EFFECTIVENESS OF BANK RISK MANAGEMENT SYSTEMS

III. H. Disclosure of Compliance Risk Exposure and Implementation of Compliance Risk

Management

Compliance risk arises from the Bank’s failure to comply with and/or apply prevailing laws and regulations.

Organization of Compliance Risk Management To minimize potential compliance risk, all lines of the organization are responsible for the management of compliance risk in all bank activities.

The Compliance, Legal and Risk Management Director, ASSISTED BY THE #OMPLIANCE 5NIT IS RESPONSIBLE FOR ensuring compliance and minimizing compliance risk by formulating compliance risk management policies and procedures as well as monitoring their IMPLEMENTATION4HE#OMPLIANCE5NITISINDEPENDENT from other working units. The Compliance, Legal and Risk Management Director reports the results to the President Director, which will be presented to the Board of Commissioners.

4HE #OMPLIANCE 5NIT IS ALSO RESPONSIBLE FOR THE implementation of the Bank’s Anti-Money Laundering AND#OMBATINGTHE&INANCINGOF4ERRORISM!05AND 004 PROGRAMS INCLUDING ASSESSING THE RISK OF !05 and PPT program implementation in accordance with prevailing regulations from the regulators.

Business units at head office and branches are the front-line in ensuring all business activities are carried out in accordance with the relevant regulations.

Risk Management Strategies Associated with Compliance Risk

BCA has a strong commitment to comply with prevailing laws and regulations and actively takes steps to correct any weaknesses. This is in line with BCA’s compliance risk management strategy, which contains policies to always comply with the applicable regulations, foremost through proactive prevention (ex-ante) in order to minimize any occurrence of violations and through curative action (ex-post) as corrective measures.

Compliance Risk Monitoring and Control

To control and minimize compliance risks, BCA has taken the following steps:

s )DENTIFYINGSOURCESOFCOMPLIANCERISK

s #ONDUCTINGGAPANALYSISANALYZINGTHEIMPACTOF new regulations on operations, and proposing adjustments of manuals, internal policies and procedures

s -EASURING AND MONITORING COMPLIANCE RISK regularly and submitting the report to the risk management work unit (SKMR)

s 3OCIALIZATIONOFREGULATIONSANDCONSULTATIONON their implementation

s #ONDUCTING COMPLIANCE TESTS ON THE implementation of provisions

s $EVELOPING A COMPLIANCE MATRIX DIARY AS A monitoring tool to comply with reporting obligations to regulators

s -ONITORING SUSPICIOUS lNANCIAL TRANSACTIONS by using the STIM (suspicious transaction identification model) web-based application, and developing a system of applications by using the latest technology and updated parameters to detect suspicious transactions

s 3CREENING CUSTOMER DATA AND TRANSACTIONS related to the list of terrorist and terrorist organizations (DTTOT) and the list of funding for the proliferation of mass destruction weapons (DPPSP) issued by the relevant authority when opening an account, when the bank conducts business relations, and when there is any change in the abovementioned list.

In order to improve the effectiveness of internal control, coordination is maintained between the 2ISK-ANAGEMENT5NITTHE)NTERNAL!UDIT$IVISION ANDTHE#OMPLIANCE5NITTHROUGHREGULARMEETINGS and intensive communication. Problems associated with internal compliance control, particularly in addressing potential compliance risks, are comprehensively assessed, allowing the formulation of effective measures.

Implementation of Integrated Risk Management In accordance with POJK No. 17/POJK.03/2014 dated 18 November 2014 and OJK Circular Letter No. 14/

SEOJK.03/2015 of 25 May 2015 on the Implementation of Integrated Risk Management for Financial Conglomerations, BCA has developed Integrated Risk Management for Financial Conglomerates.

