Rancangan Sistem  ·  System Design Rahasia / Confidential — Draft for Discussion

Shared Crypto Risk Registry

A jointly-operated bureau for reporting and screening blacklisted, suspected, and suspended identifiers across Indonesian crypto exchanges — under the sponsorship of OJK, with the Asosiasi as co-governor. Working codename RegTech.

SponsorOJK (Otoritas Jasa Keuangan)
Co-governorABI (Asosiasi Blockchain Indonesia)
ParticipantsRegistered PAKK / Exchanges
StageRequirements & Design
Version0.1 — Jul 2026
01

Overview & goals

What RegTech is, and — just as importantly — what it is not.

RegTech is a shared negative-information bureau for the Indonesian crypto industry. Exchanges contribute records about risky identifiers — wallet addresses, national IDs, phone numbers, bank accounts — and query the pool before onboarding or during ongoing monitoring. OJK and the Asosiasi govern the system so that no single participant can weaponise it.

The mental model is a fraud bureau, not a blocklist. A blocklist is a flat list of "banned" values; a bureau records who alleged what, on what evidence, with what confidence, and whether it was contested. That distinction drives every design choice below.

Goal — Interdiction

Stop known bad actors from re-onboarding across exchanges after being caught at one.

Goal — Intelligence

Let exchanges and the Asosiasi see patterns — mule networks, repeat scammers — no single firm can see alone.

Goal — Oversight

Give OJK a live, auditable view of industry-wide risk activity and reporting quality.

!

Non-goals (explicitly out of scope) RegTech does not adjudicate guilt, does not replace an exchange's own KYC/AML decision, and does not auto-ban anyone. It surfaces attributed claims; each consumer decides how to act on them.

02

Phased scope

One hashed-match core, delivered in three waves of increasing depth and risk.

Phase 1 · Foundation

Onboarding screening

Hashed lookup API, CSV / manual ingestion, basic monitoring dashboard. Proves the plumbing and the legal basis on the narrowest surface.

  • Submit & query identifiers
  • Exact-match on hashed PII
  • Source-scoped status
Phase 2 · Depth

AML & fraud intelligence

Evidence attachments, subject linking, confidence scoring, dispute workflow, webhooks. Optional PPATK hand-off pathway.

  • Identifier → subject clustering
  • Corroboration & promotion rules
  • Batch re-screening
Phase 3 · Oversight

Regulatory reporting

Mostly views over data already collected: OJK dashboards, contributor scorecards, trend analytics, submission-quality enforcement.

  • Industry risk trends
  • Reporting SLAs
  • Regulator exports
i

Sequencing principleDo not build Phase 3's rich schema on day one. The hashed-match core is identical across all three phases — later phases add views and workflow, not a new spine.

03

Stakeholders & roles

Three participant classes for launch. Banks and other institutions are deferred to a later phase.

Exchange

Registered PAKK. Both a contributor and a consumer. Submits records, queries the pool, manages its own assertions and disputes it receives.

Asosiasi

Asosiasi Blockchain Indonesia. Co-governor. Runs adjudication on contested cases, maintains the shared vocabulary, mediates disputes between members.

OJK

Sponsor & supervisor. Full read visibility, audit access, policy authority, override on confirmed statuses. The legal anchor for data sharing.

A subtle sensitivity: query logsWhen Exchange A looks up an identifier, that query reveals A's interest in a customer. Query logs are therefore as sensitive as the records themselves and are visible only to OJK in aggregate — never to peer exchanges.

04

Core model: source-scoped assertions

The single most important design decision. It keeps exchange autonomy while containing defamation and abuse risk.

Any exchange can instantly set a status — including Blacklisted — on an identifier. But a status is always attributed to and scoped by the reporting source. A record never means an anonymous, system-wide verdict; it means "Exchange A asserts this."

When a consumer queries an identifier, they see the full set of attributed claims and decide for themselves. One exchange's unreviewed hunch never becomes an industry-wide sentence.

