Terms of Reference for procurement of Digital ID, Biometrics,

eKYC and Data Exchange Advisor Firm

A. Background
1. Legal basis
a. Generally, the legal basis for the implementation of population administration is Law
Number 23 of 2006 concerning Population Adminis&adon, as amended by Law
Number 24 of 2013. This law contains fundamental mandates for the implementation
of population admiris&ation in Indonesia, including population registration, civil
regisaado& management of population information, utilization of population data, and
management of the apparatus and secretarial support.
b. Further implementing regulations on population and civil registration are included in
Government Regulation Number 37 of 2007 concerning the Implementation of Law
Nulntwr 23 of 2006 concealing Population Administration, as amended by
Government Regulation Nwntxr 40 of 2019 concerning the Implementation of Law
Number 23 of 2006 regwdiag Population Admirds&ado& as amalded by Law Number
24 of 2013 concern@ changes to Law Number 23 of 2006 regarding Population
Administration.
C. Furthermore, the organi7atioa of population administration is also further ngtaated in
several Presidential Regulations, including:
Pwsidentiai Regulation Number 25 of 2008 concerning Requirmerlts and
Procedures for Population Registration and Civil Regisaation, as amended by
Presidential Regulation of the Republic of Indonesia Number 96 of 2018
concerning Requirements and Procedures for Population Regis&adon and Civil
Regisaation.
Ii. Presidential Regulation Number 26 of 2009 concerning the Implementation of
Population identi$cation Cards Based on the Population Identification Number
Nationally, as amended by Pnsidendal Regulation Number 112 of 2013
concealing the Fourth Amendment to Presidential Regulation Number 26 of
2009
d In addition, the technical aspects of population admhds&ation are also regulaed in
more detail in Minister of Home Affairs Regulation (Permendagd), including:
i. Minister of Home Affairs Regulation Number 38 of 2009 concealing Standards
and Specifications for Hardware, Software, and Blanks of Population
Identification Cards Based on the Population Identi6cation Number National&
as last amended into Minister of Home Affairs Regulation Number 72 of 2022
Regarding Standards and Specifications for Hardware, Software, and Blanks of
Electronic Popuiatiaa Idend£cation Cards as well as the Implementation of
Digital Population Identity;
Minister of Home Aaairs Regulation Number 9 of 2011 concurring Guidelines
for Issuing Population Identification Cards Based on the Population Identification
Number Nationally, as amended by Minister of Home Affairs RegulationNumtnr
 8 of 20 16 conwar@ the Second Amendment to Minister of Home Affairs
Regulation Number 9 of 2011 concening GtideHnes for issuing Population
Idea$$catMr Cards Based on the MK NatiaaalV;
111. Minister of Home AffaksReguktion Number 63 of 2016 con anang the Issuance
of Population Documents for Special 08icers;
IV. Minister of Home Aabin Regulation Number 19 of 2018 concuning the
ImlxovemerR of the Quality of Population AdmkBsaadon Services;
V. Minister of Home Affairs Regulation Number 7 of 2019 concerning Online
Population AdrnildsU%tion Services;
e. To support all population administration swvices as regulated in the above regulations,
Minister of Home Affairs Dwne Number 470-5561 of 2015 concerning the Continuity
of the XdetIan Merdeka tJara Data Center and the Development of the Batam Data
Recovery Center was issued to ensure the oper8tiona! continuity of data centers and
disaster recovery centers in supporting all population administration services in the
regions and at the cena&i level.
C Loan agreement between the Government of Indonesia with the World Bank no 9520
– ID date May 30, 2023 for the ID for bwlusive Sewiee Delivery and Digital
Tun$formation in Indonesia Investment Project Financing.
g. The procurement processes for the project win be conducted according to the World
Bank Procwemerit R£gtdations for Investment Project Financing (2820).
In general, the above mguladen and loan agreements serve as the direct foundation for the
implementation of }npulatioa administration in Indonesia, including in this context the
activities the ID for Inclusive Service Delivery and Digital Transforuration Project from
2023 to 2027.
2. General Informatioa
8+ Population Registration and Civil Registration Seetor Context
In Indonesia, the management of foundational ID systems, known as population
ngisaation (PR) and civil ngi$aation (CR), including mainMining the SIAK system
for recording data and producing populaden dwummts, is under the respoasibHity of
the General Dinctorate for Population and Civil Registration (Ditjelr Dukcapil) in the
h4iaisUy of Home A Rain (MaHA).
Various forms of ngisuatior! and identity cards have existed in the country since
before its independence and have evolved av@ time. The PR/CR systems are governed
by the Population Admitdsa&tion Law (2006, amended in 20}3). The key oomponeats
include the Population Adminis&atioa Information System (SIAK) database, a unique
nadalrai ID nunltnt (NIK) issued at birth registmtioIL an elecaoric national ID c©d
(e-KTP) available &am the age of 17, a family card {},K), and various certificates for
vital events such as bid:bs, deaths, and marriages.
 t23&367&

