By : Setyawati Fitrianggraeni, Sri Purnama[i]
Keywords: transnational litigation, regulatory divergence, intellectual property rights, data privacy and security, consumer protection
The fast growth of financial technology (fintech) has transformed how individuals undertake worldwide transactions. This trend is shown by the widespread usage of Quick Response (QR) codes as a payment mechanism. As the prevalence of cross-border transactions increases, nations attempt to build QR payment links to promote seamless payments between customers and businesses. The ASEAN-5 countries want to enhance QR code payments to benefit micro, small, and medium-sized enterprises (MSMEs) and migrant workers. Hence, a memorandum of understanding (MoU) between central banks from ASEAN member states has been inked on regional cross-border payments between countries, which will bring multiplier effects to people and businesses within the region. This agreement was signed in Bali on 14th November 2022, involving Bank Indonesia (BI), Bank Negara Malaysia (BNM), Bangko Sentral ng Pilipinas (BSP), Monetary Authority of Singapore (MAS), and Bank of Thailand (BOT).
Nevertheless, deploying these connections poses several legal issues and possible conflicts from the standpoint of multinational litigation. In light of this setting, it is essential to explore the potential problems from cross-border QR payment links and advise on managing these difficulties and examine Indonesia’s legal and regulatory structure with respect to the possible problems described above.
The disparity in legislative frameworks regulating fintech is one of the significant obstacles that nations confront when adopting cross-border QR payment links. Various countries have different legal and regulatory requirements, which may lead to jurisdiction and relevant legislation conflicts. For instance, for the QR Payment System Regulations, Indonesia has the Bank Indonesia Regulation Number 20/6/PBI/2018 on Electronic Money and Regulation Number 23/6/PBI/2021 on Payment Service Providers, which outlines the roles and responsibilities of payment system operators, electronic money issuers, and merchant acquires in QR code payments. On the other hand, Singapore has the Payment Services Act 2019, which governs payment service providers, including QR code payment services. Certain countries may have tight data privacy rules, whilst others may emphasize anti-money laundering (AML) requirements.
As a QR Payment Linkage agreement member, Indonesia must align its legislation with other ASEAN nations to eliminate conflicts and encourage smooth transactions. This alignment should be made between countries participating in QR payment linkage covering crucial issues like data protection, anti-money laundering, licensing, and cybersecurity. In addition, nations should develop a clear framework for conflict resolution that outlines the applicable law and jurisdiction in the event of a disagreement.
As was previously stated, the QR Payment Linkage enforced in ASEAN will impact a variety of facets. In contrast to the European Union, which already has the Digital Markets Act and the General Data Protection Regulation, ASEAN still needs regional regulations governing the digital economy that its member states must follow. The European Union’s member states use the Digital Markets Act and the General Data Protection Regulation as a reference when drafting digital economic regulations. However, ASEAN already has the ASEAN Digital Masterplan 2025 to steer the organization’s digital cooperation over the next five years to transform the region into a global leader in the digital community and economy.
PROTECTING INTELLECTUAL PROPERTY
Deploying QR payment links across international borders requires using proprietary technology, such as software and algorithms. This generates possible issues over intellectual property rights (IPR) since parties may have differing views of their rights and duties under license agreements.
Law Number 28 of 2014 on Copyright and Law Number 13 of 2006 on Patents have been enacted to safeguard intellectual property rights (IPR) in Indonesia. Nevertheless, implementing the QR Payment Linkage may need additional harmonization of IPR laws and regulations amongst ASEAN nations to reduce the likelihood of patent conflicts. These principles should include the regulation of protecting and enforcing intellectual property in cross-border QR payment systems to reduce IPR-related issues. Licensing agreements should be transparent and explicitly outline the rights and obligations of all parties involved. Additionally, governments should embrace international standards and best practices to enable the recognition and enforcement of IPR across borders.
DATA PRIVACY AND SECURITY
Data privacy and security are key considerations in cross-border QR payment links since they transmit sensitive personal and financial information between borders. Disputes may emerge if a data breach happens, and parties dispute who is accountable for the violation or the magnitude of the damages. Other potential data privacy and security disputes are data collection and processing, cross-border data transfers, breaches, and security incidents, consumer consent, and data usage. Law Number 27 of 2022 on Personal Data Protection (PDP Law) governs the protection of personal data in Indonesia. The PDP Law offers extensive and essential protection for Indonesian personal data. It governs the rights and responsibilities of data subjects, controllers, and processors. The legislation also establishes data subject classes. People, especially those who do business or e-commerce at home, may be classified as controllers of personal data and are legally liable for that data, according to the PDP Law.
