BALI – There’s a reason bankers on opposite sides of the world are suddenly having the same anxious conversation.
This week, while Canada’s financial regulator was privately warning the country’s largest banks about the cybersecurity risks of Anthropic’s Claude Mythos, an AI model so capable that its public release has been deliberately restricted, Indonesia’s own Financial Services Authority (OJK) was standing on a stage in Jakarta delivering strikingly similar news. Speaking at the Risk and Governance Summit on July 14, OJK commissioner Sophia Wattimena told an audience of over 20,000 that cyber risk and AI misuse have become the top concerns for Indonesia’s financial sector, right alongside regulatory change and geopolitical uncertainty.
For anyone banking, working, or simply living between two financial systems, Bali’s large expat community very much included, this isn’t a story happening somewhere else. It’s the same story, arriving from two directions at once.
Why This Matters If You Bank in Indonesia
The numbers behind Indonesia’s version of this warning are hard to ignore. Indonesia’s National Cyber and Crypto Agency recorded 5.2 billion internet traffic incidents with potential cyberattack risks in 2025, with 94 percent involving high-risk malware capable of evolving into full-blown ransomware attacks. Meanwhile, digital payment transactions in Indonesia hit 14.82 billion in the first quarter of 2026 alone, up nearly 38 percent year-on-year, according to Bank Indonesia.
That combination, explosive digital banking growth paired with a rapidly evolving AI threat landscape, is exactly the tension regulators from Ottawa to Jakarta are now racing to manage. OJK’s own data from the National Cyber and Crypto Agency (BSSN) shows transaction anomalies in the financial sector remain notably high, prompting calls for tighter, more coordinated risk governance across banks.
For expats who’ve grown used to Indonesia’s increasingly seamless QRIS payments, mobile banking apps, and cross-border transfers, this is the less visible side of that convenience: a financial system racing to modernize while simultaneously trying to outpace threats that are evolving just as fast.

A Global Pattern, Now Landing Locally
What makes the Canadian warning particularly relevant to Jakarta and Bali alike is the specificity of what triggered it. Cybersecurity evaluators, including the UK AI Safety Institute, found that Claude Mythos, while built to help organizations detect and patch software vulnerabilities, is powerful enough that it could, in the wrong hands, chain together the steps needed for a full network takeover. That’s precisely the category of frontier AI risk OJK now says it’s tracking too, alongside a more immediate, already-visible threat: AI-generated scams.
Earlier this year, OJK commissioner Dicky Kartikoyono flagged growing concern over AI-based cyberattacks, including deepfakes, that specifically target older customers with lower digital literacy, a warning delivered, notably, at a forum held in Bali. It’s a reminder that while headlines focus on frontier models like Mythos, the AI-driven fraud already reaching ordinary customers, deepfaked voices, cloned faces, convincingly fake bank calls, is arguably the more immediate risk for everyday account holders, expat or local.
Indonesia Isn’t Waiting Idly Either
Regulators here haven’t been quiet on this front. In January, OJK issued a new regulation on information technology implementation by commercial banks, which took effect March 1, 2026, tightening requirements around cybersecurity, third-party IT providers, and data protection. Under the rule, banks must notify OJK within 24 hours of any significant IT incident, with a full report due within five business days.
It’s a far more formal regulatory response than Canada’s internal advisory email to bank executives, but the underlying motivation is identical: financial systems everywhere are trying to build guardrails around AI faster than the technology itself is advancing.
What’s Next for Anyone Banking Across Borders
For Bali’s expat and international community, the practical takeaway isn’t alarm, it’s awareness. Whether the threat comes from a frontier model like Mythos capable of exploiting software vulnerabilities, or from a far simpler AI-generated phone scam targeting an unsuspecting account holder, the direction of travel is the same everywhere: banks, and their customers, are being asked to move faster than the risks evolving around them.
As Indonesia’s digital finance boom accelerates and global regulators from Ottawa to Jakarta compare notes on the same emerging technology, one thing seems increasingly certain: the conversation happening in Canadian boardrooms this week is the same one Indonesian regulators are already having, just with a different accent.
















































