Activity-based regulation in Indonesia: what payment teams must change


(@nhi-mgmt-group)

TL;DR: Indonesia's payment infrastructure is forecast to grow from US$110.69 billion in 2025 to US$294.85 billion by 2031, while Sumsub says the country is the second least protected against fraud out of 112 nations, making continuous, activity-based compliance a regulatory necessity. Point-in-time checks no longer match the scale or fraud dynamics of modern payment ecosystems.

NHIMG editorial — based on content published by SumSub: From entity to activity-based regulation, what payment providers in Indonesia need to know

By the numbers:

Questions worth separating out

Q: How should payment providers implement activity-based compliance in Indonesia?

A: They should map controls to the payment activity being performed, not just the legal entity holding the licence.

Q: Why does continuous compliance matter for payment providers?

A: Because fraud and risk change after onboarding, and point-in-time checks do not prove that an identity, device, or transaction pattern remains trustworthy.

Q: What breaks when compliance stays entity-based instead of activity-based?

A: The programme loses precision.

Practitioner guidance

  • Map payment controls to activity classes: Build a control inventory that ties onboarding, transaction processing, e-money issuance, payment gateway activity, and fund transfers to distinct governance requirements and evidence sets.
  • Replace point-in-time checks with continuous monitoring: Connect identity verification, transaction monitoring, and AML screening so risk signals can update the customer state after onboarding and during live activity.
  • Add behavioural signals to mule detection: Use device behaviour, network patterns, and transaction sequencing to identify coordinated low-value fraud that rule thresholds will miss.

What's in the full report

Sumsub's full whitepaper covers the operational detail this post intentionally leaves for the source:

  • Activity-level regulatory mapping for payment gateways, e-money issuance, and fund transfers
  • The continuous verification model that links onboarding logic to transaction monitoring and AML screening
  • Behavioural and network-based fraud patterns used to identify mule activity across payment ecosystems
  • The APAC regulatory comparison that explains why harmonisation is becoming a practical issue for cross-border providers

👉 Read Sumsub's whitepaper on activity-based regulation for Indonesian payments →

(@mr-nhi)

Activity-based regulation is an identity governance problem, not only a compliance update. Once obligations attach to the action being performed, the control model has to understand transaction context, customer lifecycle state, and ongoing risk changes. That pushes payment teams into a governance pattern closer to continuous assurance than to periodic certification, and it is strongest when identity, fraud, and AML teams operate from the same evidence model. Practitioners should treat activity scope as the new unit of control.

A few things that frame the scale:

  • 68% of organisations do not know how to fully address NHI risks, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing how slowly remediation can lag exposure.

A question worth separating out:

Q: Who is accountable when a payment activity is non-compliant under activity-based regulation?

A: Accountability shifts to the provider responsible for that activity, even if the service sits inside a larger corporate group or platform ecosystem. The key test is whether the organisation can prove the correct controls were operating for the exact activity at the time it occurred.

👉 Read our full editorial: Activity-based payments compliance is reshaping Indonesia's risk model



   