TL;DR: Indonesia's payment infrastructure is forecast to grow from US$110.69 billion in 2025 to US$294.85 billion by 2031, while Sumsub says the country is the second least protected against fraud out of 112 nations, making continuous, activity-based compliance a regulatory necessity. Point-in-time checks no longer match the scale or fraud dynamics of modern payment ecosystems.
At a glance
What this is: This whitepaper argues that Indonesia's move to activity-based regulation requires payment providers to replace point-in-time compliance with continuous identity, transaction, and AML monitoring.
Why it matters: It matters because payment, IAM, and fraud teams now need governance that follows the activity, not the corporate entity, and that changes how lifecycle controls, monitoring, and auditability are designed.
By the numbers:
- Indonesia's payment infrastructure market was valued at US$110.69 billion in 2025 and is forecast to reach US$294.85 billion by 2031, growing at a CAGR of 17.74%.
- Indonesia ranks as the second least protected country against fraud out of 112 nations.
Context
Activity-based regulation changes the compliance unit from the legal entity to the specific payment activity being performed. For payment providers, that means the control set must follow onboarding, transaction processing, and AML screening across the customer lifecycle, rather than stopping at a one-time verification event. In identity terms, the governance question is no longer who the customer is at signup, but what that identity is allowed to do continuously.
Indonesia's payment market is expanding quickly, which makes the risk problem larger even as regulatory expectations tighten. Super-app ecosystems and deep service integration mean that a single compromised identity can fan out across multiple payment services, so compliance and fraud controls now overlap with identity assurance, behavioural monitoring, and audit readiness.
The whitepaper's central position is that continuous compliance is becoming the operating model, not an add-on. That is the right framing for a market where fraud pressure, regulatory change, and high transaction velocity all converge on the same issue: static controls cannot keep up with dynamic payment activity.
Key questions
Q: How should payment providers implement activity-based compliance in Indonesia?
A: They should map controls to the payment activity being performed, not just the legal entity holding the licence. That means linking onboarding, transaction monitoring, AML screening, and audit evidence into one continuous workflow so higher-risk activity can trigger deeper review without waiting for periodic checks.
Q: Why does continuous compliance matter for payment providers?
A: Because fraud and risk change after onboarding, and point-in-time checks do not prove that an identity, device, or transaction pattern remains trustworthy. Continuous compliance lets providers update risk decisions as activity unfolds, which is essential when one compromised identity can affect multiple services.
Q: What breaks when compliance stays entity-based instead of activity-based?
A: The programme loses precision. Controls, evidence, and capital treatment stay tied to the company structure even when the regulatory obligation depends on a specific service such as fund transfers or payment gateway activity, which creates gaps in audit readiness and risk ownership.
Q: Who is accountable when a payment activity is non-compliant under activity-based regulation?
A: Accountability shifts to the provider responsible for that activity, even if the service sits inside a larger corporate group or platform ecosystem. The key test is whether the organisation can prove the correct controls were operating for the exact activity at the time it occurred.
Technical breakdown
Entity-based vs activity-based regulation in payments
Entity-based regulation ties obligations to the licensed company, while activity-based regulation ties them to the specific service being delivered. In practice, that means e-money issuance, payment gateway operation, and fund transfer activity each carry distinct control expectations, capital treatment, and evidence requirements. This model forces compliance teams to map governance to transaction context, not just to corporate structure. It also changes how audit trails are built, because the record must show that controls were active for the specific activity at the time it occurred.
Practical implication: Map controls to payment activity classes and evidence them continuously, not only at onboarding or annual review.
Continuous compliance and automated audit trails
Continuous compliance combines identity verification, transaction monitoring, and AML screening into one operating loop so the assurance state stays current after onboarding. The technical shift is from batch checks to event-driven reassessment, where new risk signals can trigger updated review logic without waiting for a scheduled recertification. That architecture matters in high-volume payment environments because risk changes faster than manual case handling can absorb. Automated audit trails become part of the control surface, not just a reporting output.
Practical implication: Design event-driven review workflows so risk changes can update evidence and case handling immediately.
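The operating loop described above, as an added example rather than Sumsub's product logic: lifecycle and risk events update a per-customer state as they arrive, each authorisation is decided against the ceiling of the specific activity class (e-money issuance, payment gateway, fund transfer) rather than a single entity-wide verdict, and every event and decision is appended to a hash-chained audit trail so later tampering with the record is detectable. The activity classes mirror the ones named in the text; the score weights, ceilings and event names are assumptions chosen to make the decisions diverge per activity.

```python
"""Event-driven customer reassessment with a hash-chained audit trail.

Added example, not Sumsub's product logic. Activity classes, score weights and
ceilings are assumptions chosen to show activity-specific decisions.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass

# Assumed: the highest risk score at which each activity class stays open.
# The classes mirror the ones named in the text; the numbers are illustrative.
ACTIVITY_CEILING = {"e_money_issuance": 60, "payment_gateway": 50, "fund_transfer": 40}

# Assumed score deltas for signals that arrive after onboarding. A later clear
# re-screen undoes an earlier hit, so the state can recover, not only degrade.
SIGNAL_WEIGHT = {"aml_rescreen_hit": 45, "new_device": 15, "velocity_spike": 20, "aml_rescreen_clear": -45}


@dataclass
class CustomerState:
    customer_id: str
    verified: bool = False
    risk_score: int = 0


def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only log where each entry commits to the previous entry's hash."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, record: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"seq": len(self.entries), "prev": prev, **record}
        entry = {**body, "hash": _digest(body)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every hash and check the chain; False on any edit or gap."""
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class ComplianceEngine:
    def __init__(self) -> None:
        self.customers: dict[str, CustomerState] = {}
        self.trail = AuditTrail()

    def _state(self, customer_id: str) -> CustomerState:
        return self.customers.setdefault(customer_id, CustomerState(customer_id))

    def on_event(self, event: dict) -> CustomerState:
        """Apply a lifecycle or risk event and record the resulting state."""
        state = self._state(event["customer_id"])
        kind = event["type"]
        if kind == "kyc_verified":
            state.verified = True
        elif kind in SIGNAL_WEIGHT:
            state.risk_score = max(0, state.risk_score + SIGNAL_WEIGHT[kind])
        else:
            raise ValueError(f"unknown event type {kind!r}")
        self.trail.append({"kind": "event", "event": event, "state": asdict(state)})
        return state

    def authorize(self, customer_id: str, activity: str, amount: int) -> dict:
        """Decide for one activity class against the customer's current state."""
        state = self._state(customer_id)
        ceiling = ACTIVITY_CEILING[activity]
        if not state.verified:
            decision, reason = "deny", "identity not verified"
        elif state.risk_score > ceiling:
            decision, reason = "review", f"risk {state.risk_score} exceeds {activity} ceiling {ceiling}"
        else:
            decision, reason = "allow", f"risk {state.risk_score} within {activity} ceiling {ceiling}"
        # The decision, its reason and the state it was taken on are evidenced together.
        self.trail.append({"kind": "authorization", "activity": activity, "amount": amount,
                           "decision": decision, "reason": reason, "state": asdict(state)})
        return {"decision": decision, "reason": reason, "audit_seq": self.trail.entries[-1]["seq"]}


if __name__ == "__main__":
    engine = ComplianceEngine()
    engine.on_event({"type": "kyc_verified", "customer_id": "cust-001"})
    print(engine.authorize("cust-001", "fund_transfer", 2_000_000))
    engine.on_event({"type": "aml_rescreen_hit", "customer_id": "cust-001"})
    print(engine.authorize("cust-001", "fund_transfer", 2_000_000))    # review
    print(engine.authorize("cust-001", "payment_gateway", 2_000_000))  # allow
    print("trail intact:", engine.trail.verify())
```

The point of the per-activity ceiling is that one AML re-screen hit pushes fund transfers into review while gateway activity continues, which is what activity-scoped obligations look like in code. The hash chain only proves integrity of the record relative to its own head; in production the head hash would be anchored somewhere the application cannot rewrite (a write-once store or a signed checkpoint), otherwise an attacker who can edit the log can simply recompute the chain.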
Behavioural intelligence for mule network detection
Threshold rules are weak against mule networks because the fraud pattern is distributed across many low-value actions that look benign in isolation. Behavioural analysis looks for device patterns, network relationships, and transaction sequencing that reveal coordination rather than single-event anomalies. This is especially relevant in ecosystems where one identity can touch multiple services and where micro-transaction layering is used to reduce visibility. Event-driven AML re-screening helps surface those patterns before they become entrenched.
Practical implication: Add behavioural and network-based signals to fraud detection so mule activity is visible across multiple low-risk transactions.
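The contrast between a per-transaction threshold and behavioural network signals, as an added example that is not Sumsub's detection logic. Over a constructed transaction set, the threshold rule fires only on a legitimate large payment, while the ring of accounts that forward almost everything they receive within hours, share a sending device and converge on one collector is found by combining three signals: a pass-through ratio per account, shared device fingerprints across accounts, and the transfer graph between them. Account names, device identifiers, amounts and the three thresholds are assumptions made for illustration.

```python
"""Mule-ring detection over constructed transaction records.

Added example, not Sumsub's detection logic. Account names, device IDs,
amounts and the thresholds below are all assumptions made for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

PER_TX_ALERT = 5_000_000               # assumed single-transaction alert limit (IDR)
FORWARD_WINDOW = timedelta(hours=24)   # assumed: funds leaving within 24h of first arrival
FORWARD_RATIO = 0.8                    # assumed: at least 80% of inbound forwarded


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample. Four feeder accounts pay two mules small amounts from their
# own devices; both mules forward nearly all of it to one collector within two
# hours from a shared device. Ordinary shop payments and one large rent payment
# are included for contrast. "device" is the fingerprint of the sending party.
TXS = [
    {"id": "t1", "ts": ts("2026-05-01T09:00"), "src": "V1", "dst": "M1", "amount": 1_500_000, "device": "dev-v1"},
    {"id": "t2", "ts": ts("2026-05-01T09:05"), "src": "V2", "dst": "M1", "amount": 1_500_000, "device": "dev-v2"},
    {"id": "t3", "ts": ts("2026-05-01T09:10"), "src": "V3", "dst": "M2", "amount": 1_500_000, "device": "dev-v3"},
    {"id": "t4", "ts": ts("2026-05-01T09:12"), "src": "V4", "dst": "M2", "amount": 1_500_000, "device": "dev-v4"},
    {"id": "t5", "ts": ts("2026-05-01T10:30"), "src": "M1", "dst": "C1", "amount": 2_900_000, "device": "dev-A"},
    {"id": "t6", "ts": ts("2026-05-01T10:41"), "src": "M2", "dst": "C1", "amount": 2_900_000, "device": "dev-A"},
    {"id": "t7", "ts": ts("2026-05-01T11:00"), "src": "L1", "dst": "SHOP", "amount": 250_000, "device": "dev-l1"},
    {"id": "t8", "ts": ts("2026-05-01T12:00"), "src": "L2", "dst": "SHOP", "amount": 400_000, "device": "dev-l2"},
    {"id": "t9", "ts": ts("2026-05-01T13:00"), "src": "L3", "dst": "LANDLORD", "amount": 7_500_000, "device": "dev-l3"},
]


def threshold_alerts(txs: list[dict]) -> list[str]:
    """The single-event rule: flags only transactions at or above the limit."""
    return [t["id"] for t in txs if t["amount"] >= PER_TX_ALERT]


def pass_through_accounts(txs: list[dict]) -> dict[str, float]:
    """Accounts that forward most of their inbound funds soon after first receipt."""
    inbound, outbound = defaultdict(list), defaultdict(list)
    for t in txs:
        inbound[t["dst"]].append(t)
        outbound[t["src"]].append(t)
    result = {}
    for acct, ins in inbound.items():
        received = sum(t["amount"] for t in ins)
        first_in = min(t["ts"] for t in ins)
        forwarded = sum(t["amount"] for t in outbound.get(acct, [])
                        if first_in <= t["ts"] <= first_in + FORWARD_WINDOW)
        if received and forwarded / received >= FORWARD_RATIO:
            result[acct] = forwarded / received
    return result


def shared_devices(txs: list[dict]) -> dict[str, set[str]]:
    """Device fingerprints seen sending from more than one account."""
    by_dev = defaultdict(set)
    for t in txs:
        by_dev[t["device"]].add(t["src"])
    return {d: accts for d, accts in by_dev.items() if len(accts) >= 2}


def mule_rings(txs: list[dict]) -> list[dict]:
    """Connect pass-through accounts via shared devices and onward transfers,
    then report every connected group that holds at least two of them."""
    suspects = set(pass_through_accounts(txs))
    devices = shared_devices(txs)
    adj: dict[str, set[str]] = defaultdict(set)

    def link(a: str, b: str) -> None:
        adj[a].add(b)
        adj[b].add(a)

    for accts in devices.values():              # same device => same operator, probably
        first, *rest = sorted(accts)
        for other in rest:
            link(first, other)
    for t in txs:                               # where a pass-through account sends money
        if t["src"] in suspects:
            link(t["src"], t["dst"])

    seen, rings = set(), []
    for start in adj:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:                            # plain DFS over the undirected graph
            node = stack.pop()
            if node in comp:
                continue
            comp.add(node)
            stack.extend(adj[node] - comp)
        seen |= comp
        if len(comp & suspects) >= 2:
            rings.append({
                "members": sorted(comp),
                "pass_through": sorted(comp & suspects),
                "shared_devices": sorted(d for d, a in devices.items() if a & comp),
                "feeders": sorted({t["src"] for t in txs if t["dst"] in comp & suspects}),
                "amount_forwarded": sum(t["amount"] for t in txs if t["src"] in comp & suspects),
            })
    return rings


if __name__ == "__main__":
    print("threshold rule flags:", threshold_alerts(TXS))   # only the rent payment
    for ring in mule_rings(TXS):
        print("ring:", ring)
```

None of the nine transactions exceeds the limit except the rent payment, so the threshold rule produces one false positive and misses the ring entirely; the ring emerges only when the pass-through ratio, the shared device and the graph are read together. A real deployment needs allow-listing for accounts that legitimately look like pass-throughs (merchant settlement, payroll, agent top-up float), otherwise the same logic will sweep them into rings; that is the precision problem the whitepaper attributes to shallow rules, seen from the other side.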
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Hugging Face Spaces breach — exposed API keys and authentication tokens belonging to Spaces users.
NHI Mgmt Group analysis
Activity-based regulation is an identity governance problem, not only a compliance update. Once obligations attach to the action being performed, the control model has to understand transaction context, customer lifecycle state, and ongoing risk changes. That pushes payment teams into a governance pattern closer to continuous assurance than to periodic certification, and it is strongest when identity, fraud, and AML teams operate from the same evidence model. Practitioners should treat activity scope as the new unit of control.
Continuous compliance closes the gap between authentication and accountability. Static onboarding checks do not prove that a user, account, or device remains suitable for higher-risk payment activity later in the lifecycle. The article's core signal is that evidence must be maintained as the activity unfolds, because fraud often appears after the first verification event. Practitioners should re-evaluate whether their current controls can prove ongoing legitimacy, not just initial acceptance.
Behavioural intelligence is becoming a governance layer, not only a fraud layer. When fraudsters use mule account networks and layered micro-transactions, rule-based detection alone is too shallow to preserve confidence in the control environment. That means identity assurance, transaction monitoring, and AML screening now function as one linked governance system. Practitioners should align these teams around shared risk signals and shared audit artefacts.
Regional harmonisation will matter more as payment activity scales across borders. The article points to differing maturity levels across APAC, which means terminology, evidence expectations, and control mapping can diverge even when the underlying payment risk looks similar. That creates compliance friction for providers that operate across markets. Practitioners should design for portability in control evidence and policy interpretation.
Continuous compliance creates an audit expectation that point-in-time programmes cannot satisfy. Once regulators expect live evidence, a programme built around annual review cycles will look incomplete even if its individual controls are sound. The governance shift is from proving that controls exist to proving that controls remain active for the duration of the activity. Practitioners should measure their programmes by evidence continuity, not by checklist completion.
From our research:
- 68% of organisations do not know how to fully address NHI risks, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing how slowly remediation can lag exposure.
- The governance lesson extends beyond payments, and the lifecycle angle is covered in Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs.
What this signals
Continuous evidence is becoming the minimum viable control model for regulated payment ecosystems. As regulators tie obligations to activity rather than entity, programmes built on annual attestations will struggle to show that controls were effective at the moment the activity occurred. Teams should prepare for a world where audit evidence must be generated as part of operations, not reconstructed after the fact.
Behavioural detection will increasingly sit alongside identity governance in fraud-heavy markets. When one identity can fan out across multiple services, the line between identity assurance and fraud control blurs quickly. Payment teams should plan for shared telemetry across onboarding, transaction monitoring, and AML so that risk assessment stays aligned across the lifecycle.
The structural problem is not just more fraud, it is more fragmented accountability. Activity-based regulation forces providers to prove which control protected which activity, and that discipline will spread into other regulated digital services over time. Practitioners should use this shift to test whether their current governance can survive a regulator asking for live, activity-specific evidence.
For practitioners
- Map payment controls to activity classes: Build a control inventory that ties onboarding, transaction processing, e-money issuance, payment gateway activity, and fund transfers to distinct governance requirements and evidence sets.
- Replace point-in-time checks with continuous monitoring: Connect identity verification, transaction monitoring, and AML screening so risk signals can update the customer state after onboarding and during live activity.
- Add behavioural signals to mule detection: Use device behaviour, network patterns, and transaction sequencing to identify coordinated low-value fraud that rule thresholds will miss.
- Automate audit trail generation: Ensure every high-risk activity leaves a continuously maintained record that can satisfy Bank Indonesia and OJK documentation expectations without manual reconstruction.
- Align fraud, AML, and identity teams on shared escalation rules: Define when a risk signal should trigger re-screening, review, or restriction so the same event does not get handled inconsistently across teams.
Key takeaways
- Indonesia's move to activity-based regulation changes the control unit from the company to the payment action, which makes static compliance models obsolete.
- The scale of the market and the country's fraud exposure mean that identity verification, transaction monitoring, and AML must operate as one continuous governance system.
- Practitioners should redesign evidence, escalation, and review processes so they can prove control effectiveness during the activity, not only after it.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01 | Activity-based compliance depends on current identity and access assurance. |
| NIST CSF 2.0 | DE.AE-03 | Correlating device, network, and transaction-sequence signals across sources is what makes mule activity visible across payment activity. |
| OWASP Non-Human Identity Top 10 | NHI7:2025 Long-Lived Secrets | Continuous monitoring reduces risk from long-lived credentials and exposed accounts. |
Tie payment controls to active identity assurance and prove they remain effective throughout the activity.
Key terms
- Activity-based regulation: A regulatory model that attaches compliance obligations to the specific service or transaction being performed rather than only to the legal entity. For payments, this means controls, evidence, and capital expectations follow the activity itself, which forces continuous operational governance instead of one-time certification.
- Continuous compliance: A control approach that keeps verification, monitoring, and audit evidence current as business activity happens. In payment environments, it connects onboarding, transaction monitoring, and AML screening so compliance can respond to changing risk rather than relying on periodic checks that age quickly.
- Mule network: A coordinated fraud structure in which multiple accounts, devices, or identities are used to move funds or obscure the origin of suspicious activity. The network effect makes isolated thresholds ineffective, so detection must look at behavioural patterns, relationships, and transaction sequences across the lifecycle.
- Automated audit trail: A machine-maintained record of control actions, decisions, and risk events that can be reviewed after the fact without manual reconstruction. For regulated payments, it is part of the operating control environment because it proves which safeguards were active for a specific activity at a specific time.
Deepen your knowledge
Activity-based compliance, identity verification, and continuous monitoring are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building governance for regulated payment activity, it is worth exploring.
This post draws on content published by Sumsub: From entity to activity-based regulation, what payment providers in Indonesia need to know. Read the original.
Published by the NHIMG editorial team on 2026-06-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org