+,
9012.3456
U
41

5
HIll aceld6tnu
(NeW+belOII (eIIB. DeRIB.
RegUmM1
aqa HU'Hmi UHqea. fBI
at
LI
bb
$1 and data

&
ac
ah

Ut&irRRnwvkepMdedto wwe prov&sto vW brrp

UNRydcktlK rDK8HK
VRdgatbtngHakfH PIuB Naoepu# tO mgr

Be
DR nA
row EIMO

Figwe I. Population and ctvil registration in indonesia

b. Context regarding this Scope of Work

While Indonesia has made commendable progress in developing its foundational ID

systems, there are still challenges related to in&astructwv, scalability, and
cybersecudty.
In&asuucture and scalability challenges hinder the system’s potential impact. Although
progress has been made, coverage gaps remain, particularly in twelve priority
provinces and among win@able populations. Additionally, the existing ICT
in&astructure of the Ditjen Dukcapil is insufBcieat to meet the increasing demand for
real-time identity verification and data utilimdon services, including for the
introduction of national scale digital identity services.
Data security and cybersecudty are critical for user con£dence in the system. The
growing number of data breaches in Indonesia and globally highlights the need for
prioritizing data protection measures. Strengthening information and cybersecwity
capabilities, including monitoring and responding to threats, is necessary to safeguard
the system’s integrity.
Ditjen DukcapU has developed the f @mUDkW
Population Identity) application. Built in-house, the current version of IKD has more
than 8.8 million users as of April 2024. Through the Project, KD will be enhanced to
swve at least four core functionalities: (i) inclusive and secure activation/onboardiag
processes, through remote and in-person channels; (ii) storage and presentation of &
KTP, KK, and other population and official documents, including for oKline
verification using barcode, Bluetooth, and other technologies; (iii) single sign on and
identity verification for online/remote public and private sector services, similar to
Singapore’s Singpass and Australia’s myOovID; and (iv) consented data sharing.
Currently, Di$en Dukcapil has two Automated Biometric Identification Systems
{ABIS) available and in use for the deduphcation process, with each ABIS operating
in parallel. Both ABIS systems utilize three biometric modalities, namely angers, eyes,
and face, and the results of these modalities contribute to the accumulated matching
 value. ABIS I contains approximately 1 72 million data records, while ABIS 2 contains
approximately 40 miIEon data records. Data &cm ABIS is also empioyed in the
pdatirrg lxwess, when deduphcatior! results are s&xed in a database and data is
individually ideatiae d ABIS I has reached end of life and will need to be replaced
Fwttruman, utaiza6oa gaps exist in leveraging the ID system’s in&astructwe. Current
aut}reaticadoa aaasacdons primarily rely on dmrogmptac machin& which is error-
prone and less secure for high-value transactions. Then is a need to invest in w
identity verification and eKYC platform to provide a wide range of identity
veHfication modalities at a high scale, including to expand biometric vcd Bcation, to
provide higher levels of assurance and reduce risks, especially for financial inclusion
and mlpowering worn@ economically. The in&oducdon oftianetHc veHacation will
also require robust s@wity measures at hardware and so aware levels. This new
platform could exist alongside or replace the existing population data and document
utilization systems.
TIle polninian data managed by Ditjen Dukcapil is used for many purposes, such as
for identity vedacation during individual transactions, for bulk aansactions (e.g.,
cross-checking databases), and for producing statistics and geospatial maps, The
development of an APi-based Data Exchange Platform will help to improve the
speed, aww8cy, and integrity of how data is shared with kwtitutionai users, as well as
data shared with DRjea Duke ViI. The Data Exchange Platform should be integrated
with Sistem Penghubung Lcryanan Pemerintah (Government Services Integration
System, SPLP), which is an API exchange/gateway for government agencies and
aligned with Sam Data Indonesia (One Data Indonesia) data governance policies and
guidelines.
Each of these new systems (an enhanced KD application and backend system; new
ABIS; Identity Vwiacation and eKYC Platform; and Data Exchange Platform) need
to be compatible and integrated with each other. A Trust Framework governing the
linkages between these and with institutional users will therefore need to tn developed
The enactment of the Personal Data Protection law (PDP) in Indonesia is a significant
step in saengthening digital trust Modelled after the Ewopean Union's General Data
Protection Regulation (Gl)PR), the PDP law intmduws nquinmeats for consent, data
minimization, and pra}nrdanality. However, operadanaazing the law will pose
challenges, and support will be needed for policy, regulatory, twhnoiogical, and
operational refonns.
Addressing these challenges will unlock the systan’s arormous potential for
development impact, improve service delivery, and enhance resilience to crises. It
nquins increased investment in iCT in&astrtwtwe, stwngtt©nbB biometric
vwific&tion, pdodtiza6on of data protection and cybenecwity, and the wIlancing of a
digital iD system and framework.
C+ Project Description
Through the ID for Inclusive Service Delivery and Digital Transformatiar in Indonesia
Project, the World Bank is supporting the Ditjen Dukcapil (as Lead, workIng closely
with Local Departments of Population and Ctvil Registration (Dinas Dukcapit) and
 other relevant stakeholders) to further improve the coverage and functioning of
Indonesia’s PR/CR system, to build platforms on top of the PR/CR system (e.g., the
identity verification and Electronic Know Your Customer (eKYC) platform, digital
ID, and data exchange platform) for more accessible, efficient, and innovative services,
and to strengthen cybersecudty and data protection of the Ditjen Dukcapil ecosystem.
This project’s objectives are to strengthen population and civil registration and
increase usage of digital identification to improve delivery and accessibility of select
public and private sector services for all Indonesians. It consists of five components:
i. Enhancing civil and population registration performance by improving local
processes and expanding coverage, especially in remote and vulnerable areas.
ii. Upgrading Information and Communications Technology (ICT) in#astructure,
creating eKYC services, and establishing a digital identity namework.
iii. Promoting eKYC and digital identity adoption by increasing population data
utilization and supporting institutional users.
iv. Developing Ditjen Dukcapil's capacity at central and local levels through reforms
in processes, human capital, legal &ameworks, and communication strategies.
v. Project management and coordination to effectively plan, monitor, and implement
the project, including risk management and change management. The overall
objective is to strengthen the population and civil registration system and
introduce digital identification for better public and private sector services.
The Project was approved in May 2023 and closes on December 31, 2027, Expected
results include, inter-alia, increases in identification and PR/CR documents among the
general population and vulnerable groups (such as children, persons with disabilities,
women, and persons living in remote areas, etc.); increase in digital ID use and
authentication; improved cybersecurity and regulatory environment.

