KYC Policy
Last updated: 06 May 2026
This Know-Your-Customer (KYC) Policy describes how PT UNIT GLOBAL SYSTEM verifies the identity of merchant directors, ultimate beneficial owners, and authorised signatories. It supports anti-money-laundering and counter-terrorism-financing obligations under Law 8/2010 (UU TPPU) and PPATK directives, and regulatory expectations under the Bank Indonesia payment system framework.
1. Scope and persons subject to KYC
UnitPay performs KYC verification on:
- Every director of a merchant entity (in Indonesian PT, every direksi member)
- Every commissioner of a merchant entity, where the legal form prescribes commissioners
- Every ultimate beneficial owner holding 25% or more, direct or indirect, of the merchant entity
- Every authorised signatory of the Service Agreement
- Every individual nominated by the merchant as an administrative super-user of the merchant cabinet with privileged settlement or risk-control rights
Customer-side KYC for individual end-users paying through merchant checkouts is performed by the issuing bank or wallet provider in line with their own AML obligations; UnitPay does not duplicate that verification.
Know-Your-Business diligence on the merchant entity itself is described in the Merchant Onboarding Requirements. KYC and KYB run in parallel: an entity cannot be onboarded until both are satisfactorily completed for the in-scope persons.
Beneficial-ownership tracing follows the entity chain to the natural-person owners. Where the chain includes corporate intermediaries layered through holding structures, those intermediaries are documented, but the verification target is always the natural person at the end of the chain.
2. Verification provider
UnitPay uses Didit (https://didit.me) as its primary KYC vendor. Didit performs document verification, a biometric liveness check (ISO 30107-3 PAD level 2), and AML screening (sanctions lists, PEP, adverse media).
Didit operates from the European Union (Lithuania). Cross-border transfer of personal data to the vendor is governed by binding contractual data-protection safeguards set out in the Data Processing Agreement, consistent with UU PDP Article 56(b). The DPA incorporates UU PDP and GDPR Article 28 obligations and is reviewed annually.
Where Didit cannot complete a verification (for example, an unsupported document type), UnitPay performs manual review using internal compliance staff and may engage an alternate verification provider. Manual reviewers receive the same training as automated-flow reviewers and follow the same adjudication framework.
Vendor concentration risk is mitigated by maintaining a documented fallback to an alternate qualified KYC provider; activation of the fallback is approved by the AML Compliance Officer and recorded in the program file.
Verification subjects can be directed to the Didit flow through a unique, per-subject link generated by the compliance system. Links are valid for a bounded period and reusable for retries within that window.
3. Required documents
Indonesian nationals must present a valid KTP (Kartu Tanda Penduduk). Foreign nationals must present a valid passport. Holders of Indonesian residence permits may present KITAS or KITAP alongside a passport.
Documents must be in colour, fully legible, and not expired. Photocopies are not accepted; original documents are captured live through the Didit verification flow. Tampered or altered documents are rejected automatically and routed to manual compliance review.
For high-risk relationships and EDD cases, additional documentary evidence may be requested, including proof of address (recent utility bill or bank statement) and source-of-wealth documentation. The specific requirement is communicated to the verification subject before submission.
4. Biometric liveness check
Verification includes a selfie video matched to the photograph on the identity document. The liveness algorithm checks for spoofing attempts (printed photographs, masks, replay video) at ISO 30107-3 Presentation Attack Detection level 2.
Liveness checks are processed automatically; results are typically available within minutes. Failed attempts may be retried up to three times, after which the case routes to a manual reviewer who may request additional evidence or alternative verification.
Biometric raw imagery is held only as long as necessary to complete verification. The persistent record is the verification result and a hashed template that cannot be reversed to reconstruct the original image. Biometric data is never used for marketing, profiling, or any purpose unrelated to verification.
