Skip to main content

BI Payment System Compliance

Bank Indonesia (BI) regulates payment service providers (PJP) and payment system infrastructure platform teams (PIP) through two parallel instruments: PBI 23/6/PBI/2021 for PJP governance and PBI 23/7/PBI/2021 for PIP governance. Both require internal and external IS (information system) audits, incident reporting, and operational governance controls. QRIS — the national QR payment standard — is further governed by PADG 21/18/PADG/2019, amended by Governor Regulation No. 3/2025 (effective 19 February 2025), covering interoperability, security, and efficiency requirements. Search the BI regulations page for PADG 3/2025 for the current text.

caution

This page is engineering guidance for teams building governed payment AI on AxonFlow. It is not legal advice. Validate the regulatory mapping with your legal and compliance teams before relying on it for BI audits or supervisory interactions.

The BI instruments that apply today

PBI 23/6/PBI/2021 — Payment Service Providers (PJP)

PBI 23/6 establishes governance requirements for payment service providers:

  • IS audit cadence: internal IS audit at least annually; external IS audit when directed by BI or when material system changes occur
  • Incident reporting: PJP must report payment system incidents to BI. Failure to report carries a penalty of IDR 7.5 million per missed report
  • IT governance: board-level oversight of payment system technology, risk management, and outsourcing arrangements
  • Data protection: customer payment data must be processed and stored within Indonesian territory, with exceptions requiring BI approval

PBI 23/7/PBI/2021 — Payment System Infrastructure Operators (PIP)

PBI 23/7 mirrors PBI 23/6 for infrastructure platform teams (switching services, clearing houses, settlement systems):

  • Same IS-audit cadence requirements as PJP
  • Same incident-reporting obligations and penalties
  • Additional requirements for system availability, disaster recovery, and business continuity
  • Infrastructure platform teams face stricter uptime and resilience expectations

QRIS PADG 3/2025 — QR payment interoperability and security

Governor Regulation No. 3/2025 (amending PADG 21/18/PADG/2019) strengthens QRIS governance:

  • Interoperability: QRIS is now interoperable with Malaysia (DuitNow), Singapore (PayNow/NETS), Thailand (PromptPay), China (UnionPay), and Japan (specific schemes). Cross-border QRIS transactions carry additional audit and reconciliation requirements.
  • Security: merchants and acquirers must implement fraud-detection controls; AI-assisted fraud screening falls under the governance framework.
  • Efficiency: BI expects QRIS processors to demonstrate operational efficiency, including transaction-processing times and error rates.

A concrete example: QRIS acquirer with AI fraud detection

A payment service provider operating as a QRIS acquirer deploys an AI fraud-detection model that screens every inbound QRIS payment for anomalies — velocity checks, merchant-category risk, cross-border pattern detection.

What BI asks the PJP to demonstrate:

  • PBI 23/6 IS audit: the fraud-detection AI is covered in the annual IS audit, including model performance metrics, false-positive rates, and change-management records.
  • PBI 23/6 incident reporting: when the AI system incorrectly blocks legitimate transactions above a threshold, the PJP must report the incident to BI.
  • PADG 3/2025 security: fraud-detection controls are part of the QRIS governance framework; the PJP must demonstrate that controls are proportionate to transaction risk.

How it maps to AxonFlow tiers:

Enterprise endpoints for Indonesian compliance are served through a shared OJK compliance module at /api/v1/ojk/*, covering OJK, BI, and UU PDP frameworks through a single API surface with framework-specific parameters.

