The digital lending boom and privacy concerns in Indonesia


In the past few years, Indonesia has experienced a substantial increase in the adoption of digital lending platforms, fueled by the rapid expansion of internet access and the widespread use of smartphones. Digital lending, offering the convenience of quick, paperless, and often collateral-free loans, has become increasingly popular among Indonesia’s growing middle class and underserved rural communities. However, as these platforms gain traction, privacy concerns have increasingly come to the forefront. The integration of technology in financial services has indeed revolutionised how consumers access credit, but it also raises significant privacy risks. Personal information, financial data, and other sensitive details that are essential to the digital lending process can be vulnerable to breaches and misuse (Ryan et al., 2021). The issue is not just about the technical vulnerabilities that could lead to data breaches but also about the ethical considerations surrounding the use of personal information for credit assessment and the potential for surveillance.

How does digital lending work in Indonesia?

The term “digital lending” describes the practice of providing credit through electronic means, including websites and mobile applications, from application to disbursement and management. In Indonesia, this sector has flourished primarily due to the high penetration of mobile technology coupled with a significant portion of the population being underbanked (Nuryakin et al., 2019). This scenario presents a ripe opportunity for fintech companies to bridge the gap, offering financial services to those who previously had limited access to traditional banking.

  • Key players in the market

A variety of players are present in the Indonesian digital lending market, including fintech startups, established banks expanding into digital services, and joint ventures between various financial entities looking to target the underserved market. Notable fintech companies like Investree, Amartha, and KoinWorks are pioneering digital lending in Indonesia, whereas traditional banks have expanded their digital offerings to compete in this new era (Kurniasari et al., 2021).

According to the Financial Services Authority of Indonesia (OJK), the number of registered and licensed digital lending platforms has seen a sharp increase in the past few years. The total loan disbursement through these platforms has grown exponentially, indicating not only a robust market uptake but also the vital role these services play in financial inclusion (Miguel et al., 2020).

  • Who uses digital loans?

Digital loans are particularly appealing to millennials and Gen Z, who are more comfortable with digital technology and often seek faster and more flexible borrowing options without the need to go to an actual bank branch. However, the convenience of accessing loans through a smartphone has also attracted micro, small, and medium enterprises (MSMEs), which form the backbone of the Indonesian economy (Rizki et al., 2023). These businesses often struggle to secure funding from traditional banks due to stringent credit assessments and collateral requirements.

The dark side of convenience

While digital lending platforms offer significant convenience and accessibility, they also present substantial privacy risks. The core of these concerns lies in how these platforms gather, use, and manage personal data (Dian et al., n.d.). Digital lending thrives on data analytics to assess creditworthiness and manage risks, necessitating the collection of vast amounts of personal information from users.

  • Risky data collection practices

Building on the foundational privacy concerns, digital lending platforms often require users to provide a wide array of personal information as part of the loan application process. This can include not only basic identity and financial information but also data extracted from social media profiles, e-commerce transactions, and even geolocation data. While such extensive data collection can enhance credit scoring models, especially for users with thin credit histories, it also raises questions about the necessity and proportionality of the data gathered. The risk of overcollection, where more data than necessary is collected, poses a significant threat to user privacy (Ryan et al., 2021).

  • Questionable consent mechanisms

Following the issue of risky data collection, another pressing concern is the validity of consent in digital lending transactions. Users are often required to agree to broad, sweeping terms of service and privacy policies that allow for wide-ranging data collection and usage practices. Two issues arise here: first, whether users are truly informed and understand what they are consenting to; and second, whether they have any meaningful choice, especially if access to financial services is contingent upon agreeing to these terms. This situation raises doubts about the voluntariness and informed nature of consent in digital lending.

  • Use of personal information for decision-making

Digital lending platforms leverage algorithms and data analytics to make lending decisions. While this can increase efficiency and access to credit, it also introduces the risk of decisions being made based on inaccurate, biased, or inappropriate data. There are concerns about transparency and fairness in automated decision-making processes, particularly regarding how personal data is weighted and interpreted (Marwick, 2018). Furthermore, the potential for data misuse, where personal information is used for purposes beyond credit assessment, such as targeted marketing, or is even sold to third parties without explicit consent, compounds privacy concerns.

