Simplification and Ease of User Data Verification: The Regulatory Framework for Facial Verification Technology Organizers
0 likes40 views
The document outlines the regulatory framework and benefits of facial verification technology (FVT) in electronic know your customer (e-KYC) processes, emphasizing its role in enhancing security and efficiency for identity verification. It highlights compliance with various legal regulations, including personal data protection, and identifies the steps and requirements for financial institutions to implement FVT. The integration of FVT aims to streamline customer onboarding while minimizing risks of identity theft and fraud, ultimately improving access to financial services, especially for underserved populations.
Simplification and Ease of User Data Verification: The Regulatory Framework for Facial Verification Technology Organizers
- 1. Legal Brief Simplification and Ease of User Data Verification: The Regulatory Framework for Facial Verification Technology Organizers
- 2. A H R P L e g a l B r i e f BACKGROUND Facial Verification Technology and its Relevance to Electronic Know Your Customer Electronic Know Your Customer (“E-KYC”) is a process of identifying and verifying the identity of customers or clients using population data sourced from the Population Administration Agency. In its implementation, E-KYC utilizes facial verification technology to verify the identity of individuals. Legal Basis of Facial Verification Technology Through the utilization of facial verification technology, customers may register with a Financial Institution via application or smartphone without undergoing face-to-face processes. The process ensures compliance with 2 (two) online authentication steps, involving several stages, namely: (i) biometric checking; (ii) OCR; (iii) Face Recognition; and (iv) liveness detection by utilizing user's data that registered in population data Facial Verification Technology a. Settlement of securities transactions; b. Capital raising; c. Investment management; d. Risk management; Law Number 27 of 2022 on Personal Data Protection (“Law 27/2022”) According to OJK Reg. 3/2024, Facial Verification Technology (“FVT”) is classified as one of Financial Sector Technology Innovation (“FSTI”). FSTI refers to technology-based innovations that impact products, activities, services, and business models within the digital financial ecosystem. Minister of Home Affairs Regulation Number 102 of 2019 on Access Rights And Utilization Of Population Data as lastly amended by Minister of Home Affairs Regulation Number 17 of 2023 (“MoHA Reg. 102/2019”) Financial Services Authority Regulation Number 3 of 2024 on Financial Sector Technology Innovation (“OJK Reg. 3/2024”) a. Fundraising and/or fund distribution; b. Market support; c. Activities related to digital financial assets, including crypto assets; and d. Other digital financial services activities. a Art. 1 (3) OJK Reg. 3/2024 a. Governance; b. Risk management; c. Information system security and reliability, including cybersecurity resilience; d. Consumer protection and personal data protection; and e. Compliance with legal regulations. Electronic Know Your Customer Scope of FSTI Principles for FSTI Organizer Facial Verification Technology plays a crucial role in E-KYC processes. It enhances security and efficiency by verifying individuals' identities remotely through biometric data, reducing the risks of identity theft and fraud. This technology streamlines customer onboarding, ensuring compliance with regulatory requirements while offering a seamless and user-friendly experience. List of Digital Financial Innovation Providers From OJK as of June 2021, pg. 9. Digital Financial Innovation registered under E-KYC Cluster E-KYC Providers are categorized as FSTI for other digital financial services activities. Art. 2 (1) OJK Reg. 3/2024 Art. 3 (3) OJK Reg. 3/2024 PT Privy Identitas Digital PT Indonesia Digital Indentity PT Solusi Net Internusa PT Asli Rancangan Indonesia PT Anugrah Pendataan Digital Law Number 4 of 2023 on The Development and Strengthening of the Financial Sector (“Law 4/2023”) Law Number 21 of 2011 on Financial Services Authority (“Law 21/2011”) b c d e f g h a b c d e