What a consumer sees on a hit

Query on hash(phone)

  • Blacklisted  Exchange A — fraud.scam — 12 Jun 2026
  • Suspected  Exchange B — aml.mule — 3 Jul 2026
  • Suspected  Exchange C — aml.mule — 5 Jul 2026

The consumer reads: one blacklist claim, two independent mule suspicions. Their call.

How "confirmed" is earned, not asserted

A System-Confirmed flag is applied only when the evidence crosses a governance threshold — not by any single participant:

  • Corroboration: N independent exchanges report the same identifier for the same reason.
  • Adjudication: the Asosiasi or OJK reviews and confirms.
  • Weighting: contributor reputation scales how much each assertion counts.
05

Status & reason taxonomy

Status, reason code, confidence and expiry are separate fields — never one flat label. A controlled vocabulary replaces free text.

Status levels
StatusMeaningTypical confidenceDefault review
BlacklistedReporter asserts confirmed wrongdoing tied to this identifier.High24 months
SuspectedUnproven allegation under investigation. Highest defamation sensitivity.Low–Medium6 months
SuspendedInternal account action by the reporter; often reversible, lower external weight.Low12 months
System-ConfirmedCorroborated by governance rule or adjudicated by Asosiasi / OJK.Very highCase-based
Reason codes (controlled vocabulary — illustrative)
CodeCategoryNotes
fraud.scamFraudInvestment scam, Ponzi, fake project
fraud.atoFraudAccount takeover — perpetrator, not victim
aml.muleAMLMoney-mule / layering account
aml.launderingAMLSuspected laundering flow
sanctions.listedSanctionsMatches a sanctions list (DTTOT / OFAC / UN)
phishing.actorAbusePhishing / social-engineering operator
victim.compromisedProtectiveFlags a victim for protection — never punitive
i

Two rules that prevent harmEvery record carries a mandatory expiry / review date — negative data is never permanent by default. And victim.* codes are treated as protective context, never as grounds for rejection, so reporting a victim never punishes them.

06

Data model

The atom is an Identifier, not a person — you rarely have full identity, and one actor spans many identifiers. Relations connect them into a graph, so a flagged address carries its deposit / withdrawal / counterparty context.

Entity Identifier

A single normalized value: wallet address (+ chain), NIK, phone, email, bank account, or exchange-internal user ID. The unit of matching.

Entity Relation Edge

A directional, typed link between two identifiers — deposit_from, withdrawal_to, counterparty, same_owner. Turns isolated flags into a traceable money / identity graph.

Entity Subject

A probabilistic cluster of linked identifiers (built from same_owner relations) believed to belong to one actor. Never assume one identifier equals one person.

Entity Report

One exchange's submission about an identifier / subject: status, reason code, confidence, evidence, reporter, timestamp. The attributed claim.

Entity Adjudication

Every status transition — who changed what, when, why. Tamper-evident. Feeds the audit trail and the dispute record.

Relation types
TypeClassMeaningImplies wrongdoing of target?
same_ownerIdentityTwo identifiers held by the same actor → builds the Subject clusterInherits subject status
controlled_byIdentityAddress operated by a known NIK / userInherits subject status
deposit_fromTransactionFlagged address received funds from this sourceNo — context only
withdrawal_toTransactionFlagged address sent funds to this destinationNo — context only
counterpartyTransactionTransacted with, direction unspecifiedNo — context only
funded_byTransactionInitial funding source of the flagged addressNo — context only

