Regulatory Compliance in Indonesia: The System No Longer Waits for You to Check

Indonesia’s government platforms do not evaluate compliance when you file. They evaluate it continuously, by cross-referencing your corporate data, licensing records, tax position, and reporting history against each other in real time. When the data is inconsistent, automated sanctions follow. XPND manages the ongoing compliance obligations that keep your company’s data accurate and consistent across all government systems, so enforcement actions do not arrive without warning. 

The Compliance Gaps That Cause the Most Disruption

Most regulatory compliance failures in Indonesia are not discovered during annual audits or scheduled inspections. They surface when a company tries to do something routine and finds that a system has been blocked.

Your company has not submitted its annual report through the Corporate Legal Administration System (Sistem Administrasi Badan Hukum or SABH) since the introduction of mandatory annual reporting under Minister of Law Regulation (Peraturan Menteri Hukum or Permenkum) No. 49 of 2025, effective 17 December 2025. Under this regulation, capital-partnership companies including PT PMDN and PT PMA are now required to submit annual reports covering financial statements, beneficial ownership data, and shareholder structure through SABH every year. Companies that do not meet this obligation are treated as non-compliant legal entities under Indonesian law, exposing them to progressive administrative sanctions that can culminate in the blocking of all SABH access. Without SABH access, the company cannot file corporate amendments, change directors, transfer shares, or execute any corporate action.

Your company’s Beneficial Ownership data in the AHU Online system has not been updated following a change in the shareholder structure six months ago. Under Minister of Law Regulation or Permenkum No. 2 of 2025, effective 4 February 2025, any change in beneficial ownership must be reported within three days of occurrence. The regulation requires annual review and update of all BO data even when no changes have occurred. A company whose AHU data is inconsistent with its actual ownership faces AHU system blocking, which cascades immediately into OSS licensing disruption because OSS draws its company data from AHU.

Your company’s OSS licensing profile shows business activities registered under KBLI codes that no longer match what the company actually does. The company expanded into a new service line twelve months ago without updating its KBLI registration. Under PP No. 28 of 2025 and BKPM Regulation No. 5 of 2025, activities conducted under an unregistered KBLI classification create both a licensing gap and an investment realization reporting inconsistency. Post-approval supervision cross-references operational data against OSS records and the inconsistency has been accumulating with each LKPM filing.

Your company processes personal data of Indonesian customers and employees but has not conducted a formal review of its data processing obligations since Law No. 27 of 2022 on Personal Data Protection (Undang-Undang Perlindungan Data Pribadi or UU PDP) entered full effect in October 2024. The privacy notice on the company’s website reflects the old framework. Consent records for customer data were collected under terms that no longer satisfy the lawful basis requirements of the PDP Law. The company has not designated a Data Protection Officer despite operating at a scale that requires one.

Your company has been operating in a sector that requires TKDN certification for government procurement eligibility, and the certification was obtained under the old framework governed by MIR No. 16 of 2011. Minister of Industry Regulation or MIR (Peraturan Menteri Perindustrian) No. 35 of 2025, effective 11 December 2025, replaced this framework. The calculation methodology has changed, the validity period has been extended to five years, and the certification must now reflect the new standards. Operating under an outdated certification in procurement processes creates eligibility risk.

Tell us which areas of your compliance program you are most uncertain about. We will identify the gaps before they become enforcement events.

What Changed Under Permenkum No. 49 of 2025 and Why It Affects Every PT in Indonesia

Minister of Law Regulation or Permenkum No. 49 of 2025, effective 17 December 2025, fundamentally changed how corporate compliance works in Indonesia by transforming SABH from a passive company registry into an active compliance monitoring platform.

Under the previous framework, SABH recorded corporate events such as establishment, amendments, and director changes as they occurred. Companies interacted with SABH only when they needed to file a change. Under Permenkum No. 49 of 2025, SABH operates as a continuous compliance control system. Corporate data is now a living record that must remain accurate, complete, and consistent with the company’s actual legal and operational status at all times.

The most significant practical change for PT PMDN and PT PMA companies is the introduction of mandatory annual reporting. Every capital-partnership company must now submit through SABH each year: financial statements, beneficial ownership data, shareholder and director information, and any material corporate changes that occurred during the year. This obligation applies regardless of whether any corporate amendments were made during the year.

The consequence of non-compliance is not a warning letter. Permenkum No. 49 of 2025 establishes a progressive sanction framework that moves from written warning to filing restrictions to the blocking of SABH access. A blocked company cannot process any corporate action through SABH. It is, in the language of the regulation, a legally frozen entity.

For companies that were established before 2025 and have not yet reviewed their corporate records against the new requirements, the risk is not theoretical. Inconsistencies between what was filed under the old framework and what Permenkum No. 49 of 2025 requires are the primary source of compliance gaps in the current environment.

Has your company submitted its annual report through SABH under the new framework? If you are not certain, now is the right time to check.

The Cross-System Consistency Problem

Indonesia’s government platforms do not operate in isolation. AHU, OSS, the Coretax tax system, the Ministry of Manpower’s labor database, and the National Land Agency’s title registry all cross-reference each other. A company’s compliance position in one system affects its standing in all others.

