Bank Indonesia has strategic authority to maintain the stability of monetary conditions in Indonesia through monetary policy. One concern is the risk of shadow banking emerging, where fintech companies channel funds from the public. In the long term, this situation can impact the operational conditions of the banking system. One of Bank Indonesia’s mandates is to supervise the provision of services by fintech companies (peer-to-peer lending) to align with the national financial and payment vision and mission, including establishing interlinks between fintech and banking to avoid risks posed by shadow banking. Interlinking works if each party is willing to share customer data. If Bank Indonesia requires fintech companies to share customer or user data, it must be based on clear and specific legislation. This is crucial because user data falls under personal data, and the state must guarantee the protection of its citizens’ personal data. This article discusses the importance of legislation regarding the legitimacy of Bank Indonesia’s authority to regulate interlinks between fintech companies and Bank Indonesia, as well as banking institutions, to avoid shadow banking. The article employs a normative legal approach using literature and legal sources.