Overview & goals
What RegTech is, and — just as importantly — what it is not.
RegTech is a shared negative-information bureau for the Indonesian crypto industry. Exchanges contribute records about risky identifiers — wallet addresses, national IDs, phone numbers, bank accounts — and query the pool before onboarding or during ongoing monitoring. OJK and the Asosiasi govern the system so that no single participant can weaponise it.
The mental model is a fraud bureau, not a blocklist. A blocklist is a flat list of "banned" values; a bureau records who alleged what, on what evidence, with what confidence, and whether it was contested. That distinction drives every design choice below.
Goal — Interdiction
Stop known bad actors from re-onboarding across exchanges after being caught at one.
Goal — Intelligence
Let exchanges and the Asosiasi see patterns — mule networks, repeat scammers — no single firm can see alone.
Goal — Oversight
Give OJK a live, auditable view of industry-wide risk activity and reporting quality.
Non-goals (explicitly out of scope) RegTech does not adjudicate guilt, does not replace an exchange's own KYC/AML decision, and does not auto-ban anyone. It surfaces attributed claims; each consumer decides how to act on them.
Phased scope
One hashed-match core, delivered in three waves of increasing depth and risk.
Onboarding screening
Hashed lookup API, CSV / manual ingestion, basic monitoring dashboard. Proves the plumbing and the legal basis on the narrowest surface.
- Submit & query identifiers
- Exact-match on hashed PII
- Source-scoped status
AML & fraud intelligence
Evidence attachments, subject linking, confidence scoring, dispute workflow, webhooks. Optional PPATK hand-off pathway.
- Identifier → subject clustering
- Corroboration & promotion rules
- Batch re-screening
Regulatory reporting
Mostly views over data already collected: OJK dashboards, contributor scorecards, trend analytics, submission-quality enforcement.
- Industry risk trends
- Reporting SLAs
- Regulator exports
Sequencing principleDo not build Phase 3's rich schema on day one. The hashed-match core is identical across all three phases — later phases add views and workflow, not a new spine.
Stakeholders & roles
Three participant classes for launch. Banks and other institutions are deferred to a later phase.
Exchange
Registered PAKK. Both a contributor and a consumer. Submits records, queries the pool, manages its own assertions and disputes it receives.
Asosiasi
Asosiasi Blockchain Indonesia. Co-governor. Runs adjudication on contested cases, maintains the shared vocabulary, mediates disputes between members.
OJK
Sponsor & supervisor. Full read visibility, audit access, policy authority, override on confirmed statuses. The legal anchor for data sharing.
A subtle sensitivity: query logsWhen Exchange A looks up an identifier, that query reveals A's interest in a customer. Query logs are therefore as sensitive as the records themselves and are visible only to OJK in aggregate — never to peer exchanges.
Core model: source-scoped assertions
The single most important design decision. It keeps exchange autonomy while containing defamation and abuse risk.
Any exchange can instantly set a status — including Blacklisted — on an identifier. But a status is always attributed to and scoped by the reporting source. A record never means an anonymous, system-wide verdict; it means "Exchange A asserts this."
When a consumer queries an identifier, they see the full set of attributed claims and decide for themselves. One exchange's unreviewed hunch never becomes an industry-wide sentence.
What a consumer sees on a hit
Query on hash(phone) →
- Blacklisted Exchange A — fraud.scam — 12 Jun 2026
- Suspected Exchange B — aml.mule — 3 Jul 2026
- Suspected Exchange C — aml.mule — 5 Jul 2026
The consumer reads: one blacklist claim, two independent mule suspicions. Their call.
How "confirmed" is earned, not asserted
A System-Confirmed flag is applied only when the evidence crosses a governance threshold — not by any single participant:
- Corroboration: N independent exchanges report the same identifier for the same reason.
- Adjudication: the Asosiasi or OJK reviews and confirms.
- Weighting: contributor reputation scales how much each assertion counts.
