Bank Indonesia Regulation Number 6 of 2026 Strengthening Consumer Protection through Information Transparency, Stricter Regulation of Standard Agreements, and Personal Data Protection
Introduction
On 24 June 2026, Bank Indonesia enacted Bank Indonesia Regulation Number 6 of 2026 on Bank Indonesia Consumer Protection (“PBI 6/2026”), which took effect on 30 June 2026. PBI 6/2026 was issued in response to the increasing complexity of the financial sector, particularly as a result of the development of the digital economy, product innovation, and transformation in the payment system and money market sectors. These developments have given rise to various new risks for consumers, including information asymmetry, misuse of personal data, non-transparent business practices, and complaint and dispute resolution mechanisms that have yet to operate optimally. These conditions have the potential to reduce public confidence in the financial system, thereby necessitating improvements to a consumer protection framework that is more adaptive, comprehensive, and risk-based.
PBI 6/2026 establishes a more comprehensive consumer protection policy framework, including the strengthening of the rights and obligations of consumers and providers, the regulation of standard agreements together with the prohibition of clauses that are detrimental to consumers, the protection of personal data and information, the enhancement of financial literacy, the implementation of risk management and market conduct standards for providers, complaint handling mechanisms before Bank Indonesia, dispute resolution, and strengthened inter-agency coordination to improve the accountability, transparency, and effectiveness of consumer protection.
With the entry into force of PBI 6/2026, Bank Indonesia Regulation Number 3 of 2023 on Bank Indonesia Consumer Protection (“PBI 3/2023”) is revoked, as it is no longer considered adequate to accommodate developments in the digital financial ecosystem and the increasing exposure of consumers to risk. Through this regulatory reform, Bank Indonesia seeks to strengthen legal certainty, enhance consumer empowerment, promote providers’ compliance with consumer protection principles, and maintain and increase public confidence in the payment system and the financial system as part of its efforts to support the stability of the Rupiah, the stability of the payment system, and the sustainable stability of the financial system.
Comparison
The following table compares PBI 6/2026 and PBI 3/2023:
|
Aspect |
PBI 6/2026 |
PBI 3/2023 |
|
Standard Agreement Compliance Testing |
Providers are specifically required to conduct a “compliance test” (identification of detrimental clauses, readability assessment, and proportionality assessment of rights and obligations) before a Standard Agreement is used, and such agreement must be approved by the Board of Directors. |
Not regulated. |
|
Cross-Border Data Transfer |
Providers must ensure that the recipient country provides a level of data protection equivalent to or higher than that applicable in Indonesia. Where this requirement is not met, there must be either an inter-company binding agreement or the specific consent of the consumer. |
Not regulated. |
|
Market Conduct Provisions |
PBI 6/2026 strengthens providers’ market conduct standards to prevent non-transparent business practices and reduce information asymmetry between providers and consumers. These measures include prohibiting clauses in standard agreements that authorize providers to unilaterally change tariffs, fees, or service terms, requiring providers to prepare product and/or service information summaries that are truthful, accurate, clear, and not misleading, and requiring providers to implement structured consumer education programs covering information on the benefits, costs, and risks of products and/or services, as well as awareness of various fraud schemes and financial crimes. |
Not regulated. |
|
Requirement to Establish a Dedicated Consumer Protection Unit |
PBI 6/2026 requires every provider to establish a dedicated unit or function responsible for consumer protection. Such unit or function must be established no later than 6 (six) months after PBI 6/2026 entered into force, namely 30 June 2026. The consumer protection unit or function is responsible for the comprehensive implementation of consumer protection, including consumer-related risk management, complaint handling, and monitoring compliance with consumer data and information protection requirements within the provider’s organization. |
Not regulated. |
Key Provisions
Transparency Obligations and Consumer Education
Pursuant to Article 23, providers are required to provide consumers with a summary of product and service information in a transparent, honest, accurate, and non-misleading manner. Such information must be presented in Bahasa Indonesia that is easy to understand and must include details regarding fees, benefits, and the risks associated with the service.