The implementation of integrated risk management includes:

1. Active supervision of BCA financial conglomeration by the Board of Directors and Board of Commissioners of the main entity 2. Adequacy of policies, procedures, and

determination of integrated risk management limits

3. Adequacy of the integrated risk identification, measurement, monitoring and control processes as well as the integrated risk management information system

4. Comprehensive internal control system for the implementation of integrated risk management.

BCA has implemented Integrated Risk Management by

1. Delegating a director to oversee the integrated risk management function

2. Establishing an integrated risk management committee

3. Adjusting the organizational structure of the risk management work unit, including an integrated risk management function

4. Reporting the main entity and members of the BCA financial conglomeration to the OJK 5. Conducting socialization and coordination with

BCA Financial Conglomerate as a group

6. Delivering the Integrated Risk Profile Report on a semester basis.

7. Delivering the Integrated Capital Adequacy Report on a semester basis.

BCA is building the integrated risk management information system (IRMIS), a technology-based information system for the preparation of:

s "#!2ISK0ROlLE2EPORT,02"#!

s )NTEGRATED2ISK0ROlLE2EPORT,024 s )NTEGRATED#APITAL!DEQUACY2EPORT,+04

The integrated risk management committee held regular meetings in 2019, with the first on May 27, 2019, discussing:

s 2EVIEWOFTHEIMPLEMENTATIONOFTHEINTEGRATED risk management of the BCA financial conglomeration

s 3USTAINABLElNANCE

The second integrated risk management committee meeting on September 2, discussed:

s /*+INPUTRELATEDTOINTEGRATEDRISKMANAGEMENT s )2-)3DEVELOPMENTUPDATE

s 2EPORT ON THE INTEGRATED RISK PROlLE OF "#!

financial conglomeration for semester I - 2019.

The third integrated risk management committee meeting December 2, discussed:

s INTEGRATED STRESS TEST ON "#! lNANCIAL conglomeration

s 0ROPOSED CONCEPT OF "#! lNANCIAL conglomeration circuit breaker

s )2-)3DEVELOPMENTUPDATE

BCA Financial Conglomeration manages 10 (ten) types of integrated risks as identified by the regulators.

These risks include the 8 (eight) types of risks: credit risk, market risk, liquidity risk, operational risk, legal risk, reputation risk, strategic risk and compliance risk, with the addition of inter-group transaction risk and insurance risk.

Inter-Group Transaction Risk

BCA Financial Conglomeration conducts inter- group transactions in accordance with the principles of fairness and on an arms-length basis in adherence with prevailing regulations. All inter- group transactions are documented appropriately.

Intergroup transactions currently do not have a material impact on the overall financial performance of the Group.

Insurance Risk

BCA Financial Conglomeration also manages Insurance Risk through the Bank’s subsidiaries active in the insurance industry. Referring to the measurement results, insurance risk did not significantly affect BCA Financial Conglomeration.

Based on integrated risk assessment, BCA Financial Conglomeration’s capital is considered sufficient to anticipate potential losses that may arise or be faced by BCA Financial Conglomeration in conducting the integrated businesses.

BCA subsidiaries included in the implementation of the integrated risk management are: PT BCA Finance, BCA Finance Limited, PT Bank BCA Syariah, PT BCA 3EKURITAS 04 "#! !SURANSI 5MUM "#! )NSURANCE PT Central Santosa Finance, PT Asuransi Jiwa BCA (BCA Life), PT Central Capital Ventura and PT Bank Royal Indonesia.

A summary of the implementation of risk management within each subsidiary is as follows:

PT BCA FINANCE

Active supervision by the board of Commissioners and the board of directors

Active supervision is conducted by the Board of Commissioners and the Board of Directors through the following:

s %STABLISHMENTOF!UDIT#OMMITTEEATTHELEVELOFTHE"OARDOF#OMMISSIONERS s %STABLISHMENT OF 2ISK -ANAGEMENT #OMMITTEE AND !SSET ,IABILITY #OMMITTEE

(ALCO) at the level of the Board of Directors, and through the Regular Meeting Management and Consumer Meeting;

s 4HE"OARDOF$IRECTORSENSURESTHEPROVISIONOFTHEIMPLEMENTATIONOFPOLICIESAND evaluations, transaction agreements, risk management culture development, policy regarding independence of risk-taking work units on internal controls, and risk management within the company;

s 4HE"OARDOF#OMMISSIONERSACTIVELYOVERSEESTHEPERFORMANCEOFTHEDIRECTORS Adequacy of policies and

procedures, and determination of limits

s "ASIC2ISK-ANAGEMENT0OLICY

s 2ISKMANAGEMENTPOLICYANDIMPLEMENTATIONGUIDELINESFORVARIOUSRISKSASDESCRIBED in Decision Letters;

s 0OLICIESANDPROCEDURESANDDETERMINATIONOFLIMITSAREADEQUATEANDSOCIALIZEDTO all employees and regularly reviewed.