Coordination and Consultation Proj Steering lmmttte

Supe in Committ
MoHA Bappenas, MeF, M€nP/W.RB, MaCTT General, MaCFE assN,
LKPP. Gaurul, RFE
OK PIwendurs Deputy
BPI$Social, BPS

B Dttjm DukuNL
Project Management Unit
CAI

h';PIE LL ': T: _-: coandhmMam

StraIns AXPSH PIAK

Team
unI Component 2

Gal overseas
missions

Figure 2. Project Organization Structure

 In connection with this matter, to enhance the implementation of the ID for Inclusive
Service Delivery and Digital Trmsformation Project &om 2023 to 2027, and especially
to support the Project Management Unit (PMU), a Digital ID, Biometrics, eKYC and
Data Exchange Advisor Firm is required.

B. Objective
The objective is to seek the services of an Advisor firm to provide technical and strategic
advice to Dukcapil for designing, developing, and implementing Digital ID Application
(including Bameworks and back-end systems), an Identity Verification and eKYC Platform,
Biometrics systems enhancements, and a Data Exchange Platform under the ID for Inclusive
Service Delivery and Digital Transformation in Indonesia Project.

C. Output
The output of this procurement is to onboard an Advisor firm to provide work based on the
scope of work and deliverables in this ToR, for designing, developing, and implementing
Digital ID Application (including aameworks and back-end systems), an Identity Verification
and eKYC Platform, Biometrics systems enhancements, and a Data Exchange Platform.

D. Stakeholders
The stakeholders of Advisor firm activity are:
Primary stakeholders
• Project Management Unit (PMU)
• The Directorate General of Population and Civil Registration
• Ministry of Home Affairs (MoHA), Republic of Indonesia
Secondary Stakeholders
• SPBE Institutions
e Private sector and other public sector service providers

E. Scope of Work
To enhance the implementation of H) for Inclusive Service Delivery and Digital Transformation
Activities From 2023 To 2027, and especially to support the Project Management Unit (?MU), an
Advisor Firm for designing, developing, and implementing Digital ID application and back-end
system, eKYC platform, Biometrics systems upgrade, and Data Exchange Platform is required.
Relevant Project results and indicators to be supported by this Scope of Work
• Number of Indonesians who have installed the digital ID application and authenticated
themselves to access an online service at least one time in the length of the project – 25
million
 •

Number of people who have used the eKYC platform for oaboarding selected services
including financial services – 50 million
o Sub indicator: Number of women using the identity verification and e-KYC
platform to onboard for a financial service – 20 million
•

Number of institutional users using the new identity verification and eKYC platform for
authentication – 25 relying parties
•

Difference between the proportion of Indonesian men and women owning a bank account
2%
•

Number of institutional users using the new identity verification and e-KYC platform for
authentication – 25
•

Number of government agencies integrated with data exchange platform – 5

•

Draft amended Population Administration law amendment submitted for joint discussion
between the Executive Branch and Parliament
e Digital ID Trust Framework adopted
e A national regulation governing the usage of digital ID is submitted to the President

Existing Systems covered by the Scope of Work for assessment (herein referred to as
“Existing Systems”):
• Current version oflKD

• Current ABISes, including ABIS I and ABIS 2 and their integration with SIAK and e-KTP
recording clients and manual adjudication systems
• Current Population Data and Document Utilization Systems

Target Systems and Frameworks that the Advisor firm will support development of (herein
referrod to as “Tar£et Systems and Frameworks”):
• A future version oflKD (which may be re-named/rebranded), including back-end systems,
#ameworks, and standards
•

A new Automated Biometric Identification System (ABIS) to replace ABIS I, including

migration from ABIS I and integration with ABIS 2 and integration with SIAK and e-KTP
recording clients and manual adjudication systems
•

A new Identity verification and eKYC platform for population data and document
utilization

• A new Data Exchange Platform

• A trust &amework governing all of the above
Work 8n8ngement3
e The Advisor Film will work under the day-today direction of the PMU. All deEverables
will be produced in consukadon and for approval by the PMU. The PMU win facilitate
coordinadon and cooperadalr with relevant internal stakeholders, external stakeholders,
and ottin ooasuking arms.
+

TIle Advisor Firm will novi& strategic and technical support to the PW, the Dime&x-
General, other related teams in Ditjen Dukcapi] and the Ministry of Home Affairs, and
other govanment miaistde8/agencies proposed by Ditjen i>ukcapil.
•

