POJK No. 28 of 2025 Tightens Risk Management for Non-Bank Financial Services Institutions
Introduction
On 10 November 2025, the Financial Services Authority (Otoritas Jasa Keuangan – “OJK”) issued Financial Services Authority Regulation Number 28 of 2025 on the Implementation of Risk Management for Insurance Companies, Guarantee Institutions, and Pension Funds (“POJK 28/2025”), which takes effect on 1 January 2026. The regulation sets new standards for how Insurance Companies, Guarantee Institutions, and Pension Funds (“PPDP”) manage their operational and strategic risks. It revokes and replaces Financial Services Authority Regulation Number 44/POJK.05/2020 on the Implementation of Risk Management for Non-Bank Financial Services Institutions (“POJK 44/2020”).
POJK 28/2025 implements the mandate of the Law on the Development and Strengthening of the Financial Sector (P2SK Law). In OJK’s view, the growth of the PPDP sector requires risk management that is more adequate, effective, and measurable. OJK also considered POJK 44/2020 to be general in nature and noted that it did not regulate risk management obligations for Guarantee Institutions at all. A more specific and comprehensive regulation for each industry sector was therefore required.
Comparison
Below is a comparison between POJK 28/2025 and POJK 44/2020:
Key Provisions
Obligation to Implement Risk Management
PPDP must implement Risk Management in line with their objectives, business policies, scale, and business complexity. Article 3 requires that such implementation includes four main pillars, namely: active oversight by the Board of Directors, Board of Commissioners, and Sharia Supervisory Board; adequacy of policies and procedures and the establishment of risk limits; adequacy of processes for identifying, measuring, monitoring, and controlling risks and information systems; and a comprehensive internal control system. In addition, PPDP must have written guidelines for Risk Management implementation.
Risk Classification Based on Business Type
Article 5 details the types of risk that each category of PPDP must manage. Insurance and Reinsurance Companies must manage Strategic Risk, Operational Risk, Insurance Risk, Credit Risk, Market Risk, Liquidity Risk, Legal Risk, Compliance Risk, and Reputational Risk. Guarantee Institutions must manage the same types of risk as insurance entities, with Guarantee Risk in place of Insurance Risk. Guarantee Risk covers risks arising from inadequate feasibility analysis, the setting of guarantee fees (IJP), and failure by re-guarantee partners. Pension Funds must manage Strategic Risk, Operational Risk, Credit Risk, Market Risk, Liquidity Risk, Legal Risk, Compliance Risk, and Reputational Risk. Insurance brokerage and insurance loss adjusting companies must manage Strategic Risk, Operational Risk, Legal Risk, Compliance Risk, and Reputational Risk.
Risk Management Committee and Risk Management Work Unit
Under Article 20, PPDP must establish a Risk Management Committee and a Risk Management Work Unit (or Function). The Risk Management Committee consists of half of the Board of Directors together with the relevant executive officers, and it provides recommendations to the President Director on risk strategy policies and on improvements to their implementation. The following companies are not required to establish a Risk Management Committee; for them, a Risk Management Work Unit or Function is sufficient:
- Insurance brokerage and insurance loss adjusting companies with equity below IDR 1 trillion;
- Guarantee institutions with assets below IDR 500 billion; and
- Employer pension funds with available assets below IDR 1 trillion.
The Risk Management Work Unit must be independent of the business and operational functions and must report directly to the President Director or to the Director who oversees the risk management function.
Risk Profile Reporting (Self-Assessment)
Articles 30 and 31 require PPDP to conduct a self-assessment of their risk profile. The assessment must be performed annually, with a reference date at the end of December. The results must be approved by the Board of Directors and submitted to the Board of Commissioners. The risk profile report must then be submitted to OJK through its online reporting system no later than 15 February of the following year. OJK may also request a risk assessment at any time outside the annual cycle if it considers this necessary.
Risk Management of New Business Development
PPDP must have written policies for managing the risks associated with the development or expansion of their business activities. Under Article 26, a business activity is considered “new” if the PPDP has never carried it out before, or if it has been carried out but now involves developments that significantly change the risk exposure. The policy must include an analysis of the legal aspects, a trial period for the risk measurement methods, and transparency of information to consumers.
Sanctions
Sanction provisions are spread across several articles depending on the type of violation: Article 18 (general violations of risk management implementation), Article 24 (violations of the organizational and functional provisions), Article 28 (violations of the new business development risk management provisions), and Article 33 (violations of the self-assessment and risk profile reporting provisions).
If a PPDP is found to have violated these provisions, OJK may impose the following administrative sanctions in stages:
- Written warning;
- Partial or full restriction of business activities;
- Suspension of business activities;
- Prohibition from conducting certain programs; and/or
- Reduction of soundness level.
These sanctions target both the corporation and the individuals who manage it. Under Articles 19, 25, 29, and 34, OJK may also conduct a re-assessment of Key Parties (the Board of Directors, Board of Commissioners, Sharia Supervisory Board, or Controlling Shareholders) if these provisions are violated. Failure to implement proper risk management may therefore lead to the company’s management being disqualified from holding positions in the financial services industry.
Transitional Provisions
Under Article 38, the implementing provisions of POJK 44/2020 remain in force insofar as they do not conflict with POJK 28/2025. There is also a specific provision on the first risk profile report for certain entities: Article 36 provides that Guarantee Institutions, insurance and reinsurance brokerage companies, and insurance loss adjusting companies must submit the results of their risk profile self-assessment for the 2026 period no later than 15 February 2027. This gives these entities the first full year after the regulation takes effect to prepare their risk assessment infrastructure.
Closing
POJK 28/2025 shifts OJK’s supervision from a compliance-based approach to risk-based supervision, particularly for the guarantee industry, which previously lacked detailed regulation. Businesses in the PPDP sector should promptly review their organizational structure, determine whether they are required to establish a Risk Management Committee or qualify for the exemption, and begin preparing the data infrastructure needed for the annual risk profile self-assessment. Failure to adapt before 1 January 2026 may result not only in administrative sanctions but also in a reduced reputation and soundness level in the eyes of the regulator and the public.