Director and Officer Criminal Liability in Indonesia: What Banks & Insurers Must Do in 2026

By Global Law Experts
– posted 1 hour ago

Director criminal liability in Indonesia has undergone its most significant expansion in decades. Law No. 20 of 2025, Indonesia’s new Criminal Code (KUHP), was signed by the President on 17 December 2025 and took effect on 2 January 2026, replacing the colonial-era penal code that had governed the archipelago for more than a century. For general counsel, compliance officers and M&A teams at banks and insurers, the new regime introduces broader corporate criminal liability standards, tightens the link between officer conduct and criminal exposure, and overhauls the procedural rules that prosecutors will use to investigate and charge regulated entities.

This article provides a practical, sector-specific compliance playbook, covering boardroom governance, transaction due diligence, D&O insurance analysis and internal investigation protocols, designed to help leadership teams at financial institutions act decisively in the first months of the new law.

Three urgent actions every board and GC should take now:

  1. Screen live deals. Run a criminal-risk assessment on every pending M&A transaction, joint venture and material outsourcing arrangement involving a regulated target.
  2. Review D&O policies. Confirm that existing director and officer liability insurance covers defence costs under the expanded criminal exposure, and identify exclusion gaps before renewal.
  3. Document oversight. Implement immediate board procedural safeguards: minuted approvals, evidence of active compliance oversight and escalation records that demonstrate each director’s exercise of duty.

1. What Changed: Law 20/2025 and Indonesia’s New Criminal Code

Law 20/2025 represents the culmination of Indonesia’s decades-long effort to replace the Wetboek van Strafrecht, the Dutch-colonial penal code that had been in force since 1918. The new criminal code Indonesia now operates under was passed by the legislature on 18 November 2025, signed into law on 17 December 2025 and came into force on 2 January 2026. For banks, insurers and other regulated entities, four categories of change matter most.

Corporate criminal liability expansion. The new KUHP codifies and broadens the circumstances under which a corporation, defined to include limited-liability companies, foundations and other legal entities, can be prosecuted for criminal offences. A corporation is liable when an offence is committed by a person acting in the course of, or for the benefit of, the entity, or when the offence results from the corporation’s failure to take reasonable preventive measures.

Individual officer exposure. Directors, commissioners and senior officers face personal criminal liability where they gave consent to, connived in, or were negligent in preventing corporate wrongdoing. The statute closes the gap that previously allowed officers to argue that liability attached only to the entity, not the individual behind the decision.

Sentencing and penalties. The new code introduces alternative sentencing mechanisms, including community service orders, supervisory sentences and instalment-based fines. For corporations, penalties include substantial fines, disgorgement of profits and, in serious cases, revocation of business licences, a threat with existential implications for banks and insurers dependent on regulatory permits.

Procedural changes (KUHAP). Law 20/2025 also reforms criminal procedure. Investigators now operate under updated rules governing search, seizure, detention periods and suspect rights, including expanded rights for suspects to claim indemnity for wrongful arrest or prosecution. Industry observers expect these procedural changes to accelerate the pace and rigour of white-collar crime investigations in 2026 and beyond.

Timeline of Key Legislative Dates

| Date | Event | Practical Impact |
|---|---|---|
| 18 November 2025 | Law passed by the legislature (DPR) | Final statutory text confirmed; compliance planning window opens. |
| 17 December 2025 | Presidential signature on Law No. 20/2025 | Law officially enacted; gazetted in State Gazette. |
| 2 January 2026 | Law 20/2025 (New KUHP/KUHAP) effective | Corporate criminal liability regime in force; new procedural rules apply to all investigations and prosecutions from this date. |
| 2026 (TBD) | Anticipated ministerial/regulatory implementing rules | Expect OJK, Ministry of Finance and insurance-sector regulations clarifying sector-specific obligations. Monitor and update compliance programmes as issued. |

2. Director Criminal Liability in Indonesia: Who Can Be Prosecuted?

Under the new criminal code, both the corporation and individual officers can face prosecution for the same underlying conduct. Understanding the statutory thresholds for each category of liability is essential for boards at banks and insurers designing effective corporate governance frameworks in Indonesia.

