Indonesia’s crypto market has grown exponentially in the past 12 months, with 9.5 million traders in Oct. 2021 — more than double year-on-year. Consider the following:
- IDR 480 trillion (about US$33.4 billion) in crypto assets were traded in the first seven months of 2021.
- At least 13 licensed crypto brokers and trading platforms are currently operating for consumers to transact on.
- Indonesia’s government is planning on opening its own national crypto exchange.
It’s not hard to understand why digital currencies are soaring in popularity in Indonesia or, in fact, Southeast Asia — home to one of the largest underbanked and unbanked populations in the world. These are precisely the people who do not have bank accounts or do not have access to financial and credit services by banks. Traditional investment options such as shares, stock or other asset classes are inaccessible for this group, let alone the fees, hassle and procedures involved in opening up and maintaining a bank account.
Conversely, crypto trading is a very appealing prospect. You don’t need a lot of capital to start with, and with an email account and smartphone, you can start trading — in a real-time, borderless manner — virtual or digital currencies via your exchange or digital wallet. Crypto also promises outsized gains, are increasingly being accepted as a form of real-world payment, and most importantly, you don’t need a bank account.
But the high number and value of crypto scams are a growing cause for concern. Globally, there were US$14 billion worth of scams in crypto in 2021 alone, with the size of crypto exchange hacks growing together with the rising prices of crypto. Indonesia contributed 11% of total victims to crypto scams in 2019, the second-highest in the world. The numbers prove the susceptibility of both Indonesian consumers and exchanges to such fraud and hacks.
Understandably, Indonesia’s government has also stepped on the brakes to protect consumers. Crypto exchanges now have to be licensed to operate, while others were banned, its central bank prohibited the use of crypto as a payment tool, and its Financial Services Authority (OJK) restricted financial firms from offering and facilitating sales of crypto assets
How to protect customers
Threats exist across the entire customer journey with crypto exchanges, including onboarding, transactions and identity recovery. The majority of compliance and focus is on the onboarding phase, where exchanges ensure that individuals go through eKYC (electronic “know your customer”) to verify their identity, and businesses undergo KYB (know your business) to verify the business’s legitimacy, to avoid fraud, money laundering or other criminal activity.
But there is more that exchanges can do. Additional measures that can protect investors include:
- KYB, KYT processes: To tackle the high incidence rate of fraud in transactions, exchanges can use KYT (know-your-transaction) monitoring to review transactions in real time, detect any suspicious activity and file such reports as well as manage investigations.
Other than threats in the customer journey, exchanges are also susceptible to hacking and scams that can drain accounts in minutes. Crypto exchanges should hold themselves to the highest security standards, with crypto being a lucrative target for hackers — be it the value of the assets traded or the reputational risk. - Multi-factor authentication: One way to mitigate such risks is to implement multi-factor authentication. Instead of using SMS OTP authentication, which runs the risk of having SMSes diverted and fraudulent transactions performed as well as being a weak link for spoofing, exchanges should consider biometric authentication instead. Biometric authentication is much more robust, identifying the individual rather than the device, and solutions like liveness detection allow verification of a live user by checking the live person’s facial movements. This makes it less likely for identity theft to occur.
- Biometric authentication: The use of biometric authentication should still be balanced with OTPs and other forms of authentication. Not all users may have access to smartphones with biometric authentication capabilities. Take, for example, Indonesia’s smartphone penetration at just 62% despite being the region’s largest digital economy. While more than half of users have smartphones, 38% of the population still needs to rely on OTP-based authentication methods. While solutions implemented should be robust enough for most of their clients, exchanges should allow for their services to still be accessed by those without biometric authentication capabilities and less digital native consumers, who do not know how to enable camera/ fingerprint functions or have concerns about such digital security measures.
Other preventive measures include the ability to store crypto in cold wallets (offline), temporary or permanent account locks when a user exceeds a certain number of failed login attempts, and blocking withdrawals once account details like the linked email address and phone number are changed.
Crypto exchanges should also notify users when funds are withdrawn or deposited, to alert customers of any suspicious activity. Potentially, the exchange could also allow users to click in and cancel the transaction or suspend the account immediately.
For the methods above, crypto exchanges can involve users in the decision-making by getting them to consent and indicate what constitutes suspicious activity and when they want their account to be locked/ frozen, what they want to be alerted for and how much liquidity they need in their hot wallets.
Indonesia’s crypto future
Indonesia’s appetite for crypto, particularly among the young, digital-savvy population shows no signs of slowing down. This will further draw the attention of regulators hoping to increase consumer protection, safety and compliance, as well as bad actors ready to pounce on lax security infrastructure or customer lapses. Crypto exchanges must urgently play their part in protecting themselves and their customers from financial and reputational risk.