English | 中文 | 下载审德中文简介 

Mar

24

QR Code Explained

A phone is no longer ‘just’ a phone today. From music to meal-planning, they can now add to our lives in a variety of ways. Of course, many people use smart phone technology to make payments for daily purchases such as food and beverages with a little something called a ‘QR (Quick Response) Code’. Just scan the code on your smartphone screen and you are good to go with the tasty treats you are buying. The perks don’t stop there—you will often also enjoy a discounted price or even cashback. The vendors who accept QR Code payments vary in business types and sizes, from fancy restaurants in big shopping malls to food stalls (warungs) behind your office building.

While this magical mechanism makes are our lives easier, have you ever wondered what the QR Code really is? Has it ever crossed your mind to consider what regulations apply to it in Indonesia? At SLF, we have the answers.

First of all, there are no express laws and regulations that specifically regulate a QR Code. However since QR Codes are considered one of the payment methods or systems, they fall within the domain of banking and finance. More precisely, since QR Codes also employ technology, they simultaneously fall within the financial technology (fintech) category.

Basically, there are two government institutions responsible for all monetary matters, including fintech, in Indonesia: the Central Bank of Indonesia (BI) and the Financial Services Authority (OJK). The question is: which one is responsible for regulating and supervising QR Codes? To answer such a question, we first must explain the differentiations between BI and OJK as follows:

  1. The main role of OJK based on Law No. 21 of 2011 concerning Financial Services Authority (“Law No. 21/2011”) is to arrange an integrated regulatory and supervision system towards overall activities in the financial services sector. In order to accomplish this, OJK has a main duty to regulate and supervise financial services activities in the banking sector, capital market sector, and financial industry non-bank (IKNB) sector.
  2. The main role of BI based on Law No. 23 of 1999 concerning Bank Indonesia as lastly modified by Law No. 3 of 2004 concerning Modification of Law No. 23 of 1999 concerning Bank Indonesia (“Law of BI”) is to achieve and maintain the stability of the Rupiah’s value. In order to accomplish this, BI focuses on 3 (three) main duties which are as follows: (i) determine and execute monetary policy; (ii) regulate and maintain a constant payment system; and (iii) maintain the stability of the finance system.

Based on the distinctions in their main roles, BI deals with economics in a macro perspective and OJK deals it in a micro perspective. Therefore, the usage of QR Codes as payment systems means they fall under the purview of BI.

Based on our verbal communication with BI, they provided several important pieces of information regarding the usage of QR Codes as follows:

  1. BI is currently in the process of enacting a BI Regulation concerning QR Codes; however, they are unable to give us the exact date when the regulation would be enacted.
  2. For companies already using QR Codes, there is more detail. Since there is no specific regulation up to the date this article was published, BI may check whether such companies have a business license to conduct business activities (e.g. electronic money) and allow them, at its own discretion, to use QR Codes as far as the companies comply with the periodic report requirements, which include QR Code activity, mandated under the main business license.
  3. Lastly, BI recommended that any company who wishes to obtain a license from BI to use QR Codes submit an application request for QR Code usage in accordance with the existing applicable laws and regulations which are deemed to be the closest in connection to the business model and circumstances of the applicant.

More closely related to Financial Technology, BI has enacted BI Regulation No. 19/12/PBI/2017 concerning the Arrangement of Financial Technology (“PBI 19/2017”). In this PBI 19/2017, Financial Technology is defined as the usage of technology in a finance system which produces new products, services, technology, and/or business models and may affect monetary stability, finance system stability, and/or efficiency, fluency, security, and reliability of payment systems.

Further, in Article 3 paragraph (1) of PBI 19/2017, it stipulates that the scope of the Arrangement of Financial Technology includes the following categories:

  1. Payment systems;
  2. Market support;
  3. Investment management and risk management;
  4. Loan, financing, and capital procurement; and
  5. Other financial services.

Thus based on the categories above, the usage of QR Codes for payment systems falls under letter (a.).

In addition, the usage of QR Codes for payment systems as an Arrangement of Financial Technology under Article paragraph (1) letter (a.) shall satisfy the criteria of Article 3 paragraph (2) of PBI 19/2017 as follows:

  1. May be innovative;
  2. May affect the existing financial products, services, technologies, and/or business model;
  3. May provide benefits to society;
  4. May be used widely; and
  5. Other criteria which are established by BI.

Therefore, companies running an electronic money business with QR Codes as one of their methods for payment fulfill the above criteria. No doubt, QR Codes are an innovative technology that provide benefits to society, offering simpler and more accessible payment methods.

