Delaying AI Adoption in Indonesian Financial Services May Be the Bigger Data Risk
A personal observation based on what I've seen across the industry, not a reflection of my employer's views.
A team lead at an Indonesian bank raises the idea of using AI to speed up internal reporting. The room is interested. Then someone asks: "What happens to our data?"
The conversation shifts from what AI could do for the team to whether the organization is allowed to use it at all. The meeting ends without a next step.
From what I've seen, that scenario plays out across Indonesian banks and insurers more often than people realize. The data concern is the most common point where AI adoption conversations stall.
And the concern is valid. Indonesian financial institutions handle sensitive customer data, operate under OJK's regulatory framework, and now face the enforcement requirements of the Personal Data Protection Law (UU PDP), which became enforceable in October 2024. Teams are right to take data sensitivity seriously.
The problem is that the data concern often becomes a blanket objection. It gets applied to all AI use cases, regardless of whether customer data or regulated information is involved.
Most financial institutions have a large volume of internal content that sits outside the scope of data privacy regulation: standard operating procedures, process documentation, training materials, internal templates, product knowledge bases, and general market research. None of this contains customer data. None of it falls under the sensitive data categories defined by UU PDP.
A bank's operations team can use AI to summarize a 40-page internal procedure manual into a structured onboarding guide. An insurance team can draft training materials from existing policy documentation. A compliance team can consolidate internal process notes into a single reference document. These tasks run on content the organization created for its own use.
That's a practical starting point. Most teams can act on it now.
But there's something that should concern leadership more.
I wrote in a previous article that professionals across Indonesian banks and insurers already use AI tools on their own initiative. They paste documents into chat tools, ask for summaries, and draft internal content. The organization doesn't see that usage and can't govern it.
Most of that informal usage happens on free-tier AI tools. Many free-tier tools may use conversation data for model improvement unless privacy settings are changed, and most users are unlikely to verify those settings before use. That means employees at financial institutions may already be feeding internal content into tools with no data governance, no retention controls, and no contractual protections.
The organization that delays AI adoption because of data concerns may already have a bigger data exposure than the one it's trying to prevent.
Paid AI plans provide more control. Major providers offer paid individual subscriptions where users can configure data privacy settings to prevent their conversations from being used in model training. Once those settings are in place, the data handling profile improves. For low-sensitivity internal content, a paid plan with the right settings may offer a materially safer option, though each institution should evaluate this against its own internal policies and risk classification.
The stronger move is for the organization to provide governed AI tooling at scale. Business and enterprise plans from major providers typically include contractual protections that restrict training on customer data by default, along with stronger administrative and retention controls. When the organization provides the tool, it controls the data governance. When individuals find their own tools, nobody does.
This connects to a broader point. Moving from informal, unmanaged AI usage to organization-wide governed tooling is the same embedded AI step that most Indonesian financial institutions haven't taken.
The data concern is one more reason to take it. Providing governed tools and clear usage policies doesn't require a large transformation program. It does require the institution to acknowledge that AI usage is already happening and decide to bring it under governance.
The range of work teams can safely handle through governed cloud-based AI tools is wider than many Financial Services Industry leaders expect, even without on-premise infrastructure or fully mature governance programs. Internal documentation, process analysis, training content, report structuring, knowledge consolidation. These cover a significant share of the repetitive work that slows teams down across banking and insurance operations.
As organizations mature their governance, they can expand. Internal operational data can move to on-premise or private cloud AI deployments where the institution controls the infrastructure. Customer data and regulated information require formal governance protocols aligned with UU PDP and OJK's AI Governance guideline for banking, published in April 2025. Those steps come later, and they build on the governance muscle the organization develops by starting with lower-risk content first.
IBM's 2025 study found that only 24% of Indonesian businesses report having clear AI governance processes in place. That number tracks with what I see in financial services. But low governance maturity doesn't mean zero AI adoption potential. It means organizations should match their starting point to their current governance level, not wait until governance is complete before starting.
The data concern doesn't block AI adoption in Indonesian financial services. It shapes where organizations begin. And for most teams, the unmanaged risk of doing nothing may be larger than the risk of starting with the right tools on the right content.

Hambali Muslimin
Financial Services, Technology, and Business Strategy Professional. More about me →
Related Articles

Recurring Reports in Indonesian Financial Services Take Hours to Produce and Minutes to Read
Instead of spending days formatting reports, analysts use AI for drafting and focus on judgment. Organizations gain richer analysis with the same people and schedule.

The Step Between ChatGPT and AI Agents That Most Indonesian Financial Services Haven't Taken
There's a step between chat-based AI and autonomous agents that most organizations might have missed. What that step looks like, and what it means for the path to agentic AI.

AI Adoption in Indonesian Financial Services May Not Be a Technology Problem
The real gap of AI adoption in Indonesia's financial services sector and why the first movers won't be the ones with the biggest AI budgets.