2011-11-02

Bank Indonesia Regulation Number 13/23/PBI/2011 Concerning The Implementation Of Risk Management In Islamic Commercial Banks And Islamic Business Units

Bank Indonesia issued Regulation Number 13/23/PBI/2011 to mandate comprehensive risk management frameworks for Islamic Commercial Banks and Islamic Business Units. The regulation requires these institutions to establish robust governance structures, including active supervision by the Board of Commissioners and Directors, while ensuring all risk mitigation measures comply with Sharia Principles. It further stipulates specific obligations for risk identification, measurement, internal control, and the submission of quarterly risk profile reports to the central bank.

Indonesia

Bank Indonesia

BANK INDONESIA

Unofficial Translation

BANK INDONESIA REGULATION NUMBER 13/23/PBI/2011 CONCERNING THE IMPLEMENTATION OF RISK MANAGEMENT IN ISLAMIC COMMERCIAL BANKS AND ISLAMIC BUSINESS UNITS

WITH THE GRACE OF THE ALMIGHTY GOD

THE GOVERNOR OF BANK INDONESIA,

Considering:

  a. whereas the business activities of Islamic banks are not free from risks which may disrupt the sustainability of the banks;
  b. whereas the characteristics of products and services of Islamic banks require functions of identification, measurement, supervision and control of risks in accordance with the business activities of Islamic banks;
  c. whereas the measures which are taken by Islamic banks in mitigating risks should comply with the Sharia Principles;
  d. whereas the management of each functional activity of the banks shall be integrated into a system and a process of risk management which are accurate and comprehensive;
  e. whereas based on the consideration as referred to in letter a, letter b, letter c and letter d, it is necessary to issue Bank Indonesia Regulation concerning the Implementation of Risk Management in Islamic Commercial Banks and Islamic Business Units;

Observing:

  1. Act Number 23 of 1999 concerning Bank Indonesia (State Gazette of the Republic of Indonesia Number 66 of 1999, Supplement to State Gazette of the Republic of Indonesia Number 3843) as amended several times and last by Act Number 6 of 1999 concerning the Establishment of Government Regulation in lieu of Act Number 2 of 2008 concerning the Second Amendment to Act Number 23 of 1999 concerning Bank Indonesia into Law (State Gazette of the Republic of Indonesia Number 7 of 2009, Supplement to State Gazette of the Republic of Indonesia Number 4962);
  2. Act Number 21 of 2008 concerning Islamic Banking (State Gazette of the Republic of Indonesia Number 94 of 2008, Supplement to State Gazette of the Republic of Indonesia Number 4867);

HAS DECREED

To enact: THE IMPLEMENTATION OF RISK MANAGEMENT IN ISLAMIC COMMERCIAL BANKS AND ISLAMIC BUSINESS UNITS

CHAPTER I GENERAL PROVISIONS

Article 1

The terminology used in this Bank Indonesia Regulation has the following meanings:

  1. Bank is any Islamic Commercial Banks and Islamic Business Units.
  2. Islamic Commercial Bank, hereinafter referred to as BUS, is an Islamic Commercial Bank as referred to in Act Number 21 of 2008 concerning Islamic Banking.
  3. Islamic Business Unit, hereinafter referred to as UUS, is an Islamic Business Unit as referred to in Act Number 21 of 2008 concerning Islamic Banking.
  4. Conventional Commercial Bank, hereinafter referred to as BUK, is a Conventional Commercial Bank as referred to in Act Number 21 of 2008 concerning Islamic Banking which has an Islamic Business Unit.
  5. Risk is any potential loss as a result of certain events.
  6. Risk Management is a series of methodology and procedures used to identify, measure, monitor, and control Risks which arise from all business activities of the Bank.
  7. Credit Risk is any Risk which occurs as a result of the failure of the customer or other parties to fulfill the obligations to the Bank in accordance with the agreement which has been agreed to.
  8. Market Risk is any Risk at the position of the balance sheet and administrative accounts as a result of changes in the market price, including a risk in the form of a change in value of assets which can be traded or leased.
  9. Liquidity Risk is any Risk which occurs as a result of the Bank’s inability to fulfill the obligations which are due using the funding from the cash flow and/or high-quality liquid assets which can be put as collateral without causing any disruption to the Bank’s activities and financial conditions.

  10. Operational Risk is any Risk which occurs as a result of insufficient internal processes, failure in internal processes, human errors, system failure, and/or the occurrence of external events which affect the operations of the Bank.
  11. Legal Risk means any Risk which occurs as a result of legal claims and/or weak juridical aspects.
  12. Reputation Risk means any Risk which occurs as a result of a decline in stakeholders’ trust because of a negative perception of the Bank.
  13. Strategic Risk is any Risk which occurs as a result of failure in the making and/or implementing of strategic decisions and failure to anticipate the changing business environment.
  14. Compliance Risk is any Risk which occurs because the Bank does not comply with and/or does not implement the applicable laws and regulations and provisions as well as the Sharia Principles.
  15. Rate of Return Risk is any Risk which occurs as a result of a change in the rate of return paid by the Bank to its customers because there is a change in the rate of return received by the Bank from the distribution of funds, which may affect the behavior of the customers of the third party funds.
  16. Equity Investment Risk is any Risk which occurs because the Bank shall also bear the losses of the customer’s business which has been financed through the profit-and-loss sharing financing.
  17. Board of Directors is Board of Directors as referred to in Act concerning Limited Liability Companies.
  18. Board of Commissioners is Board of Commissioners as referred to in Act concerning Limited Liability Companies.

