c) All DNFBP supervisory bodies should continue to focus their supervisory efforts on high-risk entities and ensure that this is aligned with their supervisory frameworks. Outreach initiatives should be enhanced to focus on developing a greater understanding of RBA and improvement in quality and volumes of STRs especially in the real estate and notaries’ sector.
353. The relevant Immediate Outcome considered and assessed in this chapter is IO.3.
The Recommendations relevant for the assessment of effectiveness under this section are R.14, 15, 26-28, 34, 35 and elements of R.1 and 40.
357. Source of funds and wealth, as well as flows of funds, are also reviewed, including audited financial statements for the last three years and tax statements for legal persons and individuals for the same period. DG Tax is asked for input when there is a concern. Credit checks are undertaken with external agencies individuals interviewed. Any changes to beneficial or legal owners or boards of commissioners or directors are notified beforehand to the OJK. It takes the same approach for new appointments as for licence applications with regard to its checks.
358. The checks described above are strong. At the licence application stage, except for some officers of insurers, officers immediately below the level of director are not assessed by OJK prior to appointment. This gap is mostly mitigated for commercial banks, which are required to undertake integrity checks on senior management and information on changes of senior management is provided to OJK on a monthly basis; the checks described above for OJK are carried out at that stage. In addition, in parts of the securities sector individuals are required to obtain a permit as a representative and are subject to an integrity test and interview by OJK.
359. During on-site inspections, OJK reconsiders the integrity of beneficial and legal owners and members of the BoC/BoD . These checks have the same level of intensity as at the application stage. In addition, as a result of trigger events, the integrity of specific individuals has been re-evaluated to the same degree during 32 special re- assessments of individuals undertaken since the beginning of 2017. The findings were negative and the individuals were subject to a restriction from becoming a shareholder or joining management of a bank for 3, 5 or 20 years. Reassessments in the capital market and insurance sectors have also been necessary and led to prohibitions. Follow up by OJK of fitness and properness of individuals is commendable.
360. OJK has also established and chairs the Illegal Investment Alert Task Force (IIATF) to target illegal fund raising and unauthorised investment management and securities and insurance broking. From the beginning of 2017 to the end of June 2022 the IIATF uncovered and suspended the activities of a significant number of illegal entities (5 275, of which the majority were internet peer to peer lending operations). The websites of these businesses were blocked and the names of the entities published. INP is a member of the IIATF. It follows up all cases and has investigated all 31 cases where one or more parties have been affected and where more than one illegal entity was involved. Investigations have led to court judgments, which are also published. The formation of the IIATF and number of illegal operations detected is very positive. There is scope to refine the success of the IIATF by increasing the number of investigations and for more comprehensive feedback on investigations and outcomes to the IIATF.
361. Checks are not specifically aimed at ascertaining whether an individual is an associate of a criminal but, when carried out, any links which could reasonably be known would become apparent.
BI
362. BI has a separate licensing department of 185 staff within its AML/CFT Division.
Training is predicated on supervision but addresses licensing; there is scope to further develop this.
363. Prior to a licence application, BI meets representatives of the applicant. This is facilitated for MC as beneficial owners and members of the BoC/BoD must be resident in Indonesia. This is a strong mitigating factor. The application must include documentation on the applicant’s structure, beneficial and legal owners, and BoC/BoD. This includes financial statements from legal persons, tax documents and capacity of individuals (background, education and integrity). The internet, a software search tool and the DTTOT list are checked. Input is sought from the PPATK, INP, OJK and DG Tax, the Ministry of Communication and Information (to ascertain if there have been any breaches of permits for the operation of electronic systems and transactions), the Ministry of Trade and the Indonesia Deposit insurance Corporation. Credit reference checks are carried out and written confirmation is sought from beneficial owners and each member of the BoC/BoD regarding absence of conviction for financial crime. Beneficial owners, shareholders and members of BoC/BoD are interviewed as necessary.
