Blog

Indonesia SMS Compliance: Kominfo Sender ID and UU PDP Guide

Written by Insights by Telerivet | May 15, 2026

Indonesia has one of the highest A2P SMS fraud rates in Southeast Asia. That is not a background detail. It is the reason why Kominfo, Indonesia's Ministry of Communication and Digital Affairs, works alongside the country's mobile operators to actively filter, block, and shut down traffic that does not run through approved channels. If your SMS program in Indonesia is delivering today but has not been registered properly, it is operating on borrowed time.

Sending business SMS in Indonesia generally requires per-operator sender ID registration with Telkomsel, Indosat Ooredoo Hutchison, and XLSmart, conducted through an operator-approved or locally authorized aggregator. A2P promotional and transactional traffic is generally expected to run through registered, authorized routes rather than grey routes. Indonesia's Personal Data Protection Law, UU PDP, has been fully enforceable since October 2024 and requires organizations processing Indonesian phone numbers to have a valid lawful basis, clear purpose limitation, and a practical process for honoring consent withdrawal and opt-out requests. Promotional messaging should be based on specific, informed consent.

The aggregator requirement is the part that catches international organizations most often. In many markets, you can connect an SMS API provider and route messages to local carriers directly or through a global aggregator. In Indonesia, that aggregator must itself be registered with and approved by the Indonesian operators. Traffic flowing through unapproved channels is treated as grey route traffic regardless of how legitimate your business is, and Indonesian carriers have been systematically closing grey routes since 2023. The deliverability drops when a route gets blocked are sudden, and the dashboard on your end will often still show messages as sent.

Kominfo and the regulatory structure

Indonesia's telecom compliance environment sits across two main authorities. Kominfo, now formally called the Ministry of Communication and Digital Affairs, sets the national framework: sender ID policy, spam prevention guidelines, data protection rules, and overall requirements for A2P messaging. BRTI, the Indonesian Telecommunications Regulatory Authority, handles sector-specific implementation and enforcement in coordination with the operators.

The three major operators, Telkomsel, which holds roughly 48% of the subscriber market, Indosat Ooredoo Hutchison at around 26%, and XLSmart, formed from the 2025 merger of XL Axiata and Smartfren, act as the gatekeepers. They control A2P delivery, run their own anti-spam filtering, and enforce Kominfo's requirements at the technical level. For financial services businesses, Bank Indonesia and OJK, the Financial Services Authority, add sector-specific layers on top of the national framework.

Because Indonesian carriers require all A2P traffic to pass through registered, approved aggregators, the choice of SMS provider in Indonesia is also a compliance decision. A provider that is not registered with Indonesian operators cannot guarantee that your messages will be treated as legitimate A2P traffic, regardless of how they market their service.

Sender ID registration: the per-operator process

Every alphanumeric sender ID must be registered with each Indonesian mobile operator before use. Registration is handled through your approved aggregator, who manages the submission process and carrier relationships. Typical processing time is three to four weeks across all operators, with documentation requirements varying slightly between them.

Your sender ID must be brand-consistent and clearly associated with your organization. Generic terms like "INFO," "PROMO," or "ALERTS" are rejected, as are sudden changes to an approved sender ID after registration. If your program requires multiple sender IDs for different message types or brands, each requires its own registration. Carriers review both the sender name and the content templates submitted with the application, which means the use case, whether OTP delivery, payment alerts, appointment reminders, or promotional campaigns, must be specified and approved alongside the sender name.

Promotional traffic often faces additional restrictions beyond sender ID registration, including time window limitations for when messages can be sent. Transactional traffic, such as OTPs, account alerts, payment confirmations, and service notifications, is classified separately, given higher delivery priority, and treated with fewer volume and time restrictions. Misclassifying promotional content as transactional to bypass those restrictions is a reliable path to sender ID suspension.

