Business Support

III. H. Disclosure Of Compliance Risk Exposure And Implementation Of Compliance Risk

Management

Compliance risk is the risk arising from the Bank’s failure to comply with and/or implement the prevailing laws and regulations.

Organization of Compliance Risk Management In order to minimize compliance risks, all organizational lines need to be responsible for the management of compliance risk in all activities of the Bank.

The Compliance, Legal and Risk Management Director, assisted by the Compliance Unit, is responsible for ensuring compliance and minimizing compliance risk by formulating compliance risk management policies and procedures as well as monitoring their implementation. The Compliance Unit is independent from other working units. The Compliance, Legal and Risk Management Director reports the results to the President Director, which will be presented to the Board of Commissioners.

The Compliance Unit is also responsible for the implementation of the Bank’s Anti-Money Laundering and Combating the Financing of Terrorism (APU and PPT) programs, including assessing the risk of APU and PPT program implementation in accordance with prevailing regulations from the regulators.

Business units at head office and branches are the front-line in ensuring all business activities are carried out in accordance with the relevant regulations.

Risk Management Strategies Associated with Compliance Risk

BCA has a strong commitment to comply with prevailing laws and regulations and actively takes steps to correct any weaknesses. This is in line with BCA’s compliance risk management strategy, which contains policies to always comply with the applicable regulations, foremost through proactive prevention (ex-ante) in order to minimize any occurrence of violations and through curative action (ex-post) as corrective measures.

Compliance Risk Monitoring and Control

In order to control and minimize compliance risk, BCA has taken the following steps:

s)DENTIFYSOURCESOFCOMPLIANCERISK

s 0ERFORMGAPANALYSISIFTHEREISACHANGEIN regulation and make the necessary adjustments to internal policies and regulations, as well as to information systems;

s 0ERFORMREGULARMEASUREMENTANDMONITORING of compliance risk exposure on a regular basis - the results are discussed with the Risk Management Unit;

s3OCIALIZEANDCONSULTONPROVISIONSOFVARIOUS regulations;

s%XAMINECOMPLIANCEINTHEIMPLEMENTATION of provisions;

s $EVELOPACOMPLIANCEMATRIXDIARYASAMEANS of monitoring commitment to comply with reporting duties to the regulators;

s -ONITOR SUSPICIOUS lNANCIAL TRANSACTIONS through the implementation of Anti Money Laundering protocols, which are regularly audited.

In order to improve the effectiveness of internal control, coordination is maintained between the Risk Management Unit, the Internal Audit Division and the Compliance Unit through regular meetings and intensive communication. Problems associated with internal compliance control, particularly in addressing potential compliance risks, are comprehensively assessed, allowing the formulation of effective measures.

Application of Integrated Risk Management

In accordance with POJK No. 17/POJK.03/2014 dated 18 November 2014 and OJK Circular Letter No. 14/ SEOJK.03/2015 of 25 May 2015 on the Implementation of Integrated Risk Management for Financial Conglomerations, BCA has developed Integrated Risk Management for Financial Conglomerates.

Application of an Integrated Risk Management structure includes:

1. Active supervision of BCA Financial Conglomeration by the Board of Directors and the Board of Commissioners of the primary entity defined as BCA;

2018 Annual Report PT Bank Central Asia Tbk 159 Management;

3. Adequacy of Identification, Measurement, Monitoring, and Mitigation of Integrated Risk, as well as Integrated Risk Management Information Systems;

4. Comprehensive Internal Control System for the Implementation of Integrated Risk Management.

BCA has implemented Integrated Risk Management by:

1. Delegating a director of integrated risk management.

2. Establishing Integrated Risk Management Committee.

3. Adjusting organizational structure of Risk Management Unit covering integrated risk management functions.

4. Reporting to the OJK regarding BCA Main Entity and member of Financial Conglomeration.

5. Conducting socialization and coordination with BCA Financial Conglomerate as a group.

6. Delivering the Integrated Risk Profile Report on a semester basis.

7. Delivering the Integrated Capital Adequacy Report on a semester basis.

In line with its function, in 2018, the Integrated Risk Management Committee conducted regular meetings. The first meeting on 2 May 2018 discussed the following:

s 3COPE OF )NTEGRATED "USINESS #ONTINUITY 0LAN (BCP);

s )NTEGRATED 2ISK -ANAGEMENT )NFORMATION System;

s 2ISK !PPETITE AND 2ISK 4OLERANCE OF "#!

