Effective 2 January 2026, Indonesia will fully implement its new Criminal Code under Law No. 1 of 2023.
For directors, commissioners, shareholders, and business owners, this is not merely a criminal law reform-it is a shift in corporate risk exposure.
Under the new regime, business decisions, governance failures, and internal controls may now carry personal criminal consequences in situations that were previously treated as administrative, civil, or purely commercial matters.
This article outlines what business leaders must realistically anticipate, using practical boardroom scenarios, not abstract legal theory.
1. Criminal Law Is No Longer “Someone Else’s Problem”
Historically, many boards viewed criminal law as:
- Relevant only to individuals acting in bad faith, or
- A risk that could be “absorbed” by the company.
That assumption is no longer safe.
The new Criminal Code strengthens the concept that:
Corporate acts can trigger personal criminal exposure for those who control, approve, or knowingly allow them.
This does not mean every business loss becomes a crime.
It does mean that governance quality now matters in criminal risk assessment.
2. Expanded Attribution: When Corporate Acts Become Personal Risk
Under the new framework, criminal responsibility may be attributed when:
- A crime is committed for the benefit of the company, and
- The act is connected to authority, control, or omission by management.
Practical scenario
A company continues a commercial practice after repeated internal warnings that it may violate sectoral regulations.
No director personally executes the act.
Risk shift in 2026:
The question will not be “Who physically did it?”
But “Who knew, approved, tolerated, or failed to stop it?”
3. “Good Faith” Alone Is No Longer Sufficient
Many directors rely on:
- “We acted in good faith”
- “There was no intention to commit a crime”
- “This was a business judgment”
Under the new Criminal Code, intent is not the only gateway.
Negligence, omission, and recklessness-especially at management level-carry greater weight.
Practical scenario
A board approves an aggressive cost-cutting strategy that:
- Reduces compliance staffing
- Weakens internal audit functions
No immediate violation occurs.
Two years later, regulatory breaches surface.
Key risk:
The approval trail may be examined as negligent governance, not just poor business judgment.
4. Business Judgment Rule: Still Relevant, but Narrower in Practice
The Business Judgment Rule (BJR) remains conceptually relevant.
However, it is not a