Two of Indonesia's three major mobile operators were still activating SIM cards without biometric verification two days after the requirement became law, an unannounced government inspection found.

The Ministry of Communications and Digital (Kemkomdigi) visited a shopping mall in Central Jakarta on Friday, July 3, 2026. Of the three operators checked, only one had implemented face scanning. Indosat and XLSMART were still accepting National Identity Numbers (NIK) and Family Register Card numbers (No.KK) for activation, a method that ceased to be legally valid on July 1.

Indonesia's mobile market has consolidated around three groups after successive mergers: Telkomsel, Indosat, and XLSMART. On the first day of enforcement, two of those three had not complied with a rule that had been in force for 48 hours.

Why face scanning replaced NIK and family card verification

Face scanning is a biometric check matched against the Population and Civil Registration Directorate General (Dukcapil) database to confirm that the person registering is the one named on the ID. NIK and family card numbers can be used by anyone: a SIM card can be activated in someone else's name without that person present, a gap that has enabled digital fraud and account registration without victims' knowledge. Ministerial Regulation No. 7 of 2026 (Permen Komdigi No. 7/2026), which replaces the previous Permenkominfo No. 5 of 2021, closes that gap by adding a biometric layer at the point of activation.

For prepaid subscribers, the process is now: submit the card number via the operator's app or website, wait for an OTP, enter your NIK, then scan your face through your device camera. The data is validated against the Dukcapil database before the number is activated. Postpaid subscribers must register in person at a store.

What inspectors found

Beyond the two non-compliant operators, inspectors found hundreds of SIM cards that had been pre-activated and placed on sale at retail points without verified customer identities. That practice is exactly what the new rules were designed to stop.

Director General of Digital Ecosystems Edwin Hidayat Abdullah said both operators cited technical problems. Formal warnings were issued, and the operators promised to comply within 24 hours.

"We have issued warnings and the operators have promised to resolve this within 24 hours," Edwin Hidayat Abdullah said.

Kemkomdigi did not stop at field inspections. The day before the visit, on July 2, the ministry sent a letter to Dukcapil asking it to shut off NIK and No.KK validation access for mobile registration. By cutting access at the Dukcapil level, the government is no longer relying solely on operator compliance on the ground.

"We are therefore asking all operators to comply with these provisions and immediately halt all activations that still use NIK and No.KK validation without biometric verification," Edwin Hidayat Abdullah said.

One data risk traded for another

The old registration method was vulnerable to misuse of population data. The new one requires a face scan that the state stores and validates every time someone buys a new SIM card. The government has not publicly explained the governance: who stores the face data, for how long, what oversight mechanisms apply, and how it relates to the Personal Data Protection Law.

Biometric verification for digital services is being adopted in many countries. The UAE, for example, requires biometric verification for social media access for children under 15. In Indonesia, the scope is broader: a face scan is now the key to something as basic as a phone number for anyone buying a new SIM.

Edwin Hidayat Abdullah stressed that compliance is a matter of responsibility, not just a regulatory requirement: "We call on all operators to make public protection a priority. Compliance with biometric registration is not only about meeting regulations, it is also a form of shared responsibility [...]"

The 24-hour deadline Indosat and XLSMART promised falls on Saturday, July 4, 2026. Kemkomdigi has not announced a schedule for follow-up compliance verification or specified what administrative sanctions would apply. Other questions remain open: whether current number holders must re-register biometrically, when Dukcapil will effectively close NIK and No.KK access, and what metrics will be used to judge whether the rule actually reduces SIM-based fraud.