Thresholds for Personal Director Liability in Indonesia

A director or commissioner becomes personally criminally liable when the prosecution can establish one of three connecting elements between the officer and the corporate offence:

  • Consent. The officer expressly or impliedly authorised the conduct that constitutes the offence; for example, approving a transaction structure designed to circumvent anti-money-laundering reporting thresholds.
  • Connivance. The officer was aware of the wrongful conduct and, despite having the power to intervene, chose not to act, such as a bank director who knowingly permits falsified loan-quality reports to be submitted to OJK.
  • Negligence (failure to supervise). The officer failed to exercise the degree of care, diligence and oversight that a person in that position would reasonably be expected to exercise. This “passive” category represents the most significant expansion of director criminal liability Indonesia has seen, because it captures officers who may not have known about the specific wrongdoing but should have known given their role and responsibilities.

For banks and insurers, the negligence standard is particularly consequential. Prudential regulation already requires boards to exercise active oversight of risk management, compliance functions and internal audit. A director who fails to enquire into red flags, approve adequate compliance resourcing or attend material risk-committee meetings may now face not just regulatory sanctions from OJK, but criminal prosecution under the new KUHP.

Corporate Criminal Liability Standards

Corporate criminal liability in Indonesia under the new code applies when an offence is committed by a natural person acting within the scope of their role and for the benefit, or in the interest, of the corporation. Critically, the corporation can also be found liable where it has failed to take steps that could reasonably be expected to prevent the criminal conduct. This “failure to prevent” model mirrors international trends and shifts the burden onto companies to prove the existence and adequacy of their compliance systems.

The offences most relevant to banks and insurers include fraud in financial reporting, bribery and corruption of public officials, money laundering and terrorism financing, misrepresentation in insurance claims or policy issuance, breaches of prudential capital and solvency requirements, and environmental or social-governance violations linked to financed projects. Several of these offence categories are also addressed in sectoral statutes, such as the Banking Law and the Insurance Law, that retain their own penalty frameworks alongside the new criminal code.

3. Immediate Board and Compliance Actions for Banks and Insurers

Boards and compliance teams at Indonesian banks, insurers and financial holding companies should treat the first six months of 2026 as a critical remediation window. The following prioritised checklist, organised into 30-day, 90-day and 6-month horizons, is designed for insurance company compliance teams in Indonesia and banking governance functions alike.

30-Day Checklist: Must-Do Items

  • Board resolution on compliance review. Pass a formal board resolution mandating a comprehensive review of existing compliance policies, internal controls and delegation frameworks against the requirements of Law 20/2025. Owner: Board Chair / GC.
  • Minutes and record-keeping upgrade. Ensure that every board and committee meeting from 2 January 2026 onwards produces contemporaneous, detailed minutes documenting the matters discussed, the information considered, the advice received and the individual votes of each director. Owner: Corporate Secretary / GC.
  • D&O policy review. Engage the company’s insurance broker to obtain a coverage opinion on whether the current director and officer liability policy responds to claims arising under the expanded criminal code, particularly defence costs coverage. Owner: GC / CFO.
  • Legal privilege protocol. Establish a clear protocol for preserving legal professional privilege over internal communications relating to potential criminal exposure, including the appointment of external counsel to lead sensitive matters. Owner: GC.
  • Whistleblower channel audit. Confirm that the company’s whistleblower mechanism is functional, adequately resourced and aligned with the new procedural protections under the KUHAP reforms. Owner: Head of Compliance.

90-Day Programme: Policy Updates and Training

  • Compliance policy gap analysis. Complete a line-by-line comparison of existing AML/CFT, anti-bribery, fraud prevention and data-protection policies against the offence definitions in the new KUHP. Identify and remediate gaps. Owner: Compliance / External Counsel.
  • Mandatory director training. Deliver board-level training on the new criminal code, focusing on personal liability thresholds, evidentiary standards and the practical behaviours that constitute, or rebut, negligence. Owner: GC / HR.
  • Scenario testing. Run at least one tabletop exercise simulating a criminal investigation scenario (e.g., a suspected money-laundering referral from PPATK) to test the company’s escalation, privilege and regulatory-notification protocols. Owner: Head of Compliance / Risk.
  • Third-party agent review. Audit all material third-party relationships (agents, brokers, intermediaries, consultants) for corruption and fraud risk indicators. Owner: Procurement / Compliance.