  19. Subsidiary Company is a legal entity or a company which is owned and/or controlled by a BUS directly or indirectly both within the country and/or overseas and is engaged in business activities in field of finance, and which consists of:
      a. Subsidiary Company is a Subsidiary Company with more than 50% (fifty percent) of ownership of the BUS.
      b. Participation Company is a Subsidiary Company with 50% (fifty percent) or less of ownership of the BUS, but the BUS has the Control over the company;
      c. Any company with more than 20% (twenty percent) to 50% (fifty percent) of ownership of the BUS that meets the requirements as follows:
         i. the ownership of the BUS and that of other parties in the Subsidiary Company is of the same percentage; and
         ii. each owner holds the collective Control over the Subsidiary Company;
      d. Other entities in accordance with the applicable Financial Accounting Standards shall be consolidated.

CHAPTER II SCOPE OF RISK MANAGEMENT

Article 2

(1) Banks shall implement Risk Management effectively.

(2) Risk Management as referred to in paragraph (1) in a BUS shall be implemented individually and in consolidation with the Subsidiary Company.

(3) Risk Management as referred to in paragraph (1) in a UUS shall be implemented to all business activities of the UUS, constituting an integral part of the implementation of Risk Management in the BUK.

Article 3

The implementation of Risk Management as referred to in Article 2 paragraph (1) shall at least include:
  a. active supervision of the Board of Commissioners, the Board of Directors and the Sharia Supervisory Board;
  b. adequate policy, procedure, and limit of Risk Management;
  c. adequate process of identification, measurement, monitoring, and control of Risks and Risk Management information system; and
  d. a comprehensive internal control system.

Article 4

The implementation of Risk Management as referred to in Article 3 shall be adjusted to the purpose, business policy, size and complexity of the business and the ability of the Bank.

Article 5

(1) Risks as referred to in Article 3 shall include:
  a. Credit Risks;
  b. Market Risks;
  c. Liquidity Risks;
  d. Operational Risks;
  e. Legal Risks;
  f. Reputation Risks;
  g. Strategic Risks;
  h. Compliance Risks;
  i. Rate of Return Risks;
  j. Equity Investment Risks.

(2) The Bank shall implement Risk Management according to the types of Risks as referred to in paragraph (1) letter a, letter b, letter c, letter d, letter e, letter f, letter g, and letter h.

(3) In addition to the obligation as referred to in paragraph (2), the Bank also shall implement Risk Management against the types of Risks as referred to in paragraph (1) letter i and letter j.

(4) The implementation of Risk Management as referred to in paragraph (3) has not been included in the assessment of the Bank’s Risks.

CHAPTER III ACTIVE SUPERVISION OF THE BOARD OF COMMISSIONERS, THE BOARD OF DIRECTORS, AND THE SHARIA SUPERVISORY BOARD

Part One General

Article 6

The Bank shall determine the authority and responsibilities of each position relevant to the implementation of Risk Management as referred to in Article (2).

Part Two Authority and Responsibilities of the Board of Commissioners

Article 7

The authority and responsibilities as referred to in Article 6 of the Board of Commissioners shall at least include:
  a. to approve and evaluate the policy on Risk Management.
  b. to evaluate the accountability of the Board of Directors for the implementation of Risk Management Policy as referred to in letter a.

Chapter Three Authority and Responsibilities of the Board of Directors

Article 8

(1) The authority and responsibilities as referred to in Article 6 of the Board of Directors shall at least consist of:
  a. to prepare the Risk Management policy and strategy which are written and comprehensive;
  b. to be accountable for the implementation of the Risk Management policy and Risk exposure taken by the Bank as a whole;
  c. to evaluate and decide transactions which need the approval of the Board of Directors;
  d. to develop the culture of Risk Management in all parts of the organization;
  e. to ensure improvement of human resources competence which is related to Risk Management;
  f. to ensure that the Risk Management function is independent in its operations;
  g. to conduct a periodic review in order to make certain:
     1. the accuracy of the methodology used to assess Risks;
     2. the adequacy in the implementation of Risk Management Information System; and
     3. the appropriateness of the policy, procedure and limit of Risks.

(2) In order to exercise and carry out the authority and responsibilities as referred to in paragraph (1), the Board of Directors shall have sufficient understanding of Risks which are inherent in all functional activities of the Bank and be able to take the necessary measures in accordance with the Bank’s Risk profile.

(3) The authority and the responsibilities of the Board of Directors as referred to in paragraph (1) in a UUS is exercised and carried out by the Director of the UUS.

Part 4 Authority and Responsibilities of the Sharia Supervisory Board

Article 9

The authority and the responsibilities for the Sharia Supervisory Board as referred to in Article 6 shall at least include:
  a. to review the Risk Management policy in connection with the compliance with the Sharia Principles; and
  b. to evaluate the accountability of the Board of Directors on the implementation of the Risk Management policy in connection with the compliance with the Sharia Principles as referred to in letter a.

