Illicit and Illegal Loans Through Traveloka PayLater Raise Concerns over Data Misuse

Accessing financial products using smartphones and technology-enabled platforms has now become a habit for many Southeast Asians. A bank-like service is just a few clicks away. However, recently complaints about possible misuse of user data stored by Traveloka revealed a serious problem of data security practices that lag behind the proliferation of easily accessible features. Right now, victims have to deal with damaged personal credit scores, but the bigger data protection issue has yet to be addressed.

When Rachmat Haryanto applied for a new credit card in 2019, he was surprised when the bank rejected his application. The bank says he has a credit score or credit scoring which is bad, but Haryanto is sure he has no outstanding bills. He checked his credit history and found two unpaid bills that were marked as debts to Caturnusa Sejahtera Finance, a company assigned by Traveloka to operate the BNPL service (Buy Now Pay Later).

Haryanto is a photographer, and he travels a lot for errands. Often, he booked flight tickets and hotel rooms through Traveloka, but he never signed up for the service PayLater company. "Bank Indonesia blacklisted me for two outstanding bills, one for IDR 8 million (USD 561) and another for IDR 10 million (USD 710), on Traveloka PayLater," Haryanto told KrASIA.

Ready to file a complaint, Haryanto contacted the Indonesian financial services authority, OJK. The representative who spoke to him told him to contact Traveloka directly and resolve the issue. “The bank also advised me to ask disclaimer from these companies so that the bill can be written off to improve my credit score so that I can re-apply for a credit card,” said Haryanto.

He finally did that. He visited the Traveloka office in Jakarta to report the error and asked the company to fix the problem immediately. “The data in the billing details is not completely accurate. While my name and ID card number are correct, the job information, address, and mobile number are incorrect. So it turns out, it only takes a name and ID number to misuse the data," he told KrASIA. Traveloka resolved the issue and issued a written rebuttal at Haryanto's request.

A bad credit score, whatever the root cause, makes it difficult for individuals to apply for credit cards, loans, mortgages, and other financial services offered by banks.

Haryanto's case is not just outlier. After he wrote about his experience in a letter published by local media Detik, more people said they were having the same problem. “To this day, many people contact me to share similar experiences.”

Another customer who goes by the name “Ridu” on Twitter recently shared his experience via a tweet thread. Like Haryanto, Ridu's credit card application was rejected because his credit was bad. “As it turned out, I had three unpaid transactions from May 2019, all from Caturnusa,” he told KrASIA.

Ridu's thread caught the attention of Traveloka, which reached out to the user and asked for a screenshot of his credit score report, as well as a photo of his ID card and selfie for verification. A few hours after Ridu sent the material, Traveloka sent him an email to apologize for the misuse of his personal data. Ridu's "debt" is written off by the company.

A common theme in the case of Haryanto, “Ridu,” and other Traveloka users whose credit scores have dropped for no apparent reason is that none of them signed up for the Traveloka PayLater service facilitated by Caturnusa. Also, none of these users have ever received an invoice or been contacted by a debt collector. Those who find their debt owed only find out when they look at their credit score after their application with a financial institution is rejected. This raises the question: who uses Traveloka customer data to formulate transactions in Caturnusa records? And why do they do this?

Haryanto assumed. “From the many conversations I have with other victims and people who are familiar with fintech and technology companies, there is an allegation that Caturnusa takes data from Traveloka users to make these transactions so that they have a healthy activity and transaction cycle on the platform. But again, this is just speculation," he said.

“Ridu” believes that this is the most likely reason behind the “debt” he carries. “Another victim who contacted me said that their transaction also took place in 2019. And I found that Traveloka did not require ID verification and photos at that time [for service PayLater]," he said.

Apart from vertical PayLater, Traveloka also offers insurance products to its users by partnering with companies such as Chubb and Astra Life.

Traveloka has not responded to KrASIA's confirmation request regarding this matter.

How do fintech operators manage user data?

The Indonesian Consumers Foundation said 33,5% of the complaints it received in 2020 targeted financial service providers, the largest portion by sector in terms of overall volume. Most consumers accuse these businesses of misusing or exploiting their user data, particularly pointing to lenders peer-to-peer illegal.

Fintech companies often say that they use customer data for risk analysis, fraud detection, and to customize services based on user activity and preferences. In 2018, OJK set the rules about how fintech companies can take advantage of their customers' data—all financial service providers must maintain the confidentiality, integrity, and accessibility of customers' personal, transaction and financial data from the time the company obtains the data up to the point in time when it is deleted from their servers. The service provider must also obtain consent from the user for the use of the data, and clearly explain its purpose and limitations. In addition, the data collection method must ensure confidentiality and security.

All fintech platforms with a valid license from the OJK, such as Traveloka PayLater, must comply with these regulations. It is currently unclear how the series of unlicensed loans were issued through the Traveloka PayLater service.

Indonesia struggles with weak protection personal information in the public and private sectors. There were at least seven major data breaches in 2020, including those involving big tech companies such as Tokopedia and Bukalapak, as well as the General Elections Commission (KPU). In May, the servers of BPJS Kesehatan, the state health and social security agency, were allegedly hacked, resulting in the data of 279 million Indonesians, including the dead, being posted on a hacker forum.

-This article was first released by KRASIA. Re-released in Indonesian as part of the collaboration with DailySocial