Banking Regulation 2025 Comparisons

Indonesian banking law is generally governed under Law No 7 of 1992 on Banking as lastly amended by Law No 4 of 2023 on the Development and Strengthening of Financial Sectors (“Law 4/2023”) (the “Banking Law”). The Banking Law essentially governs:

• types of banks (ie, commercial bank and rural bank) and their activities;
• licensing, form of entity, and ownership;
• supervision of banks;
• management and employment; and
• sanctions for the violation of Banking Law.

As banking is a heavily regulated sector, more detailed regulations – for example, with regard to establishment, licensing requirements, and liquidation – are further stipulated under the regulation of its supervisory bodies, which will be elaborated on later in this section. Several key regulations governing the banking sector are:

• Law 4/2023 (also known as the Omnibus Law of the Financial Sector, which amended various banking and financial sector regulations);
• general provisions:
1. OJK Regulation No 12/POJK.03/2021 on Commercial Banks;
2. OJK Regulation No 16/POJK.03/2022 on Commercial Sharia Banks, as lastly amended by Law 4/2023; and
3. OJK Regulation No 7 of 2024 on Rural Banks and Sharia Rural Banks;
• with regard to good governance:
1. OJK Regulation No 17 of 2023 on the Good Governance of Commercial Banks;
2. OJK Regulation No 2 of 2024 on the Implementation of Governance for Sharia Commercial Banks and Sharia Business Units;
3. OJK Regulation No 9 of 2024 on Good Governance Implementation for Rural Banks and Sharia Rural Banks; and
4. OJK Regulation No 25 of 2024 on the Implementation of Sharia Governance for Sharia Rural Banks; and
• with regard to digital services offered by banks – OJK Regulation No 21 of 2023 on Digital Services by Commercial Banks.

Financial Services Authority

According to Law No 21 of 2011 on the Financial Services Authority as amended by Law 4/2023, banking activities in Indonesia are supervised and regulated by an independent institution called the Financial Services Authority (Otoritas Jasa Keuangan, or OJK). In the banking sector, the OJK is authorised to regulate and supervise the following:

• institutional aspects, such as licensing requirements and activities;
• soundness aspects, such as liquidity and assets quality, reporting, debtor information, credit testing, and standard accounting;
• prudential aspects, such as risk management, governance, KYC and AML, as well as the prevention of terrorism financing and banking crimes; and
• bank examination.

Bank Indonesia

Bank Indonesia (BI), as Indonesia’s central bank, supervises and regulates the monetary, payment system and macro-prudential policies in Indonesia in accordance with Law No 23 of 1999 on Bank Indonesia as lastly amended by Law 4/2023. Its authority includes supervision of and regulating several matters such as interest rates, liquidity (including in the banking sector), and foreign exchange transactions. BI initially had the duty and authority to regulate and supervise the Indonesian banking industry, which has since been shifted to the OJK (as previously mentioned).

Deposit Insurance Corporation

Banking resolution is handled by the Deposit Insurance Corporation (Lembaga Penjamin Simpanan, or LPS) in accordance with Law No 24 of 2004 on the Deposit Insurance Corporation as lastly amended by Law 4/2023 (the “LPS Law”). The LPS aims to insure and protect the public funds stored in banks. For banks with financial problems, LPS conducts resolution by way of:

• transferring a bank’s assets and/or obligations, either partially or in whole, to the receiving bank;
• transferring a bank’s assets and/or obligations, either partially or in whole, to the mediating bank;
• conducting temporary capital participation; or
• conducting liquidation.

More about the LPS will be explained in 6.1 Deposit Guarantee Scheme (DGS).

Requirements and Procedure

Obtaining authorisation to operate as a bank is done in two steps, as follows.

In-principle approval

The request for approval must be submitted at least by one of the prospective owners or controlling shareholders (pemegang saham pengendali, or PSPs) and must include:

• draft of deed of establishment and articles of association;
• details of the prospective shareholders and shareholding composition;
• details of the prospective board of directors and board of commissioners, with administrative documents for “fit and proper” test (FPT) approval;
• organisational structure, feasibility study, and corporate plan;
• guidelines on risk management, internal control, IT system, and good governance;
• system and work procedure;
• proof of capital injection;
• statement letters from shareholders; and
• structure of the business group related to the legal entity as a prospective PSP up to the last owner and controller.

After the complete application, the OJK will conduct:

• an investigation into the completeness and conformity of the documents;
• analysis on healthy competition between banks, density level, and equitable distribution of economic development in Indonesia; and
• an FPT on the prospective PSPs, board of directors and board of commissioners.

In-principle approval is processed within 60 business days of a complete application. If granted, it remains valid for six months and will expire if the bank does not apply for a business licence.

Business licence

The application for a business licence is submitted to the OJK by the person who has obtained the in-principle approval. The application must include:

• deed of establishment and articles of association;
• documents pertaining to certain requirements for the in-principle approval, if there is any amendment – namely, with regard to:
1. prospective shareholders and shareholding composition;
2. prospective board of directors and board of commissioners (with administrative documents for FPT approval);
3. organisational structure, feasibility study and corporate plan; and
4. guidelines on risk management, internal control, IT system, and good governance;
• proof of full payment of paid-up capital;
• proof of operational readiness; and
• statement letter from shareholders that the paid-up capital does not originate from any loan from and for the purpose of money laundering.

After receiving the complete application, the OJK will conduct:

• an investigation into the completeness and conformity of the documents; and
• an FPT if there are any changes to the prospective PSP, board of directors and/or board of commissioners since the in-principle approval process.

Applications for business licences are processed within 60 business days of receipt of a complete application. If granted, the bank must commence business activities within 60 business days following the issuance of a business licence, at the latest.

