of selected recent developments in Indonesian law. They do not constitute legal advice and should not be relied upon as such. Accordingly, ABNR accepts no liability of any kind in respect of any statement, opinion, view, error, or omission that may be contained in this legal update. In all circumstances, you are strongly advised to consult a licensed Indonesian legal practitioner before taking any action that could adversely affect your rights and obligations under Indonesian law. 

1 Peraturan OJK No. 6/POJK.07/2022 tentang Perlindungan Konsumen dan Masyarakat di Sektor Jasa Keuangan.

2 OJK Regulation No. 1/POJK.07/2013 on Consumer Protection in the Financial Services Sector (Peraturan Otoritas Jasa Keuangan Nomor: 1/POJK.07/2013 tentang Perlindungan Konsumen Sektor Jasa Keuangan)