PADG Number 32 of 2025 Regulates the Payment System Industry, Tightens Licensing, and Strict Sanctions Await!

Introduction

On 24 December 2025, Bank Indonesia issued Regulation of Members of the Board of Governors Number 32 of 2025 on the Regulation of the Payment System Industry (“PADG 32/2025”), which shall take effect on 31 March 2026. This Regulation implements Bank Indonesia Regulation Number 10 of 2025 on the Regulation of the Payment System Industry, in order to ensure alignment of industry regulation with the duties and authorities of Bank Indonesia.

PADG 32/2025 is established to support the maintenance of payment system stability through various key initiatives set out in the Indonesian Payment System Blueprint. Bank Indonesia considers it necessary to provide more detailed implementation guidelines for the application of industry regulation, covering activities, products, industry structure, and risk management, in order to ensure regulatory continuity and to create a sound and competitive ecosystem.

 

Comparison

This Regulation revokes and replaces Regulation of Members of the Board of Governors Number 24/7/PADG/2022 on the Implementation of Payment Systems by Payment Service Providers and Payment System Infrastructure Providers (“PADG 24/2022”). The following table sets out a comparison between PADG 32/2025 and PADG 24/2022:

 

Key Provisions

Performance Assessment through TIKMI (Transaction, Interconnection, Competence, Risk Management, and IT Infrastructure)

Under Article 63, Bank Indonesia designates TIKMI as the standard for performance assessment and classification of Payment System Service Providers (PSPs). Article 64 affirms that the results of the TIKMI assessment serve as a vital reference for Bank Indonesia in granting licenses, making designations, approving product development, granting participation access, and conducting supervision. Bank Indonesia assesses TIKMI using variables such as transaction volume, inter-PSP connectivity, human resource certification, and the reliability of cybersecurity systems. PSPs are required to conduct self-assessments of TIKMI compliance and to submit such assessments periodically to Bank Indonesia.

Industry Structure and Activity Packages (Bundling) for PSPs

Bank Indonesia regulates the industry structure by classifying PSPs into Principal PSPs and Non-Principal PSPs, with such designation based on TIKMI results. Article 84 details the determination of PSP Activity Packages (Bundling), as follows:

1. Package 1: Fund source administration activities (such as electronic money) and payment transaction processing. This package is further divided into Package 1A (exclusively for Principal PSPs) and Package 1B.
2. Package 2: Payment transaction processing activities (such as payment gateways) and fund transfer instruction processing.
3. Package 3: Activities limited to the processing of non-digital fund transfer instructions (remittance).

Stricter Capital Requirements

Pursuant to Article 162, Payment Service Providers (PSPs) and Payment System Infrastructure Providers (PSIPs) are required to meet two types of capital requirements, namely Minimum Paid-Up Capital (Initial Capital) and Capital During the Conduct of Business Activities (Ongoing Capital). Initial Capital ranges from IDR 500 million (for certain Package 3 activities) to IDR 100 billion (for PSIPs). Ongoing Capital is calculated using a capital adequacy ratio (at least 10% of risk-weighted transactions), plus a surcharge of 1.5% to 5% for PSPs with high transaction and interconnection risk profiles.

Regulation of Fund Sources and Electronic Money

Article 21 provides that parties operating closed-loop electronic money with float funds of at least IDR 1,000,000,000.00 (one billion rupiah) are required to obtain a license as a PSP. Furthermore, Article 23 requires PSPs issuing electronic money to place at least 30% of float funds in cash or demand deposits at KBMI 4 (BUKU 4) banks, and no more than 70% in government securities or accounts at Bank Indonesia.

Technological Innovation and Regulatory Sandbox

Bank Indonesia facilitates innovation through a regulatory sandbox as provided under Article 50. The sandbox applies to innovations that have not yet been widely used or that constitute policy innovations. Article 59 stipulates that where a sandbox trial is declared “successful,” participants are prohibited from marketing the product prior to obtaining the relevant license or approval. Conversely, where a trial is declared “unsuccessful,” participants are strictly prohibited from marketing the product or business model.

Cybersecurity and Fraud Risk Management

Under Article 169, PSPs are required to maintain a fraud management system capable of detecting fraudulent activities at the account, network, and transaction levels. PSPs are also required to conduct comprehensive end-to-end information technology audits and security testing (penetration tests) by independent external auditors. Specifically for transactions involving access to fund sources, Article 122 mandates the implementation of two-factor authentication and transaction alerts.

 

Sanctions

Under Article 213, Bank Indonesia is authorized to determine and adjust the type, amount, and timing of sanctions based on the level of violation and its impact. Article 214 further details the forms of sanctions that may be imposed on PSPs, management (Directors/Commissioners), shareholders, and Supporting Service Providers. Such sanctions include written warnings, fines, activity restrictions, temporary suspension of activities or products, and revocation of licenses. In addition, several provisions stipulate specific monetary sanctions for other violations, including:

1. Article 69 paragraph (3): A fine of IDR 5,000,000.00 for PSPs that fail to submit TIKMI self-assessments.
2. Article 75 paragraph (4): A written warning for PSPs that submit SBP and/or RBSP late or fail to submit them.
3. Article 131 paragraphs (5) and (6): A late reporting fine for standard development reports (IDR 500,000.00 per day) and a non-reporting fine (IDR 20,000,000.00).
4. Article 132 paragraph (1): A fine of IDR 30,000,000.00 for PSPs that develop activities or products without Bank Indonesia approval or outside the RBSP.
5. Article 207 paragraph (2): A fine of IDR 5,000,000.00 per report for PSPs that fail to fulfill certain periodic or incidental reporting obligations.

Transitional Provisions

Pursuant to Article 236, the results of the TIKMI assessment of PSPs shall be determined by Bank Indonesia for the first time no later than 1 April 2027. Furthermore, Article 237 provides that parties currently undergoing licensing, designation, or product development approval processes at the time this Regulation comes into force (31 March 2026) are required to promptly adjust to the new requirements set forth in PADG 32/2025.

Other technical implementing regulations, such as guidelines on the implementation of Card-Based Payment Instruments (APMK) and Digital Financial Services (LKD) issued prior to this Regulation, remain valid insofar as they do not conflict with PADG 32/2025.

 

Closing

PADG 32/2025 introduces significant implications for all participants in the payment system industry, ranging from commercial banks to fintech companies. Businesses are now required not only to meet initial capital requirements, but also to maintain ongoing capital, the amount of which may increase in accordance with the company’s risk profile. Furthermore, compliance with TIKMI standards requires companies to strengthen technological infrastructure, human resource competence, and risk management. Failure to comply with these new regulatory requirements may result in a downgrade of business license classification and the imposition of severe sanctions.