Cases of the privacy challenges faced by the digital lending industry in Indonesia

  • Case study 1: Unauthorised data access and harassment

In one notable incident in 2018, a digital lending platform named RupiahPlus was found to have granted its collection agents unauthorised access to borrowers’ personal data, including contacts, photographs, and social media profiles (Kominfo, 2018). The agents used this information to harass borrowers who were late on their repayments, contacting friends and family members of the borrowers and threatening to expose their debt status. This case, widely reported in local media, raised significant concerns about the ethical use of personal data and the lack of safeguards to prevent such abuses. Although the regulator found the platform guilty of unethical debt collection, most of the problem lies with the consent mechanism or user agreement, which most people accept by simply clicking OK without reading it. The case highlighted the urgent need for digital lending platforms to implement strict access controls and for regulatory bodies to enforce compliance with privacy standards.

  • Case study 2: A data breach leading to identity theft

Another critical incident, in 2020, involved a data breach at a prominent digital lending platform in Indonesia (KreditPlus), where the personal data of 896.169 users was leaked online (Indonesia: Kominfo Asks KreditPlus to Submit Clarification in Response to Alleged Data Breach, 2022). The exposed data included sensitive information such as national identification numbers, addresses, bank account details, phone numbers, emails, and even the names of close relatives. The data was found to be shared and sold on the RaidForums site. This breach not only compromised the privacy of the affected individuals but also exposed them to the risk of identity theft and financial fraud. This case study serves as a stark reminder of the cybersecurity risks inherent in digital lending and the catastrophic impact of data breaches on individuals’ lives and financial security.

Regulatory framework for privacy in digital lending

Indonesia’s regulatory landscape for digital lending has evolved to address the growing concerns around data privacy and security. However, despite existing regulations, there are notable gaps that continue to challenge the efficacy of these measures (Febryana, 2023).

The primary regulatory body overseeing the fintech sector, including digital lending, is the Financial Services Authority of Indonesia (Otoritas Jasa Keuangan, OJK). The OJK mandates that all digital lending platforms register and receive licensing before operating, which is intended to ensure adherence to data protection and consumer privacy laws (Dian et al., n.d.). Moreover, the OJK has issued specific regulations aimed at improving transparency and accountability among digital lenders. For example, regulations require these platforms to disclose their data usage policies clearly and provide users with options to consent to data sharing.

Despite these regulations, implementation and enforcement have been inconsistent. The rapid growth of the fintech sector has outpaced the ability of regulatory frameworks to adapt, leading to significant challenges. For instance, the rise of illegal online lending platforms has exposed regulatory loopholes that allow these entities to operate outside the formal oversight of the OJK. These platforms often fail to comply with data protection laws, resulting in breaches of privacy and aggressive collection practices that further victimise borrowers.

Additionally, Indonesia lacks a comprehensive law specifically dedicated to personal data protection, similar to the General Data Protection Regulation (GDPR) in the European Union (Febryana, 2023). Currently, several different laws touch on aspects of data privacy, but there is no unified framework providing clear guidelines and protections. Efforts are underway to draft and pass a dedicated Personal Data Protection Bill, which aims to consolidate these laws and provide a more robust framework for protecting consumer data in the digital era.

Impact of privacy issues

The impact of privacy issues in Indonesia’s digital lending ecosystem is far-reaching, affecting not only individual consumers but also the integrity of the financial sector as a whole.