Why not unilateral system-wide blacklistingIf any exchange could auto-condemn a user everywhere with one unreviewed click, a wrong or malicious listing would spread industry-wide — creating shared defamation and UU PDP liability, and destroying trust in the registry. Source-scoping preserves each exchange's autonomy over its own claims while preventing that failure mode.
Status & reason taxonomy
Status, reason code, confidence and expiry are separate fields — never one flat label. A controlled vocabulary replaces free text.
| Status | Meaning | Typical confidence | Default review |
|---|---|---|---|
| Blacklisted | Reporter asserts confirmed wrongdoing tied to this identifier. | High | 24 months |
| Suspected | Unproven allegation under investigation. Highest defamation sensitivity. | Low–Medium | 6 months |
| Suspended | Internal account action by the reporter; often reversible, lower external weight. | Low | 12 months |
| System-Confirmed | Corroborated by governance rule or adjudicated by Asosiasi / OJK. | Very high | Case-based |
| Code | Category | Notes |
|---|---|---|
fraud.scam | Fraud | Investment scam, Ponzi, fake project |
fraud.ato | Fraud | Account takeover — perpetrator, not victim |
aml.mule | AML | Money-mule / layering account |
aml.laundering | AML | Suspected laundering flow |
sanctions.listed | Sanctions | Matches a sanctions list (DTTOT / OFAC / UN) |
phishing.actor | Abuse | Phishing / social-engineering operator |
victim.compromised | Protective | Flags a victim for protection — never punitive |
Two rules that prevent harmEvery record carries a mandatory expiry / review date
— negative data is never permanent by default. And victim.* codes are treated as protective context,
never as grounds for rejection, so reporting a victim never punishes them.
Data model
The atom is an Identifier, not a person — you rarely have full identity, and one actor spans many identifiers. Relations connect them into a graph, so a flagged address carries its deposit / withdrawal / counterparty context.
Entity Identifier
A single normalized value: wallet address (+ chain), NIK, phone, email, bank account, or exchange-internal user ID. The unit of matching.
Entity Relation Edge
A directional, typed link between two identifiers — deposit_from, withdrawal_to, counterparty, same_owner. Turns isolated flags into a traceable money / identity graph.
Entity Subject
A probabilistic cluster of linked identifiers (built from same_owner relations) believed to belong to one actor. Never assume one identifier equals one person.
Entity Report
One exchange's submission about an identifier / subject: status, reason code, confidence, evidence, reporter, timestamp. The attributed claim.
Entity Adjudication
Every status transition — who changed what, when, why. Tamper-evident. Feeds the audit trail and the dispute record.
| Type | Class | Meaning | Implies wrongdoing of target? |
|---|---|---|---|
same_owner | Identity | Two identifiers held by the same actor → builds the Subject cluster | Inherits subject status |
controlled_by | Identity | Address operated by a known NIK / user | Inherits subject status |
deposit_from | Transaction | Flagged address received funds from this source | No — context only |
withdrawal_to | Transaction | Flagged address sent funds to this destination | No — context only |
counterparty | Transaction | Transacted with, direction unspecified | No — context only |
funded_by | Transaction | Initial funding source of the flagged address | No — context only |
Example — a suspected address with its edges
bc1q…7f3a Suspected aml.mule
- ├─ deposit_from 0x9c…a1 · 2.5 ETH · 3 Jul 2026 · reported by Exchange B
- ├─ withdrawal_to bc1q…e90 · 0.4 BTC · 4 Jul 2026 · reported by Exchange B
- └─ same_owner hash(phone) · KYC match · reported by Exchange A
A transaction edge is not an accusationA withdrawal_to / deposit_from address may belong to a victim, an exchange hot wallet, or a mixer — not a bad actor. Transaction relations carry no status of their own; they are context for investigators. Only same_owner / controlled_by edges propagate a subject's status.