- 3. Art. 3 (1) OJK Reg. 3/2024 Art. 3 (2) OJK Reg. 3/2024 The party organizing the FVT consists of: a. Financial Service Institution; and/or b. other parties engaging in activities in the financial sector in accordance with the provisions of laws and regulations. The organizer of FVT shall be in the form of: a. Limited Liability Company or Perseroan Terbatas; or b. other legal entities in accordance with the provisions of laws and regulations. Form of Business Entity Organizing Party a. Family Certificate Number; b. Population Identification Number; c. full name; d. place of birth; e. gender; f. date/month/year of birth; g. blood type; h. religion/belief; i. marital status; j. status in the family; k. physical and/or mental disability; l. education; m. occupation; n. Population Identification Number of biological mother; o. biological mother’s name; p. previous address; q. current address; r. Population Identification Number of biological father; s. biological father’s name FVT Organizer Followed by a consideration of data protection aspect and national security Ministry of Home Affairs of Republic of Indonesia Provides the Right to Access Population Data Art. 2 (1) MoHA Reg. 102/2019 Individual data in the form of quantitative and qualitative data, such as: t. ownership of birth certificate/birth acknowledgement letter; u. ownership of marriage certificate/marriage book; v. marriage certificate number/marriage book number; w. date of marriage; x. ownership of divorce certificate; y. divorce certificate number/divorce letter; z. date of divorce; aa. fingerprint; bb. iris scan; cc. signature; and dd. other personal data elements that are sensitive. Aggregate Population Data a. a collection of data concerning Population Events; b. Important Events; c. gender; d. age groups; e. religion; f. education; and g. occupation Art. 2 (1) (b) MoHA Reg. 102/2019 jo. Elucidation of Art. 58 (3) Law 23/2013 Personal Data Art. 2 (1) (a) MoHA Reg. 102/2019 jo. Art. 58 (2) Law 23/2013 A H R P L e g a l B r i e f INSTITUTIONAL ASPECTS OF FACIAL VERIFICATION TECHNOLOGY ORGANIZER
- 4. Participant Application Financial Services Authority is authorized to require FSTI organizer to request application to be a participant of the Financial Services Authority. Art. 9 (3) OJK Reg. 3/2024 Prospective Participant Other parties engaging in activities within the financial sector Recommendation from the relevant supervisor at the Financial Services Authority is required Submitting application Sandbox application form Testing Plan Supporting Documents Assessment Approval 4 Suitability Criteria Rectification and Re- submission Refusal Art. 9 (2) OJK Reg. 3/2024 Sandbox Participant Sandbox Participant shall conduct trials and development of innovation according to the testing plan submitted to the Financial Services Authority. Sandbox participant shall fulfil the following provisions: a. informing the Financial Services Authority of any changes related to FSTI and participants; b. providing access to all information and/or documents related to the implementation of the Sandbox to the Financial Services Authority; and c. participating in all activities related to the implementation of the Sandbox. Sandbox participant shall submit periodic report and/or whenever necessary on the results of the trial and development of innovation to the Financial Services Authority. Sandbox participant may conduct of the following: a. participate in every coordination and cooperation with authorities, ministries, and other relevant parties related to the implementation of the Sandbox; and b. coordinate and/or collaborate with FSI and/or other relevant parties related to the implementation of the Sandbox under the coordinator of the Financial Services Authority. Trials and Development of Innovation Process The process shall be conducted max. 1 year after obtaining approval (Subject to Financial Services Authority discretion) Sandbox Participant Application Art. 9 (4) OJK Reg. 3/2024 Art. 10 (1) OJK Reg. 3/2024 Art. 13 (1) and (2) OJK Reg. 3/2024 Art. 11 (5) OJK Reg. 3/2024 Art. 11 (3) OJK Reg. 3/2024 Art. 11 (4) OJK Reg. 3/2024 a Sandbox Participant requires to submit a final report with a maximum of 20 (twenty) working days before the end of the Trials and Development of Innovation Process b c 1 2 3 4 a b c 5 6 7 Art. 11 (1) OJK Reg. 3/2024 a b Financial Services Institution A H R P L e g a l B r i e f THE LICENSING PROCEDURE OF FACIAL VERIFICATION TECHOLOGY ORGANIZER (1/2) Note: Please see in Appendix Section (slide 10) for the details of required documents