When AHU data is blocked due to a Beneficial Ownership inconsistency, OSS licensing applications for that company are automatically suspended because OSS draws its company identity data from AHU. When a company’s OSS licensing profile shows activities that do not match its LKPM investment reports, the Business Licensing system flags the company for post-approval review. When a company’s tax data in Coretax does not reconcile against counterparty records, the DJP’s risk engine elevates the company’s supervision level.

The practical implication is that a compliance gap that originates in one system does not remain contained to that system. It propagates. A single outdated entry in AHU can ultimately affect the company’s ability to renew a business license, process a share transfer, and apply for a new work permit simultaneously.

XPND’s regulatory compliance program is designed around this cross-system reality. Rather than managing each compliance obligation in isolation, XPND tracks the full data profile of the company across all relevant government systems and ensures consistency is maintained as the company’s operations, ownership, and regulatory obligations evolve.

Annual Reporting Under Permenkum No. 49 of 2025: What Companies Must Submit

Under Permenkum No. 49 of 2025, the annual reporting obligation for capital-partnership companies covers four categories of data that must be submitted through SABH each year.

Financial statements. The company’s annual financial statements prepared in accordance with the applicable accounting standard, which for private companies is now SAK EP effective 1 January 2025.

Beneficial ownership data. Current beneficial ownership information consistent with the requirements of Permenkum No. 2 of 2025, including the identity of all individuals who ultimately control or benefit from the company and supporting documentation that validates the declared ownership structure.

Shareholder and director information. Current records of all shareholders, directors, and commissioners, including any changes that occurred during the preceding year.

Corporate change documentation. Records of any material corporate actions taken during the year including capital changes, KBLI updates, address changes, and amendments to the articles of association.

The annual report must be submitted within the deadline specified in Permenkum No. 49 of 2025. Companies that miss the deadline or submit incomplete or inconsistent data are placed in the progressive sanction framework.

For companies that have not established a structured process for gathering, verifying, and submitting this data, the annual reporting obligation represents a material new compliance burden that must be built into the operational calendar.

Personal Data Protection: The Compliance Gap in Most Operational Companies

Law No. 27 of 2022 on Personal Data Protection entered full effect in October 2024. For companies that operate in Indonesia and process personal data of Indonesian individuals, the PDP Law created obligations that most operational compliance programs have not yet fully incorporated.

The most material gaps XPND identifies in PDP compliance reviews are privacy notices that do not accurately describe how personal data is actually processed, consent records collected under terms that do not satisfy current lawful basis requirements, the absence of a designated Data Protection Officer where one is required, and the absence of documented data processing agreements with third-party service providers who access personal data on behalf of the company.

For companies that process significant volumes of customer data, employee data, or data from Indonesian users of digital platforms, the PDP Law creates both a direct compliance obligation and a transaction risk: any future M&A transaction, investment round, or regulatory inspection will examine PDP compliance as a material element of the company’s regulatory standing.

Not sure whether your company’s data processing practices meet current PDP requirements? XPND can run a gap assessment.

How XPND Structures the Regulatory Compliance Program

SABH and AHU compliance monitoring

XPND tracks the company’s annual reporting obligation under Permenkum No. 49 of 2025, prepares the required submissions including financial statement integration, beneficial ownership data, and corporate records, and ensures the submission is complete and consistent before the deadline. For companies with outstanding compliance gaps from the pre-2025 framework, XPND conducts a remediation review before annual reporting is submitted.

Beneficial Ownership maintenance under Permenkum No. 2 of 2025

XPND monitors the company’s ownership structure for events that trigger BO reporting obligations, prepares updates within the three-day deadline, manages the annual review process, and maintains the supporting documentation required for risk-based verification by the Ministry of Law.

OSS licensing profile maintenance

XPND monitors the company’s actual business activities against its registered KBLI codes, identifies any activity drift that has not been reflected in the OSS profile, and manages KBLI updates and investment realization reporting to ensure the licensing profile remains consistent with operational reality.

Personal Data Protection compliance review and program management

XPND reviews the company’s data processing practices against the requirements of Law No. 27 of 2022, identifies gaps in privacy notices, consent records, and third-party data processing agreements, and develops the documentation framework needed to bring the company’s PDP posture into compliance.

Cross-system data consistency monitoring

XPND maintains a consolidated view of the company’s data profile across AHU, OSS, SABH, and the Coretax system, and identifies inconsistencies between systems before they trigger automated enforcement actions.

Regulatory change monitoring

XPND tracks changes to the regulatory frameworks that affect the company’s compliance obligations and provides advance notice of upcoming requirements, so the company can prepare rather than react.

Ready to move regulatory compliance from a reactive function to a proactive program? Talk to XPND about what that looks like for your company.

Why Regulatory Compliance

The companies that manage regulatory compliance well in Indonesia’s current environment are not the ones with the most complex legal teams. They are the ones whose corporate data is accurate and current across all government systems, whose annual reporting obligations are met before deadlines, and whose compliance program is designed to identify gaps before they trigger automated enforcement.

The alternative is reactive compliance: addressing each enforcement event after it occurs, resolving system blocks that have already affected operations, and paying the remediation cost of gaps that accumulated without detection. In Indonesia’s current regulatory environment, the cost of reactive compliance consistently exceeds the cost of proactive management.