Indonesia payments compliance is changing fast, what should teams do?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 4368
Topic starter  

TL;DR: Indonesia’s payments market is growing at a 17.74% CAGR from 2026 to 2031, driven by BI-FAST, mobile wallets, and QRIS, while compliance still relies on fragmented tools and manual point-in-time checks, according to SumSub. The gap is now operational, not theoretical: payments teams need continuous, technology-enabled governance rather than periodic review cycles.

NHIMG editorial — based on content published by SumSub: Indonesia's regulatory framework for payments and the move toward continuous compliance

Questions worth separating out

Q: How should payment teams govern compliance in real-time payment environments?

A: They should move from periodic review to continuous evidence collection, with controls tied to live payment events, merchant status changes, and exception handling.

Q: Why do fragmented compliance tools create risk in fast-growing payment markets?

A: Fragmented tools split the evidence trail across multiple systems, making it hard to prove whether a control was effective at the moment it mattered.

Q: What do teams get wrong about point-in-time compliance checks?

A: They often treat a snapshot as proof that a control is working, when it only shows the control existed at one moment.

Practitioner guidance

  • Map compliance controls to real-time payment events: Tie onboarding, transaction monitoring, and exception handling to BI-FAST, wallet, and QRIS activity so governance updates as the system changes, not after the fact.
  • Replace fragmented evidence stores with a single control record: Consolidate audit evidence from risk, operations, and compliance teams into one workflow that shows who approved what, when, and on which payment activity.
  • Automate exception escalation for payment rule breaches: Trigger alerts and remediation tasks when merchant status, transaction patterns, or reporting obligations drift outside policy so reviewers do not rely on manual discovery.

What's in the full article

SumSub's full guide covers the operational detail this post intentionally leaves for the source:

  • A practical breakdown of Indonesia’s payment regulatory landscape and where the main compliance obligations sit.
  • The guide’s explanation of BI-FAST, QRIS, and embedded finance from a market-participant perspective.
  • The paper’s detailed discussion of why point-in-time checks are failing in fast-moving payment operations.
  • The downloadable English and Bahasa Indonesia versions for teams that need to share the material internally.

👉 Read SumSub's guide on Indonesia’s payment compliance framework →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 2799
 

Continuous compliance is now the baseline expectation in real-time payment markets. Point-in-time assurance was designed for slower operating models where risk could be reviewed after the fact. That assumption fails when payment flows, wallet activity, and merchant acceptance are changing continuously, because compliance state can go stale before a review cycle finishes. Practitioners should treat compliance as an always-on control function, not a scheduled audit exercise.

A few things that frame the scale:

  • Companies are dedicating an average of 32.4% of their security budgets to secrets management and code security, with US organisations leading at 40.8%, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.

A question worth separating out:

Q: How can organisations tell whether continuous compliance is working?

A: They should look for shorter exception resolution times, fewer unresolved control breaches, and evidence that compliance status updates automatically when payment activity changes. If reporting still depends on manual compilation, the process is not yet continuous. Good governance is visible in the speed and completeness of response, not just in documentation.

👉 Read our full editorial: Indonesia’s payment growth is outpacing compliance controls



   