Indonesian Political, Business & Finance News

Urgency of Digital Transaction Security Standards

| Source: TEMPO_ID Translated from Indonesian | Regulation

TEMPO IMPACT - Indonesia’s national banking industry faced a serious test in 2025 when a digital security disruption incident targeted one of the transaction processing channels. The incident did not directly target customer accounts but infiltrated the intermediary layer (middleware) that is part of the interbank fund transfer process.

From that point, funds were redirected to several special accounts and some were subsequently transferred to crypto assets. This scheme made tracking more complex because the funds moved quickly across various channels.

Indeed, digital transformation has made financial transactions faster, easier, and more connected. However, behind this convenience, security is the primary foundation that cannot be compromised.

As the Regulator and Supervisor of the Payment System, Bank Indonesia (BI) has conducted an evaluation of last year’s incident. “The evaluation results identified vulnerabilities in the bank’s Information Technology (IT) infrastructure that are susceptible and potentially exploitable by fraudsters,” said the Head of the Payment System Surveillance and Consumer Protection Department of BI, Anton Daryono.

According to Anton, repairs to these vulnerabilities have been requested, in accordance with applicable standards and best practices used by Payment System Service Providers (PSP). He said that under the Principles for Financial Market Infrastructures (PFMI) framework, BI manages risks arising from participants (participant-generated risk). “Therefore, our attention is not only on the security of the core system but also on strengthening controls and mandatory security standards that must be met by all participants.”

BI has asked the bank that experienced the hacking incident to make several improvements, particularly related to the reliability of the information technology infrastructure for the payment system (IT SP) and the operational services of the payment system (SP). “The bank has been asked to strengthen aspects of information system security and cyber resilience, including enhancing governance, prevention, detection, response, and recovery related to cyber incidents,” he said.

Banks, he continued, have also been asked to strengthen management of cooperating parties for SP services. These improvements are continuously monitored by Bank Indonesia. In addition, BI is also continuing to strengthen regulations governing BI-FAST participation, particularly from a security perspective.

The General Chairman of the National Banks Association (PERBANAS) for the 2024-2028 period, Hery Gunardi, said that the steps taken by the banks are to make improvements and developments in line with the regulator’s directives to effectively increase the level of security.

Based on Otoritas Jasa Keuangan (OJK) Circular Letter Number 29/SEOJK.03/2022 on Cyber Resilience and Security for Commercial Banks, the regulator has established several assessment matrices, including: the Inherent Risk Assessment Matrix related to Cyber Security; the Risk Management Quality Assessment Matrix related to Cyber Security; the Cyber Resilience Process Implementation Quality Assessment Matrix; and the Cyber Security Maturity Level Assessment Matrix.

“All the above assessment matrices are continuous processes that are measurable, supervised, and reported to the OJK according to the established reporting schedule. This step is also our joint commitment with the regulator to create quality banking services that are safe and comfortable,” said Hery.

Meanwhile, the Chairman of the Indonesian Payment System Association (ASPI), Santoso Liem, said that financial transaction intermediary institutions as Payment System Infrastructure Providers (PIP) are required to implement strict security standards according to their role in bridging interbank transactions, including meeting international security standard certifications.

According to him, security in the middleware layer, both between intermediary institutions and Payment Service Providers (PJP) and between PJP and BI-FAST infrastructure, must refer to the same standards to avoid risk gaps in the integration process.

Intermediary institutions are required to comply with security principles and regulations issued by BI. They must undergo IT audits and penetration tests by IT auditors registered with ASPI. “Financial transaction intermediary institutions must also implement fraud detection systems to detect transaction anomalies and immediately inform connected member banks, so that prevention or transaction delays can be carried out, even up to payment channel closures,” he said.

As a partner of BI, said Santoso, ASPI encourages all stakeholders to base their actions on Bank Indonesia Regulation (PBI) Number 2 of 2024 on Information System Security and Cyber Resilience for Payment System Providers, Money Market and Foreign Exchange Market Players, and Other Parties Regulated and Supervised by Bank Indonesia; Bank Indonesia Regulation Number 10 of 2025 on Payment System Industry Regulation (PBI PISP); and Board of Governors Member Regulation Number 32 of 2025 on Payment System Industry Regulation. “These regulations must be implemented by all stakeholders for collective security in our digital transaction space. So the regulations are already comprehensive,” said Santoso.

The Chairman of the OJK Board of Commissioners, Friderica Widyasari Dewi, said that digital innovations, including in payment systems and banking services, do drive efficiency and financial inclusion, but at the same time also present new risks, including cybercrime and digital fraud. According to her, strengthening digital literacy, information technology governance, and synergy among authorities are key in anticipating these risks.

“We are synergising to build a young generation that can become successors to have digital innovations. But of course, there must also be consumer protection aspects. Especially how to anticipate various risks that arise from this digitalisation,” she said.
