Debt Collection in the Financial Services Sector: Regulatory Compliance and Personal Data Protection Risks in Indonesia
Debt collection in Indonesia is legally permitted, but subject to strict regulatory controls. A creditor’s right to pursue repayment arises from contractual default under the Indonesian Civil Code. In practice, however, collection activities in the financial services sector must comply with OJK Regulation Number 22 of 2023 on Consumer and Public Protection in the Financial Services Sector (“OJK Reg 22/2023”), which regulates the manner, timing, and conduct of debt collection, including limitations on the use of third-party collectors and prohibitions against intimidation, harassment, or improper disclosure of debtor information. For regulated financial institutions, these requirements are frequently tested through consumer complaints and supervisory audits, so maintaining a clear audit trail and training front-line staff and collectors are critical.
The regulatory landscape has further evolved with the enactment of Law Number 27 of 2022 on Personal Data Protection (“PDP Law”). Under the PDP Law, debt collection activities constitute personal data processing and must comply with the principles of lawful basis, purpose limitation, and data minimisation. Collection practices involving third-party contact, dissemination of debt information, or reputational pressure carry heightened compliance risks, including administrative sanctions and potential criminal exposure. The PDP Law lens also pushes institutions to tighten privacy notices, access controls, and data-sharing practices with any internal teams or third-party collection vendors.
This article highlights how debt collection should be assessed not only from a contractual and regulatory perspective, but also through the lens of personal data protection obligations applicable to financial institutions and their appointed collectors.
Debt Collection Practice and Regulatory Framework under Indonesian Law
In Indonesia, debt collection within the financial services sector is not merely a commercial activity, but a regulated enforcement process. The primary framework is set out in Articles 60–66 of OJK Reg 22/2023, which governs how and when collection may be conducted once a debtor is in default (wanprestasi).
As a general rule, collection must be preceded by a formal written warning issued in accordance with the underlying contract. The warning must clearly set out the debtor’s outstanding obligations and relevant payment details, reflecting the regulatory expectation that collection be grounded in transparency and verifiable contractual facts.
Financial institutions (Pelaku Usaha Jasa Keuangan – “PUJK”) may undertake collection internally or appoint third-party debt collectors. Any cooperation must be formalized in a written agreement, and the financial institution remains fully accountable for the conduct of its appointed collectors.
OJK Reg 22/2023 also establishes clear conduct boundaries. Collection activities must not involve threats, intimidation, harassment, reputational pressure, or contact with parties other than the debtor. Restrictions on timing, location, and manner of communication further emphasize that collection is permitted only as a controlled and proportionate engagement with the consumer.
In short, Indonesian law permits debt collection, but only within a structured, documented, and accountable regulatory framework.
Debt Collection from the Perspective of the Personal Data Protection Law
Under the PDP Law, debt collection must be understood as an activity that inherently involves personal data processing. Issuing reminders, contacting debtors, recording payment history, disclosing outstanding amounts, and engaging third-party collectors all constitute forms of collection, use, disclosure, and storage of personal data. As a result, debt collection is no longer assessed solely as a contractual enforcement mechanism, but must comply with the substantive and procedural requirements of the PDP Law. This also means treating the debtor as a data subject with enforceable rights, ensuring appropriate information/notice is provided, and applying safeguards proportionate to the sensitivity and volume of the data processed.
- Lawful Basis Requirement (Article 20 of the PDP Law)
Article 20 paragraph (2) of the PDP Law requires that every processing activity be supported by a lawful basis. In the context of debt collection, two bases are generally relevant:
- Performance of a Contract: Article 20 paragraph (2)(b) of the PDP Law permits processing that is necessary for the performance of a contract to which the data subject is a party. This provides the primary justification for proportionate and direct collection efforts against the debtor. Processing under this basis should remain closely connected to administering and enforcing the credit relationship, and should not be stretched to justify broader dissemination of debt information.
- Legitimate Interest: Article 20 paragraph (2)(f) of the PDP Law allows processing based on the legitimate interests of the personal data controller, provided such interests do not override the rights and freedoms of the data subject.
By contrast, reliance on consent under Article 20 paragraph (2)(a) of the PDP Law is difficult to sustain in the debt collection context. Given the imbalance of position between creditor and debtor, and the debtor’s right to withdraw consent at any time, consent does not provide a stable or reliable lawful basis for enforcement activities, and may conflict with the creditor’s need to process personal data to pursue contractual enforcement and legitimate recovery efforts. Accordingly, consent is generally better treated as supplementary (e.g., for optional communication channels) rather than as the primary lawful basis for collection.
- Principles of Lawful and Limited Processing (Articles 16 and 18)
Even where a lawful basis exists, Articles 16 and 18 of the PDP Law impose substantive limitations on how personal data may be processed. In practical terms, these principles require discipline around accuracy, retention, and security, e.g., verifying the debt status and outstanding amount before communications, keeping data only as long as necessary for recovery/dispute handling and mandatory recordkeeping, and restricting access to authorised personnel.
