The Financial Services Authority (Otoritas Jasa Keuangan – “OJK”) has issued Regulation No. 18/POJK.03/2016 on Banking Risk Management. It repeals and replaces the previous regulations, BI Regulation No. 5/8/PBI/2003 and No. 11/25/PBI/2009. This regulation provides guidelines to commercial banks on mitigating any risk which might arise due to the complexities in their financial conditions. This regulation imposes several obligations on banks, requiring them to: introduce risk-management measures; establish a Risk-Management committee and Risk Management Task Force; conduct a risk-management assessment for new products and activities; and report to the OJK. The regulation also provides sanctions for non-compliance.

The risk-management measures are aimed at reducing potential risks that might affect a bank’s business. These measures may be undertaken by a bank on its own or together with its subsidiaries. Article 2 requires banks to have four main risk-management measures in place:

  1. active supervision by the Board of Directors and Board of Commissioners;
  2. risk-management policy and procedures, and the determination of risk limits;
  3. the Identification, measurement, monitoring, management of risk and the establishment of information systems; and
  4. comprehensive internal supervision.

The other important measure is the establishment of a Risk Management Committee and a Risk Management Task Force. In order to implement an effective risk-management policy, banks should establish a Risk-Management Committee that has the authority to provide recommendations to the President Director on matters specified in Article 17 of the regulation. Banks should also establish a Risk-Management Task Force that must be independent and directly responsible to the President Director. This Task Force should have the authorities specified in Article18 of the regulation.

Among the other obligations and sanctions that are introduced by this regulation are: Article 20, which requires all banks to have a written procedure and policy for the assessment of their risk-management for new products and activities; and Article 23, which obliges banks to report their Risk profile to the OJK every three months.

The sanctions for non-compliance with the regulation, according to Articles 31 and 32, can be: an administrative fine; written warnings; a degradation of the bank’s health level; the suspension of a particular activity; the inclusion of the bank on the OJK’s black list; and the dismissal of the bank’s management.