Indonesia Financial Crime & AML Compliance: Regulators, Laws, and What Foreign Banks Need to Know

Primary AML law: Law No. 8 of 2010 on Prevention and Eradication of Money Laundering
Data protection: PDP Law 2022
Also: PPATK, Bank Indonesia

Indonesia's AML compliance framework is anchored in Law No. 8 of 2010 on Prevention and Eradication of Money Laundering, with the Otoritas Jasa Keuangan (OJK) as the primary supervisor. Covered entities must apply CDD, file STRs and CTRs with the FIU (PPATK), and maintain five-year records. Criminal penalties reach 20 years' imprisonment; administrative sanctions include licence revocation.

Who regulates financial crime in Indonesia?

Indonesia's regulatory structure for financial crime sits across three bodies, each with a distinct mandate and supervisory scope.

OJK (Otoritas Jasa Keuangan) is the consolidated financial services authority, established by Law No. 21 of 2011 and fully operational from January 2014. It supervises banks, capital markets firms, insurance companies, pension funds, and, since the Financial Sector Omnibus Law (Law No. 4 of 2023) took effect, crypto asset service providers. OJK issues binding AML/CFT requirements through POJK (Peraturan OJK) circulars, conducts on-site examinations, and imposes administrative sanctions ranging from written warnings and management restrictions to full licence revocation. Its regulations and published sanction decisions are accessible at ojk.go.id.

PPATK (Pusat Pelaporan dan Analisis Transaksi Keuangan) is Indonesia's Financial Intelligence Unit, created by the 2010 AML law. It receives Suspicious Transaction Reports (STRs) and Cash Transaction Reports (CTRs) from approximately 6,000 reporting parties across financial institutions and designated non-financial businesses, analyses transaction flows, and disseminates intelligence to the National Police (Polri), the Attorney General's Office, and the Corruption Eradication Commission (KPK). PPATK is a member of the Egmont Group and shares intelligence internationally. Its annual reports, typology studies, and filing guidance are published at ppatk.go.id.

Bank Indonesia, the central bank, retains supervisory authority over payment system operators and e-money issuers for AML/CFT purposes. It issues its own regulations, independent of OJK's POJK framework. Institutions that fall under Bank Indonesia supervision rather than OJK will encounter a parallel but procedurally distinct examination environment. Full regulatory materials are at bi.go.id.

The KPK and the National Narcotics Agency (BNN) are the primary generators of predicate-offence cases that produce ML referrals to PPATK and downstream prosecutions under the 2010 law.

What are the key AML and fraud laws in Indonesia?

The foundational statute is Law No. 8 of 2010 on Prevention and Eradication of Money Laundering (Undang-Undang No. 8 Tahun 2010). It defines money laundering across three tiers of criminal conduct, lists 26 predicate offences including corruption, narcotics, terrorism, fraud, and human trafficking, and places obligations on "reporting parties" to apply Customer Due Diligence, file STRs and CTRs, maintain records, and cooperate with PPATK. Maximum criminal penalties are 20 years' imprisonment and a fine of up to IDR 10 billion (approximately USD 620,000) for active laundering. Passive ML, where someone handles proceeds without knowing their origin, carries lower penalties but is still prosecutable.

Law No. 9 of 2013 on Prevention and Eradication of Terrorism Financing extends the CFT framework. It criminalises providing or collecting funds for terrorist acts regardless of whether those acts occur inside Indonesia, and requires immediate STR filing on suspected terrorist financing. Tipping off the customer is a criminal offence under both the 2010 and 2013 laws.

OJK Regulation No. 12/POJK.01/2017 and its successor regulations implement the risk-based approach for OJK-supervised entities, consistent with FATF Rec 1. They set out CDD standards aligned with FATF Rec 10 and record-keeping obligations per FATF Rec 11.

Law No. 27 of 2022 (PDP Law), Indonesia's Personal Data Protection Law, came into full compliance effect in October 2024. It introduces data subject rights, lawful processing bases, and cross-border transfer restrictions. For compliance teams, this changes how KYC records, transaction histories, and STR-related documents are stored, shared with group entities overseas, and retained at end-of-relationship.