The OJK also imposes levies on the application for a business licence (per company), as follows:

• for a commercial bank – IDR100 million;
• for a Sharia commercial bank – IDR60 million;
• for a rural bank – IDR50 million; and
• for a Sharia rural bank – IDR30 million.

Permitted and Prohibited Activities and Services

According to the Banking Law, commercial banks may carry out the following activities/services.

• Per Article 6(1) of the Banking Law, commercial banks may:
1. collect funds from public in the form of deposit, savings and/or other equivalent forms;
2. provide credit or financing;
3. conduct payment system activities;
4. place funds in, borrow funds from, or lend funds to other banks;
5. issue and/or conduct transactions of negotiable instruments (surat berharga);
6. provide a place to store valuable goods and securities;
7. conduct foreign currency activities;
8. carry out receivables transfer activities;
9. conduct custodial activities; and
10. conduct other activities with the approval of the OJK.
• Per Article 7(1) of the Banking Law, commercial banks may:
1. conduct capital participation activities in financial services institutions (lembaga jasa keuangan, or LJKs) and/or other companies supporting the banking industry (eg, clearing agencies);
2. conduct temporary capital participation in non-LJKs;
3. act as the founder and administrator of a pension fund; and/or
4. collaborate with other LJKs and non-LJKs in providing financial services (eg, marketing insurance or mutual funds products).

Commercial banks are not allowed to perform the following activities:

• conduct capital participation in non-LJKs, except as referred to in Article 7(1)(a) and (b) of the Banking Law (ie, only temporarily or in other companies supporting the banking agency);
• engage in insurance business, except the marketing of insurance products as per Article 7(1)(d) of the Banking Law (ie, in collaboration with other LJKs and non-LJKs to provide financial services); and
• conduct other business outside the business activities referred to in Article 6 and 7 of the Banking Law.

To carry out other activities – such as activities within the payment services, either as card-based payment-related activities, e-money-related activities, payment gateways, or e-wallets (generally classified as payment services provider activities) – banks need to apply for a licence from BI.

Obtaining a European Passport

Given the territorial effect of Indonesian laws, Indonesian banking laws can only:

• govern banking activities conducted onshore;
• be enforced onshore; and
• apply to entities legally established or factually doing business in Indonesia.

Indonesia does not recognise the concept of European passport. Foreign banks may operate in Indonesia by establishing an OJK-licensed representative office and branch office. Indonesian banks may also establish offices abroad, subject to obtaining a licence from the OJK and from the local authority in such foreign country.

Bank acquisitions in Indonesia are governed by OJK Regulation No 41/POJK.03/2019 of 2019 on the Merger, Consolidation, Acquisition, Integration, and Conversion of Commercial Banks (“OJK Reg 41/2019”). This defines an acquisition as the takeover of a bank’s shares by an entity or individual, resulting in a transfer of control.

The ownership of a bank by foreign individuals and/or legal entities is capped at 99% of the bank’s paid-up capital. Accordingly, any acquisition by foreign individuals and/or legal entities must not cause this limit to be exceeded.

Pre-Acquisition Requirements

The target bank and acquiring party must prepare an acquisition plan, approved by their respective boards of commissioners (or equivalent). The plan must include:

• details of the parties;
• information regarding the acquisition plan; and
• the bank’s post-acquisition details.

The target bank and the acquiring party must also submit to the OJK:

• the draft acquisition plan;
• the draft acquisition deed; and
• required administrative documents for the FPT of the prospective PSP.

A summary of the acquisition plan must be announced in a nationally circulated Indonesian-language newspaper and on the bank’s website. The announcement must include at least a summary of the acquisition plan and a statement that the acquisition plan has not yet obtained approval from the General Meeting of Shareholders (GMS). The acquisition plan must be announced no later than:

• two working days after receiving notification from the OJK that the acquisition process may proceed based on the OJK’s review of the submitted documents; and
• 30 days before the GMS invite.

Proof of the announcement must be submitted to the OJK within two working days. Employees must also be notified of the summary of the acquisition plan simultaneously and in writing.

GMS approval and acquisition permit application

The target bank and acquiring party must obtain approval from the GMS (or equivalent) for:

• the proposed acquisition;
• the acquisition plan; and
• the draft acquisition deed.

Within three working days after the GMS approval is obtained, the target bank must apply for an acquisition permit from the OJK by submitting:

• notarial deed of GMS minutes approving the acquisition;
• the acquisition plan and the draft acquisition deed as approved by the GMS;
• proposed amendments to the target bank’s articles of association related to the acquisition (if applicable); and
• the latest financial statements and financial performance report of both the target bank and the acquiring party if the application is submitted six months or more after the public announcement.

The OJK has the discretionary power to request additional documents or information and will decide on the acquisition permit application within 14 working days after receiving all required documents. If approved, the OJK will also finalise the FPT results.

Post-Acquisition Obligations

A bank that has obtained an acquisition permit must:

• announce the acquisition’s completion within 30 days in a nationally circulated Indonesian-language newspaper and on its website; and
• submit a report to the OJK within five working days on the acquisition’s implementation, including required supporting documents.

The implementation of corporate governance for banks is regulated under OJK Regulation No 17 of 2023 on the Application of Governance for Commercial Banks (“OJK Reg 17/2023”). Banks are required to implement sound corporate governance in their business operations, which must at least encompass the principles of transparency, accountability, responsibility, independence, and fairness.

Board of Directors

Banks must have at least three members on their board of directors, all of whom must be domiciled in Indonesia. The majority of directors must have at least five years of experience in operational roles as bank executives. The bank’s articles of association must stipulate the term of office for directors, with a maximum tenure of five years per term, commencing from the effective date of their appointment by the GMS. Directors are also subject to the applicable restrictions on concurrent positions and share ownership in other companies.