364. Persons wishing to become beneficial and legal owner or a member of the BoC/BoD must be approved by BI before taking up the role. Notifications are subject to the same level of checks as at the application stage. Non-bank MVTS and money changers are subject to re-licensing every five years.
365. The checks undertaken are very good. BI is a member of the IIATF and has also taken significant, proactive steps to close down unlicensed activity. Its monitoring of intelligence and cyber patrol activity since 2017, combined with referrals by third parties, has enabled it to identify a significant number of unlicensed entities, which have been closed down or guided to obtain a licence. A substantial number has been referred to INP for action. While BI and INP created a forum in 2019 to discuss unlicensed business, BI is not advised of the results of the referrals although it is aware that many cases are pending. There has been a significant decline in the number of cases since 2017 and the BI considers that unlicensed business is now rare. This conclusion seems appropriate. Checks are not specifically aimed at ascertaining whether an individual is an associate of a criminal but any links which could reasonably be known would become apparent.
CoFTRA
366. Futures brokers must be members of the JFE, which carries out its own fitness and propriety checks on beneficial and legal owners and the BoC/BoD. Information on applicants and a recommendation is provided by the JFE to CoFTRA. The JFE also has ongoing integrity checks.
367. CoFTRA has a separate licensing department of 13 staff (9 for futures brokers and 4 for VASPs). There is technical training which is specific to the department and staff also attend other events (including on VASPs since 2020); there is scope for more intensive training.
368. Information provided by the applicant includes the background and profile of beneficial and legal owners and BoC/BoD. The internet, the DTTOT list and list of asset declarations of public servants are checked and input sought from other departments within CoFTRA, OJK and BI, the PPATK and the Ministry of Higher Education. INP confirmation of absence of conviction is also obtained. CoFTRA pays attention to the source of funds and wealth. Financial statements and other information are provided by companies and individuals, and DG Tax is contacted to ascertain whether they are in good standing.
369. There are few foreign beneficial or legal owners of futures brokers. For these, CoFTRA requires confirmation of an absence of convictions from the Police or other relevant authority. Where a foreign supervisory authority is relevant, CoFTRA requires a letter of comfort from that authority. COFTRA is advised of potential beneficial and legal owners and BoC/BoD, before occupying their positions; these changes are subject to the same scrutiny as at the application stage. The tests carried out by the CoFTRA are identical for VASPs. CoFTRA demonstrated its understanding of the business models and risks of individual VASPs. Few VASPs have foreign ownership (and these also have Indonesian beneficial owners). CoFTRA does not explicitly consider associates of criminals but association would most likely be uncovered by its checks. Overall, the checks are of sound quality.
370. There is substantial activity in searching websites for unlicensed activity. CoFTRA has referred a substantial number of cases to INP for investigation and provided expert advice when a case has reached Court. The main illegality has arisen from phishing and scamming, including the establishment of fake websites, duplicating those of existing licensees, promising a steady income from options trading, and selling fake crypto coins. During 2017-2022, CoFTRA has blocked some 3 450 website, application, social media accounts, and published each case. CoFTRA is also a member of the IIATF. There is coordination with OJK and INP to follow up consequences from illegal activity. More proactive information on investigations and outcomes could be provided by INP.
PPATK
371. As the Post Office is owned by the Government of Indonesia, the PPATK focuses its attention on the BoC/BoD. Vacancies are notified publicly and prior to any appointment, the individual must be approved by the Ministries for State Owned Enterprises and Communication and Information, which are responsible for fit and proper checks. As part of a panel acting for the Ministries, the PPATK coordinates the checks to satisfy itself that the individual has not been involved with criminality.
The State Secretariat and State Intelligence undertake checks of their systems. The approach for the BoC/BoD is sound. While there is no explicit consideration of whether or not a person might be an associate of a criminal, in practice the checks undertaken by the various agencies involved with the panel would likely uncover any association. Checks on the fitness and propriety of management below the level of director are not undertaken under formal supervisory powers but the Post Office has its own criminality and integrity checks for senior managers, including consulting with the PPATK, which then operates it checks. The PPATK is comfortable that this approach has prevented criminals from being appointed as senior managers. Ongoing monitoring of the BoC/BoD is undertaken by the Audit Committee responsible to the Minister for State Owned Enterprises and the PPATK is consulted if there are issues. There are also some controls in place in the Post Office. The overall approach is good although there would be merit in establishing a more formal approach for the authorities in relation to senior management at the appointment stage.