The Financial Sector Omnibus Law (Law No. 4 of 2023) consolidated and modernised the regulatory architecture, extended OJK's mandate to include crypto asset regulation, strengthened OJK's enforcement powers, and tightened beneficial ownership disclosure requirements across all supervised entities.

What controls do Indonesia regulators expect?

OJK's examination framework is risk-based and broadly aligned with FATF standards. These are the controls that consistently appear in exam scope and published sanction findings.

Customer Due Diligence. All OJK-supervised entities must apply CDD at onboarding, verify identity through government-issued documents (the national ID card, KTP, is standard for individuals), and identify Ultimate Beneficial Owners for corporate customers. Enhanced due diligence is required for PEPs, high-risk customers, and correspondent banking relationships covered by FATF Rec 13. Simplified CDD is permitted for lower-risk products where OJK has defined the eligibility conditions.

Transaction Monitoring. Entities must monitor transactions for suspicious patterns on an ongoing basis. The CTR reporting threshold is IDR 500 million (approximately USD 31,000) per transaction or set of aggregated transactions in a business day. OJK examinations have moved well past verifying that a transaction monitoring system exists; examiners now request scenario documentation, alert governance records, and tuning logs.

STR Filing. Suspicious transaction reports must reach PPATK within 3 working days of suspicion arising. The clock starts when the compliance function forms a reasonable suspicion, not when the original transaction settled.

Sanctions Screening. Entities must screen against the UN consolidated list and PPATK's national designation list. OJK guidance references OFAC and EU designations for internationally active institutions. Sanctions screening must apply at onboarding and on an ongoing basis throughout the customer relationship.

Record-Keeping. Transaction records and CDD documentation must be retained for at least five years from the end of the customer relationship. OJK expects records to be retrievable within a defined timeframe on examiner request, not just archived.

What is unique about compliance in Indonesia?

Several features make Indonesia's framework materially different from other APAC markets.

Digital ID and Dukcapil integration. Indonesia's KTP national identity card is linked to the Dukcapil population registry at the Ministry of Home Affairs. Banks are permitted to verify KTP data electronically through the Dukcapil API, which cuts identity fraud risk at account opening. The system isn't always real-time, and rural branches still rely on manual checks in many cases. Foreign banks that want Dukcapil access need formal cooperation agreements with the Ministry, a process that can take several months.

Data localisation. The PDP Law 2022 and Bank Indonesia's IT governance regulations require that financial data generated by Indonesian residents be stored on servers physically located in Indonesia. Cross-border transfers are permitted only where the destination jurisdiction has equivalent protection standards or where explicit consent has been obtained. This affects cloud-based compliance platforms, overseas group data lakes, and cross-border shared-service centres. POJK No. 11/POJK.03/2022 on IT governance for commercial banks sets out the specifics.

Beneficial ownership gaps. Presidential Regulation No. 13 of 2018 requires corporations to disclose UBOs to the Ministry of Law and Human Rights. Registry completeness is uneven in practice. Banks can't rely on registry data alone for corporate customer KYC and must build independent verification into their CDD process.

VASP regulation. Crypto asset supervision shifted from the Commodity Futures Trading Regulatory Agency (BAPPEBTI) to OJK under the 2023 Omnibus Law. OJK issued POJK No. 27/2024 on crypto asset financial services. VASPs must register with OJK, meet AML/CFT obligations equivalent to those for other financial services providers, and apply travel rule requirements per FATF Rec 15.

FATF grey list history. Indonesia was placed on FATF's Increased Monitoring list in October 2021 for gaps in beneficial ownership transparency, DNFBP supervision, and non-profit sector oversight. It was removed in February 2023 after meeting most of its action plan commitments. The grey-listing period raised correspondent banking scrutiny on Indonesian institutions across major markets. The 2018 APG Mutual Evaluation Report, available at fatf-gafi.org, remains the most detailed public technical assessment of the framework.