The Advisor Firm is expected to work and cooRinnate closely with other consultants for the
Project, including the Pnjax Management Consultant (PMC) firm (especially on
pRxurwart, budgeting, and planning), the iCT In&8saucture, Public Key Tnf7asauctun,
and Cybersecwity Advisor finn (especially on in&asauctme designs and information and
cybwse€udty issues), and other individual consultants hired by Diyen Dl&cap a

Outputs of this Scope of Work must comply with the following norms and guiding principles
(henceforth referred to as “Guiding Norms and Principles”)
Norms :
e Indonesian laws and ngtd&ions, including related to population administratbl\ SPBE,
PDP, and cybenecuHty
•

Identified international standards, including at least those identified in the Scope of Work
B
ID for Inclusive Service Delivery and Digital Transformation in Indonesia Project loan
agreement
•

Principles for Digital DeveiopmaB – www.digitalprinciples.org

+

Principles for Identification for Sustainable Development – www.idprincipies.org

Principles :
e Inclusivity and Acc'w8ibility: The citizen-facing Target Systems and Frameworks must
be accessible and user-&ieadiy. For examIBe, KD should incorporate featwes to ensure
accessibHity for persons with a disability and users with lower levels of digital iheracy.
8
Scalability: The Target Systems and Frameworks must be able to scale horMntally to
manage expanding user bases and escalating Uansaction requests, including to minimize
latency to enable real-time responses.
e
Modularity: The Target Systems and Frameworks must be modular by aaain, allowing
for intercbangeabUity of individual modules or components,
•

Accuracy: The Target Systans and Frameworks must achieve the highest standards of
performance, in terms of data quality, veriScation performance, and other factors.
 •

System Adaptability and Extensibility: The Target Systems and Frameworks must take
into account the need for continuous enhancement, including with the ability for Ditjen
Dukcapil to do such enhancements in-house.
•

Technology and Vendor Neutrality: The Target Systems and Frameworks must be
designed to reduce risk of technology and vendor lock-in and capture, such as through open
standards, open-source software, and open interfaces. Ditjen Dukcapil aims to maintain as
much of the Target Systems and Frameworks in-house as possible.
•

Interoperability and Standards Compliance: The Target Systems and Frameworks must
comply with relevant international and industry standards to seamlessly integrate with
various systems, both internally and externally (i.e., relying parties).
•

Security, Privacy and Consent Management: The Target Systems and Frameworks must
adhere to the best standards of information and cybersecurity and privacy-byqjesign, and
the Law on Personal Data Protection. This includes implementing consent management
tools for user-controlled data sharing, including using end-to-end encryption for secure
data transmission and storage.
e Redundancy and Disaster Recovery: The Target Systems and Frameworks must have
backup systems and replication of data to prepare for failover situations, including disaster
recovery strategies to guarantee uninterrupted service continuity.
e Regulatory Updates and Adaptability: The Target Systems and Frameworks must be
flexible to adapt to evolving laws, regulations, and standards.
•

Whole of Government (WOG): The Target Systems and Frameworks must align with
relevant WOG initiatives of the Republic of Indonesia, including (but not limited to) SPBE
and Satu Data Indonesia, such as Presidential Regulation Number 82 of 2023 on
Acceleration of Digital Transformation and Service Integration National Digital.

Detailed Scope of Work

In support of these outputs the activities of the Advisor Firm are as follows:
1. Project Inception
a. Requirements Gathering: The Advisor Firm will consult key stakeholders to gather
high-level knowledge about the current state of Existing Systems and Rrture
requirements of the Target Systems and Frameworks, at a sufficient level of detail to
enable development of the details required for the inception report.
b. Inception Report: The Advisor Firm will produce an Inception Report including, at a
minimum, the detailed work plan (including timelines and outputs), working
arrangements (including mechanisms for coordinating with other consultants and
cadence for meetings), risk identification and mitigation plans, and stakeholder
mapr)mg.
2. Study and Analysis
a. Study of Existing Systems and Capabilities: The Advisor Firm will conduct
comprehensive ' As-is’ assessments as follows:
 1.
Technical and Operational Assessment: The Advisor Firm will assess Existing
Systems against relevant good practices and the requirements of the Target Systems
and Frameworks, including migration from Existing Systems to Target Systems and
Frameworks. This assessment should consider whether and how specific Existing
Systems should be continued once Target Systems and Frameworks are in
production, including to assess migration capabilities.
ii. Legal and Regulatory Compliance: Advisor Firm will conduct a study to
benchmark Existing Systems (including their laws and regulations processes)
against applicable laws and regulations.
iii. Standards and Best Practices: The Advisor Firm will perform a gap analysis of
the standards implemented in Existing Systems, against latest international
standards and best practices related to the Target Systems and Frameworks.
iv. Capacity and Knowledge Gaps: The Advisor Firm will assess Ditjen Dukcapi i’s
structure and capabilities to implement the Target Systems and Frameworks,
including to ensure maximum inclusivity, accessibility, interoperability, security,
and scalability.
V. User Interface and User Experience (UI/W: The Advisor Firm will assess the
Ul/UX of Existing Systems and produce recommendations to improve accessibility
and user-Biendliness for the Target Systems and Frameworks.
vi. Ecosystem: The Advisor Firm will assess the role of Existing Systems in relevant
initiatives, including but not limited to SPBE, the National Strategy for Financial
Inclusion, and ASEAN initiatives related to digital economy. This will include, at
a minimum, priority services identified in Presidential Regulation No. 82/2023,
population administration services, financial services, telecommunications
services, and e-commerce.
b. Needs Assessment Report: The Advisor Firm will produce a Needs Assessment Report
to recommend to Ditjen Dukcapil the business, technical, functional, non-functional,
use cases services and scale, and Ul/UX requirements and priority use cases of the
Target Systems and Frameworks, vis-a-vis the findings of the Study of Existing
Systems, as well as the Guiding Norms and Principles. The Needs Assessment should
include recommendations for strengthening Ditjen Dukcapil’s organi7ational structure
and capabilities to maintain and sustain the Target Systems and Frameworks.
c. Implementation Plan: The Advisor Firm, in coordination with other consultants
working on the Project, will produce a detailed five-year implementation plan for the
Target Systems and Frameworks. The plan must also contain describe the
implementation and procurement approach for each of the Target Systems and
Frameworks, including how these will be integrated. For example, the Advisor Firm
should recommend if and how specific systems or components could or should tn
developed in-house by Ditjen Dukcapil.
3. Design Development and IMaintenance

