Crypto License Asia
Get Consultation
Jakarta Sudirman SCBD skyline
Indonesia · OJK · 2026

Indonesia Crypto Licence. OJK PFAK Under POJK 27/2024

Crypto supervision moved from Bappebti to OJK on 10 January 2025. POJK 27/2024 eliminated the provisional CPFAK designation, only the fully licensed PFAK now operates. IDR 100bn paid-up capital, real PT-PMA, real substance.

  1. Home
  2. Crypto Licenses
  3. Indonesia
Budi Santoso, Indonesia lead
Budi Santoso
Indonesia lead · 17 years in financial-services and capital-markets regulation
Reviewed by Wei Ming Tan, Managing Partner · Updated 14 Apr 2026
View profile →
Regulator
OJK
Min capital
IDR 100bn (~USD 6M)
Timeline
11–17 months
Corp tax
22%
Statute
UU P2SK · POJK 27/2024
Entity
PT (PT-PMA)

Overview

Indonesia's crypto regime moved decisively in 2025. Under Law No. 4/2023 (UU P2SK. Pengembangan dan Penguatan Sektor Keuangan), supervision transferred from Bappebti (Ministry of Trade) to OJK (Otoritas Jasa Keuangan) on 10 January 2025. The same date brought POJK 27/2024 into force, the new core regulation governing the trading of digital financial assets including crypto assets. POJK 27/2024 eliminated the prior CPFAK provisional designation; only fully licensed PFAK (Pedagang Fisik Aset Kripto) now operates.

The 2026 picture: a fully OJK-supervised market with the Indonesian Crypto Asset Exchange (CFX, launched July 2023) and clearing house (KKI) in place, and Bappebti-era licensees having migrated through the 6-month compliance window that closed around 10 July 2025.

OJK-area corporate tower in Jakarta SCBD

The regulator. OJK

OJK is Indonesia's integrated financial regulator. The relevant unit for crypto is the Directorate for Financial Sector Technology Innovation, Digital Financial Assets and Crypto Assets (ITSK-AKD-AK), which runs PFAK licensing through the OJK ITSK portal. The transition consolidated supervision in OJK and removed the regulatory split that previously sat with Bappebti under the Ministry of Trade. AML/CFT supervision sits with PPATK, tax administration with DJP, monetary policy and payment-systems oversight with Bank Indonesia, corporate-law administration with Kemenkumham, and foreign-investment coordination with BKPM.

PFAK and adjacent licences under POJK 27/2024

POJK 27/2024 establishes a four-actor market structure:

  • PFAK. Pedagang Fisik Aset Kripto, the licensed exchange/broker.
  • Bursa Aset Kripto, the Crypto Asset Exchange (bourse).
  • Kliring Aset Kripto, the clearing house.
  • Pengelola Tempat Penyimpanan, storage and custody manager.

The CPFAK (provisional / candidate PFAK) status used under Bappebti has been removed; only fully licensed entities can operate. Asset listing is restricted to OJK's approved crypto-asset whitelist under Article 132 of POJK 27/2024.

Market structure. OJK, CFX, Kliring, Custody

POJK 27/2024 preserves the four-actor market structure launched under Bappebti in July 2023. The supervisory handover itself was operationalised through Government Regulation 49/2024 on the Transfer of Regulatory and Supervisory Duties over Digital Financial Assets, the implementing instrument that sat alongside Law 4/2023 (UU P2SK) and POJK 27/2024.

In practice a PFAK sits in the middle of four counterparties:

  • OJK ITSK-AKD-AK, licensor and prudential supervisor for PFAK, Bursa, Kliring and custody manager. Consumer-protection provisions under POJK 22/2023 applied to PFAK operations from 12 January 2025; the broader governance, PDP and operational compliance window closed six months later, around 10 July 2025.
  • Bursa Aset Kripto (CFX), the Crypto Asset Exchange, operated by PT Bursa Komoditi Nusantara. Every PFAK must be a member and route trading through the CFX matching engine; CFX also runs a rolling review of the approved-asset list.
  • Kliring Aset Kripto (KKI), clearing and settlement for PFAK transactions. Customer funds and asset flows settle through the clearing house rather than inside the PFAK itself.
  • Pengelola Tempat Penyimpanan, the licensed custody / depository manager. A PFAK cannot self-custody customer assets; the Bappebti-era cold-wallet-majority rule carried across to the OJK regime.