  • Consumer impact: For consumers, the consequences of privacy breaches can be severe. The exposure of personal data can lead to financial fraud and identity theft, where malicious actors use stolen identities to commit fraud or acquire more loans (Mega, 2023). This not only leads to financial loss but can also damage an individual’s credit history and financial standing, making it harder to secure loans or financial services in the future. Moreover, the psychological impact of aggressive debt collection practices, often resulting from compromised personal information, can lead to significant emotional distress for borrowers and their families.
  • Lender impact: Lenders themselves also face negative repercussions from privacy issues. A breach can diminish consumer trust, reducing the willingness of potential customers to engage with digital platforms. Furthermore, incidents of privacy infringement or data breaches can lead to costly legal challenges and fines, especially if the lenders are found to be in violation of regulatory standards. This can affect their operational costs and brand reputation, ultimately impacting their competitive edge in the market.
  • Ecosystem impact: On a broader scale, privacy issues can undermine the overall health of the financial ecosystem. The lack of consumer confidence in digital financial services can slow the adoption of innovative financial technologies, hindering progress towards financial inclusion. Additionally, frequent incidents of data misuse and privacy violations can prompt stricter regulations, potentially stifling innovation and growth within the sector.

The implications of privacy issues highlight the need for robust privacy protections and effective regulatory enforcement to ensure the security of consumer data and the sustainability of the digital lending landscape.


In closing, the rise of digital lending in Indonesia underscores a transformative shift in financial accessibility and consumer behaviour, marked by the intersection of technology and finance. Yet, this advancement brings to the forefront critical considerations regarding privacy. The collection and use of personal data for credit assessment, as necessary as they are for the functionality of digital lending, must be tempered with stringent protections to guard against breaches and misuse. This balance is not merely a technical necessity but a fundamental aspect of consumer rights and trust.

The regulatory efforts by OJK, while a positive step towards formalising the digital lending space, reveal the need for a more cohesive and robust framework akin to international privacy standards. The journey towards such comprehensive legislation is underway, signalling a commitment to safeguarding consumer data in this digital era.

Furthermore, the impacts of privacy issues resonate beyond individual consumers, influencing lenders’ reputability and the broader financial ecosystem. It’s a ripple effect where the breach of a single data point can erode trust across the entire digital financial landscape, hindering innovation and progress towards financial inclusion.

Therefore, the concluding message is clear: the potential of digital lending is immense, but its sustainability hinges on the ethical stewardship of personal data. As Indonesia navigates through the complexities of this sector, the importance of privacy remains unchallenged, demanding ongoing vigilance and proactive regulatory evolution. It is with a forward-looking lens that the digital lending industry, consumers, and regulatory bodies must collaborate to foster a secure and equitable financial future, one that not only embraces technological advancement but also upholds the sacredness of personal privacy as a vital component of its growth.


Dian, Masitoh, & vol. (n.d.). Data Protection in financial technology services: Indonesian legal perspective.

Febryana. (2023). Balancing Personal Data Protection and Peer-to-Peer Lending Regulation: A Comparative Analysis of the European Union and Indonesia.

Indonesia: Kominfo Asks KreditPlus to Submit Clarification in Response to Alleged Data Breach. (2022, December 19). DataGuidance. Retrieved April 10, 2024, from

Kominfo, P. (2018, July 23). Fintech Lending Langgar Aturan Lakukan Persekusi Digital. Website Resmi Kementerian Komunikasi dan Informatika RI. Retrieved April 10, 2024, from

Kurniasari, F., Andy, & Ardi. (2021). The role of financial technology to increase financial inclusion in Indonesia.

Marwick. (2018). Privacy at the margins| understanding privacy at the margins—introduction.

Mega. (2023). Unveiling the Dark Side of Fintech: Challenges and Breaches in Protecting User Data in Indonesia’s Online Loan Services.

Miguel, Lilik, Ari, Rudi, Narayan, & ncial. (2020). Mobile technologies, financial inclusion and inclusive growth in East Indonesia.

Nuryakin, Natanael, & Lovina. (2019). Financial technology in Indonesia: A fragmented instrument for financial inclusion.


Ryan, Indra, & Betty. (2021). Detection of fintech P2P lending issues in Indonesia.

Studio. (n.d.). Woman With Text Projected on Her Face. Retrieved April 10, 2024, from
