Bank Indonesia Regulation Number 19/10/PBI/2017 on Anti-Money Laundering and Prevention of Terrorism Financing for Non-Bank Payment and Money Changing Providers

BANK INDONESIA REGULATION NUMBER 19/ 10 /PBI/2017 CONCERNING IMPLEMENTATION OF ANTI-MONEY LAUNDERING AND PREVENTION OF TERRORISM FINANCING FOR NON-BANK PAYMENT SYSTEM SERVICE PROVIDER AND NON-BANK MONEY CHANGING SERVICE PROVIDER BY GRACE OF THE GOD ALMIGHTY THE GOVERNOR OF BANK INDONESIA, Considering : a. that the rapid development of information technology and systems continues to encourage innovations in payment systems service and foreign exchange business activities; b. that such innovations cause products, services, transactions, and business models to become increasingly complex, therefore increasing the risk of money laundering and/or terrorism financing in payment system activities and foreign exchange business activities; c. that the increased risks encountered should be balanced by improving the quality and effectiveness of anti-money laundering and/or prevention of terrorism financing by using a risk-based approach in accordance with widely accepted international principles; d. that there should be a harmonization and integration of regulations concerning the

• 2 - implementation of anti-money laundering and/or prevention of terrorism financing in the payment system activities and foreign exchange business activities; e. that based on the considerations as referred to in letter a to letter d, it is necessary to enact Bank Indonesia Regulation concerning the Implementation of Anti-Money Laundering and the Prevention of Terrorism Financing for Non-Bank Payment System Service Provider and Non-Bank Money Changing Service Provider; In View Of : 1. Law Number 23 of 1999 concerning Bank Indonesia (State Gazette of the Republic of Indonesia Number 66 of 1999, Supplement to the State Gazette of the Republic of Indonesia Number 3843) as amended several times, most recently by Law Number 6 Year 2009 concerning Stipulation of Substitute Government Regulation Law Number 2 of 2008 regarding the Second Amendment to Law Number 23 of 1999 concerning Bank Indonesia to become Law (State Gazette of the Republic of Indonesia of 2009 Number 7, Supplement to the State Gazette of the Republic of Indonesia Number 4962);

2. Law Number 8 of 2010 concerning Prevention and Eradication of Money Laundering (State Gazette of the Republic of Indonesia Number 122 of 2010, Supplement to the State Gazette

• 3 - of the Republic of Indonesia Number 5164);

3. Law Number 3 of 2011 concerning Fund Transfers (State Gazette of the Republic of Indonesia of 2011 Number 39, Supplement to the State Gazette of the Republic of Indonesia Number 5204);
4. Law Number 9 of 2013 concerning the Prevention and Eradication of Terrorism Financing (State Gazette of the Republic of Indonesia Number 50 of 2013, Supplement to the State Gazette of the Republic of Indonesia Number 5406); BE IT HEREBY RESOLVED To enact : BANK INDONESIA REGULATION CONCERNING IMPLEMENTATION OF ANTI-MONEY LAUNDERING AND PREVENTION OF TERRORISM FINANCING FOR NON-BANK PAYMENT SYSTEM SERVICE PROVIDER AND NON-BANK MONEY CHANGING SERVICE PROVIDER CHAPTER I GENERAL PROVISIONS Article 1 For the purpose of this Bank Indonesia Regulation what is meant by:
5. Money Laundering is money laundering as referred to in the Law governing the prevention and eradication of money laundering crime.
6. Terrorism Financing is the terrorism financing as referred to in the Law governing the prevention and eradication of terrorism financing.
7. Anti-Money Laundering and Prevention of Terrorism Financing,

• 4 - hereinafter referred to as APU and PPT is the effort to prevent and eradicate the crime of Money Laundering and Terrorism Financing.

4. Service Provider is a legal entity other than a bank conducting payment system service activities and a legal entity other than a bank conducting foreign exchange business activities.
5. Non-Bank Payment System Service Provider hereinafter referred to as Non-Bank PJSP is a party other than a bank that has obtained a license to conduct payment system service activities referred to in the Bank Indonesia Regulation concerning the payment system.
6. Non-Bank Money Changing Service Provider, hereinafter referred to as Non-Bank Money Changer, is a party that has obtained license to conduct foreign exchange business activities as referred to in the Bank Indonesia Regulations concerning non-bank foreign exchange business activities.
7. Bank is a bank as referred to in the Law governing the banking and sharia banks as referred to in the Law governing on the sharia banking.
8. Non-Bank Institution is a non-bank business entity, in the form of a legal entity incorporated under the laws of Indonesia.
9. Service User is a party who uses the services of the Service Provider, conducts business relationship with the Service Provider, or conducts transactions through the Service Provider.
10. Beneficial Owner is any individual, whether individually or jointly, directly or indirectly, who: a. is the ultimate owner of the funds; b. controls the transactions of Service User; c. exercise ultimate effective controls over the corporation or other arrangements (legal arrangement); and/or d. authorizes the transaction (whose behalf a transaction is conducted).
11. Corporation is an organized corporate or non-corporate group of persons and/or groups, including corporations, foundations, cooperatives,

• 5 - religious associations, political parties, non-governmental organizations or non-profit organizations, and civic organizations.

12. Politically Exposed Person, hereinafter referred to as PEP shall include: a. Foreign PEP, are individuals who are or have been entrusted with prominent public functions by a foreign country; b. Domestic PEP, are individuals who are or have been entrusted with prominent public functions domestically; and c. Persons who are or have been entrusted with prominent function by an international organization.
13. Fund Transfer is the fund transfer as referred to in the Law governing the fund transfer.
14. Suspicious Financial Transactions are suspicious financial transactions as referred to in the Law governing the prevention and eradication of money laundering and the Law governing the prevention and eradication of terrorism financing.
15. Financial Transaction Reporting and Analysis Center hereinafter referred to as PPATK is the Center for Financial Transaction Reporting and Analysis as referred to in the Law governing the prevention and eradication of money laundering crime.
16. Business Group is a group or group of companies having ownership and/or control relationship with the Service Provider.
17. Senior Management is a member of the Board of Directors and Executive Officers who may take policy/decision in the operational of the Service Provider.
18. The Board of Directors is the Board of Directors as referred to in the Law governing the limited liability company.
19. Executive Officers shall be officers who directly reports to the members of the Board of Directors or have significant influence on the policy and/or operational of the Service Provider.
20. The Board of Commissioners is the board of commissioners as referred to in the Law governing the limited liability company.

• 6 - CHAPTER II SCOPE Article 2 (1) Provisions in this Bank Indonesia Regulation shall be applicable to the following Service Provider: a. Non-Bank PJSP; and b. Non-Bank Money Changer. (2) Non-Bank PJSP as referred to in paragraph (1) shall include: a. Fund Transfer Service Provider; b. issuer of card based payment instruments (APMK); c. issuer of electronic money; and d. electronic wallet Service Provider. CHAPTER III THE IMPLEMENTATION OF ANTI-MONEY LAUNDERING AND PREVENTION OF TERRORISM FINANCING Section One Obligations and Scope of APU and PPT Programs Article 3 Service Provider as referred to in Article 2 shall apply APU and PPT which includes: a. duties and responsibilities of the Board of Directors and active supervision of the Board of Commissioners; b. written policies and procedures; c. risk management process; d. human resource management; and e. internal control system.

• 7 - Section Two Duties and Responsibilities of the Board of Directors and Active Supervision the Board of Commissioners Article 4 The duties and responsibilities of the Board of Directors as referred to in Article 3 letter a shall at least include the following: a. stipulate APU and PPT written policies and procedures based on the approval of the Board of Commissioners; b. ensure the implementation of the APU and PPT in accordance with the established written policies and procedures; c. ensure the written policies and procedures are in line with changes and development of products, services, technology, money laundering or terrorism financing modes, and provisions related to APU and PPT; d. ensure the submission of Suspicious Financial Transactions Reports, cash financial transactions report, and the fund transfer financial transaction from and/or to abroad to the PPATK in accordance with the provisions of laws and regulations; e. ensure that all employees are equipped with knowledge and/or training on APU and PPT implementation; and f. ensure the updating of customer profile and customer transaction profile. Article 5 The active supervision of the Board of Commissioners as referred to in Article 3 letter a shall at least include the following: a. giving approval of written policies and procedures for the implementation of APU and PPT; and b. supervising the duties and responsibilities of the Board of Directors on the implementation of APU and PPT.

• 8 - Section Three Policy and Procedures Article 6 (1) Service Provider shall maintain, implement, and develop written policies and procedures to manage the risk of Money Laundering and Terrorism Financing. (2) Written policies and procedures referred to in paragraph (1) shall contain at least the following: a. customer due diligence (CDD); b. management of data, information and documents; and c. reporting Suspicious Financial Transactions and other reports. (3) For Service Provider that conduct Fund Transfer activities, in addition to meeting the provisions referred to in paragraph (2), it shall also maintain Fund Transfer policies and procedures. (4) Service Provider shall monitor, evaluate, and improve the effectiveness of the implementation of written policies and procedures referred to in paragraph (1). (5) Service Provider shall submit the written policies and procedures as referred to in paragraph (1), including any change thereof, to Bank Indonesia. Section Four Risk Management Process Article 7 (1) Service Provider shall apply the risk management process as referred to in Article 3 letter c, including appropriate steps to identify, asses, manage and mitigate the money laundering and terrorism financing risk. (2) Service Provider shall identify, assess, manage, and mitigate the risks

• 9 - referred to in paragraph (1) by taking into account the following factors: a. Service User; b. country or geographic area; c. product or service; and d. delivery channel. (3) In applying risk management as referred to in paragraph (2), Service Provider shall take into account the risk identified and assessed by the competent authority as well as documents and other relevant information. (4) In regard to the implementation of risk management as referred to in paragraph (2), the Service Provider shall: a. perform updating periodically; b. document; and c. have appropriate mechanisms to provide information to competent authorities. (5) The implementation of risk management as referred to in paragraph (1) shall be based on the characteristics, scale, and complexity of the Service Provider's business activities, as well as the relevant risk exposure. (6) In the event that the Service Provider identify higher risk, Service Provider shall take enhanced measure to manage and mitigate the risk. Section Five Human Resource Management Article 8 Human resource management as referred to in Article 3 letter d, shall contain at least the following: a. pre-employee screening; b. monitoring of employee profile; and c. provision of training programs and continuous improvement of employee awareness.