Example — a suspected address with its edges

bc1q…7f3a  Suspected aml.mule

  • ├─ deposit_from  0x9c…a1  · 2.5 ETH · 3 Jul 2026 · reported by Exchange B
  • ├─ withdrawal_to  bc1q…e90  · 0.4 BTC · 4 Jul 2026 · reported by Exchange B
  • └─ same_owner  hash(phone)  · KYC match · reported by Exchange A
Field-level storage map
FieldTypeStorageRationale
Wallet addressIdentifierPlaintextPublic on-chain data; enables analytics & readable dashboards
NIK / KTPIdentifierHashedHigh-sensitivity PII; only ~270M possible values → pepper is load-bearing
PhoneIdentifierHashedExact-match key; normalized to E.164 before hashing
Bank accountIdentifierHashedExact-match key
NameAttributeEncryptedNot a reliable match key; kept for confirmed-case context only
Evidence fileAttributeEncrypted + RBACReleased only for disputes / adjudication / legal request
Reason, status, datesReportPlaintextOperational metadata, non-identifying
Relation type + directionRelationPlaintextEdge label; non-identifying
Tx hash / asset / amountRelationPlaintextOn-chain, public; the traceable money trail
Related address (on-chain)RelationPlaintextPublic address; stored as-is for graph traversal
Related PII (phone/NIK edge)RelationHashedIf an edge targets PII, hash the target like any identifier
07

Privacy: hashed matching

The registry can answer "is this identifier flagged?" without holding a plaintext honeypot of national IDs.

Every sensitive identifier goes through the same deterministic transform before storage or lookup:

raw value normalize canonicalize HMAC-SHA256 · pepper stored hash
  • Normalize & canonicalize — phone → E.164, NIK → digits only, EVM address → checksummed and chain-namespaced (eip155:1:0x…). Equal inputs must yield equal outputs for matching to work.
  • System-wide pepper (HMAC key), not per-record salt — matching requires deterministic hashes, so a shared secret pepper replaces per-record salt.
  • Pepper lives in an HSM / KMS, never in the database. A DB breach alone cannot brute-force the small NIK space without it — the pepper is the load-bearing secret.
  • Wallet addresses stay plaintext (already public on-chain) — preserving readable dashboards and on-chain analytics.
i

Accepted trade-offHashing means no fuzzy matching on those fields — "Budi Santoso" vs "Budi Santosa" won't match. That's fine for exact identifiers (NIK, phone, account). Names, which are poor match keys anyway, are kept encrypted-plaintext for context rather than hashed.

08

Ingestion pipeline

Three intake channels, but one normalization + validation core. Never build three parallel ingest paths.

CSV / Excel

The messiest and most-used. Strict template, schema validation, staged preview, per-row error report, dedup. Assume dirty data.

REST API

For mature exchanges. Idempotent, versioned, batch + single submission, webhook callbacks on status change.

Manual form

For small institutions and one-offs. Same validation core underneath — a thin adapter, not a separate path.

Convergent flow
CSV / API / form staging validate & normalize dedup / merge hash PII record + adjudication log

Validation rejects malformed NIKs, unknown reason codes, missing expiry dates, and self-reports of an exchange's own known infrastructure addresses (see §12).

09

Consumption & APIs

How value is actually delivered. API-first; the dashboard is a client of the same API.

POST/v1/lookupReal-time screen: submit hashed identifiers, get attributed claims + confidence. The onboarding check.
POST/v1/reportsSubmit one or many records. Idempotent by client reference.
POST/v1/reports/batchBulk CSV/Excel ingest via the staging pipeline.
POST/v1/screen/batchRe-screen an entire customer base against new listings.
GET/v1/reports/{id}Retrieve a report you filed, with its adjudication history.
POST/v1/disputesRaise or respond to a dispute on a record.
POST/v1/subscriptionsWebhook: notify me when an identifier I queried is later listed.

Subscription valueThe webhook closes the loop: an exchange screens a user today who is clean, and is alerted the day a peer lists them — turning a point-in-time check into continuous monitoring.

10

Access control

Attribute-based: role × data-sensitivity × action. Different consumers get different depth.

CapabilityExchangeAsosiasiOJK
Submit reports
Lookup / screen
See own submissions
See others' attributed claimsScoped
View plaintext / evidenceOwn + disputesAdjudication
Adjudicate / confirm
Override confirmed statusProposed
View query logsAggregate
Industry analytics / exportsOwn only

Scoped = sees the claim and reporting exchange's identity per governance policy; Aggregate = statistical, not per-lookup detail.

11

Governance & lifecycle

Every record moves through a defined lifecycle. Nothing is permanent; everything is contestable.

01

Submit

Exchange files a source-scoped claim via any channel.