- Article 16 of the PDP Law requires processing Personal Data to be lawful, fair, and transparent.
- Article 18 of the PDP Law mandates purpose limitation and data minimisation.
Accordingly, Personal Data obtained when the credit relationship was established may only be used for purposes consistent with that original objective, namely, administering and enforcing the credit relationship. Processing must be limited to what is strictly necessary.
Practices such as contacting family members or employers, sharing debt information through electronic platforms, repeatedly pressuring the debtor, or threatening reputational consequences are generally inconsistent with the principles of purpose limitation and data minimisation. These actions go beyond the original purpose for which the personal data was collected and may not meet the lawful basis requirement under Article 20 of the PDP Law. This may also contravene the consumer protection conduct standards under OJK Reg 22/2023, increasing the risk of overlapping regulatory and enforcement exposure.
- Controller Responsibility and Outsourcing
The involvement of third-party debt collectors does not diminish obligations under the PDP Law. Financial institutions act as personal data controllers and remain responsible for ensuring that appointed collectors, as data processors, process personal data strictly in accordance with documented instructions and lawful purposes. At a minimum, the outsourcing arrangement should be supported by a written data processing agreement covering confidentiality, permitted purposes, security measures, subcontracting controls, breach notification, and data return/deletion at the end of the engagement.
Failure to implement appropriate contractual safeguards, supervision mechanisms, access controls, and off-boarding procedures may expose the controller to administrative sanctions for non-compliance with its data protection obligations.
Criminal Exposure from Debt Collection Practices under the Personal Data Protection Regime
Debt collection misconduct is no longer viewed solely as a regulatory compliance issue. Criminal liability may arise, in particular, where personal data is misused through electronic communications.
This risk is evidenced by the Central Jakarta District Court Decision No. 597/Pid.Sus/2021/PN Jkt.Pst, where the court convicted a former fintech collection employee who unlawfully retained debtor data and used it to conduct fictitious and threatening debt collection via electronic messaging. The defendant was prosecuted under Article 28 paragraph (1) in conjunction with Article 45 paragraph (2) of Law Number 19 of 2016 on Electronic Information and Transactions (“EIT Law”) (noting that at the time of the conduct, the PDP Law had not yet been enacted) for intentionally transmitting misleading electronic information that caused losses to victims.
Although the case was decided under the EIT Law, its factual pattern is highly relevant under the current data protection framework. The unauthorised possession of customer data after termination of employment, the use of debtor contact information without lawful authority, and threats to disclose Personal Data would today fall squarely within the scope of unlawful personal data processing under the PDP Law. Pursuant to Articles 65 and 67 of the PDP Law, unlawful acquisition or collection of Personal Data for personal benefit that causes loss to the data subject may be punishable by imprisonment of up to 5 (five) years and/or a fine of up to IDR 5,000,000,000, while unlawful disclosure of Personal Data may be punishable by imprisonment of up to 4 (four) years and/or a fine of up to IDR 4,000,000,000.
Importantly, Article 70 of the PDP Law extends criminal liability to corporations. Where such offences are committed by or on behalf of a corporation, sanctions may be imposed not only on responsible management, controlling parties, or beneficial owners, but also on the corporation itself. A corporation may be subject to criminal fines of up to 10 (ten) times the maximum statutory fine, in addition to supplementary penalties such as confiscation of unlawful gains, business suspension (in whole or in part), prohibition from certain activities, closure of business operations, payment of compensation, revocation of licence, or even corporate dissolution.
Under the PDP Law, debt collection activities constitute Personal Data processing and must be supported by a valid lawful basis and limited to legitimate purposes. Disclosure or use of debtor information beyond what is strictly necessary for contractual enforcement may trigger administrative sanctions and, in serious cases, criminal consequences. Separately, under Article 60 of OJK Reg 22/2023, violations of debt collection standards by PUJK may also result in sectoral administrative sanctions, including written warnings, restriction or suspension of products, services, or business activities (in whole or in part), dismissal of management, administrative fines, revocation of product or service licences, and ultimately revocation of the business licence.
For financial institutions, the implication is clear: improper collection methods can generate layered liability, regulatory sanctions, civil claims, and potential criminal prosecution. Debt collection must therefore be assessed not only from a recovery perspective, but through a strict personal data protection and risk management lens. From a practical compliance standpoint, PUJK should implement written SOPs, train staff and vendors, conduct ongoing monitoring, and maintain records showing the lawful basis and proportionality of collection actions.
Disclaimer:
This client update is the property of ARMA Law and is intended to provide general information. It should not be treated as legal advice, nor relied upon by any party in any circumstance. ARMA Law has no intention of providing specific legal advice by way of this client update.