Grey routes: why they fail and why the window is closing

Grey routes are SMS delivery paths that bypass the official carrier interconnects. They typically route international SMS through P2P (person-to-person) pathways not intended for A2P business messaging, allowing providers to undercut registered aggregator pricing. In Indonesia, they have historically been used by operators looking to send high-volume campaigns without going through the registration and approval process.

Indonesian carriers are actively and systematically blocking them. The crackdown began in earnest around 2023 and has intensified since, driven by the fraud and smishing problem that grey routes disproportionately enable. The failure mode is not a clean bounce or error code. Messages sent over a blocked grey route typically appear delivered in your platform's logs while never arriving on the recipient's device. By the time a team identifies the problem, large portions of a campaign have silently failed.

The economics that make grey routes look attractive, lower per-message cost, no registration overhead, no approval wait, collapse entirely when a route is shut down mid-campaign. The risk is not just that individual messages fail. It is that sender reputation is damaged, carrier relationships are not available to appeal to because there is no relationship, and rebuilding a compliant program takes weeks.

For any organization sending volume into Indonesia, the only sustainable architecture is approved routes through a registered aggregator with direct operator connections. The deliverability premium of a compliant route over a grey route has increased materially as carrier enforcement has tightened, and the compliance risk of the grey route alternative has increased alongside it.

UU PDP: Indonesia's data protection law and what it means for SMS programs

Indonesia's Personal Data Protection Law, known as UU PDP, came into force on 17 October 2022 and became fully enforceable on 17 October 2024 after a two-year transition period. It is the country's first comprehensive data protection framework, consolidating provisions that were previously scattered across more than thirty separate regulations.

The UU PDP applies to any organization that collects or processes the personal data of Indonesian residents, regardless of where that organization is based. Phone numbers are personal data. A contact list used to send SMS is personal data processing. The law applies to your program regardless of whether your servers are in Indonesia.

For SMS programs, the core obligations are consent, purpose limitation, and data subject rights. Consent must be specific, informed, and explicit, obtained before processing begins. The consent request must explain what data will be collected, for what purpose, how long it will be retained, and how the individual can withdraw consent. General terms buried in a privacy policy are unlikely to satisfy the standard on their own. Consent for transactional messaging and consent for promotional messaging should be treated separately, and using data collected for one purpose to send the other type of message without additional consent is a violation.

Consent withdrawal requires action within 72 hours. If a recipient withdraws consent, processing for that purpose must stop within the same window. Deletion of data may also be required where consent was the only lawful basis for processing and no other legal basis applies. This is a stricter timeline than most markets: it means opt-out handling cannot be a weekly batch process and requires a system that responds to withdrawal requests within hours.

The Indonesian DPA, the dedicated enforcement body that the UU PDP requires, was targeted for establishment in 2026. During the transition, Komdigi conducted active compliance monitoring across digital platforms. According to compliance tracking reported by Recording Law, between 2024 and mid-2025 Komdigi reviewed approximately 350 digital platforms, identifying potential violations on 41% of websites and 34% of mobile applications reviewed, with 56 suspected UU PDP violation cases recorded through July 2025. Once the dedicated agency is formally established and implementing regulations are published, enforcement activity is expected to intensify further. Organizations that have not yet aligned their data processing practices with the UU PDP are not waiting for regulation to catch up. They are already in a period of possible enforcement.

Opt-out in Bahasa Indonesia

Indonesia does not maintain a national DND registry equivalent to Nigeria's 2442 system. Opt-out is therefore entirely the program's operational responsibility. Standard practice is to support STOP in English and BERHENTI in Bahasa Indonesia, with immediate processing and suppression list maintenance required by the consent withdrawal timeline under the UU PDP.

Including BERHENTI as the opt-out keyword is not a courtesy gesture. In a market of 270 million people where Bahasa Indonesia is the primary language for the majority of the population, an opt-out instruction that only works in English is not a functional unsubscribe mechanism for a significant share of your audience. Regulatory compliance and practical program quality both point to the same requirement.

