Authorities must tackle the challenges from the use of cross-border QR payments between countries following the system’s launch in mid-August between Indonesia and Thailand to allow their residents to purchase goods and services.
Bank Indonesia (BI) and the Bank of Thailand (BoT) announced the implementation of the cross-border payment link where residents in both countries can scan a QR code to pay for goods and services.
Despite the potential benefits, authorities and payment providers may face challenges and risks that need careful consideration in the cross-border QR scheme, especially as other nations plan to join Indonesia and Thailand.
A similar initiative is in the pipeline between the BI and the Monetary Authority of Singapore, which is targeting its launch in the second half of 2023. The central banks of Malaysia and the Philippines have also committed to connecting their payment systems as part of the Asean-wide payments connectivity effort.
One of the main issues is the difference in the implementation of a global standard for electronic data interchange between financial institutions, ISO 20022.
Jessada Sawatdipong, a co-managing partner at Chandler MHM in Bangkok, notes that the BoT has a strong commitment to encouraging the adoption of global standards to facilitate the transmission of financial data.
In early 2019, the BoT issued the Payment Systems Roadmap No. 4 (2019-2021) to set out five development frameworks in respect of Thailand’s payment systems, namely interoperablity infrastructure, innovation, inclusion, immunity and information.
“Under this road map, the BoT envisioned that ISO 20022 would be used by both the private and government sectors,” said Sawatdipong.
The launch of a new type of QR code payment called MyPromptQR in 2019 marked Thailand’s first payment initiative developed in accordance with the global standard. This year, the BoT integrated ISO 20022 into its BAHTNET System, an automated high-value transfer network for financial institutions that had been launched in 1995.
However, ABNR partner Freddy Karyadi in Jakarta has observed a difference in Indonesia, where the government has not issued any regulations requiring financial institutions to implement ISO 20022.
The BI issued a 2025 Indonesian Payment Systems Blueprint in late 2019 laying out the central bank’s plans to develop an integrated payment platform using the application programming interface (API) to increase financial inclusion through interoperability between various channels.
“The blueprint also states that as part of the second blueprint initiative on the retail payment system, which leads to a more efficient and secure modernisation of the retail payment system infrastructure by utilising the latest technology, there are certain concrete plans prepared by the BI involving ISO 20022,” Karyadi added.
For example, the ISO 20022 message format will be set as the communication standard for financial market infrastructure and will be implemented in the new generation of the BI’s real-time gross settlement system. This implementation is in line with the harmonisation initiative of the regional messaging format to create interconnections between settlement infrastructures.
The BI also has issued a regulation to serve as the legal basis for implementing the national standard on open API payments, entitled Standar Nasional open API Pembayaran (SNAP), that was launched in August last year.
The SNAP regulation requires payment service providers and users to perform certain types of testing to examine all components of the open API payment end-to-end, as well as to have their systems verified by a self-regulating organisation determined by the BI. However, this regulation only covered domestic payment system providers.
“As these are national standards, their compatibility with international standards may need to be evaluated,” Karyadi added.
With cross-border financial crime increasing in the region in recent years, Sawatdipong noted a number of developments in Thailand’s anti-money laundering, combating the financing of terrorism (AML/CFT) and fraud controls to support the interlinked systems.
In 2020, the BoT issued a notification setting know your customer requirements for customers opening e-money accounts. The central bank subsequently produced “know your merchant” policy guidelines in the next year, setting a framework on how designated payment providers should identify, verify and monitor the merchants with whom they conduct transactions.
“The BoT aims to ensure that its supervisory standards are equivalent to the financial sector’s supervisory bodies in other countries such as the US Federal Financial Institutions Examination Council, the Monetary Authority of Singapore and the Hong Kong Monetary Authority,” said Sawatdipong.
“With strong compliance from the financial sector, Thailand’s legal framework is clearly effective in addressing AML/CFT and fraud controls.”
Late last year, the BoT issued an updated version of the Cyber Resilience Assessment Framework that was a reference guide to assess levels of cyber risk and close key gaps.
On data security, Sawatdipong argued that minimum levels of security that are acceptable across the region need to be agreed on at a regional level. Regional implementation of standards or guidelines, a facilitative approach, regarding data security could start with pilot projects.
“These pilot projects would demonstrate the feasibility of standardisation of data security across the region,” said Sawatdipong. “The current disparity in the regulatory framework and effective implementation may make this challenging.”
In Indonesia, the central bank’s AML/CFT-specific regulation was issued in 2017 and it has not been updated to accommodate the latest developments, particularly on cross-border financial crimes.
“This regulation focuses on the obligation of financial service providers to conduct customer due diligence and report suspicious financial transactions,” said Karyadi. “However, the Financial Transaction Report and Analysis Centre periodically issues AML/CFT-related regulations and has launched several platforms to facilitate the shift from offline to online reporting and information systems.”
Earlier this year, the centre launched an AML reporting system called goAML and an electronic information management system on suspected integrated terrorism financing called SIPENDAR.
As Indonesia has yet to issue specific laws on data and privacy protection, the rules are still fragmented across several sectoral laws and regulations. Nonetheless, these regulations do not specify the data security standards that must be implemented, with consequences for violation.
“Measures that must be taken are described in a general manner in the regulations and are left at the stakeholders’ discretion as long as they fulfil the minimum requirements,” said Karyadi.
However, Karyadi noted that the BI seems to have put efforts into implementing the cross-border linking of payment systems. BI Regulations No. 22/23 and No, 23/6 on payment service providers open up the possibility of co-operation between local and foreign payment service providers, or support providers, with approval from the BI. The regulations disclose the approval requirements and considerations that may be taken by the BI to decide on the matter.
“As the regulations are ‘principle based’ and ‘activity based’, not ‘institutionally based’, most provisions are left to the BI’s assessment and discretion,” said Karyadi. “The provisions are not sufficiently clear and the BI ultimately has veto rights on matters requiring their decision.”
Given that laws and regulations tend to be issued by individual countries, Sawatdipong noted that the distinct challenges in interlinked payment systems would be regulatory overlaps and arbitrage. These challenges may present themselves at any stage of a payment system’s operation.
“This includes the licensing process, whether a licence or registration is required in a jurisdiction if an operator’s services involve such jurisdiction and if so, whether the operator is required to establish a local office,” said Sawatdipong. “Compliance obligations, customer complaint handling, i.e., identification of the responsible party among various operators along the line of the interlinked transactions, sanctions to be imposed, and the enforcement process given the cross-border nature of the systems also need to be considered.”