| Field | Type | Storage | Rationale |
|---|---|---|---|
| Wallet address | Identifier | Plaintext | Public on-chain data; enables analytics & readable dashboards |
| NIK / KTP | Identifier | Hashed | High-sensitivity PII; only ~270M possible values → pepper is load-bearing |
| Phone | Identifier | Hashed | Exact-match key; normalized to E.164 before hashing |
| Bank account | Identifier | Hashed | Exact-match key |
| Name | Attribute | Encrypted | Not a reliable match key; kept for confirmed-case context only |
| Evidence file | Attribute | Encrypted + RBAC | Released only for disputes / adjudication / legal request |
| Reason, status, dates | Report | Plaintext | Operational metadata, non-identifying |
| Relation type + direction | Relation | Plaintext | Edge label; non-identifying |
| Tx hash / asset / amount | Relation | Plaintext | On-chain, public; the traceable money trail |
| Related address (on-chain) | Relation | Plaintext | Public address; stored as-is for graph traversal |
| Related PII (phone/NIK edge) | Relation | Hashed | If an edge targets PII, hash the target like any identifier |
Privacy: hashed matching
The registry can answer "is this identifier flagged?" without holding a plaintext honeypot of national IDs.
Every sensitive identifier goes through the same deterministic transform before storage or lookup:
- Normalize & canonicalize — phone → E.164, NIK → digits only, EVM address → checksummed and chain-namespaced (
eip155:1:0x…). Equal inputs must yield equal outputs for matching to work. - System-wide pepper (HMAC key), not per-record salt — matching requires deterministic hashes, so a shared secret pepper replaces per-record salt.
- Pepper lives in an HSM / KMS, never in the database. A DB breach alone cannot brute-force the small NIK space without it — the pepper is the load-bearing secret.
- Wallet addresses stay plaintext (already public on-chain) — preserving readable dashboards and on-chain analytics.
Accepted trade-offHashing means no fuzzy matching on those fields — "Budi Santoso" vs "Budi Santosa" won't match. That's fine for exact identifiers (NIK, phone, account). Names, which are poor match keys anyway, are kept encrypted-plaintext for context rather than hashed.
Ingestion pipeline
Three intake channels, but one normalization + validation core. Never build three parallel ingest paths.
CSV / Excel
The messiest and most-used. Strict template, schema validation, staged preview, per-row error report, dedup. Assume dirty data.
REST API
For mature exchanges. Idempotent, versioned, batch + single submission, webhook callbacks on status change.
Manual form
For small institutions and one-offs. Same validation core underneath — a thin adapter, not a separate path.
Validation rejects malformed NIKs, unknown reason codes, missing expiry dates, and self-reports of an exchange's own known infrastructure addresses (see §12).
Consumption & APIs
How value is actually delivered. API-first; the dashboard is a client of the same API.
Subscription valueThe webhook closes the loop: an exchange screens a user today who is clean, and is alerted the day a peer lists them — turning a point-in-time check into continuous monitoring.
Access control
Attribute-based: role × data-sensitivity × action. Different consumers get different depth.
| Capability | Exchange | Asosiasi | OJK |
|---|---|---|---|
| Submit reports | ✓ | — | — |
| Lookup / screen | ✓ | ✓ | ✓ |
| See own submissions | ✓ | ✓ | ✓ |
| See others' attributed claims | Scoped | ✓ | ✓ |
| View plaintext / evidence | Own + disputes | Adjudication | ✓ |
| Adjudicate / confirm | — | ✓ | ✓ |
| Override confirmed status | — | Proposed | ✓ |
| View query logs | — | — | Aggregate |
| Industry analytics / exports | Own only | ✓ | ✓ |
Scoped = sees the claim and reporting exchange's identity per governance policy; Aggregate = statistical, not per-lookup detail.
Governance & lifecycle
Every record moves through a defined lifecycle. Nothing is permanent; everything is contestable.
Submit
Exchange files a source-scoped claim via any channel.
Validate
Schema, vocabulary, infra allow-list, dedup.
Publish
Claim becomes queryable, attributed to the source.