• 10 - Section Six Internal Control System Article 9 The internal control system as referred to in Article 3 letter e shall contain at least the following: a. establishment of work units, functional assignment, and/or appointment of members of the Board of Directors/Executive Officers who are specifically responsible for the implementation of APU and PPT; b. the segregation of duties and responsibilities between the parties performing the audit function with the business unit; and c. commencement of independent audits periodically to test the compliance and the effectiveness of APU and PPT implementation. Section Seven Implementation of APU and PPT on Business Groups Article 10 (1) Business Group shall ensure the effective implementation of the APU and PPT to their subsidiaries and branches, both within and outside the country. (2) APU and PPT Implementation as referred to in paragraph (1) shall include the availability of: a. written policies and procedures on the exchange of information between parent companies, subsidiaries, and branch offices; b. written policies and procedures for the internal audit function and/or APU and PPT work units to obtain data and information from subsidiaries and branch offices; and c. written policies and procedures to ensure the security and the confidentiality of data and information.

• 11 - Article 11 (1) In the case that the host country of a subsidiary or branch applies APU and PPT with a less strict requirements than the provisions of this Bank Indonesia Regulation, the provisions in this Bank Indonesia Regulation shall be applied. (1) In the event that the provisions of this Bank Indonesia Regulation are not applicable in whole or in part by subsidiaries and branches pursuant to the rules of the host country, the Service Provider shall take the best available measure to implement the APU and PPT and report it to the Bank Indonesia. Section Eight Implementation of APU and PPT by Third Parties Representatives Article 12 In the event that the Service Provider cooperates with third party, the Service Provider shall ensure the implementation of the APU and the PPT as referred to in Article 3 by such third party. CHAPTER IV CUSTOMER DUE DILIGENCE (CDD) Section One Obligation and CDD Procedures Article 13 Service Provider shall undertake CDD measure on Service User to ensure the effectiveness of APU and PPT implementation. Article 14

• 12 - CDD measure as referred to in Article 13 shall include the following activities: a. identifiy the Service User, the person acting for and on behalf of the Service User, and/or Beneficial Owner; b. verify the identity of the Service User, the person acting for and on behalf of the Service User, and/or Beneficial Owner based on data, information and/or documents from an independent and reliable source; c. conduct ongoing due diligence and ensuring that the data, information and/or documents of the Service User is kept up-to-date; and d. understand the purpose and intended nature of the business relationship or transaction and the source of funds used. Article 15 The obligation to undertake CDD measure as referred to in Article 14 shall be conducted by the Service Provider when: a. establishing business relationship with Service User or potential Service User; b. carrying out occasional financial transactions denominated in rupiah and/or foreign currency of at least Rp100,000,000.00 (one hundred million rupiah) or the equivalent; c. carrying out Fund Transfer transaction; d. encountering indications of Suspicious Financial Transactions related to Money Laundering and/or Terrorism Financing; or e. having doubt as to the veracity of the information provided by potential Service User, Service User, the person acting for and on behalf of the Service User, and/or Beneficial Owners. Section Two Identification and Verification Article 16 (1) The identification as referred to in Article 14 letter a shall be undertaken by requiring the submission of at least the following identification data

• 13 - and information: a. for Individual Service User:

1. full name including alias name if any;
2. identity document number;
3. residential address according to identity documents and other residential address if any;
4. place and date of birth;
5. nationality;
6. phone number;
7. occupation;
8. sex; and
9. biometric data or signatures; b. for Corporate Service User:
10. the name of the corporation;
11. the form of legal entity or business entity;
12. place and date of establishment;
13. business license number;
14. address of registered office;
15. type of business or activity;
16. phone number;
17. name of board of directors and board of commissioners;
18. name of shareholder; and
19. information and data of natural person authorized to act for and on behalf of the Corporation; and c. for legal arrangements Service User:
20. name;
21. license number from the competent authority if any;
22. address of registered office;
23. form of legal arrangement; and
24. information and data of natural person authorized to act for and on behalf of the other legal arrangements.

• 14 - (2) In order to identify the Service User as referred to in paragraph (1), the Service Provider shall require the Service User to submit the following identification document: a. for individual Service User:

1. identity card (KTP);
2. driver's license (SIM);
3. passport; or
4. other official documents issued by Government Agencies; b. for Corporate Service User:
5. deed of establishment and/or articles of association and corporate household budget and any amendments;
6. business license or other permit from the competent authority;
7. taxpayer identification card (NPWP) for Service User who are required to have NPWP in accordance with the provisions of laws and regulations; and
8. identification documents of a natural person authorized to act for and on behalf of the Corporation; and c. for legal arrangements Service User:
9. proof of registration at the authorized institution;
10. deed of establishment and/or articles of association and by￾laws of household if any; and
11. identification documents of a natural person: a) for other legal arrangement in the form of trust:

1. a natural person authorized to act for and on behalf of the other legal arrangement;
2. settlor;
3. trustee;
4. protector if any;
5. beneficiary or class of beneficiary; and
6. natural person who becomes the ultimate

• 15 - controller of the trust; and b) for any other legal arrangement in a form other than a trust, in the form of a natural person identity having a position equal to or equivalent to a party in the trust referred to in letter a). Article 17 (1) The identification as referred to in Article 14 letter a to Service User conducting transactions less than Rp100,000,000.00 (one hundred million rupiahs) and having no continuous business relationship (walk-in customer) is conducted by at least requiring the submission of data and information: a. for individual Service User:

1. full name including alias name if any;
2. identity document number;
3. residential address according to identity documents and other residential address if any;
4. place and date of birth;
5. biometric data or signatures; b. for Corporate Service User:
6. the name of the corporation;
7. address of registered office if any;
8. information and data of a natural person authorized to act for and on behalf of the Corporation; and c. for legal arrangements Service User:
9. name;
10. address of registered office; and
11. information and data of a natural person authorized to act for and on behalf of the other legal arrangements. (2) In order to identify the Service User as referred to in paragraph (1), the Service Provider shall require the Service User to submit the relevant

• 16 - identity document as referred to in Article 16 paragraph (2). Article 18 (1) Service Provider may require the Service User to submit additional supporting data, information and/or documents other than as referred to in Article 16 and Article 17. (2) The obligations as referred to in paragraph (1) shall be performed in the event of any doubt regarding the identity of the Service User. Article 19 The identification as referred to in Article 14 letter a against Service User in the form of state institution, government institution, international institution, and foreign country representative is done by requiring the submission of data, information and/or document in the name and address of the institution, agency or representatives. Article 20 Service Provider verifies the identity of the Service User as referred to in Article 16 and Article 17 by examining the suitability of: a. identity documents issued by government agencies; b. population data and information administered by government agencies; and/or c. biometric data or electronic data only if the Service Provider can ensure the validity and reliability of the data. Article 21 (1) The verification process as referred to in Article 20 may be done by: a. face-to-face meetings; or b. the use of other methods. (2) The use of other methods of verification as referred to in paragraph (1) letter b may only be applicable provided that: a. there are robust methods or technologies to verify the identity of

• 17 - the Service User; and b. there are policies and risk control procedures implemented effectively. (3) The use of other methods of verification as referred to in paragraph (1) letter b shall be reported to Bank Indonesia. Article 22 (1) The verification process as referred to in Article 20 shall be conducted by the Service Provider before or during the establishing of the business relationship or conducting the transaction with the Service User. (2) Service Provider may complete the verification process after the establishment of business relationship with the Service User provided that: a. the risks of Money Laundering and Terrorism Financing are effectively managed; b. it is a normal conduct of business; and c. verification process can be promptly completed. Section Three Identification and Verification of Beneficial Owner Article 23 (1) Service Provider shall ensure that the Service User acts for himself or for the benefit of the Beneficial Owner. (2) In the event that the Service User acts for the benefit of Beneficial Owner, Service Provider is obliged to identify and verify the Beneficial Owner. (3) In the case of a Service User in the form of a Corporation, the Beneficial Owner shall be determined by virtue of majority ownership in the Corporation. (4) In addition to identification and verification as referred to in paragraph (2), Service Provider shall: a. examine the legal relationship between Service User and Beneficial

• 18 - Owner; b. request a written statement from the Service User regarding the authenticity of identity as well as the source of funds from Beneficial Owner; and c. request a written statement from Beneficial Owner that the concerned is the true owner of the User Service funds. Article 24 (1) Service Provider may determine the Corporate Beneficial Owner by means other than as referred to in Article 23 paragraph (3) in the case of: a. there is a doubt that an individual who owns a majority share is a Corporate Beneficial Owner ; or b. no individual is known to hold a majority share. (1) In the event that a Corporate Beneficial Owner cannot be verified by the methods as referred to in paragraph (1), the Service Provider shall identify and verify the identity of an individual who holds a position of the Board of Directors in the Corporation or equivalent position. Article 25 Identification and verification of Beneficial Owner's identity is not applicable to the Service User in the form of: a. state institutions or government agency; b. a company majority owned by the state; or c. public company or issuer. Section Four Identification and Verification of Potential Service User Article 26 Provisions on the identification and verification of Service User as referred to in Article 16 through Article 25 shall also apply to potential Service User.