NeedCommunityEvaluationEnterprise
Bank-account / virtual-account detection (BCA, Mandiri, BRI, BNI)System policies — context-anchored patternsSameSame + enhanced validation
Indonesian mobile number (+62) detectionSystem policies (sys_pii_indonesia_phone)SameSame
Policy enforcement on every LLM + MCP call (PBI 23/6 IT governance)YesYesYes
Full audit trail for IS audit evidence (PBI 23/6 annual IS audit)Yes (3-day retention)Same (14-day)Same + 10-year retention
HITL review on high-value transaction decisionsCan emit; no queueHITL approval queueProduction HITL queue + portal
OJK audit export for BI supervisory reviewNot providedNot providedPOST /api/v1/ojk/audit/export with framework: "BI_PJP"
Incident reporting evidenceNot providedNot providedOJK export with incident-window date filters
QRIS-specific governance templateNot providedNot providedPolicy templates for QRIS fraud-detection workflows
Kill switch for unsafe AI behavior in payment pathsNot providedNot providedGlobal / organization / system scope shutdown

IS audit cadence and AxonFlow's role

BI's IS-audit requirements are annual at minimum, with ad-hoc audits triggered by material system changes. For teams using AI in payment processing, AxonFlow's audit trail and export capabilities map directly to the evidence an IS auditor expects:

IS audit questionAxonFlow evidence surface
What AI decisions were made in this period?Audit trail with decision_id, policy_id, and timestamp
Who approved material decisions?HITL approval records with user_id and approval timestamp
What policies were enforced?Policy-enforcement logs with category, action, and severity
Were PII protections active?PII-detection logs showing NIK/NPWP/bank-account redactions
Was there an incident? When was it detected?Export with incident-window date filters; OJK readiness check

What Community covers

Community is a credible starting point for BI-relevant engineering work:

  • audit logging with decision chain and policy attribution
  • policy enforcement on every LLM and MCP call through the payment-processing workflow
  • Indonesia-relevant PII protection: bank-account patterns for BCA (10-digit), Mandiri (13-digit), BRI (15-digit), and BNI (10-digit), plus Indonesian mobile (+62) detection
  • governed execution paths that IS auditors can review

Industry playbook

QRIS acquirers and merchants

The concrete flow above. AI-assisted fraud detection on QRIS rails benefits from AxonFlow's policy enforcement and audit trail. The annual IS audit requires evidence of model governance; AxonFlow's structured export produces that evidence.

E-money and digital wallet providers

E-money providers (GoPay, OVO, DANA, ShopeePay) regulated under PBI 23/6 deploy AI for fraud detection, customer verification, and transaction routing. AxonFlow's PII detection catches virtual-account patterns in customer data; the audit trail captures the governance chain from verification through disbursement.

Remittance and cross-border payment providers

Cross-border QRIS transactions (now interoperable with 5+ countries) carry additional reconciliation and audit requirements. AxonFlow's data_residency and transfer_basis fields (Enterprise) in the audit log directly support the cross-border governance trail BI expects.

For the cross-framework view of regulated API families, use the Enterprise Compliance API Surface.

Enterprise Operating Workflow

The licensed workflow surface below is included here so engineers can evaluate both the community baseline and the production operating model from one page.

AxonFlow Enterprise supports Bank Indonesia (BI) payment compliance workflows through the shared OJK module. Payment service providers (PJP) under PBI 23/6/PBI/2021 and infrastructure platform teams (PIP) under PBI 23/7/PBI/2021 use the same audit-export and readiness endpoints with the BI_PJP framework parameter.

Requires Enterprise license.

caution

This guide is engineering guidance for teams operating governed payment AI on AxonFlow. It is not legal advice. Validate the regulatory mapping with your legal and compliance teams before relying on it for BI audits or supervisory interactions.

What the module covers for BI compliance

The OJK module serves BI payment compliance through the BI_PJP framework selection:

RouteMethodBI-relevant usage
/api/v1/ojk/audit/exportPOSTIS-audit evidence export with framework: "BI_PJP"
/api/v1/ojk/audit/export/{id}GETTrack export status
/api/v1/ojk/audit/retentionGETVerify retention meets BI expectations
/api/v1/ojk/audit/readinessGETPre-IS-audit readiness check
/api/v1/ojk/dashboardGETCombined posture view

Identity handling follows the same pattern as the OJK module: tenant from Basic auth preferred, X-Org-ID fallback, X-User-ID for attribution.