To avoid any confusion, the Financial Technology of BI is different than the Financial Technology of OJK under OJK Regulation No. 13/POJK.02/2018 concerning Digital Finance Innovation in the Financial Services Sector (“POJK 13/2018”). As we mentioned above, PBI 19/2017 is limited in its scope to only as follows:

  1. Payment systems;
  2. Market support;
  3. Investment management and risk management;
  4. Loan, financing, and capital procurement; and
  5. Other financial services.


While POJK 13/2018 under Article 3 is limited in its scope to only as follows:

  1. Transaction settlements;
  2. Equity crowd funding;
  3. Investment management;
  4. Fund collection and channeling;
  5. Insurance;
  6. Market support;
  7. Support to other digital finance; and/or
  8. Other financial service activities.

Based on the above distinctions, the regulations do not overlap, especially since payment systems defined by PBI are different than transaction settlements defined by POJK.

We hope we’ve clarified and provided a deeper understanding into QR Code regulation in Indonesia. It may just give you a deeper appreciation for the ease at which you can buy your favorite snack or sneaker. Unquestionably, the Fintech industry in Indonesia is evolving rapidly, prompting the government to continously update regulatory and supervisory mechanisms. We at Schinder Law Firm are best positioned to support your fintech business’ sustainable growth with our bespoke specialised legal services.

About the author:

 

GEOFFREY AURYN JAURISSAAkbar Muhammad Zainuri
Akbar received his Sarjana Hukum (LLB) in 2012 from Universitas Trisakti. Subsequently, he earned his Magister Hukum (LLM) in transnational law in 2014. While at university, Akbar was actively involved in Student Executive Body where he served as Vice Head of Foreign Affair Department.

Let Us Be Your Guide.
Our thorough understanding of local culture
ensures that your business will be in compliance
with all laws and regulations and receive
a warm welcome in the community.

Dear valued Visitor,

Data is a valuable currency in this new world. In the midst of digital transformation, the Indonesian government has taken the final decision to pass the Pelindungan Data Pribadi (PDP) Bill by September 2022. The PDP Law applies to all businesses established in Indonesia and puts the consumer in control. The task of complying with this regulation falls upon businesses.

The PDP Law affects a variety of business operations, including how your sales team prospect and how marketing initiatives are managed. Businesses have had to reassess their business procedures, applications, and forms. Additionally, all businesses that work with personal data should designate a Data Protection Officer (DPO) or data controller to oversee PDP compliance.

In line with this spirit, it gives us great pleasure to announce and share with all our esteemed clients and business associates that Schinder Law Firm is prepared to assist your company to understand the impacts of the Personal Data Protection Law (PDPL) and take the required measures to comply with the law. Our Privacy, Data Protection, and Cybersecurity practice group is a pioneer in providing data privacy law services in Indonesia. Personal data protection services include but are not limited to:

  • Assessing the existing systems, processes, and controls, etc.
  • Providing provide gap assessment on the existing systems, processes, and controls, etc.
  • Developing and ensuring contracts and agreements comply with the PDP Law
  • Developing policies, best practices, and procedures
  • Advising on the security of personal data and managing data breaches
  • Acting as the Data Protection Officer (DPO) and advising upon the appointment, role, and responsibilities of a data protection officer
  • Advising on cross-border transfers of personal data
  • Carrying out data protection impact assessments and data protection audits
  • Recommending other necessary corrective actions in order to comply with the PDP Law
  • Training on the PDP Law tailored to clients’ businesses

We look forward to many more opportunities in the year ahead with your continued support and trust. For consultation, please send us a WhatsApp or Email.

Warmest regards,
Naz Schinder
Managing Partner

Keep Up with the New Law in Indonesia: Personal Data Protection

  • Assessing the existing systems, processes and controls, etc.
  • Providing provide gap assessment on the existing systems, processes and controls, etc.
  • Developing and ensuring contracts and agreements comply with the PDPL.
  • Developing policies, best practices and procedures.
  • Advising on security of personal data and managing data breaches.
  • Acting as the Data Protection Officer (DPO) and advising upon the appointment, role and responsibilities of a data protection officer.
  • Advising on cross-border transfers of personal data.
  • Carrying out data protection impact assessments and data protection audits.
  • Recommending other necessary corrective actions in order to comply with the PDPL.
  • Training on the PDPL tailored to clients’ businesses.
Privacy, Data Protection and Cyber Security
We help our clients to understand the impact of the Personal Data Protection Law (PDPL) on their companies and take the required measures to comply with the law.