Parties of the MOU should enact rigorous data protection legislation in line with international norms, such as the General Data Protection Regulation (GDPR), to solve data privacy and security problems. This legislation should also regulate mechanisms for cross-border data sharing, ensuring that data transfers adhere to strict privacy and security standards. Clear legal frameworks should be in place for managing disputes relating to data breaches, including the distribution of blame and the computation of damages.
ANTI-MONEY LAUNDERING AND COUNTER-TERRORIST FUNDING
Cross-border QR payment links may be susceptible to money laundering and terrorist funding since they allow smooth cross-border transactions. Tracing and prosecuting illegal actions may be challenging if nations have differing AML and counter-terrorist funding (CTF) legislation.
Law Number 8 of 2010 on the Prevention and Eradication of Money Laundering and Law Number 9 of 2013 on the Prevention of the Funding of Terrorism have been adopted in Indonesia. Bank Indonesia has also established laws governing financial institutions’ AML and CTF compliance. It will be vital to align these rules and regulations with other ASEAN nations’ AML and CTF frameworks to provide a uniform approach to combating illegal activity in cross-border QR payment transactions. Governments should also develop procedures for information exchange and collaboration among law enforcement authorities, enabling effective investigations and prosecutions of unlawful operations. A clear dispute resolution structure should be in place to handle problems connected to AML and CTF legislation.
CONSUMER DEFENSE AND DISPUTE RESOLUTION
Disputes may emerge between customers, merchants, and payment service providers during international QR payments. These conflicts may entail concerns such as unauthorised transactions, fraud, and chargebacks. Addressing these conflicts may be challenging since parties may be situated in various countries, and relevant laws and regulations may vary, especially in the area of inadequate consumer protection regulations, lack of clarity in cross-border liability, and inconsistent dispute resolution procedures.
Law Number 8 of 1999 on Consumer Protection is Indonesia’s fundamental legislation regulating consumer protection. It may be necessary to alter or augment this legislation to address consumer protection concerns relating to cross-border QR payment transactions. In addition, the implementation of accessible and open dispute resolution processes, as well as collaboration with other ASEAN nations in the enforcement of consumer protection legislation, will be crucial for the settlement of issues between consumers, merchants, and payment service providers.
Governments should enact comprehensive consumer protection legislation that embraces cross-border QR payment transactions to provide consumer protection and successful dispute resolution. These rules should clearly explain the rights and duties of customers, merchants, and payment service providers in case of disputes. Also, nations should implement clear and accessible dispute resolution processes, such as Ombudsman services or alternative dispute resolution (ADR) techniques like mediation and arbitration, to assist in resolving disagreements.
QR payment transactions can, of course, lead to different disputes among ASEAN member countries. In the event of a cross-country dispute, the parties to the dispute will be faced with problems such as choice of law and forum. Moreover, ASEAN still needs regional regulations that its member countries can directly use in resolving cross-border disputes. Therefore, the transnational litigation that occurs undoubtedly depends on the initial agreement made by the parties by looking at the predetermined dispute resolution agreement.
STANDARDISATION AND INTEROPERABILITY
The effectiveness of cross-border QR payment links primarily relies on the interoperability of systems and the standardization of technology. If countries adopt incompatible systems or adhere to common technical standards, disputes may arise, making it easier for consumers and merchants to transact without friction.
Bank Indonesia has previously established the Indonesian QR Code Standard (QRIS) for QR code-based domestic transactions. Integrating QRIS for QR code standards of other ASEAN nations will be essential for ensuring interoperability and frictionless cross-border transactions.
Countries should work to create common technical standards and guidelines for cross-border QR payment systems to overcome interoperability and standardization concerns. This may be done via involvement in international standard-setting organizations, such as the International Organization for Standardization (ISO) and the Financial Action Task Force (FATF). By implementing these standards, nations may guarantee the seamless operation of cross-border QR payment connections and limit the risk of conflicts.
No particular case precedents in the ASEAN-5 countries, especially Indonesia, address cross-border QR payment linking concerns. Nevertheless, as the QR Payment Linkage evolves and cross-border QR payments become more widespread, the Indonesian legal and regulatory environment must change to manage conflicts and issues appropriately. By doing so, Indonesia can help pave the path for a more connected and smooth financial system throughout the ASEAN region.
Implementing cross-border QR payment linkages among the ASEAN-5 (Indonesia, Malaysia, Philippines, Singapore, and Thailand) countries presents significant opportunities for fostering regional economic integration, promoting financial inclusion, and enhancing the overall digital payment ecosystem. Nonetheless, it also introduces possible global litigation concerns, such as regulatory divergence, intellectual property rights, data privacy and security, anti-money laundering and counterterrorism, consumer protection and dispute resolution, interoperability, and standardization.