- 5. Sandbox Participant Sandbox Final Report Final report submission with maximum of 20 working days before Sandbox innovation development elapsed The final report shall at least include the of the following: a. result of the trial and development; b. fulfillment of key performance indicators; c. identification of failed trial and development of innovations and incidents that occurred during the trial and development; d. assessment of participant’s compliance with statutory regulations; and e. participant’s follow-up plan after the end of the trial and development period. Art. 13 (5) OJK Reg. 3/2024 Conveying the result of the Sandbox Passed Financial Services Authority issuing Result Letter Art. 15 (6) OJK Reg. 3/2024 Passed Sandbox Participant Failed The failed Participant shall: a. cease operational business activities, product innovations, activities, and services that utilize the business model tested and developed in the Sandbox; b. fulfill all obligations to Consumers and other parties and c. implement the exit policy stated in the Testing Plan. License Submission License Submission Process Participant obtains Business License from Financial Service Authority Art. 13 (4) OJK Reg. 3/2024 Art. 17 (2) OJK Reg. 3/2024 Art. 14 (2) (b) OJK Reg. 3/2024 Art. 14 (2) (a) OJK Reg. 3/2024 Art. 15 (7) OJK Reg. 3/2024 8 9 a b 10 A H R P L e g a l B r i e f LICENSING PROCEDURE OF FACIAL VERIFICATION TECHOLOGY ORGANIZER (2/2) Result Letter will be valid for 6 (six) months and may be extended under Financial Services Authority discretion If the Participant does not submit the license within a maximum duration of 3 (three) months from the validation of the Result Letter, the Participant shall conduct the termination of business operations and fulfill all obligations to consumers, third parties, or as required by the Financial Services Authority
- 6. Parties granted to Access Population Data Providers Users Directorate General of Population and Civil Registration Provincial Population and Civil Registration Office District/City Population and Civil Registration Office State Institution Non-Ministerial Government Agencies Indonesia Legal Entities Regional Government Organization Art. 4 (1) MoHA Reg. 102/2019 Art. 6 MoHA Reg. 102/2019 Procedure for Granting Access Rights FVT organizer submits a written application for the utilization of population data to the Directorate General of Population and Civil Registration The Director General of Population and Civil Registration, on behalf of the Minister examines the application from FVT organizer Application is approved Application is rejected FVT organizer and financial institution prepare a Memorandum of Understanding (“MoU”) The MoU is signed by the Minister and the leader of the ministry, non- ministerial government agency, or overseeing non-ministerial government agency of the legal entity. The MoU is followed by a proposed cooperation agreement submitted by the User to the Directorate General of Population and Civil Registration. In the case where an Indonesian legal entity proposes a cooperation agreement without a prior MoU, the Indonesian legal entity first coordinates with the overseeing ministry/ non- ministerial government agency to create the MoU. The content of the cooperation agreement regarding the utilization of Population Data is initiated by the Directorate General of Population and Civil Registration and the User. The cooperation agreement, once agreed upon by both parties, is signed by the Directorate General of Population and Civil Registration with a mid-level or equivalent official. The parties in the cooperation agreement are prohibited from providing Population Data to third parties and using Population Data in a manner not in accordance with the cooperation agreement. Art. 7 MoHA Reg. 102/2019 a b d e f g h FVT organizer, as an Indonesian legal entity, is categorized as a central user. The requirements for granting access rights at the central level are fulfilled by submitting a letter of request from the User's leadership to the Directorate General of Population and Civil Registration. i j A H R P L e g a l B r i e f GRANTING ACCESS RIGHTS FOR THE UTILIZATION OF POPULATION DATA (1/2) Note: Please see in Appendix Section (slide 10) for the details of required documents c.1 c.2