Board Obligations, Evidence and Ownership

| Board Obligation | Practical Evidence (Document) | Responsible Owner |
|---|---|---|
| Oversight of AML/CFT & compliance programme | Board minutes showing quarterly compliance deep dives; risk-appetite statements; compliance dashboard reports | Chair / GC |
| Delegation and approval of high-risk transactions | Delegation-of-authority matrix; signed board resolutions; escalation email chains for transactions above threshold | Board / CEO |
| Internal investigation & remediation approval | Investigation scoping memoranda; forensic reports; remediation action plans with tracked completion dates | GC / Head of Compliance |
| Director attendance and active participation | Attendance registers; records of questions raised and information requested by individual directors | Corporate Secretary |

4. M&A Due Diligence in Indonesia: Red Flags and Transaction Templates

Every acquisition, merger or significant investment involving an Indonesian bank, insurer or financial-services company now requires an enhanced criminal-risk diligence workstream. Under Indonesia’s corporate criminal liability regime, a buyer or investor inherits not just the target’s balance sheet but also its legacy criminal exposure, including conduct that may not yet have been detected or investigated.

Enhanced Due Diligence: Mandatory Data-Room Documents

The following M&A due diligence checklist for Indonesia identifies the minimum document requests that deal teams should include in every request-for-information (RFI) for regulated-sector targets:

| RFI Item | What to Look For | Risk Level if Absent or Incomplete |
|---|---|---|
| Compliance policies (AML/CFT, anti-bribery, fraud prevention) | Current versions; evidence of board approval; training records | High, suggests weak compliance culture |
| Prior and pending investigations (regulatory, criminal, internal) | Investigation reports; OJK correspondence; police/prosecutor communications | Critical, direct indicator of existing criminal exposure |
| Regulatory fines, sanctions and enforcement actions (past 5 years) | OJK penalty notices; PPATK findings; court orders | High, pattern of non-compliance |
| Whistleblower complaints and internal-report logs | Volume, nature and resolution status of reports | Medium-High, unreported issues indicate potential concealment |
| Third-party agent and intermediary agreements | Commission structures; due diligence records; jurisdictional exposure | High, corruption and fraud channel |
| Suspicious transaction reports (STRs) filed with PPATK | Volume trends; categories; any related investigations | High, potential money-laundering exposure |
| Related-party transaction registers | Board approval records; fair-value assessments; disclosure compliance | Critical, undisclosed RPTs are a primary fraud indicator |

Contractual Protections in the SPA

Transaction documentation for deals involving Indonesian regulated entities should now routinely include criminal-risk-specific provisions. At a minimum, practitioners should consider the following contractual mechanisms:

  • Enhanced representations and warranties. Require the seller to warrant that the target is not, and has not been, the subject of any criminal investigation, prosecution or enforcement action, and that no circumstances exist that would reasonably give rise to such proceedings under Law 20/2025.
  • Specific indemnities. Carve out a dedicated indemnity for losses arising from pre-completion criminal conduct, including defence costs, regulatory fines and business interruption.
  • Escrow or price holdback. Where diligence reveals unresolved red flags, negotiate an escrow arrangement or deferred-consideration mechanism sized to cover reasonably foreseeable criminal-liability exposure.
  • Remediation conditions precedent. In high-risk cases, make completion conditional on the target implementing specified compliance remediation steps, such as appointing an independent compliance monitor or completing an internal investigation, before closing.
  • Material adverse change (MAC) clause. Ensure the MAC definition expressly captures the commencement of criminal proceedings against the target, any director or any material subsidiary.

Sample Red Flags and Recommended Deal Responses

Deal teams should employ a risk-scoring rubric. Red flags that warrant serious consideration of walkaway, price reduction or remediation conditions include: undisclosed related-party transactions with directors or commissioners; material AML investigations by PPATK or OJK that have not been disclosed in the data room; unusually high adviser or broker commissions without documented rationale; unresolved regulatory fines or pending licence-condition reviews; and evidence that the target’s compliance function lacks independence from commercial management. Where multiple red flags converge, industry observers expect that sophisticated buyers will increasingly require pre-completion remediation or apply substantial valuation discounts reflecting the cost of post-acquisition criminal-risk management.

5. D&O Insurance, Indemnities and Director and Officer Liability Management

The expansion of director criminal liability in Indonesia under Law 20/2025 places immediate pressure on director and officer liability insurance programmes at banks and insurers. Boards should treat the current policy year as an urgent review window.

Will D&O Insurance Cover Liabilities From the New Criminal Code?