CHAPTER IV POLICY, PROCEDURE, AND DETERMINATION OF LIMITS

Part One Risk Management Policy

Article 10

The Risk Management Policy as referred to in Article 3 paragraph (1) letter b shall at least contain:
  a. the determination of Risks in connection with banking products and transactions;
  b. the determination of measurement method and Risk Management information system;
  c. the determination of limit and Risk tolerance;
  d. the determination of assessment of Risk rating;
  e. the preparation of a contingency plan to anticipate any worst condition;
  f. the establishment of internal control system in the implementation of Risk Management.

Part Two Procedure and Determination of Risk Limits

Article 11

(1) The procedure and determination of Risk limits as referred to in Article 3 paragraph (1) letter b shall be adjusted to the Risk appetite against the Bank’s Risks.

(2) The procedure and determination of Risk limit as referred to in paragraph (1) shall at least contain:
  a. Clear accountability and levels in the delegation of authority;
  b. A periodic review of the procedure and determination of limits;
  c. Adequate documentation of the procedure and determination of limits.

(3) The determination of Risk limits as referred to in paragraph (2) shall include:
  a. Overall limits;
  b. Limits for each type of Risks; and
  c. Limits for each functional activity which has a Risk exposure.

CHAPTER V PROCESS OF RISK IDENTIFICATION, MEASUREMENT, AND CONTROL AND RISK MANAGEMENT INFORMATION SYSTEM

Part One General

Article 12

(1) The Bank shall carry out the process of Risk identification, measurement, monitoring and control as referred to in Article 3 paragraph (1) letter c against all risk factors which are material.

(2) The process of Risk identification, measurement, monitoring and control as referred to in paragraph (1) shall be supported by:
  a. Prompt Risk Management information system; and
  b. Accurate and informative reports on the Bank’s financial conditions, performance of functional activities and Risk exposure.

Part Two Process of Risk Identification, Measurement, Monitoring and Control

Article 13

(1) The process of Risk identification shall be carried out by conducting an analysis of at least:
  a. The characteristics of Risks which are inherent to the Bank; and
  b. The Risks of the Bank’s products and business activities.

(2) In the process of Risk measurement, the Bank shall perform at least:
  a. a regular evaluation of the conformity of the assumptions, source of data and the procedure used to measure Risks;
  b. the refinement of the Risk measurement system in the event of material changes in the Bank’s business activities, products, transactions and risk factors which may affect the Bank’s financial condition.

(3) In the Risk monitoring, the Bank shall at least perform:
  a. The evaluation of Risk exposure;
  b. The refinement of the reporting process in the event of material changes in the Bank’s business activities, products, transactions, risk factors, information technology and Risk Management information system.

(4) The Bank shall take some measures to control Risks which may put the Bank’s business sustainability in danger.

(5) The determination of Risk control measures as referred to in paragraph (4) shall be in compliance with the Sharia Principles.

Part Three Risk Management Information System

Article 14

(1) Risk Management Information System as referred to in Article 3 paragraph (1) letter c shall at least include a report or information about:
  a. Risk exposure;
  b. the compliance with the policy and procedure as well as the determination of limits as referred to in Article 10 and Article 11;
  c. the realization of the implementation of Risk Management compared with the previously set target.

(2) The report or information generated by Risk Management information system as referred to in paragraph (1) shall be delivered regularly to the Board of Directors.

(3) Risk Management Information System as referred to in paragraph (1) in a UUS may utilize the technology of information system which is utilized in the Risk Management information system of a BUK.

CHAPTER VI INTERNAL CONTROL SYSTEM

Part One General

Article 15

(1) The Bank shall effectively implement the internal control system on the running of the business activities and the operations in all levels of the Bank.

(2) The implementation of the internal control system in a UUS may be combined with the internal control system of a BUK.

Article 16

(1) The implementation of the internal control system as referred to in Article 15 shall at least be able to detect the weakness and irregularities in a timely manner.

(2) The internal control system as referred to in paragraph (1) shall ensure:
  a. the compliance with the applicable laws and regulations and the Bank’s policy or internal regulations;
  b. the availability of accurate, efficient and prompt financial and management information;
  c. effectiveness and efficiency in the operations; and
  d. effectiveness of risk culture on the Bank organization as a whole.

Part Two Internal Control System in the Implementation of Risk Management

Article 17

(1) The internal control system in the implementation of Risk Management as referred to in Article 3 paragraph (1) letter d shall at least contain:
  a. the conformity of the internal control system with the type and level of Risks which are inherent in the Bank’s business activity;
  b. the determination of the authority and responsibility for monitoring compliance with the policy, procedure and limits as referred to in Article 10 and Article 11;
  c. the determination of clear reporting line and separation of the function of operating unit and the work unit which carries out the controlling function;
  d. the organizational structure which clearly describes the Bank’s business activities;
  e. accurate and prompt financial reporting and operational activities;
  f. adequacy of procedures which ensure compliance of the Bank with the applicable laws and regulations;
  g. an active, independent, and objective review of the procedure for assessment of the Bank’s operations;
  h. adequate testing and review of Risk Management information system;
  i. the complete and sufficient documentation of the operating procedure, scope and findings of the audit and the opinion of the Bank’s management based on the results of the audit;
  j. regular and sustainable verification and review of the efforts to handle the Bank’s material weaknesses and the measures taken by the Bank to correct the irregularities.