Board of Commissioners

Banks must have at least three members on their board of commissioners, with the total number not exceeding the number of directors. At least one commissioner must be domiciled in Indonesia. Similar to the board of directors, the bank’s articles of association must specify the maximum tenure of five years per term, commencing from the effective date of their appointment by the GMS. At least 50% of the board of commissioners must be independent commissioners. Commissioners are also subject to the applicable restrictions on concurrent positions.

Diversity Considerations

The appointment and/or replacement of members of the board of directors and members of the board of commissioners must prioritise professional composition, independence, and competency alignment, while also considering diversity as an essential factor in carrying out their duties and responsibilities. Diversity considerations include career background, experience, educational history, and gender.

Internal Policies

Banks are required to establish internal policies and procedures to ensure effective corporate governance in their business operations. These policies may take the form of the articles of association, decrees, manuals, bank policies or guidelines (standard operating procedures), corporate charters, or other operational documents. They must be formulated in compliance with prevailing laws and aligned with the bank’s business processes and approval mechanisms. The board of directors must communicate strategic internal policies – particularly those related to HR – to the bank’s employees, who are expected to uphold them as part of their professional responsibilities.

OJK Regulation No 27/POJK.03/2016 of 2016 on the Fit and Proper Test for Main Parties in Financial Services Institutions (“OJK Reg 27/2016”) governs the registration requirements for prospective senior management (or “main parties”) in banks. This regulation defines “main parties” as individuals or entities that own, manage, supervise, and/or have significant influence over financial services institutions. In banks, a “main party” includes:

• controlling shareholders; and
• members of the board of directors and board of commissioners.

Prohibition of Acting as a Main Party Without OJK Approval

A prospective controlling shareholder who acquires shares in a bank without OJK approval cannot exercise shareholder rights and responsibilities. Likewise, a prospective director or commissioner appointed by the GMS cannot perform their duties until they have obtained OJK approval.

FPT (General)

To obtain OJK approval, prospective main parties must undergo an FPT administered by the OJK. The application must include the required administrative documents. If the documentation is incomplete, the OJK may return the application for revision.

The FPT assesses whether a prospective main party meets the following criteria.

• Integrity requirements – all main parties must have:
1. legal capacity for legal acts;
2. good character and moral standing, including compliance with applicable laws and no prior criminal convictions within a specified period before nomination;
3. commitment to regulatory compliance and alignment with OJK policies;
4. commitment to the development of a sound banking system; and
5. not been listed among the parties prohibited from becoming a main party.
• Financial reputation requirements – directors and commissioners must have:
1. no history of non-performing loans; and
2. no history of bankruptcy, nor prior conviction as a shareholder, controlling party, director, or commissioner for causing a company’s bankruptcy within the preceding five years before nomination.
• Financial capability requirements – controlling shareholders must demonstrate:
1. sound financial reputation;
2. adequate financial capacity to support the bank’s business growth; and
3. commitment to financial support if the bank encounters financial difficulties; and
• Competence requirements – directors and commissioners must have relevant banking knowledge and experience.

FPT (Controlling Shareholder)

Prospective controlling shareholders must conduct a presentation on:

• their plans for the development of the bank; and
• their strategies for financial difficulties should the bank encounter such challenges.

If the controlling shareholder is a legal entity, the FPT extends to:

• the legal entity itself;
• its board of directors and board of commissioners; and
• any ultimate shareholders identified by the OJK.

FPT (Board of Directors and Board of Commissioners)

Banks must first perform self-assessments to ensure the prospective main party meets integrity, competence and financial reputation requirements and complies with the applicable laws and regulations. The self-assessment results must be submitted to the OJK along with the required administrative documents.

FPT Results

The OJK will issue a decision within 30 business days of receiving a complete application – although the timeline might vary in practice. Results will be communicated in writing to the bank and may also be shared with relevant authorities as required by law.

Remuneration requirements for banks in Indonesia are governed by OJK Regulation No 45/POJK.03/2015 of 2015 on Implementation of Governance in the Provision of Remuneration for Commercial Banks (“OJK Reg 45/2015”). OJK Reg 45/2015 defines remuneration as rewards granted to members of the board of directors, members of the board of commissioners, and employees – whether fixed or variable and in cash or non-cash form – in accordance with their duties, authority and responsibilities.

Remuneration Policy

Banks, through their board of directors, must establish a remuneration policy covering:

• remuneration structure, including a scale based on level and position and components; and
• methods and mechanisms for determining remuneration.

Remuneration Committee

The board of commissioners is responsible for forming a remuneration committee to oversee the implementation and conduct periodic evaluations of the remuneration policy. The remuneration committee must include at least:

• an independent commissioner (as chair);
• a commissioner; and
• an HR executive or employee representative.

Members of the board of directors cannot be part of the remuneration committee. If there are more than three members, at least two must be independent commissioners.

Principle of Prudence

Banks must apply prudential principles in the provision of both fixed remuneration (ie, remuneration that is not linked to performance and risk, including basic salary, facilities, housing allowance, health allowance, education allowance, holiday allowance, and pension) and variable remuneration (ie, remuneration that is linked to performance and risk, including bonuses or similar forms).

Regulatory Oversight and Disclosure

Banks are required to disclose information related to their remuneration policies in their annual report on governance implementation. If the OJK determines that a bank has not properly implemented its remuneration policy, it may require the bank to take corrective measures.

AML/CFT requirements in the banking sector are provided for by OJK Regulation No 8 of 2023 on the Implementation of Anti-Money Laundering, Counter-Terrorist Financing, and Counter-Proliferation Financing of Weapons of Mass Destruction (CPF) Programmes in the Financial Services Sector (“OJK Reg 8/2023”).