• 19 - Section Five On-Going Due Diligence Article 27 (1) The on-going due diligence as referred to in Article 14 letter c shall be applied to the Service User to ensure that transactions are conducted in accordance with the Service User profile. (2) Service Provider shall have adequate procedures for on-going due diligence as referred to in paragraph (1). (3) Service Provider having complex and large scales business and service shall have systems for effective monitoring. Article 28 (1) Service User shall kept the data, information and/or documents of Service User up-to-date as referred to in Article 14 letter c including data, information and/or documents related to CDD implementation. (2) The updating of data, information, and/or documents as referred to in paragraph (1) shall be undertaken under the following circumstances: a. change of data, information, and/or document of Service User; b. changes in transaction patterns, non-conformity of transactions with the Profile of Service User, or significant increases in the risks of the Service User; and/or c. suspicion of money laundering and terrorism financing. Section Six Simplified CDD Article 29 (1) CDD measures as referred to in Article 14 may only be simplified to potential Service User, Service User, or Beneficial Owner who have been

• 20 - identified as lower risk category. (2) Simplified CDD measures may be conducted through: a. simplifying the requirement of data and identity information of Service User; b. verifying the identity of the Service User after the establishment of the business relationship; c. verifying the identity of the Service User at the time the balance or amount of transactions of the Service User reaches a certain limit; d. reducing the frequency of User Service identification updates; e. conducting on-going due diligence of Service User with certain balance or amount of transactions; and/or f. understanding the purpose and intended nature of the User Service business relationship based on an analysis of the transaction pattern or inferring from the type of product or service specified by the Service Provider. (3) Service Provider shall have policies and procedures to determine whether potential Service User, Service User, or Beneficial Owner may be categorized as low risk based on the following factors: a. Service User; b. country or geographic area; c. product or service; and d. delivery channel. (4) Service Provider may implement simplified CDD measures only if they have policies and procedures to effectively manage and mitigate the risk. (5) The simplified CDD measures are not applicable whenever there is suspicion of Money Laundering and Terrorism Financing. (6) List of Services Users subject to simplified CDD measures shall be maintained by the Service Provider. Article 30 Issuer of electronic money which:

• 21 - a. have a limited nominal value so that it is not required to record the identity data of the holder as referred to in Bank Indonesia provisions governing electronic money; and b. cannot be used to perform Fund Transfers, is not required to conduct identification and verification. Section Seven Enhanced Due Diligence (EDD) Article 31 (1) CDD measures as referred to in Article 14 shall be enhanced to potential Service User, Service User or Beneficial Owner who have been identified as higher risk category. (2) Higher risk category of potential Service User, Service User, or Beneficial Owners as referred to in paragraph (1) shall be identified based on the following factors: a. Service User; b. country or geographic area; c. product or service; and d. delivery channel. (3) Service Provider shall have policies and procedures to determine whether potential Service User, Service User, or Beneficial Owner shall be categorized as high risk. (4) Enhanced CDD measures shall be conducted through: a. obtaining additional information about the profile of Service User; b. updating the identification data more frequently; c. obtaining additional information on the intended nature and purpose of the business relationship or transaction; d. obtaining additional information on sources of funds and sources of wealth; and/or e. conducting enhanced monitoring of the business relationships or

• 22 - transactions, including by adding the criteria and selecting patterns of transactions that need further examination. (5) Service Provider shall be required to appoint a Board of Directors or Executive Officer in charge of conducting business relationships with potential Service User, Service User, or Beneficial Owner who are in high risk category. (6) The responsibilities of the Board of Directors or Executive Officers as referred to in paragraph (5) shall be carried out by: a. grant approval or rejection of potential Service User, Service User, or Beneficial Owner who are classified as high risk; and c. make a decision to continue or terminate business relationships with potential Service User, Service User, or Beneficial Owner who are classified as high risk. (7) List of Services Users subject to enhanced CDD measures shall be maintained by the Service Provider. Article 32 In the event that the Service Provider conducts business relationships with Service User and/or conducts transactions originating from high risk countries published by the Financial Action Task Force on Money Laundering (FATF) for counter measures, the Service Provider is obliged to perform EDD by requesting confirmation and clarification to the relevant authorities. Article 33 The obligation to implement EDD as referred to in Article 32 shall also apply in the event that the Service Provider conducts a transaction with a Service User suspected as unauthorized party who engage in Fund Transfer, foreign currency exchange or other financial services activities without license from competent authority. Article 34 (1) Service Provider shall have policies and procedures to determine whether

• 23 - potential Service User, Service User, or Beneficial Owner is a PEP. (2) In the case of potential Service User, Service User, or Beneficial Owner is a PEP, Service Provider shall perform EDD. (3) In addition to identification and verification procedures as referred to in Article 16, Article 17, Article 20, Article 21, and Article 23, Service Provider shall perform EDD to PEP at least consisted the following measure: a. taking the necessary steps to determine the source of funds; and b. conducting enhanced monitoring of the business relationships or transactions, including by adding the criteria and selecting patterns of transactions that need further examination. Article 35 The provisions applicable to PEP, as referred to in Article 34 shall also apply to PEP family members or close associates. Section Eight Rejection and Termination of Business Relationship Article 36 (1) Service Provider shall reject to commence business relationships, reject to undertake transactions, cancel transactions, and/or terminate business relationships in case: a. potential Service User, Service User, and/or Beneficial Owner fail to comply with the provisions of Article 16 and Article 17; b. Service Provider has a reasonable ground to suspects that potential Service User, Service User, and/or Beneficial Owner use fictitious and/or anonymous names; and/or c. Service Provider has doubts or has reasonable ground not to believe in the true identity of potential Service User, Service User and/or Beneficial Owner.

• 24 - (2) Service Provider shall document the identity of potential Service User, Service User, and/or Beneficial Owner as referred to in paragraph (1). (3) Service Provider shall report the potential Service User, Service User and/or Beneficial Owner as referred to in paragraph (1) in the Suspicious Financial Transactions report. (4) The ability of a Service Provider to reject, cancel and/or terminate business relationships with Service User as referred to in paragraph (1) shall be disclosed in the account opening agreement and notified to the Service User. Article 37 (1) In the event that the Service Provider terminates the business relationship as referred to in Article 36 paragraph (1), the Service Provider is obliged to notify in writing to the Service User regarding the termination of the business relationship. (2) In the event that after the notification as referred to in paragraph (1), the Service User does not take any outstanding funds in the Service Provider, the disbursement of the outstanding funds shall be done in accordance with the provisions of the law. Article 38 In the event that the Service Provider forms a suspicion of Money Laundering and Terrorism Financing, and reasonably believes that performing the CDD procedures may result in violation of the provision of anti tipping-off, the Service Provider: a. may stop performing the CDD procedures; and b. shall report such transactions as Suspicious Financial Transactions to PPATK. Section Nine Third Parties CDD

• 25 - Article 39 (1) Service Provider may cooperate with a third party as referred to in Article 12 to perform CDD measure. (2) Service Providers are permitted to rely on CDD measures performed by third party. (3) The third party as referred to in paragraph (1) may be: a. a party representing the Service Provider or acting for and on behalf of the Service Provider; b. other Service Provider who have perform CDD measure against potential Service User or Service User; or c. an entity in the same business group as Service Provider. (4) Service Provider shall report the reliance on third party CDD measures to Bank Indonesia. (5) Responsibility for CDD measures shall remain with the Service Provider relying on the third party. Article 40 (1) If the Service Provider rely on CDD measures performed by third party as referred to in Article 39 paragraph (3) letter a, the following provisions shall apply: a. Service Provider is deemed to perform CDD measures by itself as part of the policies, procedures, and internal control systems established by the Service Provider; b. Service Provider shall promptly obtain the CDD results, including the identification document of the Service User and other CDD supporting documents; c. Service Provider shall ensure the compliance of third parties to the provisions of this Bank Indonesia Regulation and/or to the policies and procedures of the APU and the PPT established by the Service Provider; and

• 26 - d. Service Provider is required to administer a third party register. (2) In the event that Service Provider rely on CDD measures performed by another Service Provider as referred to in Article 39 paragraph (3) letter b or an entity in the same Business Group as referred to in Article 39 paragraph (3) letter c, such Service Provider shall: a. have a cooperative relationship with a third party in the form of a written agreement; b. obtain immediately the information concerning CDD measures; c. ensure the availability of a copy of the Service User's identification document and other CDD support documents upon request; d. ensure that third parties are supervised by the competent authority over compliance with the provisions of the APU and the PPT; and e. ensuring the country where such third party is not a high-risk country. (3) Service Provider shall ensure that third parties keep the security and confidentiality of the CDD results. Section Ten Fund Transfer Article 41 (1) Identification and verification of Service User in Fund Transfer activities shall be conducted by: a. the originating Service Provider for the originator; and b. the beneficiary Service Provider for the beneficiary. (2) The obligations referred to in paragraph (1) are not applicable to the intermediary Service Provider. Article 42 (1) The information transmitted by the originating Service Provider to the