(2) The review of the internal control system in the implementation of Risk Management as referred to in paragraph (1) shall be conducted by the internal audit work unit (SKAI).

CHAPTER VII ORGANIZATION AND FUNCTIONS OF RISK MANAGEMENT

Part One General

Article 18

(1) In the effective implementation of the process and system of Risk Management as referred to in Article 2, the Bank shall establish:
  a. a Risk Management committee; and
  b. a Risk Management work unit.

(2) The Risk Management committee and the Risk Management work unit of the UUS as referred to in paragraph (1) may be established independently or jointly with those of the BUK in accordance with the complexity of UUS’ business and the Risks inherent in the UUS.

Part Two Risk Management Committee

Article 19

(1) A Risk Management committee as referred to in Article 18 paragraph (1) letter a in a BUS shall at least be composed of:
  a. the majority of the members of the Board of Directors; and
  b. the relevant executive officers.

(2) In the event that the Risk Management committee in the UUS as referred to in Article 18 paragraph (2) is established independently, the members of the Risk Management committee shall at least be composed of:
  a. the directors of UUS;
  b. the director in charge of the function of compliance in the BUK; and
  c. relevant executive officers.

(3) In the event that the Risk Management committee in a UUS as referred to in Article 18 paragraph (2) is combined with the Risk Management committee in a BUK, in the discussions on Risk Management of the UUS, the directors of the UUS shall be appointed as members of the Risk Management committees in the BUK.

(4) The Risk Management committee as referred to in paragraph (1) shall have the authority and responsibility to provide recommendations to the President Director at least on:
  a. the preparation of policy, strategy, and guidelines of the implementation of Risk Management;
  b. repair or improvements of the implementation of Risk Management based on the results of the evaluation of its implementation;
  c. the justification of matters in connection with business decisions which are made not in accordance with the normal procedure (irregularities).

Part Three Risk Management Work Unit

Article 20

(1) The organizational structure of the Bank’s Risk Management work unit as referred to in Article 18 paragraph (1) letter b shall be adjusted to the size and the complexity of the Bank’s business and the Risks which are inherent in the Bank.

(2) The Risk Management work unit as referred to in paragraph (1) shall be independent from the operating unit (risk-taking unit) and from the work unit which carries out the function of internal control.

(3) The Risk Management work unit as referred to in paragraph (2) shall be directly responsible to the President Director or to the specially-assigned Director.

(4) The authority and responsibilities of the Risk Management work unit shall include:
  a. to monitor the implementation of the Risk Management strategy which has been approved by the Board of Directors;
  b. to monitor the position of Risks as a composite, each type of Risks and/or each type of functional activities as well as to conduct stress testing;
  c. to periodically review the process of Risk Management;
  d. to review the proposed activities and/or new products;
  e. to carry out an evaluation of model and validity of data which are used to measure Risks, for any Bank which uses an internal model;
  f. to provide recommendations to the operating unit (risk-taking unit) and/or to the Risk Management Committee; and
  g. to prepare and deliver a periodic report on the profile/composition of Risks to:
     1. President Director or a director who is specially assigned; and
     2. Risk Management committee.

Part Four Relationship between the Operating Unit and the Risk Management Work Unit

Article 21

The operational work unit (risk-taking unit) as referred to in Article 20 paragraph (2) shall periodically inform the Risk Management work unit of the Risk exposure which is inherent to the relevant work unit.

CHAPTER VIII REPORTING

Part One Risk Profile Report

Article 22

(1) The Bank shall submit a risk profile report to Bank Indonesia.

(2) The risk profile report as referred to in paragraph (1) shall contain the same content as the risk profile report submitted by the Risk Management work unit to the President Director or to the specially-assigned Director and the Risk Management committee.

(3) The risk profile report as referred to in paragraph (1) shall be submitted quarterly for the positions in March, June, September and December.

(4) Whenever necessary, Bank Indonesia may request the Bank to submit the risk profile report as referred to in paragraph (1) other than within the prescribed period of time.

(5) Further provisions on the format and instructions for the preparation of the report as referred to in paragraph (1) shall be regulated in Bank Indonesia Circular Letters.

Article 23

(1) The Risk profile report as referred to in Article 22 paragraph (1) shall be submitted not later than 15 (fifteen) business days after the end of the month of the report as referred to in Article 22 paragraph (3).

(2) The Bank shall be considered late in the submission of the report if the report is submitted after the expiry of the period of submission as referred to in paragraph (1) but still within 1 (one) month since the last day of the period of submission of the report.

(3) The Bank shall be considered not submitting the report as referred to in Article 22 paragraph (1) if the Bank has not submitted or does not submit the report more than 1 (one) month since the last day of the period of submission of the report as referred to in paragraph (1).

Part Two Other Reports

Article 24

(1) The Bank shall submit reports other than the report as referred to in Article 22 to Bank Indonesia in the event of a condition which potentially leads to significant losses to the Bank’s financial condition.

(2) The Bank shall submit to Bank Indonesia other reports in connection with the implementation of Risk Management periodically or at any time it is required.

(3) The reporting format and procedure and the imposition of sanctions concerning the reports as referred to in paragraph (2) shall be subject to Bank Indonesia provisions concerning the reporting of the bank to Bank Indonesia.

