AML/KYC in Indonesia—One of the Strongest Economies in the APAC Region

Indonesia’s digital economy and 4.0 industry are considered the fastest in Southeast Asia, with more than 2,000 startups in the country.

The country’s digital economy is also anticipated to reach a valuation of US$124 billion by 2025, according to a recent e-Conomy report. A substantial portion of this growth is attributed to the e-commerce sector, expected to account for over US$83 billion to the digital economy by 2025.

As this growth continues, there is a notable emergence of new businesses, particularly in the e-commerce and fintech sectors. And these businesses are obliged to adhere to local Anti-Money Laundering (AML) regulations, one of which is KYC (eKYC), or Know Your Customer.

Let’s therefore dive into the specifics of Indonesia’s AML/KYC rules.

Who’s affected?

According to the Law No. 8 of 2010 on the Prevention and Eradication of Money Laundering, the following institutions are obliged to comply with the country’s AML regulations:

1. banks

2. finance companies

3. insurance companies and insurance broker companies

4. financial institution pension funds

5. securities companies

6. investment managers

7. custodians

8. trustees

9. postal services as the current account service providers

10. traders of foreign currency

11. card-basis payment device service providers

12. e-money and/ or e-wallet service providers

13. lending and savings institutions

14. pawn shops

15. companies which run in the field of commodity future trading

16. remittance service providers

17. property companies/ property agents

18. motor vehicle dealers

19. gems, jewelry, and precious metal dealers

20. antique and artistic stuff dealers

21. auction houses.

What are the main regulations?

1. Law No. 8 of 2010 on the Prevention and Eradication of Money Laundering (UU PPT No. 8 Tahun 2010) is the primary legal basis for anti-money laundering in Indonesia, outlining the requirements for various entities to prevent and combat money laundering.
2. Government Regulation No. 74 of 2015 provides further details on the implementation of Law No. 8 of 2010. It specifies the obligations and procedures for reporting and verifying financial transactions.
3. Financial Transaction Reports and Analysis Center Regulation No. 1/POJK.04/2018 sets out the procedures for reporting financial transactions to PPATK.
4. Government Regulation No. 43 of 2015 addresses the reporting obligations related to financial transactions and suspicious activities.
5. Law No. 9 of 2013 on the Prevention and Eradication of the Financing of Terrorism (UU PT No. 9 Tahun 2013) focuses on combating the financing of terrorism, complementing AML efforts.
6. OJK Regulation No. 12/POJK.01/2017 provides guidelines for the implementation of risk-based supervision in the prevention of money laundering and terrorism financing.
7. Counter-Terrorist Financing (CFT) Program in the Financial Services Sector, as amended by POJK No. 23/POJK.01/2019 and
8. OJK Regulation (POJK) No. 8 of 2023 on the Implementation of Anti-Money Laundering (AML) are aimed at mitigating emerging risks of money laundering (ML), terrorist financing (TF), and/or weapons of mass destruction proliferation financing.

The full list of KYC/AML-related laws in Indonesia can be found on the OJK website.

Who are the main regulators?

1. The Bank of Indonesia plays a crucial role in maintaining financial stability and implementing monetary policy
2. The Pusat Pelaporan dan Analisis Transaksi Keuangan (PPATK) is the country’s financial intelligence unit, responsible for collecting, analyzing, and disseminating information related to suspicious financial transactions.
3. The Otoritas Jasa Keuangan (OJK) is Indonesia’s Financial Services Authority which is responsible for regulating and supervising the financial services sector.

How to stay compliant

Indonesia officially became a full member of the Financial Action Task Force (FATF) on  October 27, 2023. 

The country has significantly advanced in aligning its AML framework with FATF recommendations. As a result, the FATF is no longer actively monitoring Indonesia. 

Being an FATF member, Indonesia adheres to the FATF’s risk-based approach, which means businesses are mandated to follow a number of steps including:

1. Implementing AML policies and procedures. This means developing a robust AML policy within the organization and appointing a Money Laundering Reporting Officer (MLRO).
2. Customer Due Diligence (CDD) and KYC (or eKYC in Indonesia). These must be conducted before establishing a business relationship. This means verifying the identity of customers, assessing the nature of their business, and understanding the source of their funds.
3. Transaction monitoring. Systems for real-time transaction monitoring must be implemented to identify and report suspicious activities. Thresholds should be established  for reporting large or unusual transactions.
4. AML Training. Staff should be trained to identify suspicious behavior and transactions and to follow the proper escalation procedures.
5. Record keeping. Accurate and up-to-date records of customer transactions should be maintained for the required period as per regulatory guidelines.
6. Reporting suspicious transactions. Procedures should be established for issuing suspicious activity reports (SARs) to the Financial Transaction Reports and Analysis Center (PPATK) promptly. An AML-obligated business must report a suspicious transaction to PPATK in case of:

a. Any financial transaction that seems suspicious

b. Cash transactions of Rp500,000,000.00 (±$32K) or its equivalent in foreign currency, whether made in one single transaction or several transactions on the same day

c. Fund transfers to or from other countries.

7. Risk assessment. Periodic risk assessments should be conducted to identify and mitigate AML risks specific to a business. AML programs should be adjusted based on the identified risks.
8. Internal controls and audits. Internal controls should be established to monitor and enforce AML policies. Conduct regular internal audits to assess the effectiveness of AML procedures and make necessary improvements.

Suggested read: The APAC Sentinel: Effective Transaction Monitoring Tactics

KYC in Indonesia

The KYC (Know Your Customer) process is a mandatory compliance measure according to the Indonesian Financial Services Authority (OJK), aiming to enable financial institutions to correctly verify their customers’ identities.

When incorporating KYC solutions, businesses must report their utilization to the Bank of Indonesia, implementing robust identity verification methods or technologies, and establishing effective policies and risk control procedures to adhere to regulatory requirements.

For identity verification, it is necessary to obtain the following identity verification information and certain documents (except for low-risk customers).

Identification information:

• Full Name
• Identity document number
• Residential address according to identity documents
• Place and date of birth
• Biometric data or signatures

In accordance with the guidelines set by the Bank of Indonesia, businesses are required to gather identity information from officially recognized government-issued documents, such as: 

• Identity Card (KTP)
• driver’s license (SIM)
• BPJS Kesehatan
• KITAP
• Passport

Penalties for non-compliance

Penalties for money laundering offenses vary based on the nature of the crime and other circumstances, but may include:

• Fines ranging from 10 billion up to 100 billion Indonesian Rupiah
• Prison sentences of up to 20 years
• Suspension on overall or partial business activity
• Revocation of business license
• Confiscation of business assets for the state
• Business takeover by the state