The following financial services providers (penyedia jasa keuangan) (FSPs) are obliged to comply with the provisions stipulated in OJK Reg 8/2023 related to AML, CFT and CPF:

• banks;
• financing companies;
• securities companies;
• venture capital companies;
• investment managers;
• infrastructure financing companies;
• custodians;
• Indonesian export financing institutions;
• trustees;
• pawnshop companies;
• organisers of securities offerings through IT-based crowdfunding services;
• microfinance institutions;
• insurance companies;
• organisers of IT-based crowdfunding services;
• insurance brokerage companies;
• organisers of IT-based transaction services and financial sector technology innovation;
• financial institution pension funds; and
• other financial services institutions and/or parties conducting business activities related to fund collection, fund distribution and fund management in the financial services sector supervised by the OJK.

Implementation of AML/CFT Programmes

FSPs must effectively implement AML, CFT and CPF programmes by considering the risks of money laundering, terrorism-financing crime, and weapons of mass destruction proliferation financing (WMDPF) in terms of their activities, business scale, business complexity and/or business characteristics, as follows.

• Active supervision by the board of directors – this must consist, at least, of:
1. proposing written policies and procedures on the application of AML, CFT and CPF programmes to the board of commissioners;
2. ensuring that the application of AML, CFT and CPF programmes is carried out in accordance with the established written policies and procedures;
3. establishing a special work unit and/or appointing an official who is responsible for the application of AML, CFT and CPF programmes;
4. supervising compliance of the special work unit in implementing AML, CFT and CPF programmes;
5. ensuring that written policies and procedures on the application of AML, CFT and CPF programmes are in line with changes and developments in products, services, and technology within the financial services sector and in accordance with the development of AML, CFT and/or CPF modes;
6. ensuring officials and/or employees – specifically, employees of the relevant work unit, as well as new employees – have attended training in relation to the application of AML, CFT and CPF programmes once a year; and
7. ensuring that the application of AML, CFT and CPF programmes is discussed in meetings of the board of directors.
• Active supervision by the board of commissioners – this must consist, at least, of:
1. ensuring that the FSP owns policies and procedures for the application of AML, CFT and CPF programmes;
2. approving the policies and procedures for the application of AML, CFT and CPF programmes proposed by the board of directors;
3. evaluating the policies and procedures for the application of AML, CFT and CPF programmes;
4. supervising the board of directors in taking responsibility for the implementation of AML, CFT and CPF programmes; and
5. ensuring that the application of AML, CFT and CPF programmes is discussed in meetings of the board of directors and the board of commissioners.
• Policies and procedures – FSPs must have policies and procedures to manage and mitigate the risks of AML, CFT and CPF. In addition, FSPs must also have compliance management arrangements for the application of AML, CFT and CPF programmes, including the appointment of a compliance officer at the management level. As part of the compliance management arrangements, FSPs must establish a special work unit and/or appoint an official as the person in charge of the application of AML, CFT and CPF programmes at the head office and branch offices.
• Internal control – FSPs must have an effective and independent internal control system. The implementation of such system is evidenced by:
1. having adequate policies, procedures, and internal monitoring;
2. imposing limitations on the authority and responsibility of the special work unit in relation to the application of AML, CFT and CPF programmes; and
3. conducting an independent examination to ensure the effectiveness of the application of AML, CFT and CPF programmes.
• Management information system – FSPs must have a management information system that is able to effectively identify, analyse, monitor, and provide a report on the characteristics or transaction pattern habits made by a customer. Besides, FSPs must also have and maintain a single customer identification file, along with a walk-in customer profile. If FSPs are subsidiaries of a financial conglomerate, FSPs may use the information system owned by the holding company of the financial conglomeration or by FSPs in said financial conglomerate to implement AML, CTF and CPF programmes in an integrated manner.
• HR and training – to prevent FSPs from being used as a medium or destination for money laundering, terrorism financing, and WMDPF involving internal party of FSPs, FSPs must conduct:
1. pre-employee screening procedures to ensure high standards in the acceptance of new employees – both permanent and non-permanent, including senior officials and experts – from the lowest level up to one level below the board of directors and the board of commissioners; and
2. recognition and monitoring of employees’ profiles (know your employee) – both of permanent employees and non-permanent employees, including experts – from the lowest level up to the board of directors and the board of commissioners.

In addition to the foregoing, FSPs are also obliged to comply with the relevant reporting requirements and submit reports to the relevant government agencies, including the OJK, the Indonesian Financial Transaction Report and Analysis Centre, and the Indonesian National Police.

Failure to comply with AML/CFT Requirements

Failure to comply with the provisions contained in the OJK Reg 8/2023 may subject the FSP to administrative sanctions imposed by the OJK, which range from:

• a written warning or reprimand accompanied by an order to perform certain actions;
• fines;
• restriction of certain business activities;
• downgrading of the assessment of the factors forming the health level;
• suspension of certain business activities; and/or
• prohibition as a main party.

The OJK may also announce the imposition of administrative sanctions to the public.

The depositor protection regime in Indonesia is carried out through the LPS pursuant to the LPS Law. The LPS guarantees bank customer deposits in the form of giro, certificates of deposit, savings, and/or other equivalent forms of deposits. Every bank (other than the Village Credit Agency (Badan Kredit Desa)) that conducts business activities within the territory of the Republic of Indonesia must participate in the guarantee scheme implemented by the LPS in respect of the deposits of the bank’s customers.

Banks are obliged to submit customer-based deposit data to the LPS to determine eligible deposits and are responsible for the accuracy and completeness of the customer-based deposit data submitted to the LPS. To carry out this task, the LPS may conduct an examination of customer-based deposit data.