DNFBP
372. Licensing, registration and other controls relating to notaries, lawyers and accountants rely on existing entry criteria, through the MLHR, Bar Association and the MoF respectively. This includes meeting minimum education and competency requirements, and not holding a criminal record for the last 5 years at start of activity evidenced by an original police clearance.
373. A DNFBP can perform a business either as a registered entity (LLC), as a non- registered entity (partnerships, firms etc) or as a natural person. For LLC, initial screening for registration is limited to DTTOT list-screening. There are no screening provisions for non-registered DNFBPs. All registered DNFBPs are subject to ML/TF review through the initial notarial risk aligned registration processes. Rejections of LLC registration relate mainly to the naming conventions applied by the registration system.
374. DNFBPs are required to obtain a trade licence from local government, which must be renewed on an annual basis. Criminal check process could not be substantiated in this process. The level of scrutiny for both trade licences and registration extend only to beneficial owners and excludes persons with a significant or controlling interest or persons holding a management function.
375. Other than obtaining a trade licence from local government, requiring a basic police certificate, and voluntary registration with the Estate Agency Associations and International gold standard setting bodies, there are no specific licensing requirements for the non-professional DNFBPs. Under these conditions, nothing prevents criminals and their associates from holding or being the beneficial owner of these DNFBPs outside of regulated professions.
376. Licensing breaches relating to DNFBPs could not be effectively demonstrated, for initial licensing of an entity and where ongoing changes are made to an entities structure. It is not clear what the ongoing monitoring conditions are. During supervisor’s inspections, PEP/TF screening is conducted. In case of a positive match, supervisory authorities would refer to the LEAs for consideration to revoke a trade license. There have been cases where notaries were convicted of a criminal offence and their accreditation was revoked as matter of course through civil proceedings. Indonesia also provided one example of licence revocation in 2019 of a public accountant owing to a guilty charge of a criminal act as part of ongoing monitoring. No revocation of license has been evidenced for PPATK regulated DNFBPs.
Supervisors’ understanding and identification of ML/TF risks Financial institutions and VASPs
377. Overall, the three main FI supervisory authorities have a very good understanding of ML risk. The understanding of TF risk is not at the same level as for ML risk.
378. Close links with the PPATK benefit each authority’s understanding of risk. There is very good beneficial routine contact between the supervisors and the PPATK, extending to sharing final on-site inspection reports, joint inspections and a daily newsletter provided by the PPATK. The FI supervisory authorities also benefit from input from other authorities such as the KPK, BNN and INP.
OJK
379. OJK has been involved with each iteration of the ML/TF NRAs. It undertook a SRA for the finance sector in 2017, 2019 and 2021. These documents provide an important basis for the understanding of risk, as does off-site information, combined with on-site inspections.
380. OJK has recently changed its systems to centralise information, which has led to easier assessment and understanding of the material. This includes twice yearly reports from banks’ and NBFIs’ internal auditors (AML/CFT is always covered in internal audit); twice yearly reports from the BoC (which covers AML/CFT for banks and NBFIs (in a limited way)), twice yearly compliance reports from banks, capital market firms and NBFIs which include a substantial component on AML/CFT; and anti-fraud strategy reports, twice yearly from banks and annually from capital market firms and NBFIs. The anti-fraud reports provide a key input into OJK’s analysis as to how firms might be used for predicate criminality (e.g., the banking crime risk which features in the NRA). More generally, the reports as a whole point to the level of governance and controls. OJK also receives a completed survey each year from licensees in all sectors (amended to take into account some structural/market factors for each sector). This is a statistical document which, for banks, includes information on deposits, the number of customers at each risk level, PEPs, private banking customers, electronic banking, correspondent banking and money transfers. These off-site supervisory documents are useful although they should be enhanced to provide more detail (including in relation to controls) and to allow more demonstrable and detailed exploration of the various types of risk, including risks specific to Indonesia, TF risks, and the differing geographic risks for ML and TF.