• 27 - intermediary Service Provider or to the beneficiary Service Provider shall contain at least the following information: a. the identity of the originator; b. the originator account number or unique transaction reference number; c. beneficiary’s name; and d. the beneficiary account number or unique transaction reference number. (2) For cross border Fund Transfers of less than Rp10,000,000.00 (ten million rupiahs) or equivalent, the identity of the originator as referred to in paragraph (1) letter a shall only contain the name of the originator. (3) For domestic Fund Transfers, the information accompanying the Fund Transfer from the originating Service Provider to the intermediary Service Provider or the beneficiary Service Provider may contain at least the following information: a. the originator 's account number or unique transaction reference number; and b. the beneficiary’s account number or unique transaction reference number, provided that these numbers will permit the transaction to be traced back to the originator or the beneficiary. (4) In the event of any request for information from the competent authority, the Service Provider shall submit information as referred to in paragraph (1), paragraph (2), or paragraph (3) no later than 3 (three) working days after the request is received. (5) The originating Service Provider failing to comply with the provisions referred to in paragraph (1) to paragraph (4) shall not be allowed to execute the Fund Transfer from the originator. Article 43 (1) The intermediary Service Provider shall ensure the completeness of the

• 28 - required information referred to in Article 42 accompanying the Fund Transfer from the originating Service Provider. (2) The intermediary Service Provider shall maintain and implement policies and procedures to take follow-up action, including where the Fund Transfer from the originating Service Provider lacking the required information. (3) The intermediary Service Provider shall forward all information referred to in paragraph (1) to the other intermediary Service Provider or the beneficiary Service Provider. (4) The intermediary Service Provider shall administer all information referred to in paragraph (1). Article 44 (1) The beneficiary Service Provider shall ensure the completeness of the required information referred to in Article 42 accompanying the Fund Transfer from the originating Service Provider or the intermediary Service Provider. (2) The beneficiary Service Provider shall maintain and implement policies and procedures to take follow-up action, including where the Fund Transfer from the originating Service Provider or the intermediary Service Provider lacking the required information. Article 45 The originating Service Provider acting as the beneficiary Service Provider shall take into account and analyze all information about the originator and the beneficiary in filing the Suspicious Financial Transactions report to the competent authority. Article 46 The provisions referred to in Article 42, Article 43 and Article 44 is not applicable to: a. Funds Transfers using debit cards, ATM cards, credit cards or electronic

• 29 - money so long as they are used for purchase of goods or services; and b. Funds Transfers between Services Providers acting on their own behalf. Section Eleven Action on The List of Suspected Terrorist and Terrorist Organizations and The List of Funding of the Proliferation of Weapons of Mass Destruction Article 47 (1) Service Provider shall administer and update the list of suspected terrorists and terrorist organizations as well as the list of funding of the proliferation of weapons of mass destruction in accordance with the provisions of laws governing the prevention of terrorism financing and funding of the proliferation of weapons of mass destruction. (2) Service Provider shall examine the suitability of names and other information of potential Service User and Service User with the list referred to in paragraph (1). (3) In the event that there are similar names and other information from potential Service User and Service User with the list referred to in paragraph (1), the Service Provider shall freeze without delay, report them as Suspicious Financial Transaction Reports, and take other necessary actions in accordance with the provisions of laws. CHAPTER V ANTI TIPPING-OFF Article 48 (1) The Boards of Commissioners, Directors, Managers, and/or employees of the Service Provider shall be prohibited to notify the Service User or the other party, directly or indirectly, in any manners whatsoever regarding the Suspicious Financial Transactions Report which is being prepared or has been submitted to the PPATK.

• 30 - (2) The Service Provider is obliged to maintain the confidentiality of the information collected from CDD procedures in accordance with the anti tipping-off provisions as referred to in the Law governing the prevention and eradication of money laundering crime. (3) The provisions concerning the prohibition as referred to in paragraph (1) shall not be applicable for the provision of information to Bank Indonesia. CHAPTER VI COOPERATION ON AND DEVELOPMENT OF NEW PRODUCTS OR TECHNOLOGY Section One Cooperation Article 49 (1) The Service Provider shall gather information on the other party and asses the impact of the cooperative relationship to the Service Provider's Money Laundering and Financing Terrorism risk profile prior to establishing a cooperative relationship with another party. (2) In the Fund Transfer arrangement, the Service Provider providing the International Transfers service shall: a. refused to cooperate with shell bank; and b. ensuring that the counterparties do not permit their accounts to be used by shell bank. Section Two Development of New Product and Technology Article 50 (1) Service Provider shall identify and assess the risk of Money Laundering

• 31 - and Terrorism Financing as referred to in Article 7 prior to the development of new products and/or use of new technology. (2) Service Provider shall control and mitigate the risks referred to in paragraph (1). CHAPTER VII RECORD KEEPING Article 51 (1) Service Provider shall administer and retain: a. all the relevant records relating to Service User data for at least 5 (five) years since:

1. termination of business relationship or completion of transaction with Service User; or
2. irregularities of transaction with risk profile of Service User has been found; an b. all the relevant records relating to the financial transactions of Service User with the period referred to in the Law governing the company documents. (2) All the relevant records relating to Service User data as referred to in paragraph (1) letter a shall at least includes: a. the identification data of the Service User including the supporting documents; b. proof of Service User identity verification; c. results of any monitoring and analysis that have been undertaken; d. any correspondence with Service User; and e. documents relating to the Suspicious Financial Transactions Reports if any. (3) Service Provider shall immediately provide data, information, and/or documents administered when requested by Bank Indonesia, law enforcement and/or other authorized authorities in accordance with the

• 32 - provisions of laws and regulations. (4) Retention period as referred to in paragraph (1) may be longer if related to certain cases and/or requested by Bank Indonesia, relevant authorities, and/or law enforcement in accordance with the provisions of laws and regulations. CHAPTER VIII SUPERVISION Article 52 (1) Bank Indonesia shall conduct risk-based supervision on the implementation of APU and PPT by the Service Provider. (2) Risk-based supervision as referred to in paragraph (1) constitutes an ongoing supervisory activities covering the process of risk identification, monitoring and assessment. (3) The supervision of Bank Indonesia as referred to in paragraph (1) shall be conducted through on-site supervision and off-site supervision. Article 53 For supervision by Bank Indonesia, the Service Provider shall: a. identify, records and update the data of the Beneficial Owner of the Service Provider; and b. ensuring the availability of the Beneficial Owner’s data as referred to in letter a for the purposes of Bank Indonesia supervision. CHAPTER IX REPORTING Article 54 (1) Service Provider shall be obliged to submit to Bank Indonesia the following reports:

• 33 - a. reports on changes in written policies and procedures of APU and PPT as referred to in Article 6 paragraph (5) within no later than 10 (ten) working days after the changes are made; b. annual report on the implementation of APU and PPT within no later than in January of the following year; c. reports on transaction frozen, account blocked and/or transaction rejected related to the list of terrorist suspects and terrorist organization or the list of funding of proliferation of weapons of mass destruction, within no later than 10 (ten) working days since the actions taken; and d. other reports. (2) In the event that the reporting date falls on a holiday, the submission of the report shall be made on the next working day. Article 55 (1) Service Provider shall submit the Suspicious Financial Transactions report, the cash financial transaction report, the fund transfer financial transaction from and/ or to the abroad, and other reports to the PPATK as stipulated in the provisions of the law. (2) The obligation of the Service Provider to report Suspicious Financial Transactions also applies to transactions suspected related to terrorism activities or terrorism financing. (3) The submission of reports as referred to in paragraph (1) shall be conducted in accordance with the provisions issued by PPATK. CHAPTER X COORDINATION Article 56 (1) Bank Indonesia may coordinate and cooperate with other parties and authorities, both domestically and international.

• 34 - (2) The coordination and cooperation as referred to in paragraph (1) includes: a. exchange of information; b. formulation of regulations and/or guidelines; c. supervision; d. socialization; e. education and training; f. research and assessment; g. employee assignments; and/or h. development of information systems. (3) Bank Indonesia may give recommendation to other competent authorities to take supervisory actions or impose sanctions on the Service Provider who are also under the supervision of such authority. CHAPTER XI SANCTION Article 57 (1) Violation to provisions under Article 3, Article 6, Article 7, Article 10, Article 11, Article 12, Article 13, Article 16, Article 17 ayat (2), Article[AEM21] 19, Article 21 ayat (3), Article 23, Article 27 ayat (3), Article 28 paragraph (1), Article 29 paragraph (3), Article 29 paragraph (6), Article 31, Article 32, Article 33, Article 34, Article 36, Article 37 paragraph (1), Article 38, Article 39 paragraph (4), Article 40, Article 41 paragraph (1), Article 42 paragraph (4), Article 43, Article 44, Article 47, Article 48 paragraph (2), Article 49, Article 50, Article 51 paragraph (1), Article 51 paragraph (3), Article 53, Article 54 paragraph (1), Article 55 paragraph (1), Article 59 paragraph (1), and/or Article 61, shall be subject to administrative sanctions: a. to Service Provider comprising the following:

1. written warning;