The LPS guarantee covers deposits if the following conditions are met:

• the customer’s personal data and deposit information are properly recorded in the bank’s books;
• the interest rate paid on the deposit does not exceed the maximum interest rate set by the LPS; and
• there is no indication or proof that fraud has been committed in relation to the deposit.

The value of deposits guaranteed for each customer at one bank is a maximum of IDR100 million. The guaranteed deposit value can be changed if one or more of the following criteria are met:

• there is a simultaneous withdrawal of large amounts of banking funds;
• there is considerable inflation over several years;
• the number of customers whose deposits are guaranteed becomes less than 90% of the total number of the entire bank’s depositors; or
• there is a threat of crisis that has the potential to cause a decline in public confidence in banking and endanger the stability of the financial system (in the event that the situation has been resolved, the amount of guaranteed savings can be readjusted).

The LPS is obliged to pay guarantee claims to a bank’s depositors even if the bank’s business licence is revoked. In connection with the calculation and payment of guarantee claims, the LPS is entitled to obtain data from a bank on its depositor customers (nasabah penyimpan) and other necessary information as of the date on which the bank’s business licence is revoked. In the event that the LPS deems it necessary, reconciliation and verification are conducted based on data and information obtained from other parties.

The LPS is further obliged to determine which deposits are eligible for payment after reconciling and verifying the data no later than 90 working days from the date on which the bank’s business licence was revoked and must start paying the eligible deposits no later than five working days following the verification. The LPS will announce the commencement date of the submitted guarantee claim in at least two widely circulated daily newspapers. The period of claim payment is five years from the date on which bank’s business licence was revoked.

Guarantee claims are declared not eligible for payment if, based on the results of reconciliation and/or verification:

• the customer’s deposit data is not recorded at the bank;
• the depositor customer will receive unreasonable financial benefits; and/or
• the depositor customer’s actions have negatively impacted the bank’s financial stability.

Depositor customers who object to the LPS’ decision determining the status of their deposits can submit objections to the LPS by submitting real and clear evidence no later than 180 calendar days from the date of the announcement.

The payment of guarantee claims can be made in cash and/or by other equivalent means of payment. The payment of each guarantee claim is made in Indonesian currency (rupiah). However, guarantee claim payments tied to deposits denominated in foreign currencies will be converted to the equivalent amount in Indonesian rupiah based on the exchange rate set by BI.

Basel III Standards have been implemented in the Indonesian banking sector through the following local regulations:

• risk management rules stipulated in OJK Regulation No 18/POJK.03/2016 of 2016 on Implementation of Risk Management for Commercial Banks as partially revoked by OJK Regulation No 13/POJK.03/2021 of 2021 on the Organisation of Commercial Bank Products;
• capital adequacy requirements set out in OJK Regulation No 11/POJK.03/2016 of 2016 as lastly amended by OJK Regulation No 27 of 2022 on Mandatory Minimum Capital Requirements for Commercial Banks; and
• liquidity requirements governed by OJK Regulation No 42/POJK.03/2015 of 2015 as lastly amended by OJK Regulation No 19 of 2024 on Mandatory Liquidity Coverage Ratio for Commercial Banks and OJK Regulation No 50/POJK.03/2017 of 2017 as lastly amended by OJK Regulation No 20 of 2024 on the Obligation to fulfil the Net Stable Funding Ratio for Commercial Banks.

Risk Management Rules

The implementation of risk management in commercial banks is conducted through:

• active supervision by the board of directors and the board of commissioners;
• enforcement of risk management policies and procedures;
• establishment of risk limits;
• adequacy in the process of identification, measurement, monitoring, and controlling risks; and
• risk management information systems.

Bank risk profiles are categorised into five grades, with Grade 5 indicating the highest level of risk and Grade 1 representing the lowest.

Capital Adequacy Requirements

In Indonesia, banks are required to hold a minimum amount of capital, depending on their risk profile grade. This amount is calculated based on the bank’s risk-weighted assets. Such minimum capital requirements are as follows:

• banks with a Grade 1 risk profile – 8% of the bank’s risk-weighted assets;
• banks with a Grade 2 risk profile – 9%–<10% of the bank’s risk-weighted assets;
• banks with a Grade 3 risk profile – 10%–<11% of the bank’s risk-weighted assets; and
• banks with a Grade 4 or Grade 5 risk profile – 11%–14% of the bank’s risk-weighted assets.

To determine capital adequacy according to the bank’s risk profile, banks must have an Internal Capital Adequacy Assessment Process (ICAAP). The ICAAP is a method of a self-assessment for banks, which covers:

• active supervision by the board of commissioners and the board of directors;
• capital adequacy assessment;
• monitoring and reporting; and
• internal control.

After the banks carry out an ICAAP, the OJK will evaluate the ICAAP result in what is known as the Supervisory Review and Evaluation Process (SREP).

Indonesian commercial banks must meet the minimum threshold for first-tier and second-tier capital, with first-tier common equity (paid-up capital and disclosed reserves) being 4.5% of the bank’s risk-weighted assets and first-tier capital being 6% of the bank’s risk-weighted assets. Second-tier capital is limited to a maximum of 100% of first-tier capital, either individually or when consolidated with the bank’s subsidiaries.

Banks must also set aside additional capital as a buffer against variations in economic and financial risk, as follows:

• a capital conservation buffer of 2.5% of the bank’s risk-weighted assets for banks with core capital of more than IDR6 trillion;
• a counter-cyclical buffer of 0% to 2.5% of the bank’s risk-weighted assets, which applies to all banks; and/or
• capital surcharge for systemic banks of 1% to 2.5% of the bank’s risk-weighted assets, which only applies to banks that may have systematic financial impact due to various elements, including the amount in assets owned by the bank, the bank’s capital levels, the obligations that the bank holds, the bank’s networks or relationships with other sectors, and the complexity of the bank’s transactions or services.