The short answer is: it depends entirely on the policy wording. Standard D&O policies typically provide three categories of coverage: Side A (personal liability where the company cannot indemnify), Side B (reimbursement to the company for indemnifying officers) and Side C (entity coverage for securities claims). Criminal proceedings may trigger defence-costs coverage under Side A, but most policies contain exclusions that limit or eliminate coverage once a criminal conviction is established.

The critical distinction is between defence costs and indemnity for penalties. Many policies will advance defence costs during criminal proceedings, subject to a clawback provision if the insured is ultimately convicted of intentional misconduct. However, coverage for criminal fines, penalties or disgorgement orders is typically excluded on public-policy grounds. For banks and insurers subject to OJK oversight, there may be additional regulatory restrictions on the use of corporate funds to indemnify officers facing criminal charges.

Policy Wording to Check

  • Criminal-conduct exclusion. Review the precise trigger: does the exclusion apply upon allegation, charge, conviction or final adjudication? Policies with a “final adjudication” trigger provide the broadest interim protection.
  • Definition of “wrongful act.” Confirm whether negligent supervision, now a basis for director liability in Indonesia, falls within the policy’s definition of an insured wrongful act.
  • Entity coverage (Side C). Determine whether the corporation itself is covered for defence costs in criminal proceedings, particularly relevant where the new KUHP allows parallel prosecution of entity and officers.
  • Regulatory-investigation extension. Check whether the policy covers costs incurred during OJK or PPATK investigations that precede formal criminal charges.
  • Sub-limits and retention. Identify any sub-limits applicable to criminal-matter defence costs, and assess whether the retention (deductible) level is commercially reasonable given the anticipated cost of criminal defence in Indonesia.

Corporate Indemnification Under Indonesian Law

Indonesian company law permits a corporation to indemnify its directors and commissioners for liabilities incurred in the good-faith exercise of their duties. However, for banks and insurers, OJK regulations may impose additional constraints, particularly where the criminal conduct involves a breach of prudential obligations. Boards should obtain a formal legal opinion on the scope of permissible indemnification under both the Indonesian Company Law (Law No. 40 of 2007) and the applicable sectoral regulations before the next renewal cycle. Early indications suggest that bespoke endorsements, tailored to the expanded offence categories in the new KUHP, will become a standard feature of D&O programmes for corporate entities in regulated sectors.

6. Internal Investigations, Regulator Interaction and Reporting

When a potential criminal issue emerges within a bank or insurer, the first 48 to 72 hours are critical. The new KUHAP procedural rules give investigators expanded search and seizure powers, making early preparation and a clear response protocol essential for corporate governance best practice in Indonesia.

Regulatory Notification Considerations for Banks and Insurers

Banks and insurers operating in Indonesia should follow a structured notification sequence when a credible criminal risk is identified:

  1. Engage external counsel immediately. Appoint specialist criminal-defence or regulatory counsel to lead the response. This preserves legal privilege over investigative communications and ensures that the company’s initial interactions with regulators are strategically managed.
  2. Assess mandatory reporting obligations. Determine whether the suspected conduct triggers a mandatory notification to OJK (for prudential matters), PPATK (for suspicious transactions) or law enforcement (for offences requiring self-reporting). Failure to report where required can itself constitute an offence.
  3. Prepare a holding statement. Draft an internal and external holding statement to manage stakeholder communications. For listed companies, assess continuous-disclosure obligations under capital-markets regulations.
  4. Coordinate with D&O insurers. Provide timely notice under the company’s D&O and professional-indemnity policies. Late notification is one of the most common grounds for coverage denial.

Preservation and Chain of Custody

Immediately upon identifying a potential criminal issue, the company must issue a document-preservation notice covering all potentially relevant electronic and physical records. Key steps include suspending routine document-destruction schedules for affected business units, imaging the electronic devices and email accounts of involved personnel, securing access logs for critical systems (core banking, claims management, accounting platforms) and maintaining a chain-of-custody log for all preserved materials. These steps protect the company’s ability to cooperate with investigators, and provide evidence of good faith that may mitigate corporate and individual officer liability. Boards should consult the Indonesia country guides for broader regulatory context alongside these criminal-law measures.

7. Implementation Roadmap and Sample Templates

The following condensed roadmap and template provisions are intended as starting points. Each should be adapted to the specific regulatory environment, organisational structure and risk profile of the institution.

