TL;DR: Indonesia’s payments market is growing at a 17.74% CAGR from 2026 to 2031, driven by BI-FAST, mobile wallets, and QRIS, while compliance still relies on fragmented tools and manual point-in-time checks, according to SumSub. The gap is now operational, not theoretical: payments teams need continuous, technology-enabled governance rather than periodic review cycles.
At a glance
What this is: This guide explains how Indonesia’s fast-growing payments ecosystem is stretching compliance models that still depend on manual, point-in-time checks.
Why it matters: It matters because payments, identity, and governance teams must align controls to real-time transaction flows, or risk losing oversight as embedded finance and wallet adoption scale.
By the numbers:
- Indonesia's growth is being driven by the rollout of Bank Indonesia’s real-time payment rail BI-FAST, rising mobile wallet adoption, and QRIS, with a CAGR of 17.74% from 2026 to 2031.
👉 Read SumSub's guide on Indonesia’s payment compliance framework
Context
Indonesia’s payments market is expanding faster than the compliance models many providers still use. Real-time payments, mobile wallets, and embedded finance create a control environment where periodic checks miss changes as they happen, especially when transaction volume and merchant reach are scaling at the same time.
The practical issue is not payment innovation itself. It is the mismatch between dynamic payment behaviour and governance processes built for slower systems. For teams operating in this space, continuous compliance and evidence-driven monitoring matter more than annual or quarterly control attestations.
Key questions
Q: How should payment teams govern compliance in real-time payment environments?
A: They should move from periodic review to continuous evidence collection, with controls tied to live payment events, merchant status changes, and exception handling. In real-time environments, governance must keep pace with transaction flow or the compliance record becomes outdated before it is reviewed. The operating model should be event-driven, not calendar-driven.
Q: Why do fragmented compliance tools create risk in fast-growing payment markets?
A: Fragmented tools split the evidence trail across multiple systems, making it hard to prove whether a control was effective at the moment it mattered. That increases audit friction and weakens accountability, especially when payment products scale quickly and the control environment changes faster than manual reconciliation can keep up.
Q: What do teams get wrong about point-in-time compliance checks?
A: They often treat a snapshot as proof that a control is working, when it only shows the control existed at one moment. In fast-moving payment environments, that misses drift, exceptions, and failed escalations that happen between review windows. The result is compliance theatre rather than operational assurance.
Q: How can organisations tell whether continuous compliance is working?
A: They should look for shorter exception resolution times, fewer unresolved control breaches, and evidence that compliance status updates automatically when payment activity changes. If reporting still depends on manual compilation, the process is not yet continuous. Good governance is visible in the speed and completeness of response, not just in documentation.
Technical breakdown
Why point-in-time compliance fails in real-time payment ecosystems
Point-in-time compliance means controls are assessed at a snapshot in time rather than continuously. That model can work when product change is slow, but it breaks down when transactions, merchant onboarding, and wallet usage are changing throughout the day. In a market like Indonesia, where BI-FAST and QRIS compress settlement and acceptance cycles, a delayed control check can leave material gaps between actual risk and recorded compliance state.
Practical implication: replace periodic reviews with continuous monitoring for payment events, merchant status, and exception handling.
How fragmented tools undermine payment governance
Fragmented compliance tooling creates blind spots because different systems hold different pieces of the evidence trail. One tool may track onboarding, another may store risk flags, and a third may record reporting status, but none of them gives a complete operational view. That fragmentation makes it difficult to prove control effectiveness when regulators or internal audit ask how compliance decisions were made across a fast-moving payment flow.
Practical implication: consolidate evidence sources so compliance status, exceptions, and remediation live in one auditable workflow.
What continuous, technology-enabled compliance actually changes
Continuous compliance is not just more frequent reporting. It is a shift from checking whether controls existed to checking whether they were still functioning as the business changed. That matters for embedded finance, mobile wallets, and real-time rails because governance must follow the same pace as the product. The control model becomes event-driven, with alerts, escalation paths, and evidence capture linked to live activity rather than retrospective review.
Practical implication: tie compliance checks to live product events, not calendar-based review cycles.
Breaches seen in the wild
- iOS app secrets leakage report — iOS apps leaking hardcoded secrets and credentials endangering user privacy.
- DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Continuous compliance is now the baseline expectation in real-time payment markets. Point-in-time assurance was designed for slower operating models where risk could be reviewed after the fact. That assumption fails when payment flows, wallet activity, and merchant acceptance are changing continuously, because compliance state can go stale before a review cycle finishes. Practitioners should treat compliance as an always-on control function, not a scheduled audit exercise.
Fragmentation creates governance debt even when individual controls look adequate. A market can appear well controlled while evidence is split across onboarding, monitoring, and reporting tools that do not reconcile cleanly. That gap is especially visible in fast-growing payment ecosystems where product expansion outpaces control integration. The practitioner lesson is that auditability depends on joined-up evidence, not isolated control ownership.
Indonesia’s payment growth is exposing a compliance architecture problem, not just a scaling problem. The article’s central signal is that real-time rails, QR standardisation, and embedded finance change the operating tempo of governance itself. Frameworks such as NIST Cybersecurity Framework 2.0 remain relevant because the issue is control effectiveness under change, not just control existence. Teams should re-evaluate whether their compliance model can keep pace with product velocity.
Technology-enabled compliance is becoming a category requirement rather than a maturity differentiator. When manual review is the only way to evidence control performance, growth forces a choice between coverage and speed. In this market, the old trade-off increasingly means losing both. Practitioners should assume that scalable payment governance will need automation, evidence correlation, and exception handling built into the operating model.
From our research:
- Companies are dedicating an average of 32.4% of their security budgets to secrets management and code security, with US organisations leading at 40.8%, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
- Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs is the next step for teams that need to connect continuous governance with lifecycle control.
What this signals
Continuous compliance will increasingly define whether payment programmes can scale without losing control. For teams building around real-time rails and embedded finance, the key question is no longer whether controls exist, but whether they can update at the speed of the business. That shift favours event-driven evidence, exception automation, and tighter correlation between operations and compliance.
Fragmentation in the control stack is becoming a governance risk, not just an operational inconvenience. When evidence is split across manual tools and point-in-time reviews, the organisation inherits delay, ambiguity, and weak accountability. That is exactly the kind of environment where compliance drift hides until it becomes visible to auditors or regulators.
The practical signal for practitioners is simple: if your compliance process cannot show a live relationship between product activity and control status, it will struggle in a market moving at real-time speed. For broader control context, teams should align governance design with NIST Cybersecurity Framework 2.0 and keep lifecycle evidence connected to the operating model.
For practitioners
- Map compliance controls to real-time payment events: tie onboarding, transaction monitoring, and exception handling to BI-FAST, wallet, and QRIS activity so governance updates as the system changes, not after the fact.
- Replace fragmented evidence stores with a single control record: consolidate audit evidence from risk, operations, and compliance teams into one workflow that shows who approved what, when, and on which payment activity.
- Automate exception escalation for payment rule breaches: trigger alerts and remediation tasks when merchant status, transaction patterns, or reporting obligations drift outside policy so reviewers do not rely on manual discovery.
- Benchmark governance cadence against product velocity: check whether your review cycle can still keep pace with the rate of payment product change, especially where embedded finance and mobile wallets are scaling quickly.
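The event-driven control model described in the technical breakdown and the four practitioner steps above can be made concrete in a few dozen lines. The following is an added example, not code from the original article or from SumSub: a minimal compliance monitor that re-evaluates controls on every payment event, writes each evaluation to one consolidated evidence record, opens an exception when a control fails and keeps it open until a remediation event closes it, and reports the metrics the article names (unresolved breaches and resolution time). The merchant identifier, control names, thresholds (three transactions in ten minutes) and the sample event stream are all constructed for illustration and are not BI-FAST, QRIS or Bank Indonesia rules.

```python
# Added example (not from the article or SumSub): an event-driven compliance
# monitor. Every payment event re-evaluates the controls that depend on it,
# appends one line to a single evidence record, and opens an exception that
# stays open until a remediation event closes it.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class PaymentEvent:
    ts: datetime
    kind: str      # "merchant_status" | "transaction" | "report" | "remediation"
    subject: str   # merchant identifier (constructed values below, not real merchants)
    data: dict


@dataclass
class Breach:
    control: str
    subject: str
    opened: datetime
    detail: str
    resolved: Optional[datetime] = None


class ComplianceMonitor:
    """Single control record: evaluations, exceptions and remediation in one place."""

    def __init__(self, velocity_limit=3, velocity_window=timedelta(minutes=10)):
        self.evidence = []          # every control evaluation, in event order
        self.breaches = []          # exception queue, open until remediated
        self.merchant_status = {}   # last known standing per merchant
        self.tx_times = {}          # recent transaction timestamps per merchant
        self.velocity_limit = velocity_limit
        self.velocity_window = velocity_window

    def _record(self, ev, control, status, detail):
        self.evidence.append({"ts": ev.ts, "control": control, "subject": ev.subject,
                              "status": status, "event": ev.kind, "detail": detail})

    def _escalate(self, ev, control, detail):
        # One open exception per (control, subject): repeated failures add evidence, not duplicates.
        if any(b.control == control and b.subject == ev.subject and b.resolved is None
               for b in self.breaches):
            return
        self.breaches.append(Breach(control, ev.subject, ev.ts, detail))

    def _check(self, ev, control, passed, detail):
        self._record(ev, control, "pass" if passed else "fail", detail)
        if not passed:
            self._escalate(ev, control, detail)

    def ingest(self, ev):
        if ev.kind == "merchant_status":
            status = ev.data["status"]
            self.merchant_status[ev.subject] = status
            self._check(ev, "MERCHANT_STANDING", status == "active", f"status={status}")
        elif ev.kind == "transaction":
            # Control 1: no acceptance from a merchant that is not in good standing.
            status = self.merchant_status.get(ev.subject, "unknown")
            self._check(ev, "TX_ON_INACTIVE_MERCHANT", status == "active", f"merchant status={status}")
            # Control 2: transaction velocity inside a sliding window (hypothetical limit).
            recent = [t for t in self.tx_times.get(ev.subject, []) if ev.ts - t <= self.velocity_window]
            recent.append(ev.ts)
            self.tx_times[ev.subject] = recent
            self._check(ev, "TX_VELOCITY", len(recent) <= self.velocity_limit,
                        f"{len(recent)} tx in {self.velocity_window}")
        elif ev.kind == "report":
            # Control 3: a reporting obligation met on or before its due date.
            self._check(ev, "REPORTING_OBLIGATION", ev.ts <= ev.data["due"],
                        f"{ev.data['name']} due {ev.data['due'].isoformat()}")
        elif ev.kind == "remediation":
            for b in self.breaches:
                if b.subject == ev.subject and b.control == ev.data["control"] and b.resolved is None:
                    b.resolved = ev.ts
            self._record(ev, ev.data["control"], "remediated", ev.data.get("note", ""))

    def metrics(self):
        """The signals the article names: unresolved breaches and resolution time."""
        open_ = [b for b in self.breaches if b.resolved is None]
        closed = [b for b in self.breaches if b.resolved is not None]
        mean = (sum((b.resolved - b.opened).total_seconds() for b in closed) / len(closed)
                if closed else None)
        return {"open_breaches": len(open_), "resolved_breaches": len(closed),
                "mean_resolution_seconds": mean, "evidence_entries": len(self.evidence)}


# Constructed sample stream for a hypothetical merchant "M-1001" (amounts in IDR).
T0 = datetime(2026, 1, 15, 9, 0)
SAMPLE_EVENTS = [
    PaymentEvent(T0, "merchant_status", "M-1001", {"status": "active"}),
    PaymentEvent(T0 + timedelta(minutes=1), "transaction", "M-1001", {"amount": 150000}),
    PaymentEvent(T0 + timedelta(minutes=2), "transaction", "M-1001", {"amount": 200000}),
    PaymentEvent(T0 + timedelta(minutes=3), "merchant_status", "M-1001", {"status": "suspended"}),
    PaymentEvent(T0 + timedelta(minutes=4), "transaction", "M-1001", {"amount": 75000}),
    PaymentEvent(T0 + timedelta(minutes=5), "transaction", "M-1001", {"amount": 50000}),
    PaymentEvent(T0 + timedelta(minutes=6), "report", "M-1001",
                 {"name": "monthly_filing", "due": T0 - timedelta(days=1)}),
    PaymentEvent(T0 + timedelta(minutes=20), "remediation", "M-1001",
                 {"control": "TX_ON_INACTIVE_MERCHANT", "note": "acceptance disabled"}),
]


def run_sample(events=SAMPLE_EVENTS):
    monitor = ComplianceMonitor()
    for ev in events:
        monitor.ingest(ev)
    return monitor


if __name__ == "__main__":
    m = run_sample()
    for row in m.evidence:
        print(row["ts"].time(), row["control"], row["status"], row["detail"])
    print(m.metrics())
```

Running the sample stream shows the point of the model: the suspension at 09:03 is recorded the moment it happens, the two transactions accepted afterwards fail a control on the same record, and the report filed late opens its own exception. A quarterly snapshot would show only the final state; the evidence list shows when each control passed or failed and which event drove it, and `metrics()` exposes the open-breach count and mean resolution time that the article suggests watching.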
Key takeaways
- Indonesia’s payments growth is outpacing the compliance methods many providers still rely on, especially where real-time rails and mobile wallets change risk continuously.
- Fragmented tools and manual reviews create evidence gaps that make it harder to prove control effectiveness when regulators or auditors ask for it.
- Teams need continuous, technology-enabled compliance tied to live payment activity if they want governance to keep pace with product velocity.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.DS | Continuous evidence and monitoring are central to payment compliance in fast-moving environments. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Payment governance needs continuous verification as access and activity shift in real time. |
| NIST SP 800-63 | | Federated access and identity assurance matter where payment operations depend on user trust. |
Apply continuous verification to payment workflows and revalidate control status on each major event.
Key terms
- Point-in-time Compliance: A compliance model that evaluates controls at a single moment rather than continuously. It can confirm that evidence existed on a given date, but it cannot show whether the control remained effective as systems, transactions, or access patterns changed afterwards.
- Continuous Compliance: A governance approach that ties control monitoring, evidence collection, and exception handling to live operational activity. In payment environments, it replaces periodic checks with an always-on view of whether controls are still functioning as the business changes.
- Embedded Finance: Financial services delivered inside a non-bank product or workflow, such as payments inside a platform or app. It increases governance complexity because compliance responsibilities move across product, operations, and partner boundaries while transaction speed stays high.
- Control Fragmentation: A condition where compliance evidence, monitoring, and approvals are spread across disconnected tools or teams. Fragmentation makes it harder to reconcile the full control picture, which weakens auditability and delays response when a payment process drifts out of policy.
Deepen your knowledge
Payment compliance in real-time environments is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are aligning governance to fast-moving payment systems, it is worth exploring.
This post draws on content published by SumSub: Indonesia's regulatory framework for payments and the move toward continuous compliance. Read the original.
Published by the NHIMG editorial team on 2026-06-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org