Indonesia’s Fraud Crisis Exposes a Funding Gap — APEI’s Lily Widjaja Urges SRO Action and Real Cyber Investment
Key Takeaways
|
JAKARTA, Investortrust.id — The financial fraud stories circulating through Indonesia’s capital market this year have become unsettling enough to resemble scenes from a digital-crime documentary, but the drama on the surface is not what concerns Lily Widjaja the most. For the Executive Director of the Association of Securities Companies, or APEI, the deeper threat is structural, systemic, and dangerously underfunded.
Speaking in an exclusive conversation with Investortrust, Lily said Indonesia’s fraud wave has exposed a reality the industry has long avoided. Too many securities companies lack the cybersecurity foundations needed to safeguard client assets, and the national market can no longer depend solely on OJK or the exchange to close these gaps.
“Investor protection is a shared responsibility” she said on the sidelines of Investortrust Capital Market Forum 2025 on Thursday. “Investors must be vigilant, yes, but regulators and SROs also need to address the weaknesses that keep repeating. It makes no sense for these cases to continue happening without proper solutions.”
The Cost Barrier No One Wants to Discuss
Lily makes no attempt to soften her argument. Securities companies, she said, simply cannot deploy reliable cybersecurity because the technology is too expensive. Advanced monitoring tools, anomaly detection, secure coding, robust API protection, and continuous threat-hunting all require sustained investment, yet most Indonesian brokers are small or mid-sized firms with capital bases far below the levels seen in banking.
“Strong technology is not cheap” she said. “Many brokers are already fully online but have not invested sufficiently in their systems. That leaves them vulnerable to many kinds of attacks.”
An SRO representative, speaking separately to Investortrust, echoed her concern and noted that the core capital of many securities companies is significantly smaller than that of banks, making it impossible for them to meet the same cybersecurity standards without support.
Lily believes the implication is unavoidable. If brokers cannot individually fund the level of digital protection modern markets require, SROs must step in. Not as observers, but as active architects of the industry’s defensive shield.
APEI Pushes SROs to Lead the Defense
APEI has been in continuous discussions with the Financial Services Authority (OJK), IDX, and Indonesia Financial Technology Association (AFTECH) as fraud cases have proliferated through 2025. OJK advised APEI to coordinate with BSSN, the national cybersecurity agency, and to build a sector-wide defensive playbook. Lily welcomed this guidance, but she emphasized that guidance alone is insufficient when the weakest players do not have the financial capacity to implement it.
This is why the upcoming initiative from the Indonesia Stock Exchange has become a focal point of hope. IDX is preparing to subsidize a sector-wide Security Operations Center, an SOC that would allow smaller brokers to plug into enterprise-grade surveillance, detection, and incident-response systems without bearing the entire cost.
“It will function like a control center” Lily said. “Our members are evaluating which vendors to use.”
The SOC model, widely used in mature markets, offers protection not only through technology but also through shared insight. A threat detected at one member can be neutralized before it spreads to others. For Lily, this is precisely the kind of coordinated solution Indonesia has needed for years.
Fraud Cases Reveal the Weakest Links
The urgency behind Lily’s push becomes clearer when reviewing the cases APEI has tracked. Investors have woken up to find blue-chip portfolios liquidated and replaced by illiquid penny stocks purchased at inflated prices. Unauthorized drains from investor fund accounts have occurred after transactions were intercepted and altered at the API layer that connects brokers and banks. Cross-broker price manipulation, executed through matched trades in near-worthless stocks, has generated artificial profits for syndicates and catastrophic losses for counterparties.
Her tone was steady and direct. It also set the mood for the Investortrust Capital Market Forum 2025, where a room normally filled with assertive industry voices listened to her with unusual quiet.
Some firms, according to internal reports, have suffered losses in the hundreds of billions of rupiah. Emergency circulars were issued across SROs just to stabilize the situation.
On stage after Lily, Indian technologist Shuvam Misra, the founder chairman of India's Remiges Technology, added a crucial insight that reframed the conversation. His systems support major components of India’s trading and settlement ecosystem, yet the detail he emphasized was what did not happen in these Indonesian cases.
“None of these episodes required breaking into IDX or OJK core systems” Misra said. “They exploit weaknesses in member applications, connectivity, rules, and investor behavior.”
His remark underscored Lily’s main argument. Indonesia’s vulnerabilities sit not at the exchange, but throughout the surrounding ecosystem.
Latency, Surveillance, and the Challenge of Scale
Misra also warned that Indonesia cannot hope to prevent market abuse if its surveillance and risk engines are not built for modern trading volumes. India’s systems evolved from handling a thousand trades per second to tens of thousands, with risk recalculations occurring after every trade. That evolution was possible only because infrastructure was prepared ahead of demand.
“If Indonesia wants the trade counts and value we see in India today, the infrastructure must be prepared now” he said.
IDX’s Head of IT Development, Broto Endianto, agreed that capacity is not the only issue. The exchange now employs AI-enabled surveillance and next-generation firewalls, but the broader system remains porous. Ninety-three brokers, two clearing houses, custodian banks, and numerous vendors all connect to IDX through multiple points that vary in security quality.
“We have many doors we must protect” Broto said. “We must start regulating secure coding, multifactor authentication, and technical standards at the member level, not only at IDX.”
In other words, IDX can build a fortress, but it remains exposed if the village surrounding it has open gates.
The Blueprint Is Clear but Funding Must Follow
Lily believes the industry already knows how to respond. Brokers offering fully digital services need stronger standards. Incident reporting must become comprehensive rather than selective. Collaboration with OJK, BSSN, AFTECH, and banking partners is essential for safeguarding RDN flows. And above all, SROs must build common defenses to compensate for brokers that cannot afford the upgrades individually.
What is missing is the funding capacity at the member level and the collective urgency to treat cybersecurity as a fundamental component of market safety.
“Technology should be able to detect anomalies” Lily said. “From the broker side, it means protecting data across all systems. This cannot wait.”
Her message is not a caution but a call to action. The integrity of Indonesia’s capital market depends on whether the industry acknowledges that cybersecurity is no longer a backstage function but the new frontline of investor protection.
If Indonesia wants deeper markets, higher volumes, and stronger investor trust, a new defensive architecture must surround the entire ecosystem, not just the exchange. And in that future, Lily insists, SROs must lead rather than watch.