Promote
Corroboration or adjudication → System-Confirmed.
Dispute
Data subject or exchange contests; SLA-bound review.
Expire
Review date reached → downgrade, renew, or purge.
Dispute & remediation
A wrongly-listed party must have a path to challenge — this is a legal requirement, not a courtesy. Disputes route to the reporting exchange first, escalate to the Asosiasi if unresolved, with an SLA and a full evidence trail. Successful disputes feed contributor reputation.
Audit immutability
Every listing, promotion, downgrade, dispute and de-listing is written to a tamper-evident, append-only log. OJK will require this; it is also the system's own defence when a listing is challenged in a legal forum.
Trust & abuse controls
The failure modes that quietly kill shared-blacklist schemes — designed against from the start.
Contributor reputation
Each exchange carries a score driven by overturned-dispute rate and corroboration history. It weights how much their assertions count toward promotion.
Infrastructure allow-lists
Known-good addresses — exchange hot wallets, custodians, bridges — are protected so a shared custodial wallet can't be mass-listed by accident.
Anti-weaponisation
Submission rate limits and anomaly detection flag an exchange bulk-listing a rival's users. Source-scoping already blunts the payoff.
False-positive hygiene
Address reuse, recycled phone numbers and shared custodial wallets are known traps; confidence bands and expiry keep stale flags from lingering.
Legal & compliance
The foundation. Get this wrong and the software is irrelevant.
UU PDP No. 27/2022 — lawful basisCirculating NIK, names, and accounts tied to alleged wrongdoing is high-risk processing. OJK sponsorship provides the legal-obligation / public-interest basis, but it must be explicitly documented, with purpose limitation, retention limits, a data-subject correction path, and a DPIA completed before launch.
Data residency
OJK-backed financial data almost certainly must stay onshore in Indonesia, possibly in a certified data centre. This constraint shapes the hosting choice — assume domestic.
Defamation containment
Source-scoping, evidence requirements, confidence bands and mandatory expiry together keep the system from making unqualified public accusations.
Retention & right to correction
Every record expires; every data subject can contest. Purged records leave only a non-identifying audit stub.
Sanctions alignment
sanctions.* reasons align with DTTOT and international lists so screening supports existing PPATK / APU-PPT obligations.
Architecture
Indicative shape for Phase 1 — deliberately boring and auditable. Detail firms up after the data model is signed off.
- API-first — the monitoring dashboard consumes the same public API, so nothing is dashboard-only.
- Separation of secrets — pepper and evidence keys live in the HSM/KMS, isolated from the registry DB.
- Onshore, certified hosting — pending confirmation of OJK residency requirements.
Roadmap
Indicative, pending stakeholder sign-off on the data model and legal basis.
| Wave | Delivers | Gate to proceed |
|---|---|---|
| Phase 1 | Hashed lookup, CSV + manual ingest, source-scoped status, basic dashboard, audit log | DPIA + documented PDP basis + template sign-off |
| Phase 2 | API, evidence, subject linking, confidence, dispute workflow, webhooks, corroboration rules | Phase 1 live + reputation policy agreed |
| Phase 3 | OJK oversight dashboards, contributor scorecards, trend analytics, reporting SLAs | Sufficient data volume + oversight requirements finalised |
Open decisions
Points to resolve with OJK and the Asosiasi before build. These shape everything downstream.
- Corroboration threshold — how many independent reports (and at what reputation weight) auto-promote a claim to System-Confirmed?
- Peer visibility — do exchanges see which peer filed a claim, or only that "a claim exists"? Affects trust and gaming.
- Dispute SLA & owner — who fields data-subject disputes, and within how many days?
- Retention defaults — confirm per-status review periods against OJK / PDP guidance.
- Data residency — confirm the required hosting jurisdiction and certification.
- PPATK interface — is there a formal hand-off pathway for confirmed AML cases, and in which phase?
- Non-exchange consumers — when (if ever) do banks / fintechs get query-only access, and on what basis?