• 35 -

2. obligation to pay;
3. restrictions on business activities;
4. temporary suspension of the business activities, whether in whole or in part; and/or
5. revocation of license; and/or b. to members of the Board of Directors, members of the Board of Commissioners, shareholders and/or Executive Officers Service Provider comprising the following:
6. dismissal as a member of the Board of Directors, members of the Board of Commissioners, and/or Executive Officers; and/or
7. a prohibition to become a member of the Board of Directors, members of the Board of Commissioners, Shareholders, and/or Executive Officers of institutions operating in the payment system and foreign exchange business activities, which are subject of Bank Indonesia supervision of no later than 5 (five) years. (2) The imposition of sanctions as referred to in paragraph (1) shall be based on the degree of violation, consequences and/or other factors considered by Bank Indonesia. (3) Bank Indonesia may publicly announce the imposition of sanctions as referred to in paragraph (1). Article 58 Sanctions in the form of revocation of license as referred to in Article 57 paragraph (1) letter a and/or prohibited to become members of the Board of Directors, members of the Board of Commissioners and/or shareholders as referred to in Article 57 paragraph (1) letter b may also be imposed in the case of Service Provider, The Board of Directors, members of the Board of Commissioners, Shareholders, and/or Executive Officers are found guilty of certain criminal offenses based on a court decision that has final and binding

• 36 - legal force. Article 59 (1) In the event that Bank Indonesia implements sanctions as referred to in Article 57 paragraph (1) letter b and Article 58 then: a. members of the Board of Directors, members of the Board of Commissioners, and/or shareholders are prohibited from taking decisions and/or conducting other activities that may affected the Service Provider's policy and financial condition since the date of notification from Bank Indonesia; b. Service Provider shall convene a general meeting of shareholders to dismiss members of the Board of Directors and/or members of the Board of Commissioners within no later than 20 (twenty) working days from the date of notification from Bank Indonesia; and c. the shareholders are required to transfer their shares within no later than 90 (ninety) days from the date of notification from Bank Indonesia. (2) During the period of imposition of sanctions as referred to in paragraph (1), Bank Indonesia may temporarily suspend the Service Provider's business activities. (3) In the event that after the expiration of the period referred to in paragraph (1) letter b and letter c Service Provider does not make changes to members of the Board of Directors, members of the Board of Commissioners, and/or shareholders, the following provisions apply: a. Service Provider may be subject to administrative sanctions; b. Bank Indonesia does not acknowledge any legal relationships committed by members of the Board of Directors, members of the Board of Commissioners, and/or shareholders; and c. all actions taken by members of the Board of Directors, members of the Board of Commissioners, and/or shareholders are subject to their personal liability.

• 37 - CHAPTER XII MISCELLANEOUS PROVISIONS Article 60 Bank Indonesia may stipulate parties other than the Non-Bank PJSP and the Non-Bank Money Changer as referred to in Article 2 to be subjected to the provisions of this Bank Indonesia Regulation. CHAPTER XIII TRANSITIONAL PROVISIONS Article 61 (1) Service Provider that have obtained license from Bank Indonesia prior to the enactment of this Bank Indonesia Regulation shall be obliged to adjust the written policies and procedures of APU and PPT in accordance with this Bank Indonesia Regulation no later than 6 (six) months after the enactment of this Bank Indonesia Regulation. (2) Written policies and procedures as referred to in paragraph (1) shall be reported to Bank Indonesia no later than 10 (ten) working days after the expiration of the period referred to in paragraph (1). CHAPTER XIV CONCLUDING PROVISIONS Article 62 Upon the effective date if this Bank Indonesia Regulation: a. Bank Indonesia Regulation Number 12/3/PBI/2010 concerning the Implementation of Anti-Money Laundering and Counter-Terrorism Financing Program for Non-Bank Foreign Exchange (State Gazette of the Republic of Indonesia Year 2010 Number 46, Supplement to State

• 38 - Gazette of the Republic of Indonesia Number 5118); b. Bank Indonesia Regulation Number 14/3/2012 concerning Anti Money Laundering and Counter-Terrorism Financing Program for Non-Bank Payment System Service Provider (State Gazette of the Republic of Indonesia of 2012 Number 86, Supplement to State Gazette of the Republic of Indonesia Number 5302); c. Circular Letter of Bank Indonesia Number 12/10/DPM dated March 30, 2010 concerning Standard Guidelines for Implementation of Anti-Money Laundering and Counter Terrorism Financing Program on Non-Bank Foreign Exchange; and d. Circular Letter of Bank Indonesia Number 14/38/DASP dated December 28, 2012 regarding Standard Guidelines for Implementation of Anti￾Money Laundering and Counter-Terrorism Financing Program for Non￾Bank Payment System Service Provider; is revoked and declared no longer valid. Article 63 This Bank Indonesia Regulation shall come into force on the date of promulgation. For public cognizance, this Bank Indonesia Regulation shall be promulgated in the State Gazette of the Republic of Indonesia. Enacted in Jakarta On GOVERNOR OF BANK INDONESIA, AGUS D.W. MARTOWARDOJO

• 39 - Promulgated in Jakarta On MINISTER OF LAW AND HUMAN RIGHTS OF REPUBLIC OF INDONESIA, YASONNA H. LAOLY STATE GAZETTE OF REPUBLIC OF INDONESIA OF .......NUMBER.........

ELUCIDATION OF BANK INDONESIA REGULATION NUMBER 19/10/PBI/2017 CONCERNING IMPLEMENTATION OF ANTI-MONEY LAUNDERING AND PREVENTION OF TERRORISM FINANCING FOR NON-BANK PAYMENT SYSTEM SERVICE PROVIDER AND NON-BANK MONEY CHANGING SERVICE PROVIDER I. GENERAL In accordance with the Law concerning Prevention and Eradication of Money Laundering Crime (UU TPPU) and the Prevention and Eradication of Criminal Acts of Terrorism Financing (UU TPPT), Bank Indonesia is one of the Supervisory and Regulatory Agency (LPP) which has the authority to supervise, regulate, and impose sanctions on the reporting parties in the implementation of the laws and regulations regarding anti-money laundering and the prevention of terrorism financing. The reporting party under the authority of Bank Indonesia is the Non￾Bank Payment System Service Provider (PJSP) which consists of issuer of card based payment instruments (APMK), issuer of electronic money, electronic wallet Service Provider, and fund transfer Service Provider. In addition to PJSP other than Bank, the reporting party which is also under the authority of Bank Indonesia is the non-bank money changer. To exercise such authority, Bank Indonesia shall issue Bank Indonesia Regulation concerning the implementation of Anti-Money Laundering and Prevention of Terrorism Financing (APU and PPT) and supervise its implementation. This Bank Indonesia Regulation has been aligned with FATF's recommendation that sets benchmarks for countries around the world to implement Anti-Money Laundering and Prevention of Terrorism Financing (APU and PPT). The FATF recommendations continue to be adjusted in line with the development of money laundering and terrorism financing practices. The development of technological innovation encourages the development of products or services and business models of payment system activities becomes more advanced and complex. In addition, information technology development has eliminated state boundaries that facilitate the occurrence of transnational crime organized (transnational crime) so that the risk of money laundering and financing of terrorism is increasing.

• 2 - In order to anticipate these developments, Bank Indonesia deems it necessary to improve the regulation and implementation of APU and PPT in the field of payment system and foreign exchange, so there is a balance between efforts to control the risk of Money Laundering and Countering the Financing of Terrorism and efforts to support the use of national economic activity. An approach which is recommended by FATF in implementing APU and PPT is to use a risk based approach, taking into account risk factors associated with customers, products, geographic areas, and delivery channels. A risk-based approach shall be applied either by the Provider in conducting its business activities or by Bank Indonesia in conducting oversight. By using a risk-based approach, it is expected that the management of monitoring resources can be applied to areas of high risk. Management and mitigation of Money Laundering and Financing of Terrorism risk should also be conducted in an integrated manner with the results of the national and sectoral risk assessment. The issuance of this Bank Indonesia Regulation aims to support the pursuit of a more robust, more resilience, and higher-integrity financial system that is in line with the efforts to create a safe, efficient, smooth, and reliable payment system that contributes to the economy, monetary stability, and financial system stability, with due observance to financial inclusion, customer protection, and national interest. II. ARTICLE PER ARTICLE Article 1 Self-explanatory. Article 2 Paragraph (1) Letter a The obligation to implement APU and PPT is based on the grounds and considerations that the party is establishing a business relationship in the form of opening an account and/or providing a fund transfer facility. Letter b

• 3 - Self-explanatory. Paragraph (2) Letter a "Fund transfer Service Provider" means Provider of funds transfer as referred to in the Bank Indonesia regulations governing the fund transfer. Letter b "Issuer of card based payment instruments (APMK)" is the issuer of debit card, ATM card and/or credit card as referred to in the Bank Indonesia regulations governing card based payment instruments. Letter c "Issuer of electronic money" means the issuer of electronic money as referred to in Bank Indonesia regulations governing electronic money. Letter d "Electronic wallet Service Provider" means Electronic wallet service provider who provides electronic services to store payment instrument data and collect funds to make payments as referred to in the Bank Indonesia regulations governing operation of payment transaction processing. The fulfillment of the provisions in this Bank Indonesia Regulation for the Provider of electronic wallets shall be limited to the funds held in the electronic wallet. Article 3 APU and PPT implementation is aligned with the implementation of good corporate governance principles. Article 4 Self-explanatory. Article 5 Self-explanatory. Article 6

• 4 - Paragraph (1) Self-explanatory. Paragraph (2) The scope of policies and procedures can be adjusted if: a. Service Provider only provides services to other Providers and does not deal directly with Service User, such as Intermediary Service Provider in Fund Transfers; or b. Service Provider does not engage in Fund Transfer activities, such as a Non-Bank Money Changer. Letter a CDD policies and procedures shall include:

