Are Payment Providers in Indonesia Ready to Face a New Compliance Test?
Sumsub’s report looks at the compliance shift facing payment providers in Indonesia as real-time payments grow, fraud tactics evolve, and BI Regulation 10/2025 comes into view.
That works out to roughly 209 million people, a number that explains why digital payments have become more than a convenience layer in the country.
They are increasingly part of the infrastructure needed to bring more people and businesses into the formal financial system.
That access gap also sits behind a sizeable commercial opportunity, with Indonesia’s payments infrastructure market valued at US$110.69 billion in 2025 and forecast to reach US$294.85 billion by 2031, growing at a compound annual growth rate of 17.74% from 2026 to 2031.
Those figures point to a market with substantial room to expand, but they also raise a more difficult question for payment providers.
And as Indonesians move money through real-time rails, wallet ecosystems, QR codes and embedded payment flows inside everyday digital services, compliance can no longer sit behind the growth story.
It has to keep pace and be hand in hand with the market it supports.
Indonesia’s Payment Adoption Story Is Accelerating
Indonesia’s payments momentum is coming from several directions at once.
Bank Indonesia’s real-time payment rail, BI-FAST, is supporting faster fund transfers across the market.
QRIS, the national QR code standard, has simplified merchant acceptance and made QR payments easier to use in daily transactions.
Sumsub’s report also notes that QRIS is now usable for cross-border payments in countries including Thailand and Malaysia, giving Indonesia’s payments infrastructure a wider regional dimension.
Mobile wallets have also become an important access point for users outside Java who previously had limited contact with formal banking.
Providers such as DANA are adding users by layering in features like micro-savings, while government programmes such as SisBerdaya, which provides financial grants to women-led enterprises, are helping reinforce wallet use in daily transactions.
Connectivity improvements are also supporting that shift with initiatives like the Palapa Ring infrastructure project, which has improved 4G access in remote regions, making digital participation more realistic beyond the country’s main urban centres.
Yet, Indonesia’s geography continues to shape how payments work on the ground, and wider access does not always translate into smoother operations for providers.
But Faster Payments Now Creates New Operational Pressure
Sumsub highlights that telecom infrastructure outside Java can still create reliability issues for latency-sensitive transactions.
Even short interruptions can create friction when users and merchants expect payments to clear instantly.
In Indonesia, Payment Service Providers (Penyedia Jasa Pembayaran or PJP) may need fallback mechanisms such as offline QR codes, which add cost and complexity to payment operations.
And the speed of modern payments also leaves less time to detect risk.
Many legacy compliance processes were built for a slower environment, where checks could happen in sequence, and different teams could manage onboarding, screening and monitoring separately.
Plus, real-time payments leave less room for that kind of handoff, especially when suspicious activity can spread quickly across accounts, wallets or platforms.
The growth story in Indonesia, therefore, leads quickly into a tougher question of how payment providers manage risk at the same speed as transactions.
Fraud Brings Another Test for Payment Providers in Indonesia
As if that wasn’t enough, the report describes Indonesia as one of the higher-risk markets globally for payment fraud.
Its large super-app ecosystems create a broad attack surface, where one compromised identity can potentially unlock access to multiple services.
The scale of the problem is already visible in the fraud data.
One, identity fraud rates in Indonesia grew from 1.1% in 2021 to 2.6% in 2024. Two, deepfakes now account for around 5% of fraud attempts, with the figure rising as AI-generated content becomes easier to produce and deploy.
Third, the growing accessibility of Fraud-as-a-Service tools, where a coordinated fraudster group can cause losses of up to US$2.5 million within a month using an initial outlay of around US$1,000.
Indonesian payment providers have a lot on their plates as now, they’re not just dealing with just fake documents or suspicious onboarding attempts.
Sumsub also points out that many of the most damaging risks only become visible once an account starts moving money.
The report points to synthetic identities, mule accounts, QR-based fund dispersal and embedded payment abuse as key typologies.
Across these risks, behaviour becomes the more revealing signal, with suspicious patterns often appearing only after onboarding.