a. Enterprise and System Architectures, Designs and Processes: The Advisor Film will
produce detailed architecture, design, and process documentation for the future IKD,
ABISes (including integration with SIAK and e-KTP recording clients and manual
 adjudication systems, and any future middleware requirements), Identity Verification
and eKYC Platform, and Data Exchange Platform, including:
i. Individual system-level: For each of IKD, the new ABIS (including integration
with SIAK and e-KTP recording clients and manual adjudication systems, and any
future middleware requirements), Identity Verification and eKYC Platform, and
Data Exchange Platform.
li. Enterprisblevel: Covering how the IKD, the new ABIS, Identity Verification and
eKYC Platform and Data Exchange Platform interoperate and integrate with each
other and other systems in Ditjen Dukcapil. For example, how IKD and the Identity
Verification and eKYC Platform can be used for consented data sharing, facilitated
by the Data Exchange Platform. These outputs will cover business, data,
application, and technology layer elements for these systems as per the TOG AF
Bamework, and should be developed in such a way that Ditjen Dukcapil and their
consultants can incorporate into the organization's Enterprise Architecture. The
Advisor Firm should coordinate and collaborate with other consultants in
developing the outputs.
b. Wireframes and Mockups: The Advisor Firm will produce wireframes and mockups
for the IKD, Identity Verification and eKYC Platform, and Data Exchange Platform.
c. Security Design: The Advisor Firm will produce detailed security and privacy
documentation to ensure that the Target Systems and Frameworks protect personal data,
including encryption, access controls, and secure authentication methods, in
consultation with other security consultants appointed by Ditjen Dukcapil.
The Advisor Finn will be responsible for the following:
i. Rkk Assessment: The Advisor Firm will conduct a comprehensive risk assessment
to identify potential risks and vulnerabilities for the Target Systems and
Frameworks, as well as identify mitigation measures.
11. Security Strategies: Based on the risk assessment, the Advisor Firm will develop
a roadmap for implementing security measures aligned with user requirements and
industry best practices in accordance with applicable laws and regulations.
iii. Security Policies: Drafting and assisting Ditjen Dukcapil in implementing security
policies and protocols that govern access controls, data handling, and incident
response procedures.
iv. Technology Evaluation and Recommendations: Evaluating and recommending
security tectulologies such as encryption methods, access control systems,
firewalls9 and intrusion detection systems that align with user needs and enhance
their security posture.
d. Inputs to Procurement Plan: The Advisor Firm will produce inputs to Ditjen
Dukcapil’s Procurement Plan and Annual Work Plan and Budget on the number, tYpe,
and details of procurement activities to realize the Enterprise and System Architectures,
Designs and Processes.
 e. Data Protection Impact Assusments (DPIA): TIle Advisor Firm will conduct a DPIA
and produce a reInn for each of the agreed Enterprise and System Are}Btecaires and
Designs, in compliance with the Law on Personal Data Protection.
f. Use Case and Interep€abiHty Design: TIle Advisor Firm will identify priority use
cases and produce detailed iatemperability documentation to ensure that the Target
Systems and Fmmewoas can be easily integrated with each other, relying party
services, and other releyant systans, such as SPLP. This will include, at a minimum,
priority swvices iderld6ed in Pnsideatial Regulation No. 82/2023, population
administration services, financial sen’ices, telecommunhatioas suvlees, and e-
colnlllerce.

g. Migration Plan: The Advisor Firm wU produce detailed migration documentation to

ensure that the migration to a new version of ND, to a new ABIS, to a new Identity
Ved$cation and eKYC Platform, and to a new Data Exchange Platform is done
seamlessly, secuwly, and efficiently.
h. Trust Framework and Standards: The Advisor Finn will produce detailed trust
&amework documentation for the IKD, Diger! Duke@ii’s ABISes (for the new ABIS
and ABIS 2), Identity Ved6cation and eKYC Platform and Data Exchan© Platform,
including (but not limited to): technical standards, integration standards and processes,
levels of assurance, and govenwne mechanisms.
i. Operatioaalizing Govwnan@ Mechanisms: The Advisor Firm will support Digen
DukeViI to operationalize governance mechanisms identified in the Trust Framework
including (but not limited to) drafting Mms of reference, regulations and deaees, and
relevant letters.