1. establishing business relationship with Service User;
2. identification and verification of the identity of the Service User and Beneficial Owner if any;
3. determining the risk profile and grouping of Service User into low, medium, or high risk;
4. monitoring of transactions with regard to the Service User rofile; and
5. rejection to establish business relationships, rejection to undertake transactions, and termination of business relationships. Letter b Management of data, information and documents procedures shall include:
6. updating of data, information, and documents; and
7. the provision of data, information, and documents for internal purposes such as compliance units, internal audit units, and other business units as well as for competent authorities such as Bank Indonesia, PPATK, law enforcement and authorized authorities. Letter c The reporting procedures shall include:
8. identification, analysis, investigation, and reporting of Suspicious Financial Transactions;
9. other reporting obligation related to the implementation of APU and PPT, such as cash transactions reports and

• 5 - cross border transfer reports; and

3. data security and confidentiality of the report. Paragraph (3) Fund Transfer policies and procedures include: a. receiving and/or sending Fund Transfers; b. ensuring completeness of the required information in Fund Transfers and follow-up actions; and c. completing funds payment to the beneficiary. Paragraph (4) Self-explanatory. Paragraph (5) Self-explanatory. Article 7 Paragraph (1) Self explanatory. Paragraph (2) Letter a Customer risk factor is determined by, including but not limited to, type of employment, nationality, business, scale of business activity, and ownership. Letter b Country or geographic risk factor is determined by, including but not limited to, the location of delivery and/or receipt of funds, or territories adjacent to another country. Letter c Product or service risk factor is determined by, including but not limited to, the use of cash, the limit of transactions that can be made, the use of new technology, the availability of the Person to Person (P2P) and Cross Border Fund Transfer features. Letter d Delivery channel risk factor is determined by, including but not limited to, the use of web-based platforms, the internet or other media that enable transactions to be

• 6 - made without face-to-face relationships, and the use of third parties in conducting business relationships with Service User. Paragraph (3) The results of risk identification and assessment by the competent authorities include National Risk Assessment (NRA) and Sectoral Risk Assessment (SRA). "Competent authority" shall mean Bank Indonesia, PPATK, and/or other competent authorities. Paragraph (4) Self-explanatory. Paragraph (5) Self-explanatory. Paragraph (6) Enhanced measure risk management and mitigation are conducted such as by tightening the procedures for establishing business relationships, increasing the frequency of data updating, and strengthening the mechanisms to detect Suspicious Financial Transactions. Article 8 Letter a Pre-employee screening is a procedure for identifying prospective employee profiles in order to ensure that the financial industry is conducted only by people who have high standards of ethics, integrity, and professionalism. Letter b Monitoring of employee profile (know your employee) can be conducted through the identification of employee’s background, character, behavior, and lifestyle. Letter c Training programs and continuous improvement of employee awareness include:

1. the implementation of laws and regulations related to the APU and PPT;
2. techniques, methods, and typologies of Money

• 7 - Laundering and Financing of Terrorism; and

3. policies and procedures for the implementation of APU and PPT and the roles and responsibilities of employees in preventing and combating Money Laundering and Financing of Terrorism. Article 9 Letter a Service Provider who have a small business scale, simple technology or a low level of risk of Money Laundering and Terrorism Financing may appoint a Board of Directors or Executive Officer who has the function or responsibility to ensure the effectiveness of APU and PPT in the day-to-day implementation. Letter b Self-explanatory. Letter c Implementation of APU and PPT audit can be conducted by internal auditors or external auditors, as long as Service Provider can ensure the independency and objectivity on its implementation. The frequency, coverage, and depth of the audit are adjusted to the characteristic, scale, and complexity of the Service Provider's business activities as well as the risk level of the Service Provider. Audit coverage includes review of:
4. adequacy of risk management and mitigation policies and procedures;
5. the effectiveness of the implementation of policies and procedures;
6. the quality of parameters applied to identify risks; and
7. effectiveness of implementation of human resource management policies and procedures. Article 10 Paragraph (1) "Subsidiary" means a company whose majority ownership of

• 8 - shares and/or control is in the Provider. Branch office shall be defined as all offices that perform operations and provide services for Service User. Paragraph (2) Letter a Exhange of information is conducted in the framework of CDD implementation and risk management of Money Laundering and Terrorism Financing. Letter b Data and information from subsidiaries and branch offices include Service User profiles, accounts, and/or transactions, as well as Money Laundering and Terrorism Financing typology and modus. Letter c Self-explanatory. Article 11 Paragraph (1) Self-explanatory. Paragraph (2) The report to Bank Indonesia is accompanied by explanations, related provisions, and/or letters or information from the competent authority in the country of domicile of subsidiaries and branch offices where possible. Article 12 "Third party" means a party representing a Service Provider or acting for and on behalf of the Service Provider in making direct connection with a potential Service User or Service User. Third party includes agent, cash payment point (TPT), and digital financial services (LKD) agent of the electronic money issuer. Article 13 Self-explanatory. Article 14 Letter a

• 9 - In order to conduct identification, Service Provider classifies the Service User into groups of individual persons, corporations in the form of legal entities or business entities, and other legal arrangements. Service Provider categorizes the Service User according to the risk level of low risk, medium risk, or high risk. The determination of the Service User risk level may be based on identity, business location, risk profile, transaction amount, income, and ownership structure of Service User. Letter b In order to verify the parties acting for and on behalf of the Service User, verification shall be made to the grantor and assignee, and the power granted to the assignee. Letter c Continuous monitoring shall be conducted such as by analyzing the suitability of the transactions with the Service User profile including the source of funds if necessary. Letter d The Service Provider may directly obtain information about the the purpose and intended nature of the transaction/business relationship and the source of funds from the Service User, or may inferring the information, as long as Service Provider can ensure validity of the information. . Article 15 Letter a Self-explanatory. Letter b With regard to two or more linked, correlated, or separated transactions which appear to be restructured into a number of small transactions to avoid the provisions of this Bank Indonesia Regulation, Service Provider shall treats them as a single transaction. Letter c Self-explanatory. Letter d

• 10 - CDD procedures are conducted without regard to any threshold or limit of transaction when there are indications of Suspicious Financial Transactions related to Money Laundering and/or Terrorism Financing. Letter e Self-explanatory. Article 16 Paragraph (1) The submission of identification data and information can be done directly or through technology/electronic means. Letter a Number 1 Self-explanatory. Number 2 Self-explanatory. Number 3 Information on other residential address is required if potential Service User or Service User have residential address which is different from the address registered on the identity document. Number 4 Self-explanatory. Number 5 Self-explanatory. Number 6 Self-explanatory. Number 7 Self-explanatory. Number 8 Self-explanatory. Number 9 Signature shall includes digital signature as stipulated in laws and regulations. Biometeric data is in the form of fingerprints of Service User.

• 11 - Letter b Number 1 Self-explanatory. Number 2 Self-explanatory. Number 3 Self-explanatory. Number 4 Business license shall include other business licenses equivalent to the permits issued by the authorized institution. Number 5 The Provider may request information about the address of registered office of other business activities if necessary. Number 6 Self-explanatory. Number 7 Self-explanatory. Number 8 For corporation other than limited liability company, shall be in the form of the name of natural person having similar or equal position with board of Directors in limited liability company. Number 9 For corporation other than a limited liability company or corporation which does not use shares as a measure of ownership, shall be in the form of the name of natural person who has the authority to influence or control the corporation without having to obtain authorization from any parties. Number 10 Self-explanatory. Letter c

• 12 - Legal arrangement shall include trustee arrangement. Example of commercial bank as a trustee is the trust manager or trust recipient. Number 1 Self-explanatory. Number 2 License shall include other license equivalent to the permits issued by the authorized institution. Number 3 Self-explanatory. Number 4 Self-explanatory. Number 5 Self-explanatory. Paragraph (2) Letter a Number 1 Self-explanatory. Number 2 Self-explanatory. Number 3 For Individual potential Service User or Service User who are of foreign nationals, the passport shall be accompanied by a resident permit card in accordance with the provisions of immigration laws and regulations if the business relationship with the Service Provider is established in the form of account opening or other sustainable business relationship. Residence permit documents can be replaced by other documents which may provide confidence to the Service Provider regarding the profile of the foreign potential Service User such as reference letters from: a) an Indonesian citizen or an Indonesian company/institution/government

• 13 - regarding the profile of a foreign potential Service User; or b) the bank in the country or jurisdiction of the domicile of the foreign potential Service User, in which the country or jurisdiction is not classified as high risk. Number 4 Other official documents issued by Government Agencies shall be in the form of other identity documents displaying photos of potential Service User or Service User, and containing identity information. Letter b Deed of establishment and Corporation license shall be in accordance with the form of legal entity or business entity and business field undertaken. Letter c Self -explanatory. Article 17 Self-explanatory. Article 18 Paragraph (1) Including by requesting more than one identity document, for example in addition to the identity card may also ask for a passport or driving license. Paragraph (2) Self-explanatory. Article 19 "State agencies" means an institution which has executive, judicial, or legislative authority. "Government agency" means an unit of government organization that performs its duties and functions, including: a. coordinating ministries; b. state ministries;

• 14 - c. ministries; d. non-ministerial state institutions; e. provincial government; f. city government; g. district government; h. state institutions established under the Act; and i. state institutions that perform government functions using state budget revenues and/or regional expenditure budgets. Documents for institutions, agencies or representatives shall be in the form of appointment letters to the competent authorities representing institutions, agencies or representatives in conducting business relationships. Article 20 Service Provider ensures the use of more valid data, information, and documents when the risks of Money Laundering and Terrorism Financing are higher. Article 21 Paragraph (1) Letter a Face-to-face meetings can be conducted through direct face-to-face meetings or through technological means such as video calls. Letter b Use of other methods include using biometric data and real time online photo submission. Paragraph (2) Letter a The use of other methods includes using the technology and communication media, to verify the identity of the Service User. Letter b Self-explanatory. Paragraph (3) Submission of reports by the Service Provider, among others,

• 15 - accompanied by explanation of the verification method to be applied and the technology to be used. Article 22 Paragraph (1) Self-explanatory. Paragraph (2) The risk management of Money Laundering and Terrorism Financing among others can be conducted through: a. limitation of nominal value, number of transaction, and/or type of transaction that Service User may perform; and b. monitoring the complex transactions, with unusual amounts or patterns . Completion of verification shall be conducted immediately after the establishing of business relationship within the time limit according to normal conduct of business. Article 23 Paragraph (1) Self-explanatory. Paragraph (2) Self-explanatory. Paragraph (3) For Corporation other than limited liability company, such as a foundation or association, or corporation that not using shares as a measure of ownership, the Beneficial Owner of the Corporation is an individual who, according to the assessment by Provider, has the authority to influence or control the Corporation without having to obtain authorization from any parties. Paragraph (4) Letter a The legal relationship between any potential Service User or Service User with Beneficial Owner is indicated, among others, by assignment letter, letter of agreement, or a power of attorney.

