Indonesia's Biometric SIM Mandate: What It Means for Developers and Digital Services
Engineering Team
Indonesia’s Biometric SIM Mandate: The Short Answer
Starting July 1, 2026, every new SIM card registration in Indonesia must include biometric facial recognition verification. This is mandated by KOMDIGI (Ministry of Communications and Digital Affairs) Regulation No. 7 of 2026, replacing the previous NIK (Nomor Induk Kependudukan) number-only verification system. The regulation caps prepaid SIM ownership at 3 cards per person and requires telecom operators to integrate with Indonesia’s Digital Population Identity (IKD) platform.
For developers and digital service providers, this means a fundamental shift in how identity verification is implemented across Indonesia’s digital ecosystem — affecting everything from mobile app onboarding to e-KYC flows.
Timeline and Key Milestones
The rollout follows a phased approach that developers must plan around:
| Date | Milestone |
|---|---|
| March 15, 2026 | KOMDIGI Regulation No. 7/2026 officially published |
| April 1, 2026 | Technical specification documents released to operators |
| May 1, 2026 | Sandbox testing environment opens for integration partners |
| June 1, 2026 | Mandatory certification deadline for biometric SDK providers |
| July 1, 2026 | Enforcement begins — all new SIM registrations require biometric verification |
| January 1, 2027 | Existing SIM re-verification deadline for high-risk accounts |
| July 1, 2027 | Full re-verification deadline for all existing prepaid SIMs |
Operators who fail to comply face penalties of up to Rp 50 billion ($2.9 million) per violation, with potential license revocation for repeated non-compliance.
Technical Requirements
The regulation specifies precise technical standards that biometric systems must meet:
Facial Recognition Accuracy
- False Accept Rate (FAR): Must not exceed 0.001% (1 in 100,000)
- False Reject Rate (FRR): Must not exceed 5%
- Overall accuracy: 95% or higher under standard conditions
- Processing time: Maximum 3 seconds from capture to verification result
- Liveness detection: Mandatory — systems must detect presentation attacks including printed photos, screen replays, and 3D masks
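As an added example (not taken from the regulation, KOMDIGI material or any vendor SDK), the Rust code below checks error counts against the FAR and FRR limits listed above at several candidate decision thresholds, and uses the rule of three to size the impostor test set. The scores, candidate thresholds and all function names are constructed for the illustration.

```rust
// Added example: constructed scores, not vendor or IKD output.
// Limits quoted above: FAR <= 0.001% (1 in 100,000), FRR <= 5%.
const FAR_ONE_IN: u64 = 100_000;
const FRR_MAX_PERCENT: u64 = 5;

#[derive(Debug, PartialEq)]
struct Counts { false_accepts: u64, impostor_trials: u64, false_rejects: u64, genuine_trials: u64 }

/// Impostor score >= threshold is a false accept; genuine score < threshold is a false reject.
fn count_errors(genuine: &[f64], impostor: &[f64], threshold: f64) -> Counts {
    Counts {
        false_accepts: impostor.iter().filter(|&&s| s >= threshold).count() as u64,
        impostor_trials: impostor.len() as u64,
        false_rejects: genuine.iter().filter(|&&s| s < threshold).count() as u64,
        genuine_trials: genuine.len() as u64,
    }
}

/// Integer comparison avoids rounding at the 1-in-100,000 boundary.
fn within_limits(c: &Counts) -> bool {
    c.impostor_trials > 0 && c.genuine_trials > 0
        && c.false_accepts * FAR_ONE_IN <= c.impostor_trials
        && c.false_rejects * 100 <= c.genuine_trials * FRR_MAX_PERCENT
}

/// First candidate, in the order given, that satisfies both limits.
fn pick_threshold(genuine: &[f64], impostor: &[f64], candidates: &[f64]) -> Option<f64> {
    candidates.iter().copied().find(|&t| within_limits(&count_errors(genuine, impostor, t)))
}

/// Rule of three: zero false accepts in n trials bounds FAR below 3/n at about 95% confidence.
fn min_impostor_trials() -> u64 { 3 * FAR_ONE_IN }

/// Constructed data: 200,000 impostor scores with three high outliers; 1,000 genuine scores.
fn sample_scores() -> (Vec<f64>, Vec<f64>) {
    let mut impostor: Vec<f64> = (0..200_000u32).map(|i| (i % 500) as f64 / 1000.0).collect();
    impostor[7] = 0.91; impostor[11] = 0.92; impostor[13] = 0.96;
    let genuine: Vec<f64> = (0..1000).map(|i| if i < 40 { 0.93 } else if i < 120 { 0.96 } else { 0.99 }).collect();
    (genuine, impostor)
}

fn main() {
    let (genuine, impostor) = sample_scores();
    for t in [0.90, 0.95, 0.97] {
        let c = count_errors(&genuine, &impostor, t);
        println!("threshold {t}: {c:?} within limits: {}", within_limits(&c));
    }
    let pick = pick_threshold(&genuine, &impostor, &[0.90, 0.95, 0.97]);
    println!("chosen {pick:?}; zero-error FAR claim needs {} impostor trials", min_impostor_trials());
}
```

On the constructed data only the 0.95 threshold satisfies both limits: 0.90 admits too many impostors and 0.97 rejects too many genuine users. The 200,000 impostor trials used here are fewer than the 300,000 the rule of three calls for, so a real evaluation would need a larger test set before the FAR figure could serve as evidence.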
Integration with IKD Platform
The Digital Population Identity (Identitas Kependudukan Digital / IKD) platform, managed by the Directorate General of Population and Civil Registration (Dukcapil), serves as the authoritative identity database. All biometric verification must cross-reference against IKD records.
The integration flow works as follows:
- Capture: User’s face is captured via the operator’s app or kiosk
- Liveness Check: Real-time liveness detection confirms a live person
- Feature Extraction: Facial features are extracted and encoded into a biometric template
- IKD Query: Template is sent to the IKD platform for 1:1 verification against the NIK-linked biometric record
- Result: IKD returns a match/no-match response with a confidence score
- Audit Log: The entire transaction is logged for regulatory compliance
Data Protection Requirements
All biometric data handling must comply with UU PDP (Undang-Undang Pelindungan Data Pribadi), Indonesia’s Personal Data Protection Law enacted in 2022:
- Biometric templates must be encrypted with AES-256 at rest
- All transmissions must use TLS 1.3 or higher
- Raw biometric data (facial images) must not be stored after template extraction
- Data retention: Verification logs kept for 5 years, then securely deleted
- Users have the right to request deletion of their biometric data
- Cross-border transfer of biometric data is prohibited without explicit KOMDIGI approval
Impact on App Developers and Digital Services
Mobile App Developers
If your app involves SIM-based authentication (OTP verification, SMS-based login), you need to understand that your users will have undergone biometric verification at the SIM level. This creates opportunities:
- Higher trust baseline: SIM-verified users have confirmed their identity biometrically
- Reduced fraud: Fake accounts using disposable SIMs become significantly harder to create
- Streamlined KYC: For fintech and e-commerce apps, the SIM biometric verification can serve as a first factor in your e-KYC flow
Telecom Integration Partners
Companies providing identity verification services to telecom operators must:
- Obtain KOMDIGI certification for their biometric SDK by June 1, 2026
- Pass ISO/IEC 30107-3 Presentation Attack Detection (PAD) testing at Level 2 or higher
- Demonstrate interoperability with the IKD platform in sandbox testing
- Provide on-premise deployment options — some operators require that biometric processing occurs within Indonesian data centers
Fintech and Digital Banking
Indonesia’s OJK (Financial Services Authority) has indicated it will recognize KOMDIGI-compliant biometric SIM verification as a valid identity verification factor for:
- Opening basic savings accounts (up to Rp 20 million balance)
- Peer-to-peer lending borrower verification
- Digital wallet registration (GoPay, OVO, Dana, ShopeePay)
- Insurance policy onboarding
This reduces friction in financial inclusion efforts, particularly for Indonesia’s 92 million unbanked adults.
Compliance Checklist for Businesses
Use this checklist to assess your organization’s readiness:
Technical Readiness
- Biometric SDK selected and integrated (minimum 95% accuracy, liveness detection)
- IKD platform sandbox access obtained and tested
- AES-256 encryption implemented for biometric template storage
- TLS 1.3 configured for all biometric data transmissions
- Audit logging system captures all verification transactions
- Fallback mechanism designed for IKD platform downtime
- Load testing completed for expected verification volume
Regulatory Compliance
- UU PDP Data Protection Impact Assessment (DPIA) completed
- Privacy policy updated to include biometric data processing disclosures
- User consent flow implemented (explicit opt-in for biometric collection)
- Data retention policies documented (5-year log retention, secure deletion)
- Incident response plan updated for biometric data breaches
- KOMDIGI certification application submitted (deadline: June 1, 2026)
Operational Readiness
- Staff trained on biometric verification procedures
- Customer support scripts updated for biometric-related inquiries
- Accessibility accommodations planned for users who cannot complete facial recognition
- Monitoring dashboards configured for verification success/failure rates
Architecture Overview for Developers
A typical integration architecture looks like this:
```text
Mobile App / Kiosk
        |
        v
[Biometric SDK]     -- capture + liveness
        |
        v
[Operator Backend]  -- template extraction
        |
        v
[IKD Gateway]       -- 1:1 verification
        |
        v
[Audit & Logging]   -- compliance records
```
For Rust developers, the biometric pipeline can be structured as:
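```rust
// The State and Json extractors used below are axum's.
use axum::{extract::State, Json};

// Simplified biometric verification pipeline.
// AppState, BiometricRequest, VerificationResult and AppError are
// application-defined types that are not shown here.
async fn verify_identity(
    State(state): State<AppState>,
    Json(request): Json<BiometricRequest>,
) -> Result<Json<VerificationResult>, AppError> {
    // 1. Validate liveness detection result
    let liveness = state.liveness_service
        .check(&request.capture_data)
        .await?;
    if liveness.score < 0.95 {
        // A rejected attempt returns here, before the audit step (4),
        // so this simplified version leaves it unlogged.
        return Err(AppError::LivenessCheckFailed);
    }

    // 2. Extract biometric template.
    // `facial_image` must come from the same capture that passed the
    // liveness check above, otherwise the liveness result says nothing about it.
    let template = state.biometric_engine
        .extract_template(&request.facial_image)
        .await?;

    // 3. Verify against IKD platform (1:1 match against the NIK-linked record)
    let ikd_result = state.ikd_client
        .verify_1to1(&request.nik, &template)
        .await?;

    // 4. Log audit trail
    state.audit_logger.log_verification(
        &request.nik,
        &ikd_result,
        &liveness,
    ).await?;

    // The caller gets the match decision, the score and the IKD transaction id.
    Ok(Json(VerificationResult {
        verified: ikd_result.match_score >= 0.95,
        confidence: ikd_result.match_score,
        transaction_id: ikd_result.transaction_id,
    }))
}
```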
Market Context: Why Indonesia Is Doing This Now
Indonesia’s push for biometric SIM verification is driven by several converging factors:
- Cybercrime losses: Indonesia lost an estimated Rp 7 trillion ($407 million) to cybercrime in 2025, with SIM-swap fraud and identity theft as leading vectors
- Duplicate SIMs: An estimated 30-40 million SIM cards are registered under false or duplicate identities
- Digital economy growth: Indonesia’s digital economy reached $82 billion in GMV in 2025 (Google-Temasek-Bain report), requiring stronger identity infrastructure
- Population scale: With 270+ million people and 345+ million active SIM cards, Indonesia is one of the largest mobile markets in the world
- ASEAN alignment: The regulation aligns with ASEAN’s Digital Economy Framework Agreement (DEFA) provisions on digital identity
Frequently Asked Questions
What happens if a user cannot complete facial recognition?
The regulation includes provisions for alternative verification methods for users with disabilities or medical conditions that prevent facial recognition. Operators must provide assisted verification at physical service centers, where trained staff can perform manual identity checks with supporting documents. This covers approximately 2-3% of the population.
Does this affect existing SIM cards or only new registrations?
Initially, only new SIM registrations from July 1, 2026 require biometric verification. However, existing prepaid SIM holders must complete biometric re-verification by July 1, 2027. Postpaid subscribers are exempt until further notice, as they already undergo more rigorous identity checks.
Can foreign nationals and tourists register SIM cards?
Yes. Foreign nationals can register using their passport and a facial biometric capture at the point of sale. The system performs a 1:1 verification against the passport photo rather than the IKD database. Tourist SIM registrations are limited to 1 SIM per passport with a maximum validity of 90 days.
What biometric SDK providers are KOMDIGI-certified?
As of early 2026, KOMDIGI has approved several vendors for sandbox testing, including both international providers (such as those compliant with NIST FRVT benchmarks) and domestic Indonesian companies. The final certified vendor list will be published by June 1, 2026. Vendors must demonstrate ISO/IEC 30107-3 Level 2 compliance and pass IKD interoperability tests.
How does this relate to Indonesia’s Personal Data Protection Law (UU PDP)?
The biometric SIM mandate operates within the framework of UU PDP (Law No. 27 of 2022). Biometric data is classified as specific personal data under UU PDP Article 4, requiring explicit consent, purpose limitation, and enhanced security measures. Operators must appoint a Data Protection Officer (DPO) and conduct Data Protection Impact Assessments (DPIAs) before processing biometric data.
What are the penalties for non-compliance?
Telecom operators face fines of up to **Rp 50 billion ($2.9 million)** per violation. Biometric SDK providers that fail certification can be blacklisted from the Indonesian market. Individual employees responsible for data breaches involving biometric data face potential criminal penalties under UU PDP, including up to **6 years imprisonment** and fines of up to **Rp 6 billion ($350,000)**.
Can biometric verification be performed entirely on-device?
The liveness detection component can run on-device, but the 1:1 identity verification must be performed server-side against the IKD database. This is a regulatory requirement to ensure the authoritative identity record is always the reference point. On-device processing is encouraged for the capture and liveness stages to reduce latency and bandwidth requirements.