Updated: Mar 6
The Indonesian Financial Services Authority (OJK) has just issued a guideline on the implementation of Anti-Money Laundering and Counter-Terrorism Financing for Peer-to-Peer Lending Providers (P2P Company), as regulated in OJK’s Circular Letter Number 6/SEOJK.05/2021 (Guideline). The OJK stipulates that this Guideline is issued following a mandate from Article 68 of OJK Regulation Number 12/POJK.01/2017 on Implementation of Anti-Money Laundering and Counter-Terrorism Financing Requirement in Financial Services Sector, as lastly amended by OJK Regulation Number 23/POJK.01/2019. Further, the OJK believes that the nature of peer-to-peer lending (P2P) business and its products/services development is susceptible to be used as a means of Money Laundering, Terrorism Funding, and/or Funding for the Proliferation of Weapons of Mass Destruction (MLTF). Therefore, it is necessary to improve the quality of the implementation of a counter-MLTF program with a risk-based approach and following international general principles.
This article will focus on the steps to be taken by the P2P Company and key regulations as regulated in the Guideline. There are six steps that must be taken by the P2P Company to implement the counter-MLTF program, i.e. (1) identifies the risks, (2) stipulates risk-tolerance, (3) compiles risk mitigation and control measures, (4) evaluates residual risk, (5) adopts a risk-based approach, and (6) reviews and evaluates the existing risk-based approach.
Identifies the Risks
The P2P Company must first identify the risks and set a risk scale based on their identification. The P2P Company may identify the risks based on the following criteria:
country/geographical area/jurisdiction’s risks;
products/services/transactions’ risks; and
delivery channels’ risks.
After identifying the risks and setting a risk scale, the P2P Company must stipulate its risk-tolerance. Risk-tolerance is the maximum level and type of risks that can be tolerated or implemented and determined by the P2P Company.
Compiles Risk Mitigation and Control Measures
The third and one of the most important steps to be conducted by the P2P Company is to compile its risk mitigation and control measures. To conduct this, there are five pillars to be implemented by the P2P Company:
Active Supervision of the Board of Directors (BOD) and Board of Commissioners (BOC)
The BOD and BOC are expected to play an active role in supervising the implementation of the counter-MLTF program of the P2P Company. Below are the roles of the BOD and BOC, as stipulated in the Guideline:
ensure that the P2P Company has policies and procedure for counter-MLTF;
propose the policies and procedure of counter-MLTF of the P2P Company to the BOC, including mitigation on the risks, which shall at least cover the following:
background in formulating policies and procedures;
structure, duties, authorities, and responsibilities of special work units (UKK) and/or officials appointed as person in charge of implementing the counter-MLTF program (Appointed Officials);
counter-MLTF policies and procedures;
supervision of the implementation of the counter-MLTF program; and
internal control plan;
establish a UKK and/or appoint Appointed Officials;
provide clear direction on policies, supervision, as well as risk management and mitigation procedures of MLTF;
ensure the implementation of the stipulated counter-MLTF program;
supervising on the compliance of UKK and/or the Appointed Officials in implementing the counter-MLTF program;
carry out monitoring and risk mitigation actively, particularly those related to customer’s risks, country/geographical area/jurisdiction’s risks, products/services/transactions’ risks, and delivery channels’ risks;
ensure that the written policies and procedures on counter-MLTF are inline with the changes and development of products, services, and technology in financial services sectors and development on the means of MLTF;
ensure that all employees have attended training concerning the implementation of the counter-MLFT periodically;
provide technical approval of policies, supervision, as well as procedures for managing and mitigating risks of MLTF;
provide technical approval of policies, procedures, business plan, and/or electronic system by considering MLTF risks; and
ensure the security of intended information for confidential purposes.
The BOD must appoint a person in charge of the counter-MLTF program, who should report directly to the BOD. If no person is appointed, one member of the BOD can be the person in charge. Nonetheless, this member of BOD can only perform compliance and risk management function as his/her duty.
approve written policies and procedures of counter-MLTF proposed by the BOD;
supervise the performance of duties and responsibilities of the BOD for the implementation of the counter-MLTF program;
ensure that there is a discussion for MLTF in a BOD and BOC meeting; the meeting can discuss among others:
handling of problems and/or obstacles during the implementation of the counter-MLTF program;
update of laws and regulations or means of MLTF;
effectivity of the implementation of the counter-MLTF program.