As regards foreign banks’ branch offices, they must satisfy the Capital Equivalency Maintained Assets (CEMA) requirement. CEMA is the fund that must be allocated to the bank’s financial assets and must be maintained at a minimum of IDR1 trillion.

Liquidity Requirements

Indonesia has implemented both the Liquidity Coverage Ratio (LCR) and Net Stable Funding Ratio (NSFR), forming part of its bank liquidity risk policy.

The LCR aims to preserve a bank’s short-term liquidity stability by ensuring that it has sufficient high-quality liquid assets (HQLA) to cover estimated total net cash outflows during a 30-day stress scenario. Fulfilment of a minimum LCR of 100% indicates that banks have adequate liquidity.

Commercial banks are required to maintain their liquidity adequacy using the NSFR, which is set at a minimum of 100%. The value of the NSFR is obtained by comparing the value of available stable funding (ASF) with the value of required stable funding (RSF). A bank’s ASF refers to the amount in stable liabilities and equity that remains in the bank within one year, whereas RSF refers to the total assets and off-balance sheet exposure.

Additional Requirements

Banks are required to submit reports to the OJK concerning their compliance with risk management, capital adequacy, and liquidity requirements. The reporting intervals can differ and may include daily, monthly, quarterly, semi-annual or annual submissions, in accordance with the structured report formats stipulated under OJK Regulation No 63/POJK.03/2020 on Commercial Banks Reporting Through the OJK Reporting System.

Indonesia is a member of the Financial Stability Board (FSB) and implemented the FSB Key Attributes of Effective Resolution Regimes by enacting Law No 9 of 2016 on the Prevention and Resolution of Financial System Crisis in 2016 as amended by Law 4/2023 (“Law 9/2016”). The law clarifies the responsibilities of the agencies involved in crisis management and specifies the resolution procedure for non-systemic and systemic banks. According to the regulation, banking resolution is jointly handled by the LPS in co-ordination with the OJK and BI as well as the Committee on Financial System Stability (Komite Stabilitas Sistem Keuangan, or KSSK).

If a bank encounters difficulties that jeopardise its business continuity, the OJK is authorised to:

• restrict the authority of the bank’s shareholders and management personnel;
• instruct shareholders to inject additional capital to the bank, replace members of the board of commissioners and/or the board of directors, divest their ownership in the bank to a buyer, provide loans to the bank, and/or support the implementation of the duties of the OJK and the LPS in resolving the bank’s issues;
• instruct the bank to write off non-performing loans or problematic fund disbursements and account for the bank’s losses against its capital;
• request the bank to merge or consolidate with another bank;
• instruct the bank to transfer the management of all or part of its operations to another party;
• instruct the bank to sell part or all of its assets and/or liabilities to another party;
• appoint a statutory manager and instruct the bank to facilitate the statutory manager’s duties within the bank;
• instruct the bank to refrain from conducting specific transactions with related parties and/or other parties as determined by the OJK;
• restrict certain business activities of the bank;
• issue written instructions to the bank and/or certain parties; and/or
• instruct the bank to take any other necessary measures as deemed appropriate by the OJK.

As stipulated in Law 9/2016, the systemic bank should develop a recovery plan that comprises the obligation of the ultimate shareholders to conduct bail-in (eg, convert the debt to equity). As implementation of the law, the OJK has enacted OJK Regulation No 5 of 2024 on the Determination of the Status of Supervision and Problem Handling of Commercial Banks (“OJK Reg 5/2024”). The regulations mainly govern recovery actions taken by banks while facing crisis related to capital, liquidity, profitability, and asset quality.

To overcome capital deficiencies, banks must pursue the following recovery options.

• Injection of bank capital by the controlling shareholder and/or the ultimate beneficial owner of the bank ‒ banks must first implement this recovery option before implementing any of the other options mentioned here.
• Conversion of certain types of obligations into bank capital ‒ this measure maybe imposed by the regulator of the bank or by involving other parties. Eligible converted obligations comprise deposits and/or debt or investment instruments that possess capital characteristics. Conversion can be done by converting the liabilities into ordinary shares or writing down the liabilities.
• Injection of bank capital by other parties – this could involve investments from other investors, strategic partners, or government entities to bolster the bank's capital.

Recovery options for banks facing liquidity problems include:

• application to BI for short-term liquidity loans or short-term liquidity financing based on Islamic finance principles;
• request for fund placement to the LPS; and/or
• other recovery options, such as owning a credit line in the money market.

Failure in profitability aspects can be addressed through cost-efficiency programmes, sale of fixed assets, and/or other recovery options, such as increasing collection activity. Meanwhile, issues caused by low asset quality can be resolved through credit restructuring, productive asset write-offs, and/or other recovery options, such as the transfer of credit collection rights (cessie).

If those measures are implemented and the bank continues to face challenges that threaten its business continuity and cannot be restored to a stable condition by the OJK within the latter’s authority, the OJK will designate the bank as a bank under resolution. Written notification of this designation will be provided by the OJK to the bank, the LPS, and BI accordingly.

In accordance with OJK Reg 5/2024, the OJK will classify a bank as being under resolution if it cannot be restructured and meets the following criteria:

• the bank has not exceeded the one-year restructuring period set by the OJK, but the bank’s condition has worsened and:
1. the minimum capital ratio requirement reaches below 8%, making restructuring impossible; and/or
2. the minimum required balance (Giro Wajib Minimum, or GWM) ratio in Indonesian rupiah is equal to 0% and is deemed impossible to resolve in accordance with provisions of the laws and regulations;
• the one-year restructuring period ends and:
1. the bank’s minimum capital adequacy ratio is less than the minimum capital adequacy requirement that corresponds to the bank’s risk profile; and/or
2. the GWM ratio in Indonesian rupiah is less than the required ratio that must be fulfilled by the bank and/or the bank has not been able to resolve fundamental liquidity problems; or
• the banks cannot return deposits from the LPS.