Because of the diversity of legal systems and regulatory frameworks within the ASEAN-5, these nations must collaborate to handle possible issues and provide a standardized, compliant, and safe environment for cross-border QR payment transactions. This can be accomplished through various means, including the alignment of regulations, the development of regional agreements and frameworks, the promotion of best practices and international standards, and the improvement of cooperation and coordination among relevant authorities and stakeholders.
Ultimately, the effective implementation of cross-border QR payment links within the ASEAN-5 nations is contingent on their ability to traverse the intricacies of transnational litigation and develop a solid legal and regulatory framework to manage possible conflicts. By collaborating to build thorough dispute resolution processes and integrate their separate legal systems, the ASEAN-5 nations can assure the continuous expansion of their digital payment ecosystems and improve the region’s overall financial environment.
Laws and Regulations
Memorandum of Understanding on Cooperation in Regional Payment Connectivity, signed by Bank Indonesia, Bank Negara Malaysia, Bangko Sentral ng Pilipinas, Monetary Authority of Singapore, and Bank of Thailand, signed on 14 November 2022.
Bank Indonesia Regulation Number 20/6/PBI/2018 on Electronic Money.
Bank Indonesia Regulation Number 23/6/PBI/2021 on Payment Service Providers.
ASEAN Digital Masterplan 2025.
EU Regulation 2022/1925, commonly referred to as the Digital Markets Act.
Law Number 28 of 2014 on Copyright.
Law Number 13 of 2006 on Patents.
Law Number 27 of 2022 on Personal Data Protection.
EU Regulation 2016/679, commonly referred to as the General Data Protection Regulation.
Law Number 8 of 2010 on the Prevention and Eradication of Money Laundering.
Law Number 9 of 2013 on the Prevention of the Funding of Terrorism.
Law Number 8 of 1999 on Consumer Protection
Books and Journals
Normalita Destyarini, Falah Al Ghozali, Muhamad Rois, “Legal Protection Quick Response Code as a Payment System”, Conference Paper, 3rd International Conference of Health, Science and Technology (ICOHETECH), LPPN Universitas Duta Bangsa Surakarta, Indonesia – September 2022
Articles and Official Publications
IMF, Regional Economic Outlook: Asia and Pacific: List of Definitions, https://www.imf.org/-/media/Websites/IMF/imported-flagship-issues/external/pubs/ft/reo/2016/apd/eng/pdf/_areo0516definitionspdf.ashx#:~:text=%E2%80%9CASEAN%2D5%E2%80%9D%20refers%20to,Philippines%2C%20Singapore%2C%20and%20Thailand, accessed on 16 March 2023.
Bank Indonesia, The Implementation of Cross-Border QR Payment Linkage, Press Release No. 24/232/DKom, https://www.bi.go.id/en/publikasi/ruang-media/news-release/Pages/sp_2423222.aspx, accessed on 16 March 2023.
Vincent Fabian Thomas, “ASEAN-5 expand QR-code payments to benefit MSMEs, migrant workers”, TheJakartaPost, accessed through https://www.thejakartapost.com/business/2022/11/15/asean-5-expand-qr-code-payments-to-benefit-msmes-migrant-workers.html on 15th March 2023.
The information contained in this Legal Insight is not intended to provide legal opinion or views of the Anggraeni and Partners law offices against a particular legal issue.
Neither party may assume that he or she should act or cease to act or choose to act on a particular matter based on this information without seeking advice from professionals in the field of law in accordance with certain facts and circumstances it faces.
For further information, please contact:
P: 6221. 7278 7678, 72795001
H: +62 811 8800 427
Junior Legal Research Analyst
Research Group Transnational Litigation and Tort Law
[i] Setyawati Fitrianggraeni is a Managing Partner at Anggraeni and Partners, Indonesia, Assistant Professor at the Faculty of Law University of Indonesia, and PhD Candidate at the World Maritime University, Malmo, Sweden and Sri Purnama is a Junior Legal Research Analyst from Anggraeni and Partners. Writers thanks Dr Hary Elias for his time to provide feedback on the article
 Normalita Destyarini, Falah Al Ghozali, Muhamad Rois, “Legal Protection Quick Response Code as a Payment System”, Conference Paper, 3rd International Conference of Health, Science and Technology (ICOHETECH), LPPN Universitas Duta Bangsa Surakarta, Indonesia – September 2022, accessed through https://ojs.udb.ac.id/index.php/icohetech/article/download/2169/1783 on 16th March 2023.