Financial Conglomeration;

The second meeting on 5 November 2018 discussed the following:

s /RGANIZATIONAL 3TRUCTURE OF )NTEGRATED 2ISK Management and Risk Monitoring Framework of BCA Financial Conglomeration

s )NTEGRATED STRESS TEST OF "#! &INANCIAL Conglomeration (BCA and subsidiaries) in 2018

These risks include the eight types of risks: credit risk, market risk, liquidity risk, operational risk, legal risk, reputation risk, strategic risk and compliance risk, with the addition of inter-group transaction risk and insurance risk.

Inter-Group Transaction Risk

BCA Financial Conglomeration conducts inter-group transactions in accordance with the principles of fairness and on an arms-length basis in adherence with prevailing regulations. All inter-group transactions are documented appropriately. Inter- group transactions currently do not have a material impact on the overall financial performance of the Group.

Insurance Risk

BCA Financial Conglomeration also manages Insurance Risk through the Bank’s subsidiaries active in the insurance industry. Referring to the measurement results, insurance risk did not significantly affect BCA Financial Conglomeration.

Based on integrated risk assessment, BCA Financial Conglomeration’s capital is considered sufficient to anticipate potential losses that may arise or be faced by BCA Financial Conglomeration in conducting the integrated businesses.

The Bank’s subsidiaries that are included in the implementation of the integrated risk management are: PT BCA Finance, PT BCA Finance Limited, PT Bank BCA Syariah, PT BCA Sekuritas, PT Asuransi Umum BCA (BCA Insurance), PT Central Santosa Finance, PT Asuransi Jiwa BCA (BCA Life), and PT Central Capital Ventura.

Summary of the implementation of risk management within each subsidiary, as follows:

2018 Annual Report PT Bank Central Asia Tbk

160

Management Report

PT BCA FINANCE

Active supervision by the board of Commissioners and the board of directors

Active supervision is conducted by the Board of Commissioners and the Board of Directors through the following:

s %STABLISHMENTOF!UDIT#OMMITTEEATTHELEVELOFTHE"OARDOF#OMMISSIONERS s %STABLISHMENT OF 2ISK -ANAGEMENT #OMMITTEE AND !SSET ,IABILITY #OMMITTEE

(ALCO) at the level of the Board of Directors, and through the Regular Meeting Management and Consumer Meeting;

s 4HE"OARDOF$IRECTORSENSURESTHEPROVISIONOFTHEIMPLEMENTATIONOFPOLICIESAND evaluations, transaction agreements, risk management culture development, policy regarding independence of risk-taking work units on internal controls, and risk management within the company;

s 4HE"OARDOF#OMMISSIONERSACTIVELYOVERSEESTHEPERFORMANCEOFTHEDIRECTORS Adequacy of policies and

procedures, and determination of limits

s "ASIC2ISK-ANAGEMENT0OLICY

s 2ISKMANAGEMENTPOLICYANDIMPLEMENTATIONGUIDELINESFORVARIOUSRISKSASDESCRIBED in Decision Letters;

s 0OLICIESANDPROCEDURESANDDETERMINATIONOFLIMITSAREADEQUATEANDSOCIALIZEDTO all employees and regularly reviewed.

Identification, measurement, monitoring and mitigation processes and risk management Information system

s 4HE IDENTIlCATION PROCESS IS CARRIED OUT ON ALL PRODUCTSTRANSACTIONS THAT CONTAIN risks. Risks are measured according to the type, characteristic, and complexity of each product/transaction by the risk-taking unit and Corporate Risk Management.