Recent enforcement actions in Indonesia

OJK publishes its administrative sanction decisions on its website. Between 2020 and 2024, it issued sanctions against commercial banks, rural banks (BPR), and non-bank financial institutions for AML/CFT programme deficiencies. The most common findings: inadequate CDD at account opening, failure to identify beneficial owners for corporate accounts, delayed CTR submissions to PPATK, and absent or underdocumented enhanced due diligence for high-risk customers. Sanctions in published decisions ranged from formal written warnings and management appointment restrictions to suspensions of specific business activities. OJK's full enforcement record is searchable at ojk.go.id.

PPATK's publicly available annual reports document the volume of suspicious activity passing through reporting parties. The 2022 annual report recorded over 500,000 STRs from the banking sector, with case referrals to law enforcement covering potential proceeds in the trillions of rupiah. Corruption-linked ML from KPK investigations and narcotics-connected flows from BNN referrals are the dominant prosecution categories.

Indonesia's 2021 FATF grey-listing had direct commercial consequences. Correspondent banks in Singapore, the United Kingdom, and the United States applied heightened due diligence to Indonesian counterparties throughout the monitoring period, increasing documentary requests and transaction processing delays for affected institutions.

For context on the regional penalty trajectory, the Westpac 2020 enforcement action in Australia produced an AUD 1.3 billion penalty for 23 million reporting failures, a result that demonstrated the financial consequences regulators now attach to systemic AML programme gaps. Indonesian supervisors and supervised institutions track these regional precedents closely.

What foreign banks operating in Indonesia need to know

Foreign banks in Indonesia operate through branch offices or representative offices. Full-subsidiary structures require majority Indonesian ownership, with exceptions under applicable bilateral investment treaties. Branch licences are issued by OJK and require an approved local compliance structure as a precondition to approval.

Local compliance officer. OJK requires each supervised entity to designate a Direktur Kepatuhan (compliance director) with direct regulatory accountability for the AML/CFT programme. For foreign bank branches, this person must reside in Indonesia and be OJK-approved. Personal liability under the 2010 law attaches to directors for systemic compliance failures, not just to the institution.

Reporting timelines. STRs must reach PPATK within 3 working days of suspicion arising. CTRs for cash transactions above IDR 500 million (approximately USD 31,000) are due within 14 working days. All filings go through PPATK's mandatory electronic platform, GRIPS (Gathering Reports and Information Processing System).

Language requirements. All AML policies, procedures, and regulatory reports must be in Bahasa Indonesia. Foreign banks that maintain group-level compliance documentation in English need to maintain parallel Indonesian translations. Examination correspondence with OJK and PPATK is conducted in Indonesian throughout.

Outsourcing constraints. Technology systems and AML platforms can be sourced from international vendors, but data must remain within Indonesia's borders under the localisation rules. Core compliance functions including STR decision-making and policy ownership cannot be outsourced.

Cross-border coordination. Foreign banks with existing operations in Singapore or India will find Indonesia's FATF-aligned structure broadly familiar, but the Dukcapil KYC integration, GRIPS filing system, and Bahasa Indonesia documentation requirements are Indonesia-specific. Budget 6 to 9 months for full regulatory readiness before commercial launch.

How FluxForce supports Indonesia compliance

FluxForce's real-time transaction monitoring maps directly to OJK's requirement for continuous suspicious-pattern detection across IDR-denominated and cross-border payment flows. Automated STR and CTR drafting compresses the time between a compliance alert and a PPATK submission from days to hours. PEP screening and sanctions screening run continuously against UN, OFAC, EU, and Indonesian national designation lists. Every decision produces full, auditable evidence ready for OJK examination or PPATK enquiry. For institutions subject to Indonesia's data localisation requirements, FluxForce supports on-premise and local cloud deployment. Book a demo to see the platform in practice.

FluxForce AI agents monitor transactions against Indonesia's AML obligations in real time, screen against sanctions and PEP lists, and generate audit-ready reports for OJK examinations.