This separation matters for capital and technology budgets: the PFAK owns the customer relationship, KYC, surveillance and front-office UX, but matching, clearing and custody are outsourced to regulated counterparties. New-entrant business plans should budget for integration, margining and connectivity costs with each of CFX, KKI and the custody manager from day one.

OJK transition timeline, from Bappebti to OJK

The Bappebti-to-OJK handover was not a single-day switch; it was a staged programme driven by Law No. 4/2023 (UU P2SK), implemented by Government Regulation 49/2024 and landed operationally by POJK 27/2024. Applicants and legacy licensees should read the timeline as a compliance map, not a history lesson.

  • 12 January 2023. Law No. 4/2023 (UU P2SK) enacted. The statute mandated transfer of crypto-asset supervision from Bappebti to OJK within 24 months.
  • July 2023. Bappebti launched the Indonesian Crypto Asset Exchange (CFX, operated by PT Bursa Komoditi Nusantara), the Kliring Aset Kripto (KKI) clearing house and the custody/depository manager, the three-layer market structure that OJK has preserved.
  • 10 December 2024. POJK 27/2024 signed. Promulgated 12 December 2024 on the OJK regulations portal.
  • 10 January 2025. OJK officially took over crypto supervision. POJK 27/2024 came into force. Bappebti-era CPFAK (provisional) status was abolished; only fully licensed PFAK can operate.
  • 12 January 2025, consumer-protection provisions under POJK 22/2023 began applying to PFAK operations.
  • 10 February 2025, one-month deadline for Bappebti-era licensees to submit existing product applications to OJK.
  • 10 July 2025, six-month compliance window closed. Legacy PFAKs had to have migrated governance, operational, consumer-protection and data-protection (PDP Law 27/2022) frameworks to OJK standards.
  • 2026 (ongoing). OJK continues to run whitelist reviews and has placed stablecoin-specific rules in consultation; implementing Circular Letters under POJK 27/2024 are rolling out to set tiered thresholds for Bursa, Kliring and custody-manager licences.

For new entrants, the practical effect is that OJK approaches applications in a post-transition posture: the playbook is POJK 27/2024 from day one, not legacy Bappebti-era documentation. Bappebti precedents remain useful context but the filing architecture, fit-and-proper standards and consumer-protection disclosures all follow the OJK template.

Approved coin list, how the OJK whitelist works in practice

Asset listing on any PFAK is capped by the OJK-approved crypto-asset whitelist under Article 132 of POJK 27/2024. The list was inherited from Bappebti Regulation 7/2020 and successor updates, and OJK has continued to manage and prune it through the 2025–2026 transition. CFX runs a rolling review of the approved-asset universe; PFAKs cannot list tokens that sit outside that perimeter.

In operational terms this means three things for a new PFAK:

  • Listing committee. Article 132 assumes each PFAK operates an internal asset-listing committee with documented methodology, screening for legal clarity, market integrity, technology risk, AML risk and consumer-protection exposure. OJK will review the committee charter and listing procedures as part of the licence file.
  • Whitelist-only trading. A PFAK cannot accept inbound customer deposits of tokens outside the whitelist, cannot quote pairs outside the whitelist and cannot run OTC or brokered flows in non-whitelisted assets for Indonesian residents.
  • Delisting discipline. If OJK removes an asset from the whitelist, the PFAK must follow an orderly delisting, customer notification, wind-down window and either conversion or withdrawal support, inside a timeframe set by OJK. The same applies if CFX's periodic review signals a removal.

The whitelist is therefore both a market-access filter and a live compliance obligation. New-entrant PFAKs should budget for an in-house asset-risk function from the outset rather than treating listing as a commercial-team exercise.

Capital requirements

RequirementAmount
Minimum paid-up capitalIDR 100,000,000,000 (~USD 6 million)
Minimum maintained equityIDR 50,000,000,000 (~USD 3 million)

The framework was carried over from the Bappebti-era Regulation No. 8/2021 and confirmed for PFAK under OJK.

