Technology, Media and Telecommunications
Overview
Indonesia has taken a decisive step toward strengthening digital identity governance and combating mobile-based fraud through the introduction of mandatory biometric verification for SIM card registrations.
Under this new framework, facial recognition is now required for both Indonesian citizens (WNI) and foreign nationals, marking a significant shift in how telecommunications services are accessed.
These changes are formally introduced under Minister of Communication and Digital Affairs Regulation No. 7 of 2026 on the Registration of Telecommunications Service Customers Through Mobile Networks (“Regulation 7/2026”), which entered into force on 19 January 2026. Regulation 7/2026 partially revokes and replaces several provisions of Ministerial Regulation No. 5 of 2021, particularly those governing customer registration mechanisms.
Key Regulatory Shifts Under Regulation 7/2026
1. Mandatory Biometric Verification
Telecommunications Service Providers are still required to apply Know-Your-Customer (KYC) principles. However, Regulation 7/2026 removes any discretion regarding biometric use by making facial recognition mandatory, rather than optional.
This obligation applies across:
- prepaid and postpaid services,
- physical SIM cards and eSIMs,
- registrations conducted through outlets or self-registration platforms.
2. Revised Registration Requirements
Indonesian Citizens (WNI) must now register using:
⮕ a customer number; and
⮕ NIK (National Identity Number) supported by facial recognition data.
The former option of relying on KK (family card) data alone has been removed.
Foreign Citizens remain subject to registration using:
⮕ passport; and
⮕ Limited Stay Permit Card (KITAS) or Permanent Stay Permit Card (KITAP).
For minors under 17 years old and unmarried, facial recognition must be conducted using the biometric data of the family head listed on the KK.
3. Enhanced Biometric Security Standards
Providers are now required to:
- implement biometric systems compliant with ISO/IEC 30107-3 (Presentation Attack Detection);
- achieve a minimum resilience level equivalent to Level 2 or higher; and
- establish fraud prevention and incident-handling mechanisms.
This significantly raises compliance, cybersecurity, and data-protection thresholds across the telecom sector.
4. Expanded Self-Registration Mechanisms
Regulation 7/2026 formally recognizes self-registration via:
- websites,
- mobile applications, and
- other IT-based platforms.
Verification may be conducted through SMS, email, USSD, or equivalent methods. Facial recognition may be performed via faceprint capture on mobile devices, with a minimum similarity threshold of 95%.
5. Three-Number Limit Per Identity
A major policy shift is the introduction of a maximum of three mobile numbers per individual identity (NIK). Exceptions apply to:
- machine-to-machine (M2M) and IoT services;
- operator testing and fraud-detection numbers; and
- certain legal entities or business users, subject to further regulatory guidance.
6. Administrative Sanctions
Non-compliant Providers may face:
- written reprimands; and/or
- temporary suspension of business activities.
Sanctions are applied progressively, and Providers may submit objections within 21 business days, supported by evidence.
Key Takeaways
Regulation 7/2026 reflects Indonesia’s broader push toward secure digital identity infrastructure, increased trust in mobile communications, and tighter fraud mitigation. Providers must fully implement:
- mandatory facial recognition; and
- the three-number registration limit
by 19 June 2026.
Until that date, limited transitional use of NIK and KK data remains permissible for certain IT-assisted registrations.
How Seven Stones Indonesia Can Assist
Seven Stones Indonesia supports telecom operators, digital platforms, and foreign investors navigating Indonesia’s evolving digital compliance landscape, including:
➤ Regulatory compliance reviews for telecom and digital service providers
➤ KYC and biometric workflow advisory, including readiness for ISO-aligned systems
➤ Data protection and risk-management structuring, aligned with Indonesian privacy and cybersecurity obligations
➤ Advisory support for foreign nationals and corporates, ensuring lawful SIM registration for operational, IoT, and business needs
➤ Government liaison and clarification support, particularly where exemptions or transitional arrangements apply
Our approach combines regulatory insight, practical implementation guidance, and investor-focused risk mitigation.