Identification, measurement, monitoring and mitigation processes and risk management Information system

s 4HE IDENTIlCATION PROCESS IS CARRIED OUT ON ALL PRODUCTSTRANSACTIONS THAT CONTAIN risks. Risks are measured according to the type, characteristic, and complexity of each product/transaction by the risk-taking unit and Corporate Risk Management.

Risks are controlled according the risk exposure and within risk appetite;

s 2ISK MANAGEMENT PROCESSES ARE REmECTED IN AMONG OTHERS RISK PROlLE REPORTS monitoring reports and regular limit reviews;

s 2ISK MANAGEMENT OF INFORMATION TECHNOLOGY SYSTEMS IS USED TO IDENTIFY AND detect watchlist customers, mitigate fraud through certain parameters as alerts, reporting on risk events at the branches or headquarters through operation risk event management (OREM) application, risk and control self assessment, and implementation of multiple scoring both internally developed and in coperation with Credit Bureau for a more prudent lending process;

s 2ISKPROlLINGREPORTWILLBEINTEGRATEDTOMAINENTITYTHROUGH)2-)3APPLICATION Comprehensive internal control

systems

Internal Audit Division has the function of evaluating the effectiveness and efficiency of work processes and their suitability to the needs of the business. Evaluations are conducted by way of active and passive inspection throughout all work units.

BCA FINANCE LIMITED

Active supervision by the board of Commissioners and the board of directors

Active supervision by the Board of Directors is conducted through discussions on business and operational activities between the Board of Directors and management staff through regular reports.

Adequacy of policies and procedures, and determination of limits

s "ASIC2ISK-ANAGEMENT0OLICYAND'UIDELINES

s 0OLICIES AND PROCEDURES AND DETERMINATION OF LIMITS ARE ADEQUATE AND REGULARLY reviewed.

Identification, measurement, monitoring and mitigation processes and risk management Information system

s 2ISKMANAGEMENTPROCESSESARECONDUCTEDANDOUTLINEDINRISKPROlLEREPORTSONA quarterly basis;

s2ISKMANAGEMENTPROCESSESAREREmECTEDINAMONGOTHERSTHEMONITORINGOFLIMITS and regular limit reviews.

Comprehensive internal control systems

Internal control is conducted by Compliance and Internal Audit division.

PT BANK BCA SYARIAH Active supervision by the board of Commissioners and the board of directors

Active supervision by the Board of Commissioners and the Board of Directors is conducted through the establishment of the following:

s 2ISK/VERSIGHT#OMMITTEE!UDIT#OMMITTEEAND2EMUNERATIONAND.OMINATION Committee at the level of the Board of Commissioners; and

s2ISK-ANAGEMENT#OMMITTEE#REDIT#OMMITTEE#REDIT0OLICY#OMMITTEE(UMAN Resources Committee, Information Technology Steering Committee, and Assets and Liabilities Committee (ALCO) at the level of the Board of Directors.

Adequacy of policies and procedures, and determination of limits

s "ASIC2ISK-ANAGEMENT0OLICY

s2ISKMANAGEMENTPOLICYFORVARIOUSRISKSASDElNEDIN*OB0ROCEDURESAND'UIDELINES s&INANCING0OLICYRELATEDTOCREDITRISK

s 0OLICIES AND PROCEDURES AND DETERMINATION OF LIMITS ARE ADEQUATE AND REGULARLY reviewed.

Identification, measurement, monitoring and mitigation processes and risk management Information system

s 2ISKMANAGEMENTPROCESSESARECONDUCTEDANDOUTLINEDINRISKPROlLEREPORTSONA quarterly basis;

s2ISKMANAGEMENTPROCESSESAREREmECTEDINAMONGOTHERSTHEMONITORINGOFLIMITS and regular limit reviews.