Part Three Addresses for Submission

Article 25

The reports as referred to in Article 22 and Article 24 shall be submitted to Bank Indonesia to the following addresses:
  a. Directorate of Islamic Banking, Jl. MH Thamrin Nomor 2, Jakarta 10350, for Banks which have head office within the working territory of Bank Indonesia Head Office.
  b. Local Bank Indonesia offices, for Banks which have head office outside the working territory of Bank Indonesia Head Office.

CHAPTER IX MISCELLANEOUS

Part One Assessment of the Risk Management Implementation

Article 26

Bank Indonesia may carry out an assessment of the implementation of the Bank’s Risk Management.

Article 27

The Bank shall provide data and information in connection with the implementation of Risk Management to Bank Indonesia.

Part Two Disclosure of Performance and Risk Management Policy

Article 28

(1) The disclosure of Risk Management in the Bank’s annual report as stipulated in Bank Indonesia Regulation on the Transparency of Banks’ Financial Conditions shall be adjusted to this Bank Indonesia Regulation.

(2) The disclosure as referred to in paragraph (1) shall at least contain the performance of Risk Management and the direction of Risk Management policy.

(3) The disclosure of Risk Management of the UUS in the annual report as referred to in paragraph (1) shall be incorporated in the annual report of the BUK.

CHAPTER X SANCTIONS

Article 29

(1) A Bank which is late in the submission of its reports as referred to in Article 22 shall be subject to a sanction in the form of penalty of Rp1,000,000.00 (one million rupiah) per day of delay per report.

(2) A Bank which fails to submit the reports as referred to in Article 22 shall be subject to a sanction in the form of penalty of Rp50,000,000.00 (fifty million rupiah) per report.

(3) A Bank which fails to submit the reports as referred to in Article 22 and has been penalized to pay a penalty as referred to in paragraph (2) shall remain obliged to submit the reports to Bank Indonesia.

(4) A Bank which submits the reports as referred to in Article 22 but the reports are considered significantly incomplete or without the required material documents and information in accordance with the previously determined format is subject to a sanction in the form of penalty of Rp50,000,000.00 (fifty million rupiah) after the Bank receives 2 (two) reprimand letters issued by Bank Indonesia with a grace period of 7 (seven) business days for each letter and the Bank fails to improve the report within a period of 7 (seven) business days upon receipt of the last reprimand letter.

Article 30

A Bank which fails to comply with the provisions of Article 2 paragraph (1), Article 4, Article 5 paragraph (2), Article 6, Article 11 paragraph (1), Article 11 paragraph (3), Article 12, Article 13 paragraph (2), Article 13 paragraph (3), Article 13 paragraph (4), Article 12 paragraph (2), Article 15, Article 16 paragraph (2), Article 17 paragraph (2), Article 18 paragraph (1), Article 21, and Article 32 paragraph (2) shall be subject to administrative sanctions in the form of:
  a. reprimand letter;
  b. freeze on certain business activities; and/or
  c. the mention of the name of members of the management, employees of the Bank, and/or shareholders on a list containing names of persons who fail the fit and proper test and on the administrative record of Bank Indonesia as stipulated in Bank Indonesia provisions.

CHAPTER XI TRANSITIONAL PROVISIONS

Article 31

(1) The obligation of UUS to submit the risk profile report as referred to in Article 22 shall commence as of the report on the position of June 2012.

(2) The adjustment in the disclosure of Risk Management as referred to in Article 28 paragraph (1) in the UUS shall be done for the first time in the annual report on the position of last December 2012.

CHAPTER XII CLOSING PROVISIONS

Article 32

(1) Further provisions concerning the implementation of Risk Management in Banks shall be stipulated in Bank Indonesia Circular Letters.

(2) With the enactment of this Bank Indonesia Regulation, the Bank shall adjust the operating procedure which is in connection with the implementation of Risk Management.

Article 33

When this Bank Indonesia Regulation comes into force:
  a. Bank Indonesia Regulation Number 5/8/PBI/2003 concerning the Implementation of Risk Management in Commercial Banks; and
  b. Bank Indonesia Regulation Number 11/25/PBI/2009 concerning the amendment to Bank Indonesia Regulation Number 5/8/PBI/2003 concerning the Implementation of Risk Management in Commercial Banks
are declared void for BUS and UUS.

Article 34

The implementing provisions of Bank Indonesia Regulation Number 5/8/PBI/2003 concerning the Implementation of Risk Management in Commercial Banks as amended by Bank Indonesia Regulation Number 11/25/PBI/2009 concerning the Implementation of Risk Management in Commercial Banks shall remain valid for BUS and UUS in so far as they do not contravene this Bank Indonesia Regulation.

Article 35

This Bank Indonesia Regulation shall come into force on the date of enactment.

For the public to be informed, it is ordered that this Bank Indonesia Regulation be promulgated in The State Gazette of The Republic of Indonesia.

