BI Payment System Compliance

Bank Indonesia (BI) regulates payment service providers (PJP) and payment system infrastructure operators (PIP) through two parallel instruments: PBI 23/6/PBI/2021 for PJP governance and PBI 23/7/PBI/2021 for PIP governance. Both require internal and external IS (information system) audits, incident reporting, and operational governance controls. QRIS — the national QR payment standard — is further governed by PADG 21/18/PADG/2019, amended by Governor Regulation No. 3/2025 (effective 19 February 2025), covering interoperability, security, and efficiency requirements. Search the BI regulations page for PADG 3/2025 for the current text.

caution

This page is engineering guidance for teams building governed payment AI on AxonFlow. It is not legal advice. Validate the regulatory mapping with your legal and compliance teams before relying on it for BI audits or supervisory interactions.

The BI instruments that apply today

PBI 23/6/PBI/2021 — Payment Service Providers (PJP)

PBI 23/6 establishes governance requirements for payment service providers:

  • IS audit cadence: internal IS audit at least annually; external IS audit when directed by BI or when material system changes occur
  • Incident reporting: PJP must report payment system incidents to BI. Failure to report carries a penalty of IDR 7.5 million per missed report
  • IT governance: board-level oversight of payment system technology, risk management, and outsourcing arrangements
  • Data protection: customer payment data must be processed and stored within Indonesian territory, with exceptions requiring BI approval

PBI 23/7/PBI/2021 — Payment System Infrastructure Operators (PIP)

PBI 23/7 mirrors PBI 23/6 for infrastructure operators (switching services, clearing houses, settlement systems):

  • Same IS-audit cadence requirements as PJP
  • Same incident-reporting obligations and penalties
  • Additional requirements for system availability, disaster recovery, and business continuity
  • Infrastructure operators face stricter uptime and resilience expectations

QRIS PADG 3/2025 — QR payment interoperability and security

Governor Regulation No. 3/2025 (amending PADG 21/18/PADG/2019) strengthens QRIS governance:

  • Interoperability: QRIS is now interoperable with Malaysia (DuitNow), Singapore (PayNow/NETS), Thailand (PromptPay), China (UnionPay), and Japan (specific schemes). Cross-border QRIS transactions carry additional audit and reconciliation requirements.
  • Security: merchants and acquirers must implement fraud-detection controls; AI-assisted fraud screening falls under the governance framework.
  • Efficiency: BI expects QRIS processors to demonstrate operational efficiency, including transaction-processing times and error rates.

A concrete example: QRIS acquirer with AI fraud detection

A payment service provider operating as a QRIS acquirer deploys an AI fraud-detection model that screens every inbound QRIS payment for anomalies — velocity checks, merchant-category risk, cross-border pattern detection.

What BI asks the PJP to demonstrate:

  • PBI 23/6 IS audit: the fraud-detection AI is covered in the annual IS audit, including model performance metrics, false-positive rates, and change-management records.
  • PBI 23/6 incident reporting: when the AI system incorrectly blocks legitimate transactions above a threshold, the PJP must report the incident to BI.
  • PADG 3/2025 security: fraud-detection controls are part of the QRIS governance framework; the PJP must demonstrate that controls are proportionate to transaction risk.

How it maps to AxonFlow tiers:

Enterprise endpoints for Indonesian compliance are served through a shared OJK compliance module at /api/v1/ojk/*, covering OJK, BI, and UU PDP frameworks through a single API surface with framework-specific parameters.

| Need | Community | Evaluation | Enterprise |
|---|---|---|---|
| Bank-account / virtual-account detection (BCA, Mandiri, BRI, BNI) | System policies — context-anchored patterns | Same | Same + enhanced validation |
| Indonesian mobile number (+62) detection | System policies (sys_pii_indonesia_phone) | Same | Same |
| Policy enforcement on every LLM + MCP call (PBI 23/6 IT governance) | Yes | Yes | Yes |
| Full audit trail for IS audit evidence (PBI 23/6 annual IS audit) | Yes (3-day retention) | Same (14-day) | Same + 10-year retention |
| HITL review on high-value transaction decisions | Can emit; no queue | HITL approval queue | Production HITL queue + portal |
| OJK audit export for BI supervisory review | Not provided | Not provided | POST /api/v1/ojk/audit/export with framework: "BI_PJP" |
| Incident reporting evidence | Not provided | Not provided | OJK export with incident-window date filters |
| QRIS-specific governance template | Not provided | Not provided | Policy templates for QRIS fraud-detection workflows |
| Kill switch for unsafe AI behavior in payment paths | Not provided | Not provided | Global / organization / system scope shutdown |

IS audit cadence and AxonFlow's role

BI's IS-audit requirements are annual at minimum, with ad-hoc audits triggered by material system changes. For teams using AI in payment processing, AxonFlow's audit trail and export capabilities map directly to the evidence an IS auditor expects:

| IS audit question | AxonFlow evidence surface |
|---|---|
| What AI decisions were made in this period? | Audit trail with decision_id, policy_id, and timestamp |
| Who approved material decisions? | HITL approval records with user_id and approval timestamp |
| What policies were enforced? | Policy-enforcement logs with category, action, and severity |
| Were PII protections active? | PII-detection logs showing NIK/NPWP/bank-account redactions |
| Was there an incident? When was it detected? | Export with incident-window date filters; OJK readiness check |

What Community covers

Community is a credible starting point for BI-relevant engineering work:

  • audit logging with decision chain and policy attribution
  • policy enforcement on every LLM and MCP call through the payment-processing workflow
  • Indonesia-relevant PII protection: bank-account patterns for BCA (10-digit), Mandiri (13-digit), BRI (15-digit), and BNI (10-digit), plus Indonesian mobile (+62) detection
  • governed execution paths that IS auditors can review

Industry playbook

QRIS acquirers and merchants

This is the concrete flow described above. AI-assisted fraud detection on QRIS rails benefits from AxonFlow's policy enforcement and audit trail. The annual IS audit requires evidence of model governance; AxonFlow's structured export produces that evidence.

E-money and digital wallet providers

E-money providers (GoPay, OVO, DANA, ShopeePay) regulated under PBI 23/6 deploy AI for fraud detection, customer verification, and transaction routing. AxonFlow's PII detection catches virtual-account patterns in customer data; the audit trail captures the governance chain from verification through disbursement.

Remittance and cross-border payment providers

Cross-border QRIS transactions (now interoperable with 5+ countries) carry additional reconciliation and audit requirements. AxonFlow's data_residency and transfer_basis fields (Enterprise) in the audit log directly support the cross-border governance trail BI expects.