Comprehensive internal control systems

4HEEFFECTIVENESSOFINTERNALCONTROLISTESTEDBYTHE)NTERNAL!UDIT7ORK5NIT

PT BCA SEKURITAS

Active supervision by the board of Commissioners and the board of directors

Active supervision by the Board of Commissioners and the Board of Directors is conducted through the following activities:

s2EGULARMEETINGSOFTHE"OARDOF#OMMISSIONERSANDTHE"OARDOF$IRECTORS s%STABLISHMENTOFORGANIZATIONSWITHREFERENCETOTHE$ECREEOFTHE#APITAL

Market and Financial Institution Supervisory Agency Number Kep-548/BL/2010 (Bapepam-LK/OJK) Regulation Number V.D.3 concerning Internal Control of Securities Companies Conducting Business Activities as A Broker-Dealer, comprising:

− Marketing Functions;

− Risk Management Functions;

− Bookkeeping Functions;

− Custodian Functions;

− Information Technology Functions; and

− Compliance Function;

as well as Research Functions outside of the six functions listed above;

s%STABLISHMENTOFTHE)NTERNAL!UDIT&UNCTIONINACCORDANCEWITH/*+2EGULATION POJK.04/2017 of September 26, 2017 on Implementation of Corporate Governance FOR3ECURITIES&IRMS!CTINGAS5NDERWRITERSAND"ROKERS

s 4HE"OARDOF#OMMISSIONERSGIVESAPPROVALREGARDINGCREDITFACILITIESACCEPTEDBY BCA Sekuritas from third parties;

s4HE"OARDOF#OMMISSIONERSENSURESMATTERSON-ONEY,AUNDERINGAND4ERRORISM Financing are discussed at Board of the Directors and the Board of Commissioners meetings;

s4HE"OARDOF$IRECTORSMAKESDECISIONSREGARDINGINTERNALPOLICY

s4HE "OARD OF $IRECTORS SIGNS ALL REPORTS IN ACCORDANCE WITH #APITAL -ARKET regulations.

Adequacy of policies and procedures, and determination of limits

s 0OLICYAND0ROCEDURESTHATAREINLINEWITH#APITAL-ARKETREGULATIONSANDAREUSED as basis for developing guidelines for BCA Sekuritas’ business activities;

s "ASIC2ISK-ANAGEMENT0OLICY

s 0OLICIES AND PROCEDURES AND DETERMINATION OF LIMITS ARE ADEQUATE AND REGULARLY reviewed;

s 0OLICIESDERIVEDFROMBASICRISKMANAGEMENTPOLICY Identification, measurement,

monitoring and mitigation processes and risk management Information system

s 2ISK MANAGEMENT PROCESSES ARE REmECTED IN REGULAR MONITORING OF THE HAIRCUT effects, customer limits, and customer daily transactions, all of which are reported regularly;

s 2ISKMANAGEMENTPROCESSESARECONDUCTEDANDRECORDEDINRISKPROlLEREPORTSEVERY semester.

Comprehensive internal control systems

)NTERNALCONTROLOFALLBUSINESSACTIVITIESISCONDUCTEDBY)NTERNAL!UDIT7ORK5NITIN accordance with Capital Market regulations.

PT ASURANSI UMUM BCA Active supervision by the board of Commissioners and the board of directors

Active supervision is conducted by the Board of Commissioners and the Board of Directors through the establishment of the following committees:

s !UDIT #OMMITTEE AND 2ISK /VERSIGHT #OMMITTEE AT THE LEVEL OF THE "OARD OF Commissioners; and

s )NVESTMENT #OMMITTEE )NSURANCE #LOSURE !CCEPTANCE #OMMITTEE AND )NSURANCE Claim Finalization Committee at the level of the Board of Directors.

Adequacy of policies and procedures, and determination of limits

s 6ARIOUSPOLICIESINCLUDINGTHEFOLLOWING

- Guidelines of the implementation of risk management;

- Authority for Claim Approval, Acceptance and Insurance Policy/Cover Note Signing;

5NDERWRITING'UIDELINES - IT Operation Guidelines;

- Manual Disaster Recovery Plan (DRP);

- Reinsurance policy guidelines;

- Corporate Investment Policy;

- Operations Cost Approval Authority, Fixed Asset Purchasing, Office/

Building Renovations;

)MPLEMENTATION'UIDELINESFOR!05AND004 - Manual Business Continuity Plan;

- Anti Fraud Guidelines;

- Financial Crisis Business Continuity Plan Policy;

- Loss Event Database (LED) administrative Guidelines

s 0OLICIES AND PROCEDURES AND DETERMINATION OF LIMITS ARE ADEQUATE AND REGULARLY reviewed.