02

Validate

Schema, vocabulary, infra allow-list, dedup.

03

Publish

Claim becomes queryable, attributed to the source.

04

Promote

Corroboration or adjudication → System-Confirmed.

05

Dispute

Data subject or exchange contests; SLA-bound review.

06

Expire

Review date reached → downgrade, renew, or purge.

Dispute & remediation

A wrongly-listed party must have a path to challenge — this is a legal requirement, not a courtesy. Disputes route to the reporting exchange first, escalate to the Asosiasi if unresolved, with an SLA and a full evidence trail. Successful disputes feed contributor reputation.

Audit immutability

Every listing, promotion, downgrade, dispute and de-listing is written to a tamper-evident, append-only log. OJK will require this; it is also the system's own defence when a listing is challenged in a legal forum.

12

Trust & abuse controls

The failure modes that quietly kill shared-blacklist schemes — designed against from the start.

Contributor reputation

Each exchange carries a score driven by overturned-dispute rate and corroboration history. It weights how much their assertions count toward promotion.

Infrastructure allow-lists

Known-good addresses — exchange hot wallets, custodians, bridges — are protected so a shared custodial wallet can't be mass-listed by accident.

Anti-weaponisation

Submission rate limits and anomaly detection flag an exchange bulk-listing a rival's users. Source-scoping already blunts the payoff.

False-positive hygiene

Address reuse, recycled phone numbers and shared custodial wallets are known traps; confidence bands and expiry keep stale flags from lingering.

13

Legal & compliance

The foundation. Get this wrong and the software is irrelevant.

Data residency

OJK-backed financial data almost certainly must stay onshore in Indonesia, possibly in a certified data centre. This constraint shapes the hosting choice — assume domestic.

Defamation containment

Source-scoping, evidence requirements, confidence bands and mandatory expiry together keep the system from making unqualified public accusations.

Retention & right to correction

Every record expires; every data subject can contest. Purged records leave only a non-identifying audit stub.

Sanctions alignment

sanctions.* reasons align with DTTOT and international lists so screening supports existing PPATK / APU-PPT obligations.

14

Architecture

Indicative shape for Phase 1 — deliberately boring and auditable. Detail firms up after the data model is signed off.

Exchange systems API Gateway · authn/z · rate limit Ingestion service · Lookup service
Registry DB (hashed idx) · Evidence store (encrypted) · HSM / KMS · pepper · Append-only audit log
Dashboard (API client) · Webhook dispatcher · Analytics / reporting
  • API-first — the monitoring dashboard consumes the same public API, so nothing is dashboard-only.
  • Separation of secrets — pepper and evidence keys live in the HSM/KMS, isolated from the registry DB.
  • Onshore, certified hosting — pending confirmation of OJK residency requirements.
15

Roadmap

Indicative, pending stakeholder sign-off on the data model and legal basis.

WaveDeliversGate to proceed
Phase 1Hashed lookup, CSV + manual ingest, source-scoped status, basic dashboard, audit logDPIA + documented PDP basis + template sign-off
Phase 2API, evidence, subject linking, confidence, dispute workflow, webhooks, corroboration rulesPhase 1 live + reputation policy agreed
Phase 3OJK oversight dashboards, contributor scorecards, trend analytics, reporting SLAsSufficient data volume + oversight requirements finalised
16

Open decisions

Points to resolve with OJK and the Asosiasi before build. These shape everything downstream.

  • Corroboration threshold — how many independent reports (and at what reputation weight) auto-promote a claim to System-Confirmed?
  • Peer visibility — do exchanges see which peer filed a claim, or only that "a claim exists"? Affects trust and gaming.
  • Dispute SLA & owner — who fields data-subject disputes, and within how many days?
  • Retention defaults — confirm per-status review periods against OJK / PDP guidance.
  • Data residency — confirm the required hosting jurisdiction and certification.
  • PPATK interface — is there a formal hand-off pathway for confirmed AML cases, and in which phase?
  • Non-exchange consumers — when (if ever) do banks / fintechs get query-only access, and on what basis?