- 7. Mechanism for Utilization of Population Data Mechanism Remarks Card Reader Usage The utilization of the personal data of citizens is based on cooperation contracts Users must first procure a card reader from a producer that has been certified by the relevant ministry/agency. The card reader can only be utilized after it has first been activated by the Ministry of Home Affairs via the Directorate-General. For this purpose, users Secure Access Module cards must undergo pre-personalization and personalization processes which are initiated by the Ministry of Home Affairs via Directorate General. Card readers may be integrated into the web service application. Web Service and Web Portal Access Personal data that may be utilized by users through web service and web-portal access comprise the following: (i) ID numbers; (ii) family registration numbers; (iii) biometrics, including fingerprints, iris scans and portrait photos; and (iv) combinations of population data elements. This data may only be read and may only be saved if users have first obtained approval from the relevant data owners. However, any Indonesian legal entities which are majority-owned by foreign parties are only allowed to access personal data in order to verify the suitability of search data. The utilization of the personal data of citizens via web service and web portal access is conducted using applications and/or electronic devices via the use of closed network media. Users must provide the closed network media required based on cooperation contracts and must issue written statements affirming that they will maintain the confidentiality of all personal data Web service and web portal access may be implemented via joint platforms, which will be provided by, and which will serve as an intermediary between the state agency and the relevant Indonesian legal entities. Any such platforms must first be officially approved by the Director-General. Utilization of Population Data Individual data refers to data utilized by Users which has been consolidated and cleaned by the Minister via the Director-General of Population and Civil Registration (“Directorate-General”). The consolidated and cleaned individual data is sourced from the Population Administration System or Sistem Informasi Administrasi Kependudukan connected to the Ministry of Home Affairs data centre and stored in a Data Warehouse managed by the Ministry of Home Affairs. Art. 19 MoHA Reg. 102/2019 a. Card Reader Usage b. Web Service Access c. Web Portal Access a b c Art. 21 MoHA Reg. 102/2019 Art. 23 MoHA Reg. 102/2019 Art. 24 (1) MoHA Reg. 102/2019 Art. 24 (2) and (3) MoHA Reg. 102/2019 Art. 25 MoHA Reg. 102/2019 Art. 29 (1) and (2) MoHA Reg. 102/2019 Art. 29 (3) and (4) MoHA Reg. 102/2019 Art. 28 (1) and (2) MoHA Reg. 102/2019 Art. 34 MoHA Reg. 102/2019 Funding of Access Rights of Population Data Reporting and Supervision The Central User is required to provide Data Feedback to the Directorate General of Population and Civil Registration. Every User accessing Population Data is prohibited from charging fees to the public. Art. 38 (1) MoHA Reg. 102/2019 The utilization of Population Data by the Directorate General is charged to the state revenue and expenditure budget. Art. 38 (A) MoHA Reg. 17/2023 Art. 39 (1) MoHA Reg. 102/2019 The central user is required to periodically report the utilization of Population Data every 6 (six) months in June and December or whenever necessary to the Minister through the Directorate General. Minister through the Directorate General oversees the utilization of Population Data by central, provincial, and district/city users. Art. 40 (3) MoHA Re.g 102/2019 Art. 44 (1) MoHA Reg. 102/2019 A H R P L e g a l B r i e f GRANTING ACCESS RIGHTS FOR THE UTILIZATION OF POPULATION DATA (2/2)
- 8. Significant Positive Impacts on the Credit Ecosystem from the Implementation of FVT, includes: 1 Efficiency: The FVT process enables financial institutions or other businesses to verify customer identities quickly and efficiently, reducing the time required for manual processes. 2 Enhanced Security: By using digital technology and biometrics, FVT can enhance security in the customer identification process, reducing the risk of identity fraud or deception. 3 Expanded Access: FVT enables access to financial services or other businesses for individuals who may find it difficult or expensive to verify their identities traditionally, such as those living in remote areas or with limited access to official identity documents. 4 Enhanced the Accuracy of Data: FVT process can enhance the accuracy of customer data by leveraging technology to verify their identity information. 