WhatsApp as part of the channel picture

Indonesia is one of the world's largest WhatsApp markets, ranking third globally with approximately 112 million users as of 2024, and WhatsApp commands around 92% social media penetration in the country according to Statista. For urban, smartphone-connected audiences, WhatsApp is not a secondary channel. It is often the primary communication surface for both personal and business interactions. For operators running OTP flows, payment alerts, or customer service in Indonesia, a WhatsApp-first approach with SMS as fallback reflects the actual channel preferences of a large portion of the addressable audience.

The compliance picture for WhatsApp Business API in Indonesia differs from SMS. It runs through Meta's Business verification and template approval process rather than Kominfo's carrier registration framework. The two channels coexist, and the most robust programs in Indonesia use both deliberately: SMS for guaranteed reach regardless of smartphone or data status, WhatsApp for richer engagement where data connectivity is available. For organizations already operating WhatsApp programs alongside SMS, how WhatsApp fits into a global enterprise communication strategy is worth reading before designing the channel sequencing for an Indonesian deployment.

Building for Indonesia's geographic and connectivity reality

Indonesia spans more than 17,000 islands across a geography roughly as wide as the continental United States. Network coverage, smartphone penetration, and data connectivity vary enormously between urban Java and the outer islands. For programs that need to reach audiences beyond Jakarta, Surabaya, and Bali, SMS is not just one option among several. It is the channel that works on feature phones, on basic data plans, and in the coverage zones where WhatsApp and other OTT channels are unreliable.

That geographic reality also shapes the route architecture. Telkomsel's network coverage reaches further into the outer islands than the other operators, which means programs designed to reach rural or semi-rural populations need to weight Telkomsel connectivity appropriately. A single aggregator that routes primarily through one operator is not a channel strategy for a market this geographically dispersed.

BYOC architecture matters in Indonesia for the same reason it matters everywhere: your consent records, suppression lists, and workflow logic should not be inside the connectivity provider's system. In a market where approved aggregators are a compliance requirement and the aggregator landscape itself may shift as carriers tighten requirements, having your program logic above the connectivity layer protects the investment in registration and consent management regardless of which registered route carries the traffic.

Frequently asked questions

Does my organization need to use an Indonesian-approved aggregator to send SMS in Indonesia? Yes. All A2P SMS traffic in Indonesia must flow through aggregators that are registered with and approved by Indonesian mobile operators. Connecting through an unapproved provider, even a reputable international SMS API, does not satisfy this requirement. Traffic through unapproved channels is treated as grey route traffic and is subject to carrier filtering and blocking.

How long does sender ID registration take in Indonesia? Typically three to four weeks across all operators, depending on documentation completeness and the operator's review queue. Each operator has slightly different requirements. Your approved aggregator manages the submission process.

What are the opt-out keywords for Indonesia? STOP in English and BERHENTI in Bahasa Indonesia are the standard opt-out keywords. Under the UU PDP, processing for the messaging purpose must stop within 72 hours of a consent withdrawal, and deletion of data may be required where consent was the only lawful basis for processing. Opt-out cannot be handled as a weekly batch process.

Does the UU PDP apply to my organization if I am based outside Indonesia? Yes. The UU PDP applies to any organization that processes the personal data of Indonesian residents, regardless of where the organization is located. Phone numbers collected for SMS programs are personal data. The law applies to your program even if your servers and operations are entirely outside Indonesia.

Can I use WhatsApp instead of SMS for Indonesian recipients? WhatsApp is a strong channel for urban, smartphone-connected Indonesian audiences and one of the most widely used messaging platforms in the country. It operates under a different compliance framework than SMS, through Meta's Business verification and template approval process. Most programs in Indonesia benefit from using both channels with deliberate sequencing, SMS for guaranteed reach and WhatsApp for richer engagement where data connectivity allows.

This article provides general operational information and should not be considered legal advice. Organizations should consult qualified legal or data protection professionals regarding their specific compliance obligations under Indonesian law.

Talk to our team about building a compliant, multi-channel messaging program for your Indonesian operation. Get in touch.