Enacted in: Jakarta
Dated: 2 November 2011

GOVERNOR OF BANK INDONESIA
(signed)
DARMIN NASUTION

Promulgated in: Jakarta
Dated: 2 November 2011

THE MINISTER OF LAW AND HUMAN RIGHTS REPUBLIC OF INDONESIA
(signed)
PATRIALIS AKBAR

STATE GAZETTE OF THE REPUBLIC OF INDONESIA NUMBER 103 OF 2011

DPbS

ELUCIDATION TO BANK INDONESIA REGULATION NUMBER 13/23/PBI/2011 CONCERNING THE IMPLEMENTATION OF RISK MANAGEMENT IN ISLAMIC COMMERCIAL BANKS AND ISLAMIC BUSINESS UNITS

GENERAL

The business activities of the Bank are constantly exposed to risks that are closely related to its function as a financial intermediary institution. The development of the external and internal environment of Islamic banking which is rapidly increasing has resulted in more complex risks in the operations of Islamic banking. Banks are required to adapt through the implementation of risk management in accordance with the Sharia Principles.

The principles of risk management which are implemented in Islamic banking in Indonesia are directed so as to be in line with the standard rules issued by Islamic Financial Services Board (IFSB). The implementation of risk management in Islamic banking is adapted to the size and business complexity and the ability of the Bank.

Bank Indonesia sets the rules on risk management as a minimum standard that BUS and UUS shall meet so that Islamic banking can develop according to the needs and challenges faced in a process which is healthy, consistent and in compliance with the Sharia Principles.

ARTICLE BY ARTICLE

Article 1 Self-explanatory.

Article 2 Paragraph (1) The implementation of Risk Management includes the implementation of Anti-Money Laundering and Prevention of Terrorism Financing programs, which have previously been known as the Know Your Customer principle (KYC). Paragraph (2) Self-explanatory. Paragraph (3) Self-explanatory.

Article 3 Letter a The role of the Board of Commissioners of a branch of a foreign bank is performed by the competent officers in accordance with the Bank’s organizational structure. Letter b Self-explanatory. Letter c Self-explanatory. Letter c Self-explanatory.

Letter d Self-explanatory.

Article 4 Business complexity includes variety in terms of transactions/products/services and business networks. The Bank’s ability includes financial capacity, supporting infrastructures and human resources capacity.

Article 5 Paragraph (1) Letter a Credit Risk includes the Risk of financing concentration. Concentration risk is the risk arising from the provision of funds which is concentrated in 1 (one) party or a group of parties, industry, sector, and/or specific geographic area which have potential losses serious enough to threaten the going concern of the Bank. Letter b Market risks include, among other things, exchange rate Risk, commodity Risk and equity Risk. Exchange rate risk is a risk which occurs as a result of changes in the value of the trading book position and the banking book position due to changes in foreign exchange rates or changes in the gold price. Commodity Risk is a risk which occurs as a result of changes in the price of financial instruments from the trading book position and the banking book position which is caused by changes in the price of commodities. Equity risk is a risk which occurs as a result of changes in the price of financial instruments from the trading book position which is caused by changes in the stock price. Letter c Self-explanatory. Letter d Self-explanatory. Letter e This risk arises partly because of the absence of the supporting laws and regulations or a weak contract, such as when any requirements for the validity of the contract are not met or a collateral contract is not perfect. Letter f This risk arises partly because of negative news coverage in the media and/or rumors about the bank and the bank’s less effective communications strategy. Letter g This risk arises partly because the bank sets a strategy which is not in line with the vision and mission of the bank, conducts a strategic environmental analysis which is not comprehensive, and/or there is a mismatch of the strategic plan between strategic levels. Moreover, Strategic Risk arises from the failure to anticipate changes in the business environment, including the failure to anticipate changes in technology, changes in macroeconomic conditions, the dynamics of competition in the market, and changes in policy of the relevant authorities. Letter h Self-explanatory. Letter i This risk arises partly because of changes in the behavior of customers of third-party funds as a result of changes in their expectation of the returns received from the Bank. The changing expectations can be caused by internal factors such as a decline in the Bank’s asset values and/or external factors such as the increasing return offered by other banks. Changes in the expected rate of return can trigger the transfer of funds from the bank to other banks. Letter j This risk arises when the Bank provides financing on the basis of profit-and-loss sharing in which the Bank also bears the risk of any business loss of the customer it finances. In this case, the calculation is not done based on the revenues or sales received by the customer, but based on the profits earned. If the customer’s business goes bankrupt, the principal loaned by the Bank to the customer will not be repaid. Paragraph (2) Self-explanatory.

Paragraph (3) Self-explanatory. Paragraph (4) Self-explanatory.

Article 6 Self-explanatory.

Article 7 Letter a The evaluation of Risk Management policy by the Board of Commissioners is conducted at least 1 (once) in a year or more in the event of changes in the factors that adversely affect the Bank's business significantly. Letter b The evaluation of the Board of Directors’ accountability for the implementation of Risk Management policy is conducted by the Board of Commissioners at least on a quarterly basis.

Article 8 Paragraph (1) Letter a The Risk Management policy and strategy include the establishment and approval of risk limits: the overall (composite) risk, by type of risk, and by functional activity. The development of Risk Management policy and strategy is conducted at least 1 (once) in a year or more in the event of any changes of factors which significantly affect the operations of the BUS. Letter b Responsibilities for the implementation of the Risk Management policy include:

  1. to evaluate and provide guidance based on the reports submitted by the Risk Management work unit;
  2. to submit the accountability report to the Board of Commissioners on a quarterly basis.