• 16 - Letter b Self-explanatory. Letter c Self-explanatory. Article 24 Paragraph (1) Self-explanatory. Paragraph (2) Example of Corporate control through another form of control is the ability to appoint or replace the Board of Directors of the Corporation. Article 25 Letter a Self-explanatory. Letter b Self-explanatory. Letter c Public company or issuer is a company that is required to disclose information on the control of the Corporation transparently to the public, including its subsidiary whose majority shares are owned by the company. Article 26 Self-explanatory. Article 27 Paragraph (1) On-going due diligence is conducted by analyzing all transactions, especially Suspicious Transactions, among others, complex transactions, with unusual amounts or patterns, as well as out of Service User’s profile or suspected of having no clear economic objectives. On-going due diligence also includes on-going due diligence of: a. transactions of Service User who conduct business relationship with the Service Provider without using any

• 17 - account; and b. transactions processed through a system or network belonging to the Service Provider eg. intermediary Service Provider in fund transfer. On-going due diligence can be conducted on transactions that have occurred (post transaction) within a certain time. Paragraph (2) Self-explanatory. Paragraph (3) The complexity of business scale and service can be identified from the number of office networks, the number of Service User, the number of product variations and product features. The on-going due diligence system may use a computerize system or using other methods/means to: a. identify, analyze, monitor and report effectively regarding profiles, characteristics and/or patterns of transactions conducted by Service User; and b. tracking every transaction, if necessary, including tracking the identity of the Service User, the form of the transaction, the date of the transaction, the number and the denomination of the transaction, as well as the source of fund. Article 28 Paragraph (1) Data, information and/or documents of Service User include those data, information and/or documents that are collected in the CDD procedures. Service User includes new Service User and existing Service User. Paragraph (2) Self-explanatory. Article 29 Paragraph (1) Self=explanatory. Paragraph (2)

• 18 - CDD measures should be applied proportionately to risk factors that have been identified as lower risk category. Paragraph (3) Letter a Services User that belong to low risk category include:

1. a state institution or government agency;
2. a company majority owned by the government;
3. a public company or issuer subject to the provisions of legislation governing the obligations of financial transparency; or
4. service user of products or services made for government programs related to poverty alleviation. Letter b Countries or geographic areas that belong to low-risk category include:
5. a country that has a high level of good governance as determined by the World Bank; and/or
6. countries that have a low level of corruption risk as identified in the transparency international corruption perception index. Letter c Products or services that belong to low-risk category include:
7. products or services tailor-made to support government programs in the context of financial inclusion, enhancement of community welfare, poverty alleviation and/or aimed at persons with disabilities, who are limited in number and use; and/or
8. products or services made with limited purpose, usability, features, Service User, balances, or limits and at the risk of effective Money Laundering and Counter-Terrorism Funding. Letter d Low risk delivery channels shall include transactions

• 19 - through direct meetings and small amount. Paragraph (4) Policies and procedures to effectively manage and mitigate the risk shall contain low risk category assessment and simplified CDD procedures. Paragraph (5) Self-explanatory. Paragraph (6) The list created shall includes, among others, information on the reasons for determining that it is classified as low risk. Article 30 Self-explanatory. Article 31 Paragraph (1) Self-explanatory. Paragraph (2) Letter a Service User that belong to high risk category include:

1. PEP, PEP family, or related parties with PEP (close associates);
2. having a high risk business field;
3. appoint a third party to open a business relationship or transaction; or
4. listed on the terrorist suspect list and terrorist organization or list of funding proliferation weapons of mass destruction. Letter b Countries or geographical areas that belong to the high risk category among others are:
5. jurisdictions that are identified as countries that do not implement FATF recommendations adequately based on assessments by organizations such as Financial Action Task Force on Money Laundering (FATF), Asia Pacific Group on Money Laundering (APG), Caribbean

• 20 - Financial Action Task Force (CFATF), Committee of Experts on the Evaluation of Anti-Money Laundering Measures and the Terrorism Financing (MONEYVAL), Eastern and Southern Africa Anti-Money Laundering Group (ESAAMLG), The Eurasian Group on Combating Money Laundering and Terrorism Financing (EAG), The Grupo de Accion Financiera de Sudamerica (GAFISUD), Intergovernmental Anti-Money Laundering Group in Africa (GIABA), or Middle East & North Africa Financial Action Task Force (MENAFATF);

2. the country identified as not cooperative or as tax haven by Organization for Economic Cooperation and Development (OECD);
3. countries with low levels of good governance as determined by the World Bank;
4. countries that have a high level of corruption risk as identified in the transparency international corruption perception index;
5. countries that are widely known to be a producer and center for drug trafficking;
6. countries subject to sanctions, embargoes or otherwise, such as by the United Nations; or
7. a state or jurisdiction identified by a trustworthy institution, as a financier or supportive of an act of terrorism, or which permits the activities of a terrorist organization in its country. Letter c Products or services that belong to the high-risk categories include:
8. private banking or similar business relationship;
9. anonymous transactions which are mainly made in cash; or
10. payments received from unknown or unrelated third parties.

• 21 - Letter d Delivery channels of high risk criteria, among others, are transactions made online with a large amount. High risk criteria may refer to independent and reliable sources such as Bank Indonesia, PPATK and other relevant authorities, including National Risk Assessment (NRA) and Sectoral Risk Assessment (SRA) results. Paragraph (3) Self-explanatory. Paragraph (4) Self-explanatory. Paragraph (5) Self-explanatory. Paragraph (6) Self-explanatory. Paragraph (7) Self-explanatory. Article 32 Self-explanatory. Article 33 Self-explanatory. Article 34 Paragraph (1) Examples of foreign PEP are those who are authorized to perform prominent functions by other countries, such as heads of state or government, senior politicians, senior government officials, military officials, law enforcement officials, Senior Management in state-owned enterprises, or important officials in political parties. Examples of domestic PEP are those who are authorized to perform a prominent function by the state, such as heads of state or government, senior politicians, senior government officials, military officials, law enforcement officials, Senior Management in state-owned enterprises, or important officials

• 22 - in political parties. Examples of PEP in international organizations are those authorized to perform prominent functions by international organizations, such as Senior Management, including among others directors, deputy directors, and equivalent members of the board or function. Paragraph (2) Implementation of EDD is conducted on foreign PEP, domestic PEP, or any person authorized to perform prominent functions in international organizations eg International Monetary Fund (IMF), World Bank, United Nations (UN), Organization for Economic Co-operation and Development (OECD), the Asian Development Bank (ADB), and the Islamic Development Bank (IDB). Paragraph (3) Self-explanatory. Article 35 “PEP family members” means members of PEP family to the second grade, horizontally or vertically, namely: a. biological/step/foster parents; b. biological/step/foster siblings c. biological/step/foster children; d. biological/step/foster grandfather or grandmother; e. biological/step/foster grandchild; f. biological/step/foster siblings of parents; g. husband or wife; h. in-laws; i. husband or wife of biological/step/foster child; j. grandfather or grandmother of a husband or wife; k. husband or wife biological/step/foster grandchild; l. biological/step/foster sibling of siblings of husband; and/or m. wife and husband or wife from relatives. PEP close associate shall includes: a. companies owned or managed by PEP; or b. publicly known parties have close links with PEP, for example:

• 23 - drivers, personal assistants, and private secretaries. The PEP criteria, family members of PEP, and related parties to PEP may refer to independent and reliable sources such as Bank Indonesia, PPATK, and other relevant authorities. Article 36 Paragraph (1) Self-explanatory. Paragraph (2) The obligation of the Service Provider to record data, information, and/or documents of potential Service User, Service User, and Beneficial Owner is intended as a supporting document for reporting Suspicious Financial Transactions to PPATK. Paragraph (3) Self-explanatory. Paragraph (4) Selfexplanatory. Article 37 Paragraph (1) "Business relationship" means business relationship by using account which is APMK, electronic money, and electronic wallet. Notice may be made in writing addressed to the Service User in accordance with the address listed in the Service Provider’s database. Paragraph (2) The settlement of the remaining Service User’s funds is in the form of transfer of the remaining funds to the Property and Heritage Agency (Balai Harta Peninggalan). Article 38 "Anti tipping-off" means a prohibition for the Board of Directors, Commissioners, Board of Directors, and/or employees of the Service Provider notifying the Service User or other parties, either directly or indirectly, in any way regarding the Suspicious Financial

