Strategies to monetize personal data have created opportunities for business innovation, including companies for credit ranking, marketing strategies, public health surveillance, and even penalty and reward mechanisms. Innovative credit scoring (ICS), which uses non-traditional personal data to estimate the creditworthiness of potential borrowers, is one such business innovation. There are about 19 ICS operators in Indonesia that help traditional and non-traditional lenders to estimate the capacity and willingness of potential borrowers to repay loans. Using non-traditional data to generate a credit score facilitates financial inclusion, especially for previously unbanked households. Despite this substantial benefit, the business model also carries inherent risks to data privacy, artificial intelligence and machine learning, and market monopolies.

To address inherent risks in ICS, the Indonesian Financial Services Authority (OJK) as the regulator pursued a co-regulatory approach with the establishment of a regulatory sandbox. The Indonesian Fintech Association (AFTECH) also collaborates with OJK as the ICS umbrella organization. The self-regulatory function of AFTECH complements the supervision of fintech entities through the enforcement of a code of ethics among ICS operators. In addition, the Personal Data Protection Law (PDPL) aims to provide legal clarity for the personal data management of ICS companies.

However, relevant articles in the law are not aligned with existing practices because of thecomplexity of each of these risks. Opaque decision-making must be addressed and responsibilities between the self-regulatory organization and government authorities must be clarified.

Procedural and substantive policy reforms would help to address these risks and uncertainties.OJK should reassess the effectiveness of the sandbox programs and provide sufficient regulatory clarity whether business models have been cleared to enter the market. An independent Data Protection Authority (DPA) needs to perform regular checks on the data used and shared by data controllers and ICS companies as data processors. Risk-based co-regulation should be adopted in the process of developing derivatives and implementation guidelines of the PDPL. OJK should clarify regulations regarding types of data, data use, and data protection officers, and specify how liability falls on data controllers and data processors. Finally, OJK should actively collaborate and coordinate their actions with the Commission for the Supervision of Business Competition (Komisi Pengawas Persaingan Usaha/ ‘KPPU’) to optimize the benefits of ICS for digital consumers.