Identification, measurement, monitoring and mitigation processes and risk management Information system

s 2ISKMANAGEMENTPROCESSESARECONDUCTEDANDRECORDEDINRISKPROlLEREPORTS s 2ISK MANAGEMENT PROCESSES ARE REmECTED IN AMONG OTHERS RISK PROlLE REPORTS

monitoring reports and regular limit reviews, company stress test simulation report, and business continuity plan testing result evalution report.

Comprehensive internal control systems

)NTERNAL SUPERVISION IS CONDUCTED BY THE )NTERNAL !UDIT 7ORK 5NIT WHICH ASSISTS management in monitoring the effectiveness of the implementation of all policies/

procedures established.

PT BCA MULTI FINANCE Active supervision by the board of Commissioners and the board of directors

Active supervision by the Board of Commissioners and the Board of Directors is conducted in the following forms:

s 2OUTINEMEETINGSOFTHE"OARDOF#OMMISSIONERSANDTHE"OARDOF$IRECTORS s 4HE"OARDOF$IRECTORSACKNOWLEDGESANDSIGNSALLREPORTSFORTHEAUTHORITIES s 4HE"OARDOF#OMMISSIONERSHASESTABLISHEDTHE2ISK/VERSIGHT#OMMITTEEWHICHIS

attached to the Audit Committee.

Adequacy of policies and procedures, and determination of limits

s "ASIC2ISK-ANAGEMENT0OLICY

s #OMPANYS ACTIVITIES ARE REGULATED IN POLICIES AND INTERNAL PROCEDURES WHICH continue to be evaluated in accordance with company objectives.

s -AINTAINING PERFORMANCES APPROPRIATE WITH THE LIMITS SET BY THE REGULATOR Determination of risk limits is contained in the authority of business and operational decision making in accordance with the organizational hierarchy

s 0OLICIES AND PROCEDURES AND DETERMINATION LIMITS ARE ADEQUATE AND REGULARLY reviewed.

Identification, measurement, monitoring and mitigation processes and risk management Information system

s 0ROCESSOF)DENTIlCATIONMEASUREMENTMONITORINGANDCONTROLOFRISKSESTABLISHED in the application of risk management. In practice, the company agreed to this implementation in order to reach properly running process in risk management.

s 4HERISKMANAGEMENTPROCESSHASBEENREPORTEDINPROlLEREPORTSEVERYSEMESTER and annually

s 4HEINFORMATIONSYSTEMCONTINUESTOBEIMPROVEDTOPROVIDEFASTANDACCURATEDATA to support the risk management process

Comprehensive internal control systems

s )NTERNALSUPERVISIONISCONDUCTEDBYTHEINTERNALAUDITDIVISION

s $OCUMENTING THE RESULTS OF THE AUDIT AND THE FOLLOWUP IS THE COMPREHENSIVE internal control system

s 4HECOMPLIANCEANDINTERNALAUDITFUNCTIONISINDEPENDENTOFTHEWORKUNITSTHAT carry out business processes. The compliance function ensures that every policy and operational activity complies regarding regulatory requirements

PT ASURANSI JIWA BCA Active supervision by the board of Commissioners and the board of directors

Active supervision is conducted by the Board of Commissioners and the Board of Directors through the establishment of the following:

s 2ISK /VERSIGHT #OMMITTEE AND !UDIT #OMMITTEE AT THE LEVEL OF THE "OARD OF Commissioners; and

s 0RODUCT$EVELOPMENT#OMMITTEE)NVESTMENT#OMMITTEEAND2ISK-ANAGEMENT Committee at the level of the Board of Directors.

Adequacy of policies and procedures, and determination of limits

s "ASIC2ISK-ANAGEMENT0OLICYANDITS)MPLEMENTATION'UIDELINESFOREACHTYPEOF risks, as defined in the job procedures and guidelines;

s 0OLICIES AND PROCEDURES AND DETERMINATION OF LIMITS ARE ADEQUATE AND REGULARLY reviewed.

Identification, measurement, monitoring and mitigation processes and risk management Information system

s 2ISKMANAGEMENTPROCESSESARECONDUCTEDANDOUTLINEDINRISKPROlLEREPORTS s 2ISK MANAGEMENT PROCESSES ARE REmECTED IN AMONG OTHERS RISK PROlLE REPORTS

monitoring reports and regular limit reviews.