One-Time KYC Is No Longer Enough
Fraud increasingly reveals itself through behaviour, which leaves any compliance model built mainly around onboarding with obvious blind spots.
Sumsub argues in the report that one-time checks are losing ground because they verify a customer at account opening, but do not follow how that customer behaves once transactions begin.
Risk can change quickly after that point, as customers start moving larger volumes, deal with unfamiliar counterparties or show patterns that were not visible at the start.
An account that first looked legitimate can also be taken over or repurposed as part of a mule network.
Real-time payments make that weakness more exposed.
Fast-moving transactions can leave providers vulnerable when monitoring lags behind, especially when teams only review fraud signals after suspicious activity has already spread across accounts, wallets or platforms.
Visibility becomes even harder when providers keep customer checks, transaction monitoring and AML screening in separate tools.
Manual review processes also become harder to scale as transaction volumes grow, while periodic screening may not be fast enough to respond to new fraud patterns.
Seen through that lens, activity-based regulation and payment fraud risk belong in the same conversation.
Once regulation follows the activity, compliance also has to follow the activity.
Compliance Needs to Become a Continuous Cycle
Once regulation moves closer to payment activity, compliance has to move with it.
Budi Gandasoebrata, Vice Chairman II of the Indonesia Fintech Association, AFTECH, puts it plainly in the report:
Budi Gandasoebrata
“Compliance can no longer be treated as a one-time administrative step at the beginning, but must evolve into a continuous and connected process throughout the lifecycle of payment activities.”
His point fits the direction of Indonesia’s payments market.
Real-time and integrated systems are making static controls less useful, while providers now need a clearer view of how customers behave once transactions begin and relationships change.
Sumsub frames this through a continuous verification model that brings together customer checks, transaction-level risk assessment, behavioural monitoring, AML screening and risk-based escalation.
The aim is to apply more scrutiny where the risk is higher, while keeping the journey smoother for lower-risk users.
With that model in place, providers can prepare more effectively for regulatory review because their controls leave a clearer record of how decisions were made and how risks were managed across specific users or payment flows.
Integrated Verification Can Help Close the Gaps
But continuous compliance depends on whether payment providers can keep the different pieces of risk management connected.
Sumsub’s report argues that integrated verification can help providers close the gaps that emerge when compliance functions operate in silos.
A single risk view helps providers connect what they know about a customer at the start with what they learn as transactions begin to move.
An onboarding decision, for example, does not have to sit apart from later monitoring, while new signals from device behaviour, transaction patterns or AML screening can update the customer’s profile over time.
The report also notes that Sumsub’s platform supports ID checks, device intelligence, transaction monitoring, AML and sanctions screening, chargeback prevention, address verification and fraud prevention.
It cites verification speeds of under 20 seconds for user verification, 4.5 seconds for doc-free onboarding and under 59 seconds for Proof of Address verification.
The value for providers lies in keeping those checks connected as payment activity grows, so compliance can follow the customer and the transaction rather than remain locked inside separate systems.
What Payment Providers Should Do Now
Indonesia’s shift under BSPI 2030 and BI Regulation 10/2025 gives payment providers a practical starting point.
They need to understand the payment activities they perform and how those activities affect licensing and capital requirements.
That review should also cover fintech firms and embedded payment operators if they carry out regulated payment activities.
Once that scope is clear, controls need to sit inside the customer journey rather than around it.
Risk-based checks can help providers keep onboarding smoother for lower-risk users while applying deeper scrutiny where the customer profile or payment activity requires it.
Monitoring also needs to be designed early, not added only after volumes rise.
Providers should make sure transaction controls cover both customers and counterparties, with reviews triggered by relevant events rather than fixed schedules alone.
Disconnected systems will become harder to defend as fraud moves through real-time and embedded payment flows.
Sumsub frames continuous verification as one way for payment providers in Indonesia to connect onboarding signals with later transaction activity.
In Indonesia’s next payments phase, trust will need to move as quickly as the money does.
Featured image: Edited by Fintech News Indonesia based on images by Supertramp and Faraz Ali via Magnific.