Risks are controlled according the risk exposure and within risk appetite;

s 2ISK MANAGEMENT PROCESSES ARE REmECTED IN AMONG OTHERS RISK PROlLE REPORTS monitoring reports and regular limit reviews;

s 2ISK MANAGEMENT OF INFORMATION TECHNOLOGY SYSTEMS IS USED TO IDENTIFY AND detect watchlist customers, mitigate fraud through certain parameters as alerts, reporting on risk events at the branches or headquarters through operation risk event management (OREM) application, risk and control self assessment, and implementation of multiple scoring both internally developed and in coperation with Credit Bureau for a more prudent lending proces;

s 2ISKPROlLINGREPORTWILLBEINTEGRATEDTOMAINENTITYTHROUGH)2-)3APPLICATION Comprehensive internal control

systems

Internal Audit Division has the function of evaluating the effectiveness and efficiency of work processes and their suitability to the needs of the business. Evaluations are conducted by way of active and passive inspection throughout all work units.

BCA FINANCE LIMITED

Active supervision by the board of Commissioners and the board of directors

Active supervision by the Board of Directors is conducted through discussions on business and operational activities between the Board of Directors and management staff through regular reports.

Adequacy of policies and procedures, and determination of limits

s "ASIC2ISK-ANAGEMENT0OLICYAND'UIDELINES

s 0OLICIES AND PROCEDURES AND DETERMINATION OF LIMITS ARE ADEQUATE AND REGULARLY reviewed.

Identification, measurement, monitoring and mitigation processes and risk management Information system

s 2ISKMANAGEMENTPROCESSESARECONDUCTEDANDOUTLINEDINRISKPROlLEREPORTSONA quarterly basis;

s2ISKMANAGEMENTPROCESSESAREREmECTEDINAMONGOTHERSTHEMONITORINGOFLIMITS and regular limit reviews.

Comprehensive internal control systems

Internal control is conducted by Compliance and Internal Audit division.

2018 Annual Report PT Bank Central Asia Tbk 161

of Commissioners and the board of directors

conducted through the establishment of the following:

s 2ISK/VERSIGHT#OMMITTEE!UDIT#OMMITTEEAND2EMUNERATIONAND.OMINATION Committee at the level of the Board of Commissioners; and

s2ISK-ANAGEMENT#OMMITTEE#REDIT#OMMITTEE#REDIT0OLICY#OMMITTEE(UMAN Resources Committee, Information Technology Steering Committee, and Assets and Liabilities Committee (ALCO) at the level of the Board of Directors.

Adequacy of policies and procedures, and determination of limits

s "ASIC2ISK-ANAGEMENT0OLICY

s2ISKMANAGEMENTPOLICYFORVARIOUSRISKSASDElNEDIN*OB0ROCEDURESAND'UIDELINES s&INANCING0OLICYRELATEDTOCREDITRISK

s 0OLICIES AND PROCEDURES AND DETERMINATION OF LIMITS ARE ADEQUATE AND REGULARLY reviewed.

Identification, measurement, monitoring and mitigation processes and risk management Information system

s 2ISKMANAGEMENTPROCESSESARECONDUCTEDANDOUTLINEDINRISKPROlLEREPORTSONA quarterly basis;

s2ISKMANAGEMENTPROCESSESAREREmECTEDINAMONGOTHERSTHEMONITORINGOFLIMITS and regular limit reviews.

Comprehensive internal control systems

The effectiveness of internal control is tested by the Internal Audit Work Unit.

PT BCA SEKURITAS

Active supervision by the board of Commissioners and the board of directors

Active supervision by the Board of Commissioners and the Board of Directors is conducted through the following activities:

s2EGULARMEETINGSOFTHE"OARDOF#OMMISSIONERSANDTHE"OARDOF$IRECTORS s%STABLISHMENTOFORGANIZATIONSWITHREFERENCETOTHE$ECREEOFTHE#APITAL

Market and Financial Institution Supervisory Agency Number Kep-548/BL/2010 (Bapepam-LK/OJK) Regulation Number V.D.3 concerning Internal Control of Securities Companies Conducting Business Activities as A Broker-Dealer, comprising:

− Marketing Functions;

− Risk Management Functions;

− Bookkeeping Functions;

− Custodian Functions;

− Information Technology Functions; and

− Compliance Function;

as well as Research Functions outside of the six functions listed above;

s%STABLISHMENTOFTHE)NTERNAL!UDIT&UNCTIONINACCORDANCEWITH/*+2EGULATION POJK.04/2017 of September 26, 2017 on Implementation of Corporate Governance for Securities Firms Acting as Underwriters and Brokers;

s 4HE"OARDOF#OMMISSIONERSGIVESAPPROVALREGARDINGCREDITFACILITIESACCEPTEDBY BCA Sekuritas from third parties;

s4HE"OARDOF#OMMISSIONERSENSURESMATTERSON-ONEY,AUNDERINGAND4ERRORISM Financing are discussed at Board of the Directors and the Board of Commissioners meetings;

s4HE"OARDOF$IRECTORSMAKESDECISIONSREGARDINGINTERNALPOLICY

s4HE "OARD OF $IRECTORS SIGNS ALL REPORTS IN ACCORDANCE WITH #APITAL -ARKET regulations.

Adequacy of policies and procedures, and determination of limits

s 0OLICYAND0ROCEDURESTHATAREINLINEWITH#APITAL-ARKETREGULATIONSANDAREUSED as basis for developing guidelines for BCA Sekuritas’ business activities;

s "ASIC2ISK-ANAGEMENT0OLICY

s 0OLICIES AND PROCEDURES AND DETERMINATION OF LIMITS ARE ADEQUATE AND REGULARLY reviewed;

s 0OLICIESDERIVEDFROMBASICRISKMANAGEMENTPOLICY Identification, measurement,

monitoring and mitigation processes and risk management Information system

s 2ISK MANAGEMENT PROCESSES ARE REmECTED IN REGULAR MONITORING OF THE HAIRCUT effects, customer limits, and customer daily transactions, all of which are reported regularly;

s 2ISKMANAGEMENTPROCESSESARECONDUCTEDANDRECORDEDINRISKPROlLEREPORTSEVERY semester.

Comprehensive internal control systems

Internal control of all business activities is conducted by Internal Audit Work Unit in accordance with Capital Market regulations.

2018 Annual Report PT Bank Central Asia Tbk

162

Management Report

PT ASURANSI UMUM BCA Active supervision by the board of Commissioners and the board of directors

Active supervision is conducted by the Board of Commissioners and the Board of Directors through the establishment of the following committees:

s !UDIT #OMMITTEE AND 2ISK /VERSIGHT #OMMITTEE AT THE LEVEL OF THE "OARD OF Commissioners; and

s )NVESTMENT #OMMITTEE )NSURANCE #LOSURE !CCEPTANCE #OMMITTEE AND )NSURANCE Claim Finalization Committee at the level of the Board of Directors.

Adequacy of policies and procedures, and determination of limits

s 6ARIOUSPOLICIESINCLUDINGTHEFOLLOWING

- Guidelines of the implementation of risk management;

- Authority for Claim Approval, Acceptance and Insurance Policy/Cover Note Signing;

- Underwriting Guidelines;

- IT Operation Guidelines;

- Manual Disaster Recovery Plan (DRP);

- Reinsurance policy guidelines;

- Corporate Investment Policy;

- Operations Cost Approval Authority, Fixed Asset Purchasing, Office/

Building Renovations;

- Implementation Guidelines for APU and PPT;

- Manual Business Continuity Plan;

- Anti Fraud Guidelines;

- Financial Crisis Business Continuity Plan Policy;

s 0OLICIES AND PROCEDURES AND DETERMINATION OF LIMITS ARE ADEQUATE AND REGULARLY reviewed.

Identification, measurement, monitoring and mitigation processes and risk management Information system

s 2ISKMANAGEMENTPROCESSESARECONDUCTEDANDRECORDEDINRISKPROlLEREPORTS s 2ISK MANAGEMENT PROCESSES ARE REmECTED IN AMONG OTHERS RISK PROlLE REPORTS

monitoring reports and regular limit reviews, company stress test simulation report, and business continuity plan testing result evalution report.