J+ Business and RweBue Mcxlels: The Advisor Firm win develop detailed business and
revenue models for the new IW Identity VeriScation and eKYC Platform, and Data
Exchange Platform. Prices and costs to end-users should be minimal so as not to
disincentivin uptake, but enough to support operational and financial stwtainabibty.
The Advisor Firm will also assist Ditjen Dukcapa to work with the &Hnistry of Finance
to turn these models into nlevarR regulations for non-tax revenue.
4. Procurement Implementation and Support

& Preparation: The Advisor Firm will conduct the following studies to support successful
procwealent, based on the recommended approaches (as per the implementation plan):
1.
IVlarket Rwawh: The Advisor Firm will produce a market assessment report for
each of the new IKT\ the new ABIS, Identity Vuiacation and eKYC Platform, and
Data Exchange Platform. The aim of the market research would tn to validate the
chosen procwement and iInIHementation approach.
ii. Cost Estimation: The Advisor Firm will produce a detailed and credible cost
estimates for each of the new IKD, the new ABIS, Identity Verification and eKYC
Platform, and Data Exchange Platform (as per the agreed designs), to cover both
capital expent$tues and operating exlwnditwes for the next five years. This should
cover include a breakdown of costs for each component and resource reqrind such
as (but not limited to) hardware costs, software licensing fees, implementation
 costs, training expenses, maintenance, support contracts, and contingency funds.
The cost estimation should include assumptions and substantiating evidence.
b. Procurement Documentation: The Advisor Firur will produce a Scopes of Work
Terms of Reference, and/or a Bills of Quantity, as well as evaluation criteria, for the
procurement packages related to the new IKD, the new ABIS, Identity Verification and
eKYC Platform, and Data Exchange Platform, and related goods and services. The
documentation should conform to relevant Government of Indonesia and World Bank
procurement regulations. The PMC will be responsible for incorporating the Scopes of
Work, Terms of Reference, and/or a Bias of Quantity into bidding documents,
The number and type of packages will be dependent on what has been agreed in the
implementation plan. For example, if the Advisor Firm and Ditjen Dukcapil agree that
one system will be developed by a Systems Integrator, then the Advisor Film will
produce documentation for that procurement. Similarly, if the Advisor Firm and Digen
Dukcapil agree that another system will be developed in-house, the Advisor Firm will
produce Terms of Reference for the procurement of developers, including individual
consultants.

c. Procurement and Contracting Process Support: The Advisor Firm will support
Ditjen Dukcapil to carry out procurement processes for the Target Systems and
Frameworks, including to assist with answering questions from bidders, adjusting
requirements during the process, evaluating bids, and negotiating contracts to protect
the interests ofDiyen Dukcapil.
5. Implementation Support

a. Supervision: The Advisor Firm will be a technical resource to support Digen Dukcapil
to onboard and supervise the work of suppliers and individual consultants involved in
developing and maintaining the Target Systems and Frameworks. This includes (but not
is limited to) sharing and answering questions about relevant deliverables from the
Design phase, joining regular meetings, and advising Ditjen Dukcapil on vendor
management and how to ensure successful execution of contracts and ensuring the
migration process runs according to migration plan.
b. Pilots: The Advisor Firm will assist Ditjen Dukcapil to design, execute, and evaluate
pilots of the new IKD, the new ABIS, Identity Verification and eKYC Platform, and
Data Exchange Platform.
c. User Testing: The Advisor Firm will carry out regular Ul/UX testing for the new IKD,
especially to ensure accessibility and user-&iendhness, and feed results and
recommendations to Ditjen Dukcapil and the development team.
d. Technical Testing and Quality Assurance: The Advisor Firm, working closely with
Ditjen Dukcapil, will conduct functional and non-functional testing of the new IKD, the
new ABIS, Identity Verification and eKYC Platform, and Data Exchange Platform,
including unit testing, integration testing, system testing, user acceptance testing (UAT),
load testing, and code reviews. The Advisor Firm will maintain documentation for tests
conducted
e. Developer Documentation and Third Party Integration: The Advisor Firm will
assist Ditjen Dukcapil and suppliers to develop comprehensive and accessible developer
 documentation (e.g., API specifications) for external stakeholders and to supervise
integration of relying parties with the new IKD, the new ABIS, Identity Vednc&tior! and
eKYC Platform, and Data Exchange Platform.
6. Capacity Building and Knowledge Management

a. Training and Capacity Building: The Advisor Firm will regularly conduct training
workshops for D&jen l>ukcapil officials on international good practices and standards
related to the Target Systems and Frameworks, with topics targeted at addressing
knowledge gaps identi$ed in the Study of Existing Systems and with requirements
during implementation (e.g., for conducting testing according to appropriate
methodologies).
b. Version Control and Maintenance: The Advisor Firm will be responsible for keeping
upto-date the documentation produced under the Design category over the course of
the assignment, including version control, in consultation with the PMC. For example,
design documents and the Trust Framework should be updated in line with the
implementation.
c. Knowledge and Documentation Management: The Advisor Firm will support Digen
Dukcapil to properly manage know}edge and docwnentation, including to maintain
institutional memory and records of decisions made.
7. Exit Management
& Knowledge Transfer: The Advisor Firm will transfer knowledge and capabilities to
Ditjen Dukcapil teams for ongoing management and development of the Target Systems
and Frameworks.
b. Exit Management Plan: The Advisor firm will produce for Ditjen Dukcapil plans for
provision of contingent support for the Target Systems and Frameworks. This Exit
Management plan shall be furnished in writing to Ditjen Dukcapi! or its nominated
agencies within 30 days from the receipt of notice oftaminadon or ttuw months prior
to the expiry the engagement.