Comprehensive internal control systems

Internal Audit Division has been established which reviews the effectiveness and efficiency of each operational procedure independently and periodically according to the scope of each work unit.

PT CENTRAL CAPITAL VENTURA Active supervision by the board of Commissioners and the board of directors

Active supervision is conducted by the Board of Commissioners and the Board of Directors through the establishment of the following:

s 2EGULAR MEETINGS OF THE "OARD OF #OMMISSIONERS AND THE "OARD OF $IRECTORS (minimum once in three months, based on OJK regulation No. 36/POJK.05/2015);

s %STABLISHMENT OF ORGANIZATION STRUCTURE BASED ON /*+ REGULATION .O POJK.05/2015;

s 4HE "OARD OF #OMMISSIONERS APPROVAL ON THE "OARD OF $IRECTORS REQUEST ON THE CAPITALINJECTIONTO005

s 4HE"OARDOF$IRECTORSAPPROVALONINTERNALPOLICIES

s 2EGULARMEETINGOF"OARDOF$IRECTORSAMINIMUMOFONCEAMONTHBASEDON/*+

Regulation No. 36/POJK.05/2015;

s 4HE"OARDOF$IRECTORSAUTHORIZATIONANDRESPONSIBILITIESOFALLREPORTSINCLUDINGRISK profile reports to the regulator.

Adequacy of policies and procedures, and determination of limits

s 0OLICIES AND PROCEDURES ARE IN COMPLIANCE WITH PREVAILING REGULATIONS AND ARE outlined in BCA’s guidelines and procedures and guidelines for the sustainability business;

s 0OLICIES AND PROCEDURES AND DETERMINATION OF LIMITS ARE ADEQUATE AND REGULARLY reviewed.

Identification, measurement, monitoring and mitigation processes and risk management Information system

s 2ISKMANAGEMENTPROCESSESARECONDUCTEDANDOUTLINEDINRISKPROlLEREPORTSEACH semester;

s 2ISK MANAGEMENT PROCESSES ARE REmECTED IN AMONG OTHERS RISK PROlLE REPORTS monitoring reports and regular limit reviews.

Comprehensive internal control systems

s (AVE POLICIES PROCEDURES AND DETERMINATION OF LIMITS RELATED TO CORPORATE investment;

s)NTERNALCONTROLPROCESSHASBEENCARRIEDOUTINTHEIMPLEMENTATIONOFOPERATIONAL activities.

PT BANK ROYAL INDONESIA Active supervision by the board of Commissioners and the board of directors

Active supervision by the Board of Commissioners and Board of Directors is conducted through the following form:

s 2ISK-ONITORING#OMMITTEE!UDIT#OMMITTEEAND2EMUNERATIONAND.OMINATION Committee at the Commissioner level

s 2ISK-ANAGEMENT#OMMITTEE#REDIT#OMMITTEE)43TEERING#OMMITTEEAND!SSET Liability Committee (ALCO) at the Directors level

Adequacy of policies and procedures, and determination of limits

s 'ENERAL RISK MANAGEMENT POLICY WITH THE APPLICATION GUIDELINES FOR EACH TYPE OF risk, which are explained in the implementation procedures and instructions s 0OLICIESPROCEDURESANDDETERMINATIONOFLIMITAREADEUQATEANDREGULARLYREVIEWED Identification, measurement,

monitoring and mitigation processes and risk management Information system

s 2ISK MANAGEMENT PROCESSES HAS BEEN CARRIED OUT AND OUTLINED IN THE RISK PROlLE report quarterly,

s 2ISKMANAGEMENTPROCESSESISREmECTEDINAMONGOTHERSRISKPROlLEREPORTSAND monitoring reports and regular limit reviews

Comprehensive internal control systems

The internal control function is inherent of all work units. The implementation is MONITOREDBYTHE#OMPLIANCE2ISK-ANAGEMENT5NITAND)NTERNAL!UDIT7ORK5NIT

Table A. Disclosure of the Capital Structure

Disclosure of the Bank’s capital structure (on standalone basis and consolidated) is presented in the audited Consolidated Financial Statements, note No. 45.