 ASEAN, officially the Association of Southeast Asian Nations, is a political and economic union of 10 member states in Southeast Asia, which promotes intergovernmental cooperation and facilitates economic, political, security, military, educational, and sociocultural integration between its members and countries in the Asia-Pacific. ASEAN-5 refers to Indonesia, Malaysia, the Philippines, Singapore and Thailand. This classification is referring to International Monetary Fund definition, accessed through https://www.imf.org/-/media/Websites/IMF/imported-flagship-issues/external/pubs/ft/reo/2016/apd/eng/pdf/_areo0516definitionspdf.ashx#:~:text=%E2%80%9CASEAN%2D5%E2%80%9D%20refers%20to,Philippines%2C%20Singapore%2C%20and%20Thailand on 16th March 2023.
 The statement is released from Bank Indonesia, the central bank of Indonesia, as can be seen on the Press Release Number 24/232/DKom, accessed through https://www.bi.go.id/en/publikasi/ruang-media/news-release/Pages/sp_2423222.aspx on 16th March 2023.
 This MoU derives from the previous Letter of Intent to form a QR Payment Linkage Multilateral Agreement with the central banks of Malaysia, Thailand, Singapore, and the Philippines. This Letter of Intent is signed by Bank Indonesia, the central bank of Indonesia, in November 2021. This linkage is closely aligns with the G20’s work on cross-border payment roadmap to drive faster, cheaper, more transparent, and inclusive cross-border payments.
 Vincent Fabian Thomas, “ASEAN-5 expand QR-code payments to benefit MSMEs, migrant workers”, TheJakartaPost, accessed through https://www.thejakartapost.com/business/2022/11/15/asean-5-expand-qr-code-payments-to-benefit-msmes-migrant-workers.html on 15th March 2023.
 For instance, Singapore has the Personal Data Protection Act (PDPA), which governs the collection, use, and disclosure of personal data, whilst Thailand has the Personal Data Protection Act (PDPA) B.E. 2562 (2019) which shares similarities with the European Union’s General Data Protection Regulation (GDPR). The lack of harmonized data protection framework across the ASEAN-5 countries could create challenges in ensuring compliance and addressing cross-border data privacy disputes.
 The AML and CTF regulations may differ in the ASEAN-5 countries. Indonesia has enacted Law Number 8 of 2010 on the Prevention and Eradication of Money Laundering and Law Number 9 of 2013 on the Prevention and Eradication of the Financing of Terrorism, whilst other countries like Malaysia and Singapore have their respective AML/CTF regulations under the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act (AMLA) and the Terrorism (Suppression of Financing) Act. Divergent AML and CTF regulations can lead to disputes over enforcement, cooperation, and reporting obligations.
 The ASEAN-5 countries may have varying licensing requirements for payment service providers, which could make it difficult for providers from one country to operate in another country. For instance, in Malaysia, the Central Bank of Malaysia requires payment service providers to obtain a license under the Financial Services Act 2013, whilst in the Philippines, the Bangko Sentral ng Pilipinas regulates payment service providers under the National Payment Systems Act. Divergent licensing requirements could lead to disputes over market access and barriers to entry.
The Digital Markets Act (DMA) is a ground-breaking European law aiming to prevent large online platforms that connect consumers with content, goods, and services from abusing their market power. The European Union (EU) believes that strict regulation of big technology companies, the so-called gatekeepers of the digital economy, will lead to more competition and choice, greater innovation, better quality, and lower prices.
Some examples of potential IPR disputes in the context of QR payment linkages include patent infringement, trademark confusion, copyright infringement, and trade secret misappropriation.
Whilst Singapore’s Personal Data Protection Act (PDPA) provides a comprehensive framework for data protection, other countries may have less stringent regulations. Disputes may arise over whether certain data collection and processing practices comply with the various data protection laws of the ASEAN-5 countries.
Data transfer regulations may differ amongst the ASEAN-5 countries, leading to disputes over the legality of transferring personal data to another country with potentially less stringent data protection standards.
Countries may have different requirements for obtaining consumer consent to use their data, as well as restrictions on how that data may be used. Disputes could arise if a QR payment service provider is found to be using consumer data without proper consent or in a manner that violates the data protection laws of one or more ASEAN-5 countries.
The alignment should at the very least regulates compliance with AML/CTF regulations (customer due diligence, transaction monitoring, reporting requirements, and sanctions), inconsistencies in AML/CTF Risk Assessment (high-risk or low-risk transactions), reporting and information sharing, and enforcement and cooperation.
Regulations may differ regarding disclosures, fees, liability for unauthorised transactions, and recourse mechanisms for consumers.
It may be unclear which payment service provider, jurisdiction, or regulatory authority is responsible for addressing the consumer’s concerns.
Some examples of potential disputes related to interoperability and standardisation in the context of QR payment linkages are divergent technical standards, incompatible payment infrastructure, and varying regulatory requirements.