F, Payment, Deliverables and Timeline:

-\cti\ it\ Dci i lb i l-ilrrclillc [>ii\ lllc11t

1. Project Planning and Kick Off

Requirement
Gathering [1.1] inception Contract + 4 10% of Total Contract
Report weeks Value
Inception and kick
off

2. Study Id Analysis
Study of Existing [2.1] As-Is Study 4 weeks after
Systems and
Report Inception Report
Capabilities

[2.2] Future 3 weeks after As-

Needs Assessment 10% of Total Contract
Requirements Report Is Study Report Value
3 weeks after
Implernentation [2.3] Implementation Future
Plan Plan Requirements
Report

3. Design Development and Maintenance

[3.1] Enterprise and

System Architectures
Design Documents:
e Enterprise
Enterprise and
System Architecture
Architectures, •
IKD
Designs and •
New ABIS
Processes •

Identity
Verification and
eKYC Platform
•

Data Exchange All work is to be

Platform conducted within
[3.2] Wire&ames and one year of
Mock:ups Design contract signing.
27% of Total Contract
Documents: Speci6c timeline
Value
as agreed in the
Wireframes and •
H(D Implementation
Mockups •

Identity Plan.
Verification and
eKYC Platform
•

Data Exchange
Platform

[3.3] Security Design

Security Design Document

Inputs on [3.4] Inputs on

Procurement Plan Procurement Plan

Data Protection [3.5] DPIA Reports:

Impact • IKD
G. Key Personnel Needed
The following positions must be filled, with at least one consultant assigned to each role.

: JC till i}< iii) I-\ pc nt i '_ \ rICfiCIIcc it i >LI iii it !C:it 11_Ii-IS

,\}}IS;_} iI Jill.:; {- }-- Li } i

F #•] [! ! ! il:: ::: i

1 . Project Manager Full time

•

Mr;I iii;’s degree.

•

Minimum of 10 years of experience in

Program/Project management of IT on a
national scale.

Must include a minimum 5 years of

experience of working with government
projects.
•

Must have Proficiency in Bahasa for

effective communication with clients
proven by letter of statement can write and
speak in good Bahasa Indonesia.
e Have a professional certification PMP
(Project Management
Professional)/PRINCE2/MPM (Master
Project Manager) or other equivalent
certification that are still valid.

2 . Governance, Full Time

•

Minimum Bachelor’s degree--=

Compliance, and Legal/Computer Science/ Software
Data Privacy Engineering/ Computer Management/
Advisor Information Technology/Information
Systems/Informatics Engineering.
•

Minimum of 10 years of experience in

governance, risk management, and
compliance (GRC).
•

Minimum experience of 5 ($ve) years in

data privacy. Minimum experience of 1
(one) project related to the Personal Data
Protection Law, or GDPR (General Data
Protection Regulation), or HIPAA (Health
Insurance Portability and Accountability
Act), or ISO 27701 (Privacy Information
Governance), and/or ISO 27018
(Protection of Personal Data in Cloud
Computing Environments). Minimum
experience of 1 project in designing
;overnance structures for djgjtal ID
 projects, including the establishment of
oversight bodies and compliance
committees. The expert must have provided
advisory/consulting services for national
identjty and djgjtal ID pro
Full time Minimum Bachelor's degree in Computer
3 ! Digital
ID &
•

eKYC Advisor Science/ Software Engineering/ Computer

Management/ Information
Technology/Information Systems/
Informatics Engineering. Minimum of 7
(seven) years of experience in the field of
design and implementation of large-scale
systems (including national identity
systems and/or other identity systems).
•

Minimum of 5 (five) years of experience in

providing consulting services or technical
advice for National Digital Identity (for the
Indonesian Government or outside the
Indonesian Government).
•

Experience of at least one project in

identity verification methods, including
biometrics, document verification, facial
recognition, and multi modal biometric
recognition.
4 } Biometric Advisor i Full Time
•

m;lgb irl--m>
Science/ Software Engineering, Computer
Management/ Information
Technology/Information
Systems/Information Engineering.
•

Preferably have a Certified Biometrics

Security Professional CBSP/ Certified
Biometrics Professional (CBP) / equivalent
certificate.
•

Minimum of 10 years of experience in

implementing biometric solutions with
three modalities with a minimum of 10
million records (face, fingerprint and iris).
•

Must have experience in integration

systems between different ABIS.

5 } DataExchange Full time

•

Minimum Bachelor's degree in Comaii;

Platform Advisor Science/ Software Engineering, Computer
Management/ Information
Technology/Information
Systems/Information Engineering.
•

Minimum of 5 years of experience in data

exchange, data integration, or data sharin
 Supervision

Pilots

User Testing

Testing and Before the end of

Quality Assurance the quarter after
the 2.5% of Total Contract
Developer [5.1] Implementation Implementation
Documentation Value for each Quarterly
Quarterly Report Plan Released
Report (27.5% in total)
and Third-Party (expected to start
Integration in April 2025 to
November 2027)
Training and - 11 reports
Capacity Building

Version Control
and Maintenance

Knowledge and
Documentation
Management

7. Exit Management

12 weeks before
Knowledge [7.1] Knowledge
Transfer project
Transfer Report
completion. 5.5% of Total contract
Value
12 weeks before
Exit Management [7.2] Exit
Plan project
Management Plan
completion.

e The deliverables should be delivered in Bahasa Indonesia and English.