• 24 - Transactions report being prepared or has been submitted to PPATK. Article 39 Paragraph (1) Self-explanatory. Paragraph (2) Self-explanatory. Paragraph (3) Letter a The third party representing the Service Provider or acting for and on behalf of the Service Provider in dealing with prospective Service User or Service User directly, among others, is agents in cooperation with the Service Provider. Agents include marketing agents, cash payment points (TPT), and digital financial services agencies (LKD) from electronic money issuers. Letter b Other Service Provider may be other Financial Service Provider that are monitored and regulated by Bank Indonesia or other relevant authorities. Letter c Self-explanatory. Paragraph (4) Self-explanatory. Paragraph (5) Self-explanatory. Article 40 Paragraph (1) Letter a Self-explanatory. Letter b Self-explanatory. Letter c The obligation to ensure the compliance of third parties is conducted in the form of:

• 25 -

1. state the obligations of the third parties to comply with the provisions of this Bank Indonesia Regulation and/or the policies and procedures of the APU and PPT in a written agreement;
2. train or educate the third parties concerning the provisions of this Bank Indonesia Regulation and/or the policies and procedures of the APU and PPT; or
3. periodic monitoring and evaluation of third parties for compliance with the provisions of this Bank Indonesia Regulation and/or the policies and procedures of the APU and PPT. Letter d The Service Provider should be able to provide information on third parties who cooperate with the Service Provider if requested by Bank Indonesia or other competent authority. Paragraph (2) Letter a Self-explanatory. Letter b Self-explanatory. Letter c Self-explanatory. Letter d "Competent authority" means the authority of the country to which the third party originated, who supervise the compliance of the third party with the provisions of the APU and PPT. Letter e Self-explanatory. Paragraph (3) Self-explanatory. Article 41 Paragraph (1)

• 26 - Letter a "Originating Service Provider" means a Fund Transfer Service Provider which receives a Fund Transfer order from the originator to pay or to orders another Service Provider to pay a certain amount of funds to the beneficiary as referred to in the Act governing the Fund Transfer. "Originator" means the party who initially issue a Fund Transfer order as referred to in the Act governing the Fund Transfer. Letter b "Beneficiary Service Provider” means a Fund Transfer Service Provider which makes payments or delivers the proceeds of transfers to beneficiary as referred to in the Act governing the Fund Transfer. Beneficiary Service Provider shall includes Service Provider which makes payments in cash or equivalent, either directly or through an agent, intermediary or TPT. "Beneficiary" means the party stated in the Fund Transfer Order to receive the funds transferred as referred to in the Act governing the Fund Transfer. Paragraph (2) "Intermediary Service Provider" means a Fund Transfer Provider other than the originating Service Provider and the beneficiary Service Provider as referred to in the Fund Transfer Act. Article 42 Paragraph (1) Identity includes name and address which may be accompanied by other information such as identity number, place and date of birth or other information in accordance with the provisions of law and regulation. "Unique transaction reference number" means letter, number, and/or symbol used in system or payment procedure and funds transfers settlement which enables the tracking of funds

• 27 - transfer transactions, in lieu of account number. Required information submitted by the ordering Service Provider to the intermediary Service Provider or beneficiary Service Provider is also should be included in the Fund Transfer Order which is bundled into a batch file. Paragraph (2) "Cross Border Fund Transfer" means a fund transfer in which at least 1 (one) Service Provider between the originating Service Provider, intermediary Service Provider, and beneficiary Service Provider, is located outside the territory of the Republic of Indonesia. Paragraph (3) Self-explanatory. Paragraph (4) Self-explanatory. Paragraph (5) Self-explanatory. Article 43 Paragraph (1) The intermediary Service Provider ensures the completeness of information including through post event monitoring or real time monitoring where possible. Paragraph (2) Follow-up actions by the intermediary Service Provider may be as follows: a. executing transactions; b. rejecting transactions; c. suspend transactions; or d. other necessary actions including reporting such transactions to the competent authorities as required. Determination of the follow-up action is conducted by considering the level of risk faced by the beneficiary Service Provider. Paragraph (3) Self-explanatory.

• 28 - Paragraph (4) Self-explanatory. Article 44 Paragraph (1) The beneficiary Service Provider shall ensure the completeness of the information including through post event monitoring or real time monitoring in case it is possible. Paragraph (2) Follow-up action by the beneficiary Service Provider may be as follows: a. executing transactions; b. rejecting transactions; c. suspending transactions; or d. other necessary actions including reporting such transactions to the competent authorities as required. Determination of the follow-up action is conducted by considering the level of risk faced by the beneficiary Service Provider. Article 45 The Suspicious Financial Transaction Report submitted to the competent authority of another country shall be also submitted to PPATK. Article 46 Letter a Funds Transfer using debit cards, ATM cards, credit cards, or electronic money can be traced, among others, through card numbers. Payment of goods or services does not include Person to Person (P2P) Fund Transfer. Letter b Self-explanatory. Article 47 Paragraph (1)

• 29 - Service Provider ensures the availability of terrorist suspected lists and terrorist organizations as well as lists of funding of weapons of mass destruction proliferation in all the Provider's branches. Paragraph (2) Self-explanatory. Paragraph (3) Other necessary actions include preparing the blocking report and sending it to the competent authority, and rejecting and/or terminating the business relationship with the Service User. Article 48 Self-explanatory. Article 49 Paragraph (1) Service Provider collects information such as: a. counterparty profiles including products and their Service User; b. country of domicile and the operational territory of the counterparty including the parent or group of business as long as deemed necessary; c. license to conduct business activities; and d. other relevant information such as the financial reputation and compliance with applicable laws, ownership structure, and management structure. Service Provider may obtain information, among others, through sources accessible to the public to the extent that they could ensure its reliability. Cooperation relations include cooperation of domestic Fund Transfer, remittance or Cross Border Fund Transfer, and cooperation related to payment services. Paragraph (2) "Shell bank" is defined as a bank or shell financial institution established and licensed in a country or territory in which they have no physical office and/or have no affiliation with a financial institution that is regulated and consolidated

• 30 - supervised by a competent authority. Article 50 Paragraph (1) Product development includes the development of business models and delivery mechanisms. Paragraph (2) Self-explanatory. Article 51 Paragraph (1) Document may be administered in its original form, copies, electronic documents, microfilm, or other documents which under applicable law may be used as valid evidence. Letter a Self-explanatory. Letter b All the relevant records relating to Service User financial transactions includes accounts, transaction journal, bookkeeping, fund transfer orders, receipts and/or proof of transaction of Service User. Record keeping of the Service User financial transaction document shall be conducted in a manner that facilitates tracking and reconstruction of transactions in the event of being requested by Bank Indonesia, law enforcement and/or authorized authorities. Paragraph (2) Self-explanatory. Paragraph (3) Self-explanatory. Paragraph (4) Self-explanatory. Article 52 Self-explanatory. Article 53

• 31 - Self-explanatory. Article 54 Paragraph (1) Letter a Self-explanatory. Letter b The report contains at least the implementation of APU and PPT by the Service Provider. Letter c Self-explanatory. Letter d Other reports include:

1. a report of the reliance of third party CDD measures, no later than 10 (ten) working days from the commencement date of the cooperation; and
2. a report requested by Bank Indonesia. Paragraph (2) Self-explanatory. Article 55 Self-explanatory. Article 56 Paragraph (1) Coordination and cooperation are implemented for the prevention and eradication of criminal acts of Money Laundering and Terrorism Financing. Paragraph (2) Self-explanatory. Paragraph (3) Self-explanatory. Article 57 Paragraph (1) Letter a

• 32 - Number 1 Administrative sanctions in the form of written warning may be accompanied by an obligation to perform or prohibition to do action in order to ensure compliance within the due date stipulated by Bank Indonesia. Number 2 Self-explanatory. Number 3 Self-explanatory. Number 4 Administrative sanctions in the form of temporary suspension of the business activities, whether in whole or in part, accompanied by the lengths of the sanctions which can be extended. Service Provider imposed with a sanction of temporary suspension of the business activities shall announce the termination of their business activities to the public on the same date as the date of the letter concerning imposition of sanctions from Bank Indonesia. The Announcements should be put at the Service Provider's office in a position that is visible and readable. Number 5 Self-explanatory. Letter b Self-explanatory. Paragraph (2) Self-explanatory. Paragraph (3) The announcement can made through the website of Bank Indonesia, newspapers, or other media. Article 58 "Certain criminal actions" means Money Laundering, Terrorism

• 33 - Financing , and predicate crime as referred to in the Law governing the prevention and eradication of money laundering, such as corruption, bribery, narcotic, psychotropic, labor smuggling, immigrant smuggling, criminal action in banking, criminal action in capital market, criminal action in insurance, customs, excise, human trafficking, trade of illegal fire arm, terrorism, kidnapping, burglary, embezzlement, fraud, money counterfeiting, gambling, prostitution, criminal action in taxation, criminal action in forestry, criminal action in environment, criminal action in marine and fishery, or other criminal action threatened with the imprisonment for 4 (four) years or more. Article 59 Self-explanatory. Article 60 Parties that may be determined to implement the APU and PPT are those conducting activities in the field of payment systems or foreign exchange services. Article 61 Self-explanatory. Article 62 Self-explanatory. Article 63 Self-explanatory. SUPPLEMENT TO STATE GAZETTE OF REPUBLIC OF INDONESIA NUMBER ……