Letter c Self-explanatory. Letter d The development of Risk Management culture includes adequate communication to all levels of the organization about the importance of effective Risk Management. Letter e Increased competence of human resources is achieved, among others, through sustainable education and training programs on the implementation of Risk Management. Letter f The term "independent" among other things means the separation of functions between the Risk Management work unit which identifies, measures, and monitors risks and the unit which conducts and completes the transactions.

Letter g A periodic review, among other things, is intended to anticipate changes in the external factors and internal factors. Paragraph (2) The phrase "have sufficient understanding" includes understanding the Sharia Principles related to products, services and other operations of the Bank. Paragraph (3) In carrying out the authorities and responsibilities, the Director of the UUS may coordinate with another director of the BUK.

Article 9 Letter a The evaluation of the Risk Management policy related to compliance with the Sharia Principles is conducted by the Sharia Supervisory Board at least 1 (once) in a year. Letter b The evaluation of the Board of Directors’ accountability for the implementation of the Risk Management policy related to the compliance with the Sharia Principles is conducted by the Sharia Supervisory Board at least on a quarterly basis.

Article 10 The Risk Management policy is established among other things by formulating the Risk Management strategy to ensure that:

  1. The Bank maintains the Risk exposure in accordance with the Bank's internal policies and procedures and the applicable laws and regulations as well as other provisions, and
  2. The Bank is managed by human resources that have knowledge, experience, and expertise in the field of Risk Management in accordance with the Bank’s complex business.

The Risk Management strategy is formulated by taking into account the financial conditions of the Bank, the Bank’s organization, and Risks arising from changes in external factors and internal factors. Letter a Self-explanatory. Letter b Self-explanatory. Letter c Risk tolerance is the potential loss that can be absorbed by the capital of the Bank. Letter d The determination of assessment of Risk rating is the basis for the Bank to categorize its risk rating. Risk Rating is categorized into 5 (five), namely: 1 (Low), 2 (Low to Moderate), 3 (Moderate), 4 (Moderate to High), and 5 (High). Letter e Self-explanatory. Letter f Self-explanatory.

Article 11 Paragraph (1) The level of risk to be taken (risk appetite) takes into account the experience of the Bank in managing Risks. Paragraph (2) Letter a Self-explanatory. Letter b The word "periodic" means at least 1 (once) or more in a year, depending on the type of Risks, needs, and development of the Bank. Letter c The phrase "adequate documentation" means written and complete documentation which makes it easy for an audit trail to be conducted for the Bank's internal control. Paragraph (3) Self-explanatory.

Article 12 Paragraph (1) The term "Risk factors" means different parameters that affect Risk exposure. The phrase "Risk factors which are material" means Risk factors which both quantitatively and qualitatively affect the Bank's financial conditions significantly.

Paragraph (2) Self-explanatory.

Article 13 Paragraph (1) The process of risk identification is, among other things, based on the losses experienced by the Bank. Paragraph (2) To measure risks, the Bank can use the Qualitative and Quantitative approaches which are adjusted to the business purpose, business complexity, and the ability of the Bank. Letter a The word "regular" means at least on a quarterly basis or more frequently, subject to the development of the Bank and external conditions which affect the Bank’s conditions. Letter b Self-explanatory. Paragraph (3) Letter a The evaluation of Risk exposure is conducted by monitoring and reporting material Risks or conditions which affect the Bank's capital, among other things, based on the assessment of potential Risks by using historical trends.

Letter b Self-explanatory. Paragraph (4) The control measures can be implemented by methods of Risk mitigation such as hedging and capital increase to absorb potential losses. In addition, in the implementation of the controlling function of exchange risk and liquidity risk, the Bank shall at least apply the Assets and Liabilities Management (ALMA). Paragraph (5) Self-explanatory.

Article 14 Paragraph (1) Letter a Reports or information on Risk exposure include quantitative and qualitative exposure, overall (composite) and detailed by type of risk and by type of functional activity. Letter b Self-explanatory. Letter c Self-explanatory. Paragraph (2) The frequency of submission of Reports or information to the Board of Directors may be increased in accordance with the needs of the BUS.

Paragraph (3) Self-explanatory.

Article 15 Self-explanatory.

Article 16 Paragraph (1) Self-explanatory. Paragraph (2) Letter a Self-explanatory. Letter b Complete, accurate, appropriate, and timely financial and management information is necessary for appropriate and accountable decision making which can be communicated to the parties concerned. Letter c Effectiveness and efficiency in operations are required to protect the Bank's assets and resources from relevant Risks. Letter d Effectiveness of risk culture is intended to identify weaknesses and irregularities earlier and to reassess the fairness of the existing policies and procedures of the Bank on an ongoing basis.

Article 17 Self-explanatory.

Article 18 Paragraph (1) Letter a The Risk Management Committee shall be non-structural. Letter b Risk Management work unit is part of the Bank's organizational structure (structural). Paragraph (2) This arrangement is made in order that the UUS can determine an organizational structure which is appropriate and suitable to the conditions of the BUK, including the financial ability and human resources.

Article 19 Paragraph (1) The membership of the Risk Management Committee can be either permanent or temporary membership, in accordance with the needs of the Bank. Letter a One of the members of the Board of Directors who shall be appointed as a member of the Risk Management Committee is the Director in charge of the compliance function.