In addition, Article 18 requires providers to actively implement structured consumer education programs covering product information as well as awareness of fraud schemes and financial crimes.
Strengthening the Regulation of Standard Agreements
PBI 6/2026 provides stronger protection for consumers against unfair contractual provisions. Pursuant to Article 66, Providers are prohibited from using standard agreements containing clauses that:
· transfer the Provider’s obligations or liabilities to the Consumer;
· grant the Provider the unilateral right to add, amend, or reduce the benefits of a product after it has been agreed upon;
· restrict the Consumer’s right to bring legal action against the Provider in the event of a dispute; or
· disclose Consumer data to third parties without the Consumer’s consent.
In addition, Article 67 requires Providers to conduct a compliance test on standard agreement documents. At a minimum, the compliance test must include:
· identification of clauses that have the potential to disadvantage Consumers;
· assessment of readability and comprehensibility;
· assessment of the proportionality of the allocation of rights, obligations, and responsibilities; and
· assessment of the reasonableness of fees, penalties, and amendments to contractual clauses.
Providers must ensure that every standard agreement that has undergone the compliance test receives approval from the Board of Directors or an equivalent governing body before it is used.
Consumer Data and Privacy Protection
Pursuant to Articles 70 and 71, Providers may collect and use Consumer data only after obtaining the relevant Consumer’s prior written consent. Providers are also required to explain the purpose for which the data is collected, together with the consequences thereof.
Furthermore, Article 79 provides that where a Provider intends to transfer Consumer data overseas, the Provider must ensure that the destination country affords a level of data protection equivalent to or higher than that applicable in Indonesia, or that the transfer is supported by a valid inter-company agreement.
Complaint Handling System and Compensation
Articles 42 and 46 provide that every Provider is required to establish a dedicated unit or function to handle Consumer complaints free of charge. The Consumer Protection unit or function may be combined with another unit or function, among others, where the Provider has limitations in human resources and the scale of its business activities.
Providers are liable for financial losses suffered by Consumers where such losses are proven to result from negligence or system failures attributable to management, employees, or third parties (such as vendors or agents) engaged by the Provider.
Furthermore, Article 47 provides that the burden of proving the existence or absence of such fault rests entirely with the Provider, rather than the Consumer.
Transitional Provisions
Pursuant to Article 124, financial service providers are required to comply with all provisions of this Regulation within a maximum period of 6 (six) months from 30 June 2026.
During this six-month period, Providers must revise or align all existing standard agreements already in circulation to ensure compliance with the new provisions and must establish a dedicated Consumer Protection unit for companies that have not previously established such a unit.
Where these obligations are not fulfilled upon the expiry of the transitional period, Providers will be subject to graduated administrative sanctions, commencing with written warnings, administrative fines, and prohibitions on marketing products, up to the most severe sanctions in the form of the dismissal of directors and the permanent revocation of business licenses.
Closing
PBI 6/2026 strengthens consumer protection within the regulatory authority of Bank Indonesia through a more comprehensive, preventive, and governance-based approach. These reforms not only expand Providers’ obligations to provide transparent information, prepare fair standard agreements, and protect Consumers’ personal data, but also strengthen institutional arrangements through the mandatory establishment of Consumer Protection units or functions, the implementation of market conduct standards, and more accountable complaint handling mechanisms.
For Providers, the implementation of PBI 6/2026 requires comprehensive adjustments to internal policies, operational procedures, and governance arrangements within the prescribed transitional period. Providers should evaluate all existing standard agreements, strengthen personal data protection systems, improve the transparency of product and service information, and ensure organizational readiness to comply with all new obligations in order to mitigate the risk of administrative sanctions.
Related Regulations
Click a regulation to view details.
Log in to comment
Log inWhat is
Veritask is an integrated AI-powered legal platform that helps with regulatory research, document preparation, and compliance management in one dashboard.
Free Subscription
Subscribe to receive a free weekly email with the latest legal analysis.