Strengthening the Personal Data Protection Regime in the Implementation of Information Technology in the Banking Sector

Indonesia’s Financial Services Authority (Otoritas Jasa Keuangan or “OJK”) has reinforced data governance requirements for commercial banks through Regulation of Members of the Board of Commissioners of OJK No. 1 of 2026 (“PADK OJK No. 1/2026”), an implementing regulation of OJK Regulation No. 11/POJK.03/2022 on The Organization of Information Technology by Commercial Banks. The new rules reflect OJK’s expectation that banks manage data more rigorously as digital banking becomes increasingly central to business operations.

At its core, PADK OJK No. 1/2026 requires banks to manage data across its full lifecycle while applying personal data protection principles in line with applicable laws, including Law No. 27 of 2022 on Personal Data Protection. In practical terms, this means banks must maintain clear controls over how data is collected, processed, stored, shared, retained, and ultimately deleted.

For data collection and processing, banks must ensure that personal data is processed on a valid legal basis. In the banking sector, this will often mean customer or prospective customer consent. PADK OJK No. 1/2026 requires that consent be explicit, properly documented, and presented in clear language. Customers must be informed of the purpose of processing, the legal basis relied upon, and their right to withdraw consent. Automatic consent mechanisms, such as pre-ticked boxes, are not permitted.

The regulation also strengthens requirements for data storage and internal management. Banks must establish a comprehensive data management system within their overall information technology architecture and apply security measures that match the sensitivity and criticality of the data involved. This includes data classification, encryption, role-based access control, authentication mechanisms, key management, and a full data lifecycle framework covering creation, use, storage, archiving, retention, and disposal.

Where data is shared with third parties, banks must have adequate policies, standards, and procedures in place. These must cover the types of data that may be shared, consent requirements, request and disclosure processes, transmission methods, and communication security. Data-sharing arrangements must also be supported by a proper agreement setting out the scope and purpose of processing, the categories of personal data involved, the parties’ respective rights and obligations, and the security measures to be implemented.

PADK OJK No. 1/2026 further requires banks to adopt clear retention policies and to delete personal data once the applicable retention period has expired. In addition, a Personal Data Protection Impact Assessment must be conducted where processing activities present a high risk to data subjects, including the use of new technologies, location or behavioural tracking, large-scale monitoring, or the processing of sensitive personal data.

Taken together, these requirements signal a more disciplined approach to data governance in Indonesia’s banking sector, with personal data protection positioned as a key element of compliance, operational resilience, and customer trust.