Imagine a customer opening their mobile banking app to approve a transfer before a deadline. They enter their credentials and wait for the OTP. It does not arrive. They try again. The message still does not come. By the time it does – two minutes late, rerouted through an unregistered aggregator during a peak traffic window – the session has expired. The transfer has failed. The customer calls support. And somewhere in a compliance log, an authentication failure sits unexamined, indistinguishable from the hundreds of others that happened the same afternoon.
This scenario plays out daily across Indonesia’s banking system. Most banks have not measured it. With a new enforcement era arriving in 2026, that needs to change urgently.
Indonesia’s Digital Banking OTP Messaging is Built on Precarious Pipes
The scale of Indonesia’s digital banking transformation is genuinely impressive. Digital transaction volumes reached IDR 5,570 trillion in 2024, up more than 150% since 2018. Bank Mandiri’s Livin’ platform recorded a 168% jump in transaction frequency. BRImo is reaching rural communities that formal banking never fully served. Over 78% of Indonesian consumers now rely on digital banking, and the country has more active SIM cards than people – 315 million registered connections for a population of 280 million.
Behind every one of those transactions is an SMS. An OTP. A fraud alert. A payment confirmation. The entire trust infrastructure of Indonesian digital banking runs on a messaging layer that most institutions have never seriously audited.
Most Indonesian banks send these messages through intermediary aggregators. That introduces the risk that traffic is pushed over other channels (WhatsApp, RCS, in-app messaging) or over grey routes (long numbers and the like) that bypass formal carrier registration and degrade delivery quality. The attraction is cost. The problem is fragility. During peak periods, grey route traffic queues, slows, and may be blocked outright by the operators. The alternative channels are fragile in their own way: if the handset is switched off or out of coverage, that traffic queues and slows as well. OTPs arrive late or not at all. And when carriers implement filtering enforcement – which Telkomsel, Indosat Ooredoo Hutchison, and XLSMART are actively doing – grey route traffic fails silently, with no warning and no SLA. The bank’s operations team finds out when customer complaints spike.
The Enforcement Gap is Closing – Faster than Most Banks Realize
Indonesia enacted its Personal Data Protection Law, UU PDP, in October 2022. Modelled on Europe’s GDPR, it imposes mandatory 72-hour breach notification requirements, administrative fines of up to 2% of annual revenue, and corporate criminal penalties reaching IDR 60 billion – approximately $3.6 million USD. A two-year grace period followed. That period ended on October 17, 2024.
The law is fully in force. What has not yet arrived is its dedicated enforcement body, the Personal Data Protection Agency, which is being built now and is targeted to be operational in 2026.
This is not a reason for comfort. It is a countdown.
When the PDP Agency opens its doors, it will inherit a documented backlog of breach incidents from the transition period. Banks that suffered SMS-related security incidents during this window and have not remediated their infrastructure will have no credible argument that they lacked notice. The rules have been law since October 2024. The question the regulator will ask is simple: what did you do about it?
The answer “we were using a cheaper aggregator” will not be sufficient.
The Breach Wave is Already Here
This is not a hypothetical regulatory risk. The attacks are active and documented.
Researchers identified an ongoing phishing campaign targeting Bank Rakyat Indonesia using Android SMS stealer malware – software that automatically intercepts incoming OTPs and forwards them to remote servers, bypassing 2FA entirely without the victim’s knowledge. Separately, a dataset of approximately 3 million Bank Mandiri customer records appeared for sale on cybercrime forums in late 2024. Security analysts flagged the most dangerous second-order consequence: those phone numbers become direct ammunition for APK scams – malicious files disguised as wedding invitations or courier notifications – that install remote access trojans targeting mobile banking credentials.
Indonesia lost an estimated $438 million to digital fraud in under a year. OJK documented over $200 million in fraud-related losses in the first half of 2025 alone. These figures come from a market where the messaging infrastructure of its banking sector is being systematically exploited – and where the regulatory framework to hold banks accountable is months away from becoming fully operational.
Banks still sending messages through intermediary aggregators, with the attendant risk of grey routes or alternative channels, are not just carrying delivery risk. They are carrying liability that has not yet been called in.
WhatsApp is Gaining Ground – and Banks Need to Respond
There is a second dimension that Indonesian banks cannot afford to overlook. Indonesia has over 100 million active WhatsApp users. More importantly, Indonesia is one of Meta’s primary pilot markets for WhatsApp Conversational Commerce – business-to-consumer messaging is not an experiment here, it is already how millions of Indonesians expect to interact with the businesses they trust. Banks are the exception, not the rule.
Fintechs and digital banks – Bank Jago, SeaBank, Jenius – are already using WhatsApp to deliver OTPs, transaction alerts, and customer support through a channel their customers use every day, without requiring them to switch to a separate app. Traditional banks that still treat WhatsApp as a secondary experiment risk ceding their most digitally active customers to providers already meeting them where they are.
The infrastructure exists today for banks to run a full multi-channel communications stack: SMS as the primary OTP channel, WhatsApp as the engagement and fallback layer, and voice OTP as a safety net for customers who cannot receive either. Banks that build this stack in 2025 will have a measurable customer experience advantage over those that wait until 2027.
Three Questions Every Indonesian Bank Should Ask Their Messaging Provider Today
First: are you a direct aggregator with your own registered connections to Telkomsel, Indosat Ooredoo Hutchison, and XLSMART – or are you reselling capacity through a third party? The answer determines your delivery reliability ceiling, and your exposure when carrier filtering tightens.
Second: are your sender IDs registered with Kominfo and approved at the carrier level? Unregistered sender IDs are actively being filtered. A filtered message is not a delayed message. It is a failed authentication.
Third: when the PDP Agency issues its first enforcement actions and asks for documentation of your messaging compliance posture, what will you be able to show? Your aggregator will not be at that table. You will be – alone.
The starting point is an audit of your existing OTP messaging strategy – delivery quality, routing provenance, and actual cost per authenticated transaction. From there, the path is a multi-channel platform that centralizes routing, monitoring, and optimization across SMS, WhatsApp, and voice. The same infrastructure that secures your OTP layer becomes the communication backbone for broader customer engagement and care – compliant, consistent, and built to scale with your digital ambition.
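As an added example, not code from the article or from any bank or provider it names, the following Python sketch puts the audit described above and the SMS / WhatsApp / voice stack described earlier into working form. It scores each route by delivery rate, on-time rate inside the OTP session window, silent failures (no receipt at all, the failure mode grey routes show under carrier filtering) and real cost per authenticated OTP, flags routes that miss the bar or use unregistered sender IDs, and walks the channel chain in order so that every authentication leaves a record of what was attempted. The route names, per-message costs, 120-second session window and receipt records are constructed sample data, not figures from the article.

```python
"""Added example (not from the article): audit OTP delivery receipts per route,
flag routes that fail the bank's reliability bar, and walk a channel fallback chain.
All route names, costs and receipts below are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed assumption: an OTP session expires 120 s after the code is issued,
# so a delivery receipt later than this is a failed authentication, not a late one.
SESSION_TTL_S = 120.0


@dataclass(frozen=True)
class Receipt:
    """One delivery receipt as an aggregator or carrier would return it (constructed shape)."""
    route: str                  # provenance label, e.g. "direct-telkomsel" or "grey-longnumber"
    sender_registered: bool     # sender ID registered with the regulator and approved by the carrier
    status: str                 # "delivered" or "failed"
    latency_s: Optional[float]  # submit-to-delivery seconds; None when no receipt ever came back
    cost_idr: float             # price charged for the attempt (constructed figures)


def audit(receipts: List[Receipt]) -> Dict[str, dict]:
    """Per-route delivery quality and the real cost of each OTP that actually authenticated."""
    by_route: Dict[str, List[Receipt]] = defaultdict(list)
    for r in receipts:
        by_route[r.route].append(r)
    metrics = {}
    for route, rs in by_route.items():
        delivered = [r for r in rs if r.status == "delivered" and r.latency_s is not None]
        on_time = [r for r in delivered if r.latency_s <= SESSION_TTL_S]
        spend = sum(r.cost_idr for r in rs)
        metrics[route] = {
            "sent": len(rs),
            "delivery_rate": len(delivered) / len(rs),
            "on_time_rate": len(on_time) / len(rs),
            # No receipt at all: the silent failure mode that carrier filtering produces.
            "silent_failures": sum(1 for r in rs if r.latency_s is None),
            "unregistered_sender": any(not r.sender_registered for r in rs),
            # Total spend divided by OTPs that arrived inside the session window.
            "cost_per_authenticated_idr": spend / len(on_time) if on_time else float("inf"),
        }
    return metrics


def flag_routes(metrics: Dict[str, dict], min_on_time: float = 0.95) -> List[str]:
    """Routes that miss the on-time bar or carry unregistered sender IDs (filtering targets)."""
    return sorted(
        route for route, m in metrics.items()
        if m["on_time_rate"] < min_on_time or m["unregistered_sender"]
    )


def pick_sms_route(metrics: Dict[str, dict]) -> Optional[str]:
    """Best-performing route that is not flagged; None if every route is flagged."""
    bad = set(flag_routes(metrics))
    ok = [(m["on_time_rate"], route) for route, m in metrics.items() if route not in bad]
    return max(ok)[1] if ok else None


FALLBACK_CHAIN = ("sms", "whatsapp", "voice")


def deliver_otp(reachable: Dict[str, bool], chain=FALLBACK_CHAIN) -> Tuple[Optional[str], List[str]]:
    """Try channels in order until one delivers.

    `reachable` stands in for the outcome of a real send attempt per channel (constructed).
    Returns the channel that succeeded (or None) and every channel attempted, which is
    the record a compliance log should keep for each authentication."""
    attempts: List[str] = []
    for channel in chain:
        attempts.append(channel)
        if reachable.get(channel, False):
            return channel, attempts
    return None, attempts


# Constructed sample receipts for one afternoon: a direct carrier route and a grey route.
SAMPLE_RECEIPTS: List[Receipt] = (
    [Receipt("direct-telkomsel", True, "delivered", 4.0 + i % 5, 300.0) for i in range(20)]
    + [Receipt("grey-longnumber", False, "delivered", 6.0, 150.0) for _ in range(8)]    # on time
    + [Receipt("grey-longnumber", False, "delivered", 150.0, 150.0) for _ in range(6)]  # after expiry
    + [Receipt("grey-longnumber", False, "failed", None, 150.0) for _ in range(6)]      # no receipt
)

if __name__ == "__main__":
    m = audit(SAMPLE_RECEIPTS)
    for route, stats in m.items():
        print(route, stats)
    print("flagged:", flag_routes(m))
    print("chosen SMS route:", pick_sms_route(m))
    print("fallback:", deliver_otp({"sms": False, "whatsapp": True}))
```

With these constructed numbers the grey route is half the price per message but only 40% of its OTPs arrive inside the session window, so its cost per authenticated OTP comes out higher than the direct route's; that is the figure an audit should compare, not the headline per-message rate. The `silent_failures` count is the one to alert on, since those attempts never produce a receipt and otherwise surface only as customer complaints.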
The Moment is Now
Indonesia’s banking sector is investing heavily in digital products, with mobile banking projected to triple in transaction value by 2026. Regulators are tightening standards across every layer of the financial services stack. Fintechs are moving faster than legacy institutions on every channel that matters to customers.
What may appear to be a technical detail – the state of messaging infrastructure – is in reality a matter of customer trust, regulatory standing, and competitive positioning simultaneously. Every failed OTP creates a moment of doubt. When those moments accumulate, customers begin to look elsewhere.
The banks that treat communications infrastructure as a strategic asset rather than a utility will be the ones that earn customer trust through the next decade of Indonesian financial life. The PDP Agency is coming. The carrier enforcement is already here. The 12-month window is not a deadline. It is the last period in which acting first still confers an advantage.
Inside Telecom provides you with an extensive list of content covering all aspects of the Tech industry. Keep an eye on our Press Releases section to stay informed and updated with our daily articles.