381. OJK routinely meets all banks and NBFIs at least once a year. Ad hoc meetings are held with capital market licensees. FIs also provide reports to OJK via the SIGAP system in relation to the DTTOT list (see IO.10 and IO.11). OJK has established links with the private sector through a PPP for banks, which has considered business email compromise and TBML issues. OJK also benefits from its participation in supervisory colleges. It receives input from on-site inspections by foreign supervisors on group entities in Indonesia, and from its own inspections of group entities abroad.
382. There is routine dialogue with the PPATK. OJK provides the PPATK with an annual report on its activities and views on risks. The two authorities meet annually to consider the report, the on-site inspection plan for the following year and statistics in relation to STRs and CTRs. In addition, OJK has access to the goAML system and considers STRs and CTRs made by individual FIs prior to an on-site inspection. The PPATK also provides STR/CTR data on individual cases on request by OJK. More generally, STR/CTR data for each firm is provided by the PPATK to OJK each time a SRA is undertaken. This data is used to develop red flags. OJK’s liaison with other authorities is also positive for its understanding of risk. This has included the BNN, KPK, MoHA, and MLHR.
383. FIs are rated under a methodology; there are a few differences between the business factors and structural factors for the various sectors. The methodology has been amended over time, reflecting the importance OJK attaches to robust and understandable risk categorisation. The assessment process is systematic and allows OJK to focus its supervision. As with the off-site returns by FIs, the AT considers the methodology would benefit from more detail across the various risk components, including TF risk, and geographic risk for each of ML and TF and addressing the specific risks faced by Indonesia in a detailed way. Written materials demonstrate that considerable thought has been applied to risk ratings by OJK over the period under review. Nevertheless, the pattern and number of FIs at some risk levels in some sectors suggests that recalibration of thresholds would be appropriate.
384. Risk ratings are considered on an annual basis for high-risk licensees, at least every two years for medium risk licensees and at least every three years for low-risk licensees. Ratings are also considered when there are trigger events (e.g., a change of beneficial owner, management or strategy or mergers of firms). Ratings have been revised as a result. In addition, more fundamental factors have led to revisions, in particular in the securities sector as a result of cases and improvements to the risk assessment methodology for most sectors.
BI
385. BI has been involved with each iteration of the ML and TF NRAs. It undertook a SRA of MC and MVTS in 2017 and updated this earlier in 2022. Questionnaires were issued to all firms. There is also significant input from the PPATK and weighting towards that input including data and frequency of each provider’s STR and criminal justice outcomes. While BI uses the outcomes of its supervision there is scope to exercise more judgment based on supervision and further ML/TF information in risks obtained to support this judgement.
386. BI receives two annual reports from FIs. One is a report on governance by the BoD, which refers to compliance matters, including AML/CFT, in a general way. The second is dedicated to the effectiveness of AML/CFT controls, including reference to STRs/CTRs filed with the PPATK. BI also receives monthly transaction reports from MC on the number of purchase and sale transactions and from MVTS on incoming, outgoing and domestic remittances, together with monthly fraud reports.
It also receives reports on changes to the management structure, capital structure or shareholding of licensees as they occur. These provide useful information, as do self-assessment reports provided by licensees prior to an on-site inspection.
Overall, BI would benefit from receiving more detail from firms.
387. FIs are risk rated into one of five risk levels. The general pattern has been for ratings to reduce in riskiness; the AT has a concern that the absence of any MC or MVTS rated as high risk (dating back several years) means that the risk profiling methodology is unbalanced to some extent. BI demonstrated thoughtfulness of approach, including consideration of regional risks, and has noted that a focus on outreach has had a positive effect on controls. Risk ratings are considered annually and after trigger events. Ratings have changed as a result. Overall, there is scope for greater detail in the risk assessment.