5 Convenience: Customers can avoid time-consuming manual activities such as filling out forms and submitting documents because FVT process can typically be completed online more quickly and easily. NIK Verified Name Verified Date of Birth Verified Place of Birth Verified Address Verified Selfie Photo Verified The Common Practice in the Facial Verification Technology Implementation Finance: In finance, verification technology is used in different ways, e.g., opening bank accounts, application for credit, verifying identities for online banking, authenticating financial transactions, and preventing fraud. E-commerce: In online shopping, verification technology can make transactions safer. For example, users can pay by using facial verification as an extra security step, making payments safer and reducing the risk of payment fraud. Banking: Just like in finance, bank also uses verification technology for different purposes, e.g., opening new accounts, verifying customer identities, and authenticating transactions. Healthcare: In healthcare, verification technology secures access to electronic medical records, ensuring only authorized staff can access sensitive information. The implementation of FVT has been adopted across various industries. Below are the examples of industries utilizing verification technology. Facial Verification Technology 1 2 3 4 Customer filling out the information Optical character Recognition process Customer taking a photo selfie Liveness detection of customer Biometric verification of customer Database verification Verification result of the customer A H R P L e g a l B r i e f IMPLEMENTATION OF FACIAL VERIFICATION TECHNOLOGY Submitting Identity Card to the system
- 9. In carrying out its responsibilities, a FVT organizer is required to adhere to several obligations concerning the safeguarding of customers' personal data, as follows: a) Must maintain the integrity and availability of personal data, transaction data, and financial data it manages from the time the data is obtained until it is destroyed. b) Must maintain the confidentiality and security of consumer data and/or information. c) Must obtain consent before processing personal data. d) Must convey limitations on the use of data and information to consumers. e) Must inform consumers of any changes in the purpose of using data and information if there are changes in the purpose of using data and information. f) The media and methods used to obtain data and information are guaranteed confidentiality, security, and integrity. g) Must supervise every party involved in the processing of personal data. h) Must protect personal data from unauthorized processing. Art. 51 jo. Art. 52 Law 27/2022 jo. Art. 38 OJK Reg. 3/2024 Violations of the obligations of a FVT organizer may result in the following administrative sanctions: a) Written warning; b) Temporary or partial suspension of activities, including cooperation implementation; c) Revocation of consent; d) Cancellation of registration; and/or e) Revocation of permits. Administrative sanctions from letter b to letter e may be imposed with or without prior issuance of a written warning. Art. 35 jo. Art. 38 OJK Reg. 3/2024 The Obligation of Facial Verification Technology Organizer A FVT organizer that has obtained business licenses must have both a data center and a disaster recovery center. Both the data center and the disaster recovery center must be located within the territory of Indonesia. Art. 34 OJK Reg. 3/2024 Art. 46 Law 27/2022 The failure in the protection of personal data may result FVT organizer or data controller in the following administrative sanctions: a) written warning; b) temporary suspension of personal data processing activities; c) deletion or destruction of personal data; and/or d) administrative fines. In maximum amount of 2% (two percent) of the annual revenue or annual earnings for the violation. Art. 57 Law 27/2022 In the event of a failure in the protection of personal data, a verification technology organizer or data controller must provide written notification within 3 x 24 (three days in twenty-four hours) to: (i) the data subjects; and (ii) the relevant authorities. The notification must include details such as: a. The details of the personal data that have been leaked. b. A detailed description and explanation of when and how the personal data was leaked. c. Plans will be implemented to address and recover the leaked personal data by the FVT organizer or the data controller. Consequences Regarding Data Leaks Dispute settlement on personal data protection may be conducted through: a. arbitration; b. courts (both civil and criminal). If necessary to protect personal data, court proceedings may be conducted in closed sessions.; or c. other alternative dispute resolution institutions. The procedural law applicable to the dispute settlement and/or legal proceedings of personal data