Comprehensive internal control systems

Internal supervision is conducted by the Internal Audit Work Unit which assists management in monitoring the effectiveness of the implementation of all policies/

procedures established.

PT CENTRAL SANTOSA FINANCE Active supervision by the board of Commissioners and the board of directors

Active supervision by the Board of Commissioners and the Board of Directors is conducted in the following forms:

s2OUTINEMEETINGSOFTHE"OARDOF#OMMISSIONERSANDTHE"OARDOF$IRECTORS s4HE"OARDOF$IRECTORSACKNOWLEDGESANDSIGNSALLREPORTSFORTHEAUTHORITIES s4HE"OARDOF#OMMISSIONERSHASESTABLISHEDTHE2ISK/VERSIGHT#OMMITTEEWHICHIS

attached to the Audit Committee.

Adequacy of policies and procedures, and determination of limits

s "ASIC2ISK-ANAGEMENT0OLICY

s 0OLICIES AND PROCEDURES AND DETERMINATION LIMITS ARE ADEQUATE AND REGULARLY reviewed.

Identification, measurement, monitoring and mitigation processes and risk management Information system

Risk management processes are conducted and outlined in annual and semester risk profile reports;

s )MPROVEMENTONTHE)NFORMATIONSYSTEMTOENSURETHEREADINESSOFACCURATEDATA within a short time as required by management.

Comprehensive internal control systems

Internal supervision is conducted by the Internal Audit Work Unit.

2018 Annual Report PT Bank Central Asia Tbk 163

of Commissioners and the board of directors

Directors through the establishment of the following:

s 2ISK /VERSIGHT #OMMITTEE AND !UDIT #OMMITTEE AT THE LEVEL OF THE "OARD OF Commissioners; and

s 0RODUCT$EVELOPMENT#OMMITTEE)NVESTMENT#OMMITTEEAND2ISK-ANAGEMENT Committee at the level of the Board of Directors.

Adequacy of policies and procedures, and determination of limits

s "ASIC2ISK-ANAGEMENT0OLICYANDITS)MPLEMENTATION'UIDELINESFOREACHTYPEOF risks, as defined in the job procedures and guidelines;

s 0OLICIES AND PROCEDURES AND DETERMINATION OF LIMITS ARE ADEQUATE AND REGULARLY reviewed.

Identification, measurement, monitoring and mitigation processes and risk management Information system

s 2ISKMANAGEMENTPROCESSESARECONDUCTEDANDOUTLINEDINRISKPROlLEREPORTS s 2ISK MANAGEMENT PROCESSES ARE REmECTED IN AMONG OTHERS RISK PROlLE REPORTS

monitoring reports and regular limit reviews.

Comprehensive internal control systems

Internal Audit Division has been established which reviews the effectiveness and efficiency of each operational procedure independently and periodically according to the scope of each work unit.

PT CENTRAL CAPITAL VENTURA Active supervision by the board of Commissioners and the board of directors

Active supervision is conducted by the Board of Commissioners and the Board of Directors through the establishment of the following:

s 2EGULAR MEETINGS OF THE "OARD OF #OMMISSIONERS AND THE "OARD OF $IRECTORS (minimum once in three months, based on OJK regulation No. 36/POJK.05/2015);

s %STABLISHMENT OF ORGANIZATION STRUCTURE BASED ON /*+ REGULATION .O POJK.05/2015;

s 4HE "OARD OF #OMMISSIONERS APPROVAL ON THE "OARD OF $IRECTORS REQUEST ON THE capital injection to PPU;

s 4HE"OARDOF$IRECTORSAPPROVALONINTERNALPOLICIES

s 2EGULARMEETINGOF"OARDOF$IRECTORSAMINIMUMOFONCEAMONTHBASEDON/*+

Regulation No. 36/POJK.05/2015;

s 4HE"OARDOF$IRECTORSAUTHORIZATIONANDRESPONSIBILITIESOFALLREPORTSINCLUDINGRISK profile reports to the regulator.