During the bank resolution, the clients’ deposits will be protected by the LPS. It will insure bank deposits in the form of current accounts, term deposits, certificates of deposit, saving accounts, or other equivalent forms of deposit. Currently, the number of deposits insured by the LPS for each customer in a bank is set at IDR2 billion. Meanwhile, deposits exceeding IDR2 billion will be settled by the liquidation team based on the results of the bank’s asset liquidation. The LPS guarantees various types of deposits, including conventional banking products such as demand deposits, time deposits, certificates of deposit, savings, and other equivalent forms, as well as deposit products governed by Islamic finance principles.

Sustainability Regulation

Indonesia has implemented regulations that govern the broader concept of sustainability within the banking sector. However, there are no specific regulations that explicitly focus on ESG matters. The existing regulation – namely, OJK Regulation No 51/POJK.03/2017 on the Implementation of Sustainable Finance for Financial Services Institutions, Issuers, and Public Companies (“OJK Reg 51/2017”) – requires banks to adopt sustainable practices, but it primarily refers to sustainability in terms of economic, social and environmental factors, rather than the more specific ESG framework.

Under OJK Reg 51/2017, banks in Indonesia are mandated to practise sustainable finance in their operations, so as to create sustainable economic growth by aligning economic, social and environmental interests. In practising sustainable finance, banks are required to prepare and implement the following.

• Sustainable Finance Action Plan ‒ banks are required to prepare and submit a Sustainable Finance Action Plan annually to the OJK. The Sustainable Finance Action Plan must at least include a plan to develop sustainable products, a plan to develop internal capacity or organisational adjustment to align with sustainable finance practices, and the target deadline to implement the plan.

• Sustainability report ‒ banks must prepare a sustainability report, which can be a separate or integral part of the annual report, and publish the report annually (by April 30th at the latest). The sustainability report must be prepared in Bahasa Indonesia (the official national language of Indonesia) and at least include the bank’s sustainability strategy, a summary of sustainability aspects (economic, social and environmental), a profile of the bank, an explanation from the board of directors, sustainability governance, sustainability performance, written verification from an independent party, a feedback sheet for readers, and a response to feedback on the previous year’s report.

• Sustainable finance funds allocation ‒ banks that are required to conduct social and environmental responsibility measures must allocate a portion of their funds for social and environmental responsibility to the implementation of sustainable finance. This fund allocation must be included in the Sustainable Finance Action Plan.

The OJK may impose administrative sanctions for any non-compliances with the foregoing. Conversely, if the banks have performed sustainable finance effectively, the OJK may provide an incentive to the banks by involving the banks in HR competency development programmes, granting the Sustainable Finance Award, or other kinds of incentives.

Specific Regulations on Governance

While OJK Reg 51/2017 does not specifically covers the “governance” aspect of ESG, the governance of banks has been regulated in several other OJK regulations as discussed in 1.1 Key Laws and Regulations, such as:

• OJK Regulation No 17 of 2023 on the Implementation of Governance for Commercial Banks;
• OJK Regulation No 2 of 2024 on the Implementation of Governance for Sharia Commercial Banks and Sharia Business Units;
• OJK Regulation No 9 of 2024 on the Implementation of Governance for Rural Banks and Sharia Rural Banks; and
• OJK Regulation No 25 of 2024 on the Implementation of Sharia Governance for Sharia Rural Banks.

The above-mentioned regulations require banks to implement good governance and provide detailed guidelines on the implementation of good governance tailored for each type of bank in Indonesia. The regulations cover the duties and responsibilities of board of directors and board of commissioners, the formation and duties of committees, the handling of conflicts of interest, the implementation of compliance and audits, risk management, remuneration, the provision of funds to related parties and large funds, the integrity of reporting and IT systems, banks’ strategic plans, and shareholder aspects, as well as implementation of anti-fraud measures, sustainable finance, and governance within banks’ business groups.

For Sharia banks, the regulations have also covered good governance in the Sharia context, such as the duties and responsibilities of the Sharia Supervisory Board, Sharia compliance and Sharia risk management.

The OJK has established regulations regarding risk management in the use of IT within the banking sector, which encompass several matters addressed under Regulation (EU) 2022/2554 (the “Digitial Operational Resilience Act” (DORA)), including requirements for managing banks’ IT risks, incident reporting, and managing third-party IT risks. These are regulated under OJK Regulation No 11/POJK.03/2022 on the Organisation of IT by Commercial Banks (“OJK Reg 11/2022”) and its implementing regulations, OJK Circular Letter No 24/SEOJK.03/2023 on the Assessment of Digital Maturity of Commercial Banks and OJK Circular Letter No 29/SEOJK.03/2022 on Cyber Resilience and Cyber Security for Commercial Banks.

IT Governance

Pursuant to OJK Reg 11/2022, banks are required to implement good IT governance. This is conducted by making clear the duties and responsibilities of the board of directors, the board of commissioners, and officials of all levels in the implementation of IT governance. In addition, banks are also required to establish:

• an IT steering committee, which will be responsible for providing recommendations to the board of directors on the banks’ IT strategic plan, IT policies, allocation of IT resources, and IT issues resolution efforts; and
• an IT management unit, which will be responsible for managing IT activities.