90-day / 180-day roadmap summary:

  • Days 1–30: Board resolution; D&O policy review; privilege protocol; minutes upgrade; whistleblower audit.
  • Days 31–90: Compliance gap analysis; director training; tabletop exercise; third-party agent review; RFI template deployment for live deals.
  • Days 91–180: Policy rewrites finalised; D&O programme restructured (renewals with bespoke endorsements); annual compliance-effectiveness testing scheduled; cluster of implementing regulations monitored and integrated.

Sample board resolution (extract): “RESOLVED that the Board of Directors hereby mandates the General Counsel, in coordination with the Head of Compliance and external legal advisers, to conduct a comprehensive review of the Company’s compliance framework against the requirements of Law No. 20 of 2025 (New KUHP) and to report findings and recommended remediation actions to the Board within 60 calendar days of the date of this resolution.”

Sample SPA clause, criminal-risk warranty (extract): “The Seller warrants that, as at the date of this Agreement and at Completion, neither the Target Company nor any of its directors, commissioners or senior officers is the subject of, or has received notice of, any criminal investigation, prosecution or enforcement proceeding under Law No. 20 of 2025 or any predecessor criminal statute, and that no facts or circumstances exist that would reasonably be expected to give rise to any such proceeding.”

For lawyers in Indonesia who specialise in these matters, and for in-house counsel seeking transaction-ready templates and tailored compliance advisory, expert guidance is essential to navigating the full scope of director criminal liability in Indonesia in this new era of enforcement.

Need Legal Advice?

This article was produced by Global Law Experts. For specialist advice on this topic, contact Bagus Nur Buwono at Bagus Enrico & Partners, a member of the Global Law Experts network.

Sources

  1. UU Nomor 20 Tahun 2025, Official PDF (JDIH)
  2. Hukumonline, Indonesia’s New Criminal Code Now Officially in Force
  3. PwC Indonesia Legal Alert, November 2025, No. 50
  4. HBtLaw, Indonesia’s New Criminal Procedure Code: Key Changes Businesses Should Know
  5. ARMA Law, Navigating the New KUHP and KUHAP: Criminal Law Reform and Corporate Risk in Indonesia
  6. MNL Law, Corporations as Legal Entities in the New Criminal Code
  7. Kusuma Law Firm, Directors’ Liability Under Indonesian Law

FAQs

What criminal offences can directors and officers be held liable for under Indonesia's New Criminal Code?
Directors and officers may face personal criminal liability for a range of offences including fraud, bribery and corruption, money laundering, terrorism financing, false financial reporting and breaches of prudential regulations. Sectoral statutes, such as the Banking Law and the Insurance Law, retain additional offence categories and penalty frameworks that operate alongside the new KUHP.
Deal teams should deploy an enhanced criminal-risk RFI covering prior investigations, regulatory fines, whistleblower complaint logs, third-party agent agreements, suspicious transaction reports and related-party transaction registers. Contractual protections, including specific criminal-risk warranties, escrows and remediation conditions, should be standard in every SPA for regulated targets.
Within 30 days: pass a board resolution mandating a compliance review, upgrade minute-keeping practices, review D&O insurance coverage, establish privilege protocols and audit the whistleblower channel. Within 90 days: complete a policy gap analysis, deliver mandatory director training and run a tabletop investigation exercise.
Coverage depends on specific policy wording. Many policies advance defence costs during criminal proceedings but exclude coverage for fines or penalties upon conviction. Boards should check the criminal-conduct exclusion trigger, the definition of “wrongful act” and whether negligent supervision is an insured event. Bespoke endorsements may be necessary.
Law No. 20 of 2025 took effect on 2 January 2026. The official text (in Bahasa Indonesia) is available as a 238-page PDF on the government’s JDIH legal database, accessible via the sources listed above.
No. A collective board decision does not automatically shield individual directors from criminal prosecution. Personal liability turns on the statutory elements of consent, connivance or negligence; the prosecution will examine each director’s individual conduct, knowledge and degree of participation in the relevant decision-making.
Key red flags include undisclosed related-party transactions involving directors or commissioners, material AML investigations by OJK or PPATK, unusually high agent or broker commissions without documented justification, unresolved regulatory fines and evidence that the compliance function lacks independence from commercial management. These indicators align with the broader global corporate law trends reshaping regulatory expectations for financial institutions worldwide.