protection is carried out based on the applicable procedural law according to the provisions of the regulations. In the case of evidence submission in the dispute settlement on personal data protection, there are valid evidence instruments, including but not limited to: a. evidence as referred to in procedural law; and b. other evidence in the form of electronic information and/or electronic documents in accordance with the provisions of the regulations. Dispute Settlement Art. 64 Law 27/2022 FVT organizers are prohibited from providing consumer data and/or information to third parties, except: a) if consumers give consent; and/or b) if FVT organizers are required by legal regulations to provide consumer data and/or information to third parties. ! A H R P L e g a l B r i e f SAFEGUARDING CUSTOMERS’ DATA
- 10. 2b. Testing Plan shall at least include of the following: a. explanation of the product innovation, activities, services, and/or business models to be tested and developed; b. identification of potential risks associated with the product innovation, activities, services, and/or business models to be tested and developed; c. plan for implementing risk mitigation for potential risk referred to in letter b; d. limitations on the implementation of testing and development of innovations, including the required testing period, consumer targets and profiles, number of consumers, testing and development partners, number of transactions, and other measurable limitations; e. consumer protection framework, including at least consumer complaint services and compensation mechanism; f. capital and resource readiness for conducting testing and development of innovations; g. exit policy and transition policies if the innovations tested and developed cannot be continued after the Sandbox process; h. testing and development scenarios for product innovations, activities, services, and/or business models to be tested and developed; and i. key performance indicators for testing and development scenarios and innovation development as referred to in letter h. Art. 9 (5) OJK Reg. 3/2024 3. Suitability criteria for innovations to participate in the Sandbox shall include: a. innovations that have a scope in the financial services sector to be used by consumers, partners, and/or the community in Indonesia; b. innovations that exhibit novelty and/or have significant distinguishing features from previous endeavors in the financial sector; c. innovations that provide benefits, enhance services, and add value to consumers, the community, and/or the financial sector ecosystem; d. innovations that are ready for testing and development; e. innovations that require testing and development support, and have not been subject to prior regulations and supervision under existing provisions in the financial sector; f. other criteria set by the Financial Services Authority. Art. 10 (1) OJK Reg. 3/2024 Users who are Indonesian legal entities must submit a written request for access rights along with supporting documents as additional requirements, including: a. Articles of incorporation/articles of association/articles of organization and their amendments; b. Business domicile certificate; c. Business license certificate; d. Decree from the ministry overseeing legal affairs regarding the approval of the Indonesian legal entity; e. Written recommendation from the supervisory and regulatory authority for business activities of the Indonesian legal entity. Art. 15 (1) and (2) MoHA Reg. 102/2019 A H R P L e g a l B r i e f SELECTED RELEVANT PROVISIONS Referral from Slide 4 Referral from Slide 6
- 11. We will continue to follow the developments on this topic and provide additional information as it becomes available. If you have any questions on this topic, please contact: Ahmad Arif arif@ahrplaw.com Hanif Julianto Firman hanif@ahrplaw.com Hany Areta Athayalia hany@ahrplaw.com This publication has been prepared by AHRP for educational and informational purposes only. The information contained in this publication is not intended and should not be construed as legal advice. Due to the rapidly changing nature of law, AHRP makes no warranty or guarantee concerning the accuracy or completeness of this content. You should consult with an attorney to review the current status of the law and how it applies to your circumstances before deciding to take any action. World Capital Tower 19th floor Jl. Mega Kuningan Barat No.3, Kuningan Jakarta 12950 Indonesia P: +6221 50917915 +6221 50917916 E: office@ahrplaw.com www.ahrplaw.com