High-level checklist

  1. Indonesian Perseroan Terbatas (PT), typically a PT-PMA where there is foreign ownership.
  2. Capital fully paid up: IDR 100 billion paid-up plus IDR 50 billion maintained equity.
  3. Fit-and-proper assessment by OJK for directors, commissioners and controlling shareholders.
  4. Asset-listing committee aligned with the OJK-approved whitelist (Article 132 POJK 27/2024).
  5. AML/CFT programme aligned with PPATK regulations.
  6. Data-protection compliance under Law 27/2022 (PDP); consumer-protection rules under POJK 22/2023.
  7. Records of transactions and financial data retained for 10 years.
  8. Operational integration with the CFX exchange and KKI clearing house.
  9. OJK application via the ITSK portal; respond to fit-and-proper review and clarification rounds.
  10. Post-licensing: ongoing OJK reporting, periodic inspections, governance and consumer-protection compliance.

Step-by-step: how to apply for a PFAK under POJK 27/2024

  1. Entity and capital. Incorporate an Indonesian Perseroan Terbatas, typically a PT-PMA for foreign shareholders, with the PFAK KBLI classification. Open the corporate bank account and pay in IDR 100 billion; commission an auditor's confirmation of paid-up capital and of the IDR 50 billion maintained equity.
  2. Governance and persons. Appoint directors, commissioners and a controlling-shareholder structure that can pass OJK fit-and-proper. Set up the Compliance, Risk Management, Internal Audit and MLRO functions with clear segregation from trading operations.
  3. Policy and technology stack. Build the AML/CFT programme aligned with PPATK regulations and the FATF Travel Rule, the consumer-protection framework under POJK 22/2023, the PDP Law 27/2022 programme and the OJK cyber-resilience framework (typically benchmarked to ISO/IEC 27001).
  4. Dukcapil agreement. Sign the population-data verification agreement with Ditjen Dukcapil for KYC, mandatory for Indonesian-resident onboarding.
  5. Application submission. File the PFAK application via the OJK ITSK portal with corporate, governance, AML, technology-risk, consumer-protection and financial-plan documentation.
  6. Fit-and-proper and clarification rounds. Respond to OJK questions on business model, risk management, IT controls and shareholder structure; attend interviews with directors, commissioners and controlling shareholders.
  7. SRO membership. Secure membership of CFX (Bursa Aset Kripto) and the Kliring Aset Kripto (KKI) clearing house, and execute the custody-manager contract (Pengelola Tempat Penyimpanan). Complete technical integration testing with each counterparty.
  8. Asset listing. Constitute the internal asset-listing committee and select an initial set of tokens from the OJK-approved whitelist under Article 132 POJK 27/2024.
  9. Go-live and ongoing reporting. On grant of the PFAK licence, begin monthly operations reporting, quarterly financial reporting and annual audited financial statements to OJK. Retain transaction and financial data for 10 years.

Process and timeline

StageDuration
Entity setup (PT-PMA) and capital injection2–3 months
Application preparation. AML, governance, technology audit3–5 months
OJK review and fit-and-proper6–9 months
Total realistic11–17 months

Taxation

  • Corporate income tax: 22%.
  • VAT on crypto transactions: 0.11% of transaction value (previously prescribed under MoF Regulation 68/PMK.03/2022; retained under the OJK regime pending update).
  • Income tax on crypto transactions (PPh 22): 0.1% final tax for transactions through registered PFAK.
  • No crypto-specific tax holiday.
Foreign ownership

Crypto-exchange activity is not listed as closed in Perpres 10/2021 (Positive Investment List), treated as open subject to OJK licensing and PT-PMA incorporation. Foreign ownership is in principle up to 100%, but OJK fit-and-proper plus controlling-shareholder approval is the practical filter. Plan group structure with that review in mind.

Penalties and enforcement for unlicensed PFAK operation

POJK 27/2024 gives OJK a full administrative-sanctions toolkit, coordinated with PPATK on the AML side and Bank Indonesia on the payments side. For an unlicensed operator soliciting Indonesian residents, enforcement can be layered and fast.