IT Risk Management

Banks must implement risk management measures effectively by at least conducting risk identification, risk measurement, risk monitoring, and risk control. Information security must be implemented effectively and efficiently in every aspect, and communication networks provided by the banks must adhere to the principles of confidentiality, integrity, and availability. Further, banks must have a disaster recovery plan in place to ensure the operation of the banks in the event of a disaster of IT disruption.

Cyber-Resilience and Cybersecurity

In maintaining cyber-resilience, banks must – with the support of adequate cyber-resilience information systems – conduct identification of assets, threats and vulnerability, as well as conducting asset protection, cyber-incident detection, and cyber-incident response and recovery. Banks must conduct self-evaluation on their cybersecurity maturity level annually and submit the evaluation report to the OJK. In addition, cybersecurity tests must be conducted periodically ‒ at least once a year ‒ on a vulnerability analysis basis and scenario basis. To handle their cyber-resilience and cybersecurity, banks are required to establish a special unit or function responsible for this.

Co-Operation With Third-Party IT Services Providers

If a bank co-operates with a third-party IT services provider, the bank must be able to supervise the bank’s activities conducted by the IT services provider. Banks must establish policies and procedures in utilising the services of IT services providers, including with regard to:

• the process of identification of the need for an IT services provider;
• the selection process;
• guidelines on co-operating with the IT services provider;
• the risk management process; and
• guidelines on evaluating the performance and compliance of the IT services provider.

When the selected IT services provider experiences significant organisational changes, banks are required to conduct a materiality reassessment of the IT services provider.

Banks must report to the OJK and decide the next step to address issues – including the termination of the IT services provider ‒ if the following conditions occur:

• the results of the materiality reassessment indicate that the performance of the IT services provider may not be effective;
• the deteriorating performance of the IT services provided by the IT services provider may cause or lead to significant impacts on the bank’s business and/or operations;
• the IT services provider becomes insolvent, is in the process of liquidation, or is declared bankrupt by the court;
• the IT services provider violates regulations regarding bank secrecy and/or customer personal data;
• banks are unable to provide the data needed for supervision by the OJK; and/or
• there are other conditions that disrupt or halt the provision of IT services by the IT service provider to the bank.

Reporting

Banks must submit several periodical reports to the OJK, including the IT development plan, a report on the current condition of IT operations, and an IT operations implementation report. In the event of an IT incident that has the potential to or has caused significant loss and/or disrupted the bank’s operational continuity, banks are required to submit an initial notification within 24 hours, as well as an IT incident report no later than five working days after the IT incident is discovered.

The OJK is currently in the process of preparing several regulations in the banking sector. Those expected to be implemented next are as follows.

Draft OJK Regulation on Transparency and Publication of Bank Reports

This draft regulation is expected to replace the current regulation on bank reports – namely, OJK Regulation No 37/POJK.03/2019 on Transparency and Publication of Bank Reports. The draft regulation has re-compiled all mandatory reporting of banks regulated under the banking regulations and has grouped the reports according to the type of the banks as well as their reporting period and deadlines. This regulation aims to provide banks with easier guidance on navigating their relevant reporting obligations.

The draft regulation emphasises that each of the bank reports must be prepared thoroughly, accurately, currently, fully, on time, and comparably. Additionally, the OJK requires the bank’s board of directors to appoint an executive officer with the integrity and relevant competence to prepare the bank’s financial statements. Such an officer must have a good track record and must sign a statement letter of integrity and compliance with the applicable laws and regulations as well as the OJK’s directives. The officer must be assisted by at least one chartered accountant qualified at the lowest level or at least one level above the lowest level.

Draft OJK Regulation on Liquidity Coverage Ratio and Net Stable Funding Ratio for Sharia Commercial Banks and Sharia Business Units

To promote a healthy banking system, particularly within the Sharia banking sector, the OJK will impose the obligation for Sharia commercial banks and Sharia business units to meet the minimum LCR and NSFR. While these obligations have long been applied to conventional banks, the OJK will finally impose this obligation on Sharia banking as well.

The purpose of calculating the LCR is to ensure that the bank has an adequate supply of unencumbered HQLA, such as cash and/or assets that can be rapidly converted into cash with minimal or no loss of value, to meet its liquidity requirements during a 30-day stress scenario. NSFR calculation, meanwhile, aims to ensure that the bank maintains stable funding that aligns with the composition of its assets and off-balance sheet items.

The calculation formula of both the LCR and the NSFR will be provided in the regulation, which is mainly based on the HQLA and total net cash outflow within the following 30 days. The percentage of each LCR and NSFR that must be fulfilled is 100%. The calculation must be conducted daily, monthly and quarterly, and must be submitted to the OJK according to the specified deadlines under the draft regulation.

Other than the LCR, the draft regulation also requires banks to monitor their liquidity conditions and capital adequacy based on certain indicators.

Draft OJK Regulation on a Leverage Ratio for Sharia Commercial Banks

Following the introduction of a leverage ratio obligation for commercial banks in 2019, the OJK is currently preparing a similar regulation, aimed at imposing the same obligation to maintain a leverage ratio on Sharia banks. Reflecting on the previous cyclical financial and economic crises, excessive leverage in the banking system poses risks of exposures recorded in the financial position report and of exposure to administrative transactions in the bank’s commitments and contingencies report. Therefore, imposing a leverage ratio obligation on banks may prevent banks from having excessive leverage conditions.

Pursuant to the draft, banks will be required to always maintain a leverage ratio of at least 3%, which will be used to calculate the adequate core capital that must be provide by each bank based on its recorded total exposure.

Each bank will have to submit a quarterly report to the OJK on the calculation of its leverage ratio, including a total exposure leverage ratio report and a leverage ratio calculation report. The report must also be published by the bank on its website and in at least one newspaper.