KYC Requirements in Indonesia

The financial sector in Indonesia operates under strict Know Your Customer (KYC) regulation, which is applied to prevent money laundering, terrorism financing, and other financial crimes. As Indonesia's financial space grows, with the rise of financing and cryptocurrency platforms, so does the complexity of its KYC frameworks. For organizations that operate in Indonesia, understanding these obligations is important, especially for long-term credibility and risk management.

What Is KYC and Why Does It Matter in Indonesia?

Know Your Customer (KYC) is a foundational compliance requirement for entities and designated non-financial businesses (DNFBs) in Indonesia. It plays a significant role in securing the financial system by ensuring that entities verify the identities of their clients, assess potential risks, and detect suspicious activities early.

Indonesia's KYC framework falls under Law No. 8 of 2010 on the Prevention and Eradication of Money Laundering, with additional regulations laying out the responsibilities of regulatory entities. These measures include customer due diligence (CDD), ongoing transaction monitoring, and storing customer records. This legislation highlights KYC as a tool for maintaining financial stability and aligning Indonesia with global anti-financial crime standards.

Obligations are not limited to traditional banks; they also apply to a broader range of entities, including fintech startups, cryptocurrency exchanges, insurance companies, securities firms, and certain non-financial businesses. This approach shows that regulators recognize that financial risks can now arise across a wider range of businesses.

Who Regulates KYC Compliance in Indonesia?

Indonesia's KYC compliance obligations are enforced by multiple authorities that together ensure comprehensive oversight of the country's diverse financial system. Each of these regulators has distinct responsibilities, and through their cooperation, they work to prevent financial crime and foster integrity in the national financial system.

The Central Financial Transaction Reporters and Analysis (PPATK), the Indonesian Financial Intelligence Unit, is the country's leading regulator for anti-money laundering and counter-terrorism financing (CTF). PPATK is responsible for receiving and analyzing Suspicious Transaction Reports (STR), which provide strategic and operational financial intelligence. On that basis, it issues KYC guidance for both financial and non-financial reporting entities. It also maintains national data and information on high-risk individuals and entities.

The Financial Services Authority, also known as Otoritas Jasa Keuangan (OJK), is responsible for overseeing a broad range of financial institutions, which include banks, insurance firms, securities firms, and fintech providers. OJK has established sector-specific KYC and Customer Due Diligence (CDD) standards. It monitors compliance through regular supervisory audits and enforces penalties for non-compliance. This regulatory authority regularly issues rules and provides detailed procedural requirements that are specific to each financial sector under its jurisdiction.

Bank Indonesia (BI) regulates payment systems, remittance services, and electronic money (e-money). Its KYC oversight focuses on ensuring that entities within the payment system implement identity verification and transaction monitoring procedures that align with national standards and financial stability goals. As digital payments have become increasingly common, BI's oversight of KYC practices among payment service providers has also developed significantly.

Bappebti, the regulator for crypto and commodities, is responsible for regulating Virtual Asset Service Providers (VASPs) and other cryptocurrency platforms within Indonesia's broader AML framework. Because virtual asset transactions carry potential risks of anonymity and fast fund movement, Bappebti requires KYC protocols for crypto exchanges, which include customer verification, transaction monitoring, and ongoing reporting obligations relevant to the digital asset sector.

KYC Requirements in Indonesia

Customer Due Diligence (CDD)

Customer Due Diligence forms the base of Indonesia's KYC system. Institutions and entities are obligated to perform CDD before entering any business relationship or when transactions exceed the defined threshold. The steps include:

  • Verifying the customer's identity
  • Understanding the purpose and motive of the business relationship
  • Conducting a risk assessment depending on factors such as occupation, geographical exposure, transaction behavior, and the source of funds

Enhanced Due Diligence (EDD)

When a customer or transaction is perceived as posing a high risk of money laundering or terrorist financing, Enhanced Due Diligence (EDD) measures are required. The EDD procedure includes:

  • Stricter identity verification
  • Increased scrutiny of the customer's background, source of funds, and transaction history
  • Increased ongoing monitoring

The main focus of EDD is identifying Politically Exposed Persons (PEPs), a category that includes high-ranking officials and anyone who could be related to them. Financial institutions are required to have systems that detect PEPs smoothly during onboarding and then reassess their status throughout the business relationship.