Letter b The term "the relevant executive officers" means Bank officers who are one level below the Board of Directors who head the operating unit (risk taking) and Risk Management work unit. Membership of the executive officers of Risk Management is adjusted to the Bank’s problems and needs. Paragraph (2) The membership of the Risk Management Committee can be either permanent or temporary membership, in accordance with the needs of the UUS. Letter a Self-explanatory. Letter b Self-explanatory. Letter c The term "the relevant executive officers" means the officers of UUS and BUK who are one level below the Board of Directors who head the operating unit and Risk Management work unit. Membership of the executive officers of Risk Management is adjusted to the UUS’s problems and needs. Paragraph (3) Self-explanatory. Paragraph (4) Letter a Self-explanatory.

Letter b Self-explanatory. Letter c Business decisions that do not comply with the normal procedures include significant business expansion as compared to the Bank's business plan and taking of a position/Risk exposure that is not in accordance with the previously determined limit.

Article 20 Paragraph (1) This arrangement is intended in order that the Bank may determine an organizational structure appropriate and suitable to the condition of the Bank, including the financial ability and human resources. Paragraph (2) The word "Independent" is reflected in:

  1. The separation of the functions/tasks between the Risk Management work unit and the operating unit (risk-taking unit) and the work unit that performs the functions of internal control;
  2. the decision-making process which is impartial, neither favoring a certain risk-taking unit nor ignoring other operating units.

The term operating unit (risk-taking unit) means financing, treasury, and finance units. Paragraph (3) The term "specially assigned Director" is a director who heads the compliance function or the Director of Risk Management. Paragraph (4) The authorities and responsibilities of the Risk Management work unit are adjusted to the business objectives, business complexity, and the ability of the Bank. Letter a Self-explanatory. Letter b Stress testing is conducted to determine the impact of the implementation of Risk Management policies and strategies on the performance and revenues of each of the Bank’s risk-taking units or functional activities. Letter c The review is done based on the findings of internal audit and/or the development of Risk Management practices which are internationally applicable. Letter d The review includes the evaluation of the Bank’s ability to carry out the activities and/or new products, and the review of proposed changes to the systems and procedures and the compliance with Sharia Principles. Letter e Self-explanatory. Letter f Recommendations include recommendations in connection with the magnitude or the maximum Risk exposure that shall be maintained by the Bank.

Letter g Risk Profile is a comprehensive overview of the magnitude of the potential risks inherent in the Bank’s entire portfolio or exposure. The frequency of submission of reports shall be increased in the event of rapidly changing market conditions. For a change in Risk exposure which takes quite a long time, such as Credit Risk, the submission of the report is at least 1 (once) in a month.

Article 21 The frequency of the delivery of information about Risk exposure is tailored to the characteristics of the type of the Risks.

Article 22 Paragraph (1) A Risk Profile Report contains information about the overall trend of the Risk exposure. Paragraph (2) Self-explanatory. Paragraph (3) A Risk Profile Report is presented comparatively with the previous quarterly position. Paragraph (4) Self-explanatory. Paragraph (5) Self-explanatory.

Article 23 Paragraph (1) Example: For the risk profile report for the position of September 2011, the Bank shall submit the said report to Bank Indonesia no later than 21 October 2011. Paragraph (2) Example: If the Bank submits the risk profile report of September 2011 from 22 October 2011 to 21 November 2011, the Bank is considered to be late in the submission of the report. Paragraph (3) Example: If the Bank submits the risk profile report of September 2011 after 21 November 2011, the Bank is considered not to have submitted the report.

Article 24 Paragraph (1) Self-explanatory. Paragraph (2) Reports related to the implementation of Risk Management include, among other things, the Projected Cash Flow Report and the Maturity Profile Report in the implementation of Risk Management for Liquidity Risks.

Paragraph (3) Bank Indonesia provisions concerning the reporting of banks include Bank Indonesia provisions concerning the Periodic Reports of Commercial Banks and the Report of the Head Office of Commercial Banks.

Article 25 Self-explanatory.

Article 26 Assessment of the Risk Management of the Bank includes the assessment of inherent Risks and the adequacy of Risk control system.

Article 27 Self-explanatory.

Article 28 Paragraph (1) Self-explanatory. Paragraph (2) The performance of Risk Management is the result of the implementation of Risk for a period from the beginning of the year (January) until the end of the year (December) including Risk profile; meanwhile the direction of Risk Management policy is the direction and strategy of the Risk Management for one year ahead.

Paragraph (3) Self-explanatory.

Article 29 Paragraph (1) The term "day" means business day. Paragraph (2) A Bank which has been penalized to pay in accordance with this paragraph shall not be penalized for delay as referred to in paragraph (1). Paragraph (3) Self-explanatory. Paragraph (4) A Bank which has been penalized to pay in accordance with this paragraph shall not be penalized as referred to in paragraph (1).

Article 30 Self-explanatory.

Article 31 Self-explanatory.

Article 32 Self-explanatory.

Article 33 Self-explanatory.

Article 34 Self-explanatory.

Article 35 Self-explanatory.

SUPPLEMENT TO STATE GAZETTE OF THE REPUBLIC OF INDONESIA NUMBER 5247 DPbS