• The Advisor Firm should complete all the activities within the defined timelines as
indicated above. The payment will be released only after the successful completion of
activity and approval of deliverable by Ditjen Dukcapil.
• The Advisor Firm need to submit the invoice along with the approved deliverable (in soft
copy and hard copies).
The duration of Advisor Firm will be aom the date of contract signing until December 2027.
Assessments B New A31S
(DHA) e Idendty
Verification and
eKYC Platform
e Data Exchange
Platform
Use Cases and [3.6] Uses Cases aIId
Interoperability Interoperability
Design Design Document

[3.7] Migration Plan

Migndon Plan Document

Trust Framework
and Standards
[3.8] Trust
Framework and
Opeutioaalizing
Governance Design Document
Mechanisms

Business and [3.9] Business and

Revenue Models
Revenue Models
Analysis Report

4. Procurement Impleme&tatioa and Support

[4.1] Report on
Market Research and
Preparation Cost Estimation 2% of Total Contract Value

Proeuremeat [4.2] Prwwwrelrt

Documentation Docuarentadons:
As agreed in the
8 IKD Implemeatatioa
e New ABIS Plan
4.5% of Total Contract
8 identity
Procurement and Verification and Value for each (18% in
total)
Contr%ctiag eKYC Platform
Process Support 6
Data Exchange
Platform

5. Implementation Support
 projects for national identity and digital ID
program.
•

Minimum 2 projects experience in

designing and implementing data exchange
solutions for large-scale national-level
lroiects.

6 1Security Advisor Full time

•

Minimum Bachelor's degrge in -CM

Science/ Software Engineering/ Computer
Management/ Information
Technology/Information
Systems/Informatics Engineering.
Minimum of 5 years of experience in data
exchange, data integration, or data sharing
projects for national identity and digital ID
program.
•

Have at least 1 minimum professional

certification, such as CISSP (Certified
Information Systems Security
Professional), CISM (Certified Information
Security Manager) or other equivalent
certification.
•

Minimum experience of 1 (one) project

related to the Personal Data Protection
Law, or GDPR (General Data Protection
Regulation), or HIPAA (Health Insurance
Portability and Accountability Act), or ISO
27701 .

7 { Ul/UX Advisor Full time

•

-id&tMige in Computer
Science/ Software Engineering/ Computer
Management/ Information
Technology/Information
Systems/Informatics Engineering/ Design .
•

Minimum of 7 years of experience in

Ul/UX and product design roles for
national identity and digital ID program
proven with reference/work contracts.
•

Minimum experience of 1 (one) project of

UI/UX that targeted >5 million users.
8 ! Quality Assurance Full time
•

hifi;';-dig;ge in COIl
Advisor Science/ Software Engineering/ Computer
Management/ Information
Technology/Information
Systems/Informatics Engineering proven
by a diploma.
•

Minimum of 5 years of experience in

uality assurance product testing for citizen
 facing govenrmait ff systems and
lxt>duns.
Have at least i minimum professional
cer6$c3tio& such as CQE (Certified
Quality Engineer) or C:SQE (CeRi6ed
So&ware Q Ea Leer

H. Evaluation Criteria

Description

Consultant’s specific experience (as a Firm) relevant to the Assignment:

Bicidus must have experience in poviding consulting services involving de sigh and
implementadca support for Digital iD pm for States

Bidders must have exped mce in providing consuldng services involving desigr!, and
implementation support for handBag eKYC systems

Bidders must have exlnrience in providing consuldng services involving design, and
implementation support for biamebic systems

Bidders must have experience in providing consuidag services iavolvirrg design, and
implementation support for Data Exchange platforms.

1. Location of Task/Job Implementation

The location of the work assignment for Pracwemerit of a Consuldng Company for Digital iD,
Biometrics, eKYC and Data Exchange in 2024 is at the Office of the DineRme <ieaeal of
Population and Cjyji R£gisaadaIb Ministry of Home AfFairs, JUan Raya Pas&r Minggu, KM 19
South Jakarta or another place npnseadIB the I)inawat£ GerIemi of Population and Civil
Registry, Ministry of Home ABairs.

J. Task Implementation Period

The period for implementing the task af Prwwing a Digital W, Blame&ics, eKYC and Data
Exchange Consukiag Company in 2024 is estimated to be 42 {faay-two} months &on the staR of
signing the con&act until Dwemtnr 2027.

K Closure
This is the Terms of Reference for the activity of providing profwsioaai Expert Personnel in the
form of Procurement of Consulting Companies for Digital ID, Biometrics, eKYC and Data
Exchange in 2024 to be used as material for consideration by consultants in submitting offer
documents and as a guideline in their implementation.

Jakarta, 2024
Commitment-Making Official
Component II
Foreign Loans/Grants Directorate General
of Population and CivJl Registration

Dr. Handayani Ningrum, SE, M.Si

NIP. 19670423 199403 2 004