Policies and Procedures
The P2P Company must have policies and procedures on the counter-MLTF. These policies and procedures must observe the know your customer principle and shall at least contain the following content:
identification and verification of prospective customers or customers; this can also be done electronically if the P2P Company has the ability, facilities, and infrastructures;
identification and verification of beneficial owner of the prospective customers or customers;
closure of business relation or rejection on a transaction;
management of MLTF risks related to customer’s risks, country/geographical area/jurisdiction’s risks, products/services/transactions’ risks, and delivery channels’ risks;
maintenance of accurate data related to transactions, administration of the Customer Due Diligence (CDD) process, as well as administering policies and procedures;
specific for the CDD, the Guideline stipulates that CDD must be conducted at:
conducting business relations with prospective customers or transactions with customers;
there are financial transactions in rupiah currency and/or foreign currency which value is at least or equivalent to IDR 100,000,000.00 (one hundred million Rupiah);
there are indications of suspicious related financial transactions with MLTF; or
the P2P Company doubted the accuracy of the information provided by the prospective customers, customers, attorneys, and/or beneficial owner;
further, the Guideline also stipulates that in addition to CDD, the P2P Company is obliged to conduct enhanced due diligence (EDD) for high-risk customers or customers who are from high-risk jurisdiction/geographical area; the P2P Company must also update the data to ensure that the data is the latest (once a year for high-risk customers, once in two years for medium-risk customers, and once in three years for low-risk customers);
thus, it is expected that the P2P Company should include these requirements in its policies and procedures;
updating and monitoring;
reporting to senior officials, the BOD and BOC; and
reporting to the Indonesian Financial Transaction Reports and Analysis Centre (PPATK).
The Guideline emphasizes that to ensure the effectiveness of the counter-MLTF program, the P2P Company must implement it into internal management. The internal management must at least contain:
adequate policies, procedures, and internal management, so that the P2P Company can detect a deviation in implementation of the counter-MLTF program;
provision of a system that can accurately identify, monitor, and report any suspicious financial transactions;
provisions related to training on the application of the counter-MLTF program to all employees;
procedures for random sampling to test the effectiveness of program implementation;
the requirement to have internal independent audits to test the counter-MLTF program compliance and effectiveness.
Management Information System
The P2P Company must have a management information system to identify, analyze, monitor, and provide reports effectively on the characteristics of transactions carried out by its customers by using parameters that are adjusted periodically. The management information system must also consider business complexity, transaction volume, and risk
owned by the P2P Company.
Human Resources and Training
The Guideline stipulates that to avoid the P2P Company being used as means of MLTF by an internal party of the company, the P2P Company must have (i) screening procedures for hiring new employees (pre-employee screening) as part of its know your employee policy; and (ii) implement a policy of recognizing and monitoring of its employees’ profiles.
Also, the P2P Company must conduct continuous training for their employees on the counter-MLTF program. The training should also establish the roles and responsibilities of the employees in preventing and countering the MLTF.
Evaluates Residual Risk
The next step for the P2P Company is to evaluate residual risk. By evaluating the residual risk, the P2P Company is expected to evaluate the residual risk that it has and to adjust on the level of risks that it has and the level of risks that it can tolerate/accept.
Adopts a Risk-Based Approach
Another important step to be taken by the P2P Company is to adopt a risk-based approach. By adopting a risk-based approach, the P2P Company is expected to:
be able to ensure that the risk assessment is carried out has described a risk-based approach, frequency of monitoring low and high risks customers, and described internal control measures implemented to reduce the identified high risks;
apply a risk-based approach;
update data and information on the customers and beneficial owners;
monitor all of the business relations;
conduct more frequent monitoring of high-risk business relationships;
take certain steps towards high risks customers; and/or
involve senior officials in dealing with situations or high-risk areas.
Reviews and Evaluates the Existing Risk-Based Approach"
The last step to be taken by the P2P Company to implement its counter-MLTF program is to review and evaluate the existing risk-based approach. By doing so, the P2P Company can:
conduct a review based on its needs;
produce a review that includes compliance policies and procedures, risk assessment on MLTF, and training program to test the effectiveness of the risk-based approach;
administer the review process and report to senior officials; and
administer the results of the joint review by determining corrective steps to be followed up.
In addition to the above, the Guideline also requires the P2P Company to submit a report to OJK (among others (i) reports on data updating activity plans and reports on the realization of data updating activities; and (ii) reports on changes to policy adjustments and procedures for the counter-MLTF program) and to PPATK.
Considering that P2P business has become a hot seat business in Indonesia, the concern of OJK is valid that the P2P business may be abused as a means of MLTF. Thus, the issuance of this Guideline is on point and in line with the spirit of the government to combat MLTF activities. The Guideline also provides detailed guidance for the P2P Company – therefore it may ease the burden of the P2P Company in preparing for its policies and procedures of the counter-MLTF program.
For further information, please contact:
Freddy Karyadi, Partner, ABNR
+62 818 103 949
Anastasia Irawati, Senior Associate, ABNR