5. AML screening at KYC
Each verified individual is screened against:
- UN Consolidated, EU Consolidated, OFAC SDN, and OFSI sanctions lists
- The PPATK domestic sanctions list (DTTOT) and any additional Indonesian regulatory lists in force
- Politically exposed person (PEP) databases including direct, family, and close-associate categories
- Adverse media drawn from over 1,000 sources, with a focus on financial crime, terrorism, and corruption signals
Positive matches block onboarding pending compliance review. The compliance officer adjudicates true-positive vs false-positive with documented rationale; PEP-true matches proceed only with enhanced due diligence and senior management sign-off.
PEP status by itself is not disqualifying. Indonesia has a substantial population of legitimate PEPs across politics, judiciary, and senior public service; the policy is to apply EDD measures (including source-of-wealth review and enhanced ongoing monitoring) rather than to refuse the relationship by default.
Adverse media match adjudication weighs source quality, recency, and severity of the underlying allegation. A single old, uncorroborated piece of adverse media does not by itself trigger refusal; a pattern of credible reporting on serious matters does.
6. Re-verification triggers
KYC is refreshed periodically and on event:
- Periodic refresh: every 24 months for low and medium risk; every 12 months for high risk
- Event refresh: change of director, change of ultimate beneficial owner, change of signatory, or change of legal form
- Risk-event refresh: suspicious activity flag, regulator inquiry, sanctions list update affecting the individual, material adverse media event
- Document expiry: refresh requested before the expiry of the identity document on file
Failure to complete a triggered refresh within 30 days places the merchant account in restricted mode (settlements continue to the existing bank account; new transactions are throttled) until the refresh is complete.
Refresh requests are sent to the verification subject by email and through the merchant cabinet, with a clear deadline and step-by-step instructions. Reminders are issued at 7 days and 3 days before the deadline so that the merchant has a reasonable opportunity to comply.
7. Data retention
KYC records are retained for five years after the merchant relationship ends, as required by PPATK under UU TPPU Article 21. Retention may extend longer where specific regulatory or legal-process requirements apply. Categories retained include:
- Identity documents collected for verification (KTP, passport, KITAS or KITAP scans)
- Biometric template hashes (the persistent reference, not raw imagery)
- Screening reports (sanctions, PEP, adverse media) with the matched list reference
- Adjudication notes and the final disposition of any compliance review
- Audit trail of when verification was performed, by which reviewer, and the outcome
Biometric raw imagery is held only as long as necessary to complete verification; the persistent record is the verification result and a hashed template that does not allow image reconstruction. Detailed retention schedules and lawful bases are documented in the UU PDP Personal Data Notice.
During retention, identifying data is access-controlled to compliance and legal staff with named-individual approval. Read access is logged and reviewed quarterly; bulk export is not permitted without dual approval.
8. Customer rights
Verified individuals have the rights set out in UU PDP Articles 5 to 15: information about processing, access, rectification of incorrect data, restriction of processing, portability where technically feasible, objection, and (subject to regulatory retention) erasure.
The right to erasure is qualified by the legal obligation to retain KYC records for the periods set out in section 7 above. During that retention period, identifying data may be archived and access-restricted but not deleted. After the retention period elapses, records are deleted on the next scheduled cycle.
Rights are exercised by writing to dpo@unitpay.net. The DPO acknowledges requests within five working days and provides a substantive response within thirty days, in line with the timing applied to broader data subject rights work.
Where a request relates to data shared with the KYC vendor, UnitPay coordinates with Didit so that the response is consistent across both parties. Vendor-side records are subject to the vendor's own retention obligations as bound by their Data Processing Agreement.
Complaints about KYC handling specifically may also be addressed to complaints@unitpay.net and follow the Dispute Resolution and Complaint Handling framework, which implements POJK 18/2018 timelines and external escalation channels (LAPS SJK, OJK consumer hotline 157).
For questions about whether a specific person is in scope for KYC, the merchant onboarding team coordinates with compliance to provide a definitive answer; the default position is that any individual whose authority materially influences the merchant relationship is in scope.
Effective date: 06 May 2026