Adequacy of policies and procedures, and determination of limits

s 0OLICIES AND PROCEDURES ARE IN COMPLIANCE WITH PREVAILING REGULATIONS AND ARE outlined in BCA’s guidelines and procedures and guidelines for the sustainability business;

s 0OLICIES AND PROCEDURES AND DETERMINATION OF LIMITS ARE ADEQUATE AND REGULARLY reviewed.

Identification, measurement, monitoring and mitigation processes and risk management Information system

s 2ISKMANAGEMENTPROCESSESARECONDUCTEDANDOUTLINEDINRISKPROlLEREPORTSEACH semester;

s 2ISK MANAGEMENT PROCESSES ARE REmECTED IN AMONG OTHERS RISK PROlLE REPORTS monitoring reports and regular limit reviews.

Comprehensive internal control systems

s (AVE POLICIES PROCEDURES AND DETERMINATION OF LIMITS RELATED TO CORPORATE investment;

s)NTERNALCONTROLPROCESSHASBEENCARRIEDOUTINTHEIMPLEMENTATIONOFOPERATIONAL activities.

2018 Annual Report PT Bank Central Asia Tbk

164

Management Report

Table A. Disclosure of the Capital Structure

Disclosure of the Bank’s capital structure (on standalone basis and consolidated) is presented in the audited Consolidated Financial Statements, note No. 45.

Table B.1.a.1. Disclosure of Net Receivables by Region - Bank Only

(in million Rupiah)

No. Portfolio Category

Period of December 31, 2018

Net Receivables by Region

Sumatera Jawa Kalimantan Eastern

Indonesia Total

(1) (2) (3) (4) (5) (6) (7)

1 Receivables on sovereigns - 151,206,893 - - 151,206,893 2 Receivables on public sector entities 26,541 36,284,517 - - 36,311,058 3 Receivables on multilateral development

banks and international institutions

- - - - -

4 Receivables on banks 88,332 67,042,218 2,540 35,022 67,168,112 5 Loans secured by residential property 2,103,089 40,430,355 826,332 2,236,183 45,595,959 6 Loans secured by commercial real estate 870,732 15,402,633 204,565 680,450 17,158,380

7 Employee/retired loans - - - - -

8 Receivables on micro, small business &

retail portfolio

2,867,308 63,801,148 756,106 1,538,289 68,962,851 9 Receivables on corporate 24,200,166 376,571,085 7,708,958 14,963,416 423,443,625 10 Past due receivables 123,342 1,395,429 38,495 142,119 1,699,385 11 Other assets 2,769,330 45,235,542 820,481 1,956,327 50,781,680

Total 33,048,840 797,369,820 10,357,477 21,551,806 862,327,943

(in million Rupiah)

No. Portfolio Category

Period of December 31, 2017 Net Receivables by Region

Sumatera Jawa Kalimantan Eastern

Indonesia Total

(1) (2) (3) (4) (5) (6) (7)

1 Receivables on sovereigns - 163,927,574 - - 163,927,574 2 Receivables on public sector entities 6,633 24,265,866 - - 24,272,499 3 Receivables on multilateral development

banks and international institutions

- - - - -

4 Receivables on banks 44,616 50,469,846 15,766 29,996 50,560,224 5 Loans secured by residential property 1,914,945 33,892,558 760,127 1,930,569 38,498,199 6 Loans secured by commercial real estate 615,414 13,665,656 178,859 694,818 15,154,747

7 Employee/retired loans - - - - -

8 Receivables on micro, small business &

retail portfolio

2,824,832 59,780,953 722,599 1,473,715 64,802,099 9 Receivables on corporate 21,019,287 342,167,220 5,689,550 14,817,118 383,693,175 10 Past due receivables 160,244 1,104,972 71,692 40,458 1,377,366 11 Other assets 1,631,965 36,720,974 472,176 1,280,238 40,105,353

Total 28,217,936 725,995,619 7,910,769 20,266,912 782,391,236