QRIS audit pattern

For teams running AI on QRIS payment rails (fraud detection, reconciliation, dispute handling), the audit pattern is:

1. Capture governance evidence during normal operation

AxonFlow's policy enforcement and audit trail automatically capture:

  • every LLM and MCP call in the payment-processing workflow
  • PII detections (bank accounts, phone numbers) with action taken (block, redact)
  • policy decisions with category, severity, and decision chain
  • HITL approvals on material transaction decisions

2. Export IS-audit evidence

curl -X POST http://localhost:8080/api/v1/ojk/audit/export \
-H "Content-Type: application/json" \
-H "X-User-ID: is-auditor-1" \
-d '{
"start_date": "2025-07-01T00:00:00Z",
"end_date": "2025-12-31T23:59:59Z",
"data_types": ["policy_violations", "llm_calls", "decision_chain", "pii_redactions"],
"format": "json",
"framework": "BI_PJP",
"redact_pii": true,
"filters": {
"agent_ids": ["qris-fraud-detection"],
"severity": "high"
}
}'

3. Verify retention posture

curl http://localhost:8080/api/v1/ojk/audit/retention

BI does not prescribe a specific retention period in PBI 23/6, but industry practice for IS-audit evidence is 5 years. The OJK module enforces a 5-year minimum retention floor when AXONFLOW_COMPLIANCE_REGION includes ID.

4. Check readiness before IS audit

curl http://localhost:8080/api/v1/ojk/audit/readiness

The readiness check for BI payment compliance evaluates:

  • audit-trail completeness for the IS-audit period
  • PII detection coverage for payment-relevant patterns (bank accounts, phone numbers)
  • policy enforcement coverage across payment-processing agents
  • retention posture against the 5-year floor

Incident reporting evidence

PBI 23/6 requires PJP to report payment system incidents to BI, with a penalty of IDR 7.5 million per missed report. When an AI-related incident occurs in the payment path:

  1. Capture — the audit trail already contains the decision chain and policy actions
  2. Scope — use the export endpoint with incident-window date filters to isolate the affected period
  3. Evidence — the export produces structured evidence that maps to BI's incident-reporting requirements
curl -X POST http://localhost:8080/api/v1/ojk/audit/export \
-H "Content-Type: application/json" \
-d '{
"start_date": "2026-03-10T08:00:00Z",
"end_date": "2026-03-10T12:00:00Z",
"data_types": ["all"],
"format": "json",
"framework": "BI_PJP",
"filters": {
"agent_ids": ["qris-fraud-detection"]
}
}'

If the incident involves personal data, the parallel UU PDP Art. 46 breach-notification workflow also applies — see the UU PDP Compliance Guide for the POST /api/v1/ojk/breach/notify endpoint.

CadenceActionDetail
WeeklyCheck dashboard for payment-AI postureGET /api/v1/ojk/dashboard
MonthlyReview readiness scoreGET /api/v1/ojk/audit/readiness
Annually (minimum)Generate IS-audit evidence exportPOST /api/v1/ojk/audit/export with framework: "BI_PJP"
AnnuallyVerify retention postureGET /api/v1/ojk/audit/retention
On incidentExport incident-window evidencePOST /api/v1/ojk/audit/export with incident date filters
On incidentActivate kill switch if AI behavior is unsafeKill-switch API with system or organization scope

Cross-border QRIS considerations

QRIS is now interoperable with Malaysia, Singapore, Thailand, China, and Japan. For cross-border QRIS transactions processed by AI agents:

  • AxonFlow's data_residency and transfer_basis fields in the audit log capture the cross-border governance trail
  • Use UU PDP Art. 56 cross-border transfer logging in conjunction with BI payment audit exports
  • The OJK_BI_COMBINED framework parameter on the export endpoint produces a unified view across both BI payment and UU PDP cross-border requirements