Ongoing Monitoring

KYC compliance does not end after onboarding. Institutions are also expected to conduct regular and consistent monitoring of customer accounts and transactions to detect errors or suspicious customer behavior, which includes:

  • Monitoring transaction consistency with the customer's known profile
  • Investigating unusual activity
  • Filing Suspicious Transaction Reports (STRs)

Ongoing monitoring depends on technology such as automated alerts and behavioral analytics to intervene in a timely manner.

Record-Keeping Obligations

To support regulatory oversight and potential law enforcement actions, financial institutions are required to store and maintain KYC records and transaction information for a minimum of 5 years after the end of the customer relationship. The records must include:

  • Customer identification documents
  • Verification and risk assessment documentation
  • Records of transactions and due diligence measures that were taken

Sector-Specific KYC Requirements

Banking Sector

In the banking sector, institutions are most likely to be subjected to the strictest KYC requirements. Because of their central position in the financial system, banks are required to apply full Customer Due Diligence (CDD) protocols for all customer onboarding activities. This includes comprehensive identity verification for both individuals and legal entities. Assessment of the purpose and risk profiling is done according to the guidelines of the OJK and Bank Indonesia. Banks are also required to apply enhanced due diligence if high risk is identified, and to maintain a robust transaction monitoring system in order to detect errors or suspicious behavior.

Fintech Sector

The fintech sector, which includes fintech lenders, P2P lending platforms, and other digital financial services, is governed by KYC requirements. Under OJK Circular No. 12/SEOJK.03/2022, fintech firms and entities are obligated to implement e-KYC processes that allow for secure remote customer verification. These processes should be applied according to the risk levels associated with different products, transaction volumes, and user demographics, which ensures the customer onboarding process is both compliant and user-friendly.

Cryptocurrency Sector

VASPs operating within Indonesia must comply with AML and KYC rules that address the clear risks associated with virtual asset transactions. Customer identity should be verified before any trading activities. VASPs are also obligated to maintain detailed records of all customer interactions and be prepared to report suspicious transactions to the Indonesian Financial Intelligence Unit (PPATK).

Insurance and Securities Sectors

Insurance companies are obligated to assess customer suitability and verify identities on policy purchases, specifically for life insurance products, which involve large or long-term contracts. On top of that, they must verify the identities of investors, investment objectives, and monitor for any potentially suspicious patterns such as layering, wash trading, or abnormal fund movements.

How Sanction Scanner Supports KYC in Indonesia

Sanction Scanner helps regulated entities across sectors to meet their KYC and AML obligations according to PPATK, OJK, Bank Indonesia, and Bappebti requirements. Our automated tools are available to help you stay compliant, reduce manual work, and improve detection accuracy.

Key capabilities:

  • Real-Time Sanctions & PEP Screening

Instantly screen individuals and entities against global, ASEAN, and domestic watchlists such as UN, OFAC, EU, and Indonesian political exposure lists.

  • Customer Risk Scoring Engine

Automatically assess customer risk depending on factors such as jurisdiction, transaction volume, occupation, and account behavior.

  • Adverse Media Monitoring (in Bahasa & English)

Monitor real-time news sources and online content for potential reputational threats and risks that could be linked to customers.

  • STR Reporting Support for PPATK

Simplify STR generation with audit-ready templates, resulting in timely and accurate submission to PPATK.

FAQ

KYC (Know Your Customer) in Indonesia refers to the mandatory process of verifying the identity of clients to prevent money laundering and financial crimes.

Banks, fintech companies, insurance firms, and other financial institutions regulated by OJK (Financial Services Authority) must comply with KYC requirements.

Typically, individuals need to provide a valid ID (such as KTP or passport), proof of address, and sometimes biometric data or a selfie for verification.

Yes, e-KYC is permitted and increasingly adopted in Indonesia, especially in digital banking and fintech sectors, with guidance from OJK.

The KYC process includes customer identification, verification, risk assessment, and ongoing monitoring for suspicious activities.

By identifying and monitoring customers, KYC helps financial institutions detect and report suspicious transactions, aligning with Indonesia’s AML/CFT regulations.

OJK supervises and enforces KYC and AML compliance among financial institutions through regulations, audits, and penalties.

Yes, institutions that fail to comply with KYC obligations may face administrative sanctions, fines, or revocation of licenses by OJK.

ABOUT THE AUTHOR

Team Sanction Scanner

Group of experts from Sanction Scanner Team