  • Cease-and-desist and blocking. OJK can issue public warnings and direct the blocking of offending websites and apps through coordination with the Ministry of Communication and Digital Affairs (Komdigi). Payment-level blocking can follow via Bank Indonesia and PPATK direction to banks and e-wallet operators.
  • Administrative sanctions for PFAK licensees. OJK can issue written warnings, impose administrative fines, restrict business lines, suspend activities, and ultimately revoke the PFAK licence for serious or repeated breaches of POJK 27/2024, POJK 22/2023 consumer-protection rules, PPATK AML obligations or the PDP Law.
  • Fit-and-proper consequences. Directors, commissioners and controlling shareholders who fail fit-and-proper during enforcement reviews can be barred from holding equivalent positions in other OJK-regulated entities.
  • Criminal exposure. Running crypto-asset trading without the required licence can attract criminal penalties under UU P2SK and related financial-sector statutes, including fines and custodial sentences for individuals involved in the unlicensed activity.
  • AML and Travel Rule breaches. PPATK reporting failures (STRs, CTRs above the statutory reporting threshold and Travel Rule originator/beneficiary information for crypto transfers) are enforced separately under Law 8/2010 on Anti-Money Laundering, with administrative sanctions and criminal liability for wilful breaches.

For offshore exchanges the compliant path is always the same: incorporate a local PT-PMA, capitalise to the IDR 100 billion paid-up threshold, obtain the PFAK, and route order-flow through CFX and KKI. Attempts to serve Indonesian residents through VPN-routed offshore front-ends are treated as unlicensed activity and have drawn public OJK warnings since the 2025 takeover.

FAQ

What capital does a PFAK need?

IDR 100 billion paid-up plus IDR 50 billion maintained equity. The framework was retained from Bappebti-era Regulation 8/2021 and confirmed under OJK.

Is OJK now the sole regulator?

Yes, since 10 January 2025. Bappebti no longer supervises crypto. The OJK ITSK directorate handles licensing and ongoing supervision.

What does the whitelist mean?

Asset listing on a PFAK is limited to crypto assets approved on the OJK whitelist under Article 132 POJK 27/2024. New listings require OJK approval.

How does Indonesia compare with Thailand?

Thailand is more category-granular and lower capital. THB 50M (~USD 1.4M) for a custodial Exchange. Indonesia is a single PFAK regime at much heavier IDR 100bn.

What were the Bappebti-era transition deadlines?

One month from 10 January 2025 to submit existing product applications to OJK; six months (around 10 July 2025) for full compliance with OJK governance, operational, consumer-protection and data-protection standards. New applicants apply directly under POJK 27/2024.

Must a PFAK connect to CFX and the clearing house?

Yes. POJK 27/2024 preserves the four-actor market structure launched in July 2023: every PFAK must operationally connect to the Bursa Aset Kripto (CFX), the Kliring Aset Kripto (KKI) and a custody manager (Pengelola Tempat Penyimpanan). Order-matching, clearing and custody cannot be self-contained inside a single PFAK.

What entity type is required and can foreigners own 100%?

An Indonesian Perseroan Terbatas (PT), usually a PT-PMA for foreign ownership. Crypto-exchange activity is not closed under Perpres 10/2021 (Positive Investment List), so foreign ownership is in principle up to 100% subject to OJK fit-and-proper and controlling-shareholder approval. The PFAK KBLI classification must be reflected in the corporate documents.

How does the OJK whitelist of approved crypto assets work?

Article 132 of POJK 27/2024 limits a PFAK's tradable universe to assets on the OJK-approved whitelist, inherited from Bappebti Regulation 7/2020 and successor lists. New listings require OJK approval, with an internal asset-listing-committee governance and ongoing monitoring obligations.

What AML/CFT and Travel Rule rules apply?

PFAKs are reporting entities under PPATK, Indonesia's FIU. The AML/CFT programme aligns with PPATK regulations and the FATF Travel Rule, collection, verification and transmission of originator and beneficiary information for crypto transfers. STRs, CTRs and sanctions screening are all in scope, alongside consumer-protection rules under POJK 22/2023.

What compliance staffing does OJK expect?

OJK fit-and-proper covers directors, commissioners and controlling shareholders. In practice a PFAK carries a Compliance Director or Head of Compliance, a designated MLRO for PPATK reporting, a Risk Management function and an Internal Audit function, segregated from front-office trading. Technology-risk and information-security roles run alongside the ITSM/SOC framework.

What technology-risk and cyber-resilience standards apply?

OJK cyber-resilience rules apply alongside POJK 27/2024, information-security management, incident response, change management and business continuity. PFAKs typically align IT service management with ISO/IEC 20000 and information security with ISO/IEC 27001, and run a monitored security operations function. Customer-asset segregation with a cold-wallet majority rule carried from the Bappebti era remains part of the custody control set.

What ongoing reporting and audit obligations apply?

Monthly operations reporting, quarterly financial reporting and annual audited financial statements to OJK. Transaction and financial data retained for 10 years. PDP Law 27/2022 governs personal data; POJK 22/2023 governs consumer-protection disclosures. OJK conducts periodic inspections and can impose administrative sanctions, licence restrictions or revocation for breach.

Is crypto legal for payments in Indonesia?

No. The rupiah is Indonesia's sole legal tender under the Currency Law (Law 7/2011). Crypto is legal to trade and hold as a digital financial asset under POJK 27/2024 and is recognised as a commodity for tax purposes, but it cannot be used as a means of payment. Merchants, payment service providers and e-wallets regulated by Bank Indonesia are prohibited from processing crypto as payment.

Can a foreign exchange serve Indonesian residents without a PFAK?

No. Under POJK 27/2024 soliciting or serving Indonesian residents for crypto trading requires a PFAK licence and operational integration with CFX, the Kliring Aset Kripto and a licensed custody manager. OJK has issued public warnings against unlicensed offshore platforms, and PPATK can direct blocking at the payments level. The compliant route for an offshore exchange is to incorporate a local PT-PMA, obtain PFAK and route order-flow through CFX.

What are the step-by-step PFAK application milestones?

PT-PMA incorporation with IDR 100 billion paid-up; governance, AML/CFT, technology-risk and consumer-protection frameworks; OJK ITSK portal submission; fit-and-proper for directors, commissioners and controlling shareholders; Dukcapil data-verification agreement for KYC; CFX and Kliring Aset Kripto membership plus custody-manager contract; OJK-whitelist-aligned initial listings; licence grant and start of continuous reporting to OJK.

What is the difference between Bappebti and OJK for crypto?

Bappebti (Badan Pengawas Perdagangan Berjangka Komoditi), under the Ministry of Trade, supervised crypto as a commodity from 2019 until 9 January 2025 and issued the first PFAK and CPFAK regime. OJK (Otoritas Jasa Keuangan), Indonesia's integrated financial regulator, took over on 10 January 2025 under Law 4/2023 and POJK 27/2024. OJK supervises crypto as a digital financial asset, not as a commodity, removed the CPFAK provisional status, and applies a consumer-protection and prudential framework consistent with the rest of the financial sector.

What happens if the OJK removes an asset from the whitelist?

The PFAK must follow an orderly delisting inside the timeframe set by OJK: customer notification, suspension of new orders in the affected pair, a wind-down window for open positions and support for either conversion into a listed asset or withdrawal of the token to self-custody. Listing-committee minutes and delisting records are part of the audit trail OJK can review.

Can a foreign investor own 100% of an Indonesian PFAK?

In principle yes. Crypto-exchange activity is not on the closed list under Perpres 10/2021 (Positive Investment List), so foreign ownership of a PT-PMA PFAK can go up to 100%. The practical filter is OJK's fit-and-proper test on directors, commissioners and controlling shareholders, including source-of-funds review and past regulatory record. Group structure should be designed with that review in mind.

Keep reading

Related jurisdictions, services and guides

Cross-border

Thailand SEC Digital Asset

Lower capital, more granular categories, comparison anchor for SEA.

 Cross-border

Malaysia SC DAX

Mid-weight SEA option at MYR 5M paid-up.

 Service

Legal opinions

Token-classification opinions for OJK whitelist applications and banking partners.
Indonesia licensing

Map your business to OJK before you incorporate the PT-PMA.

A 30-minute call with Budi Santoso, our Jakarta lead. PFAK or adjacent licence, capital structuring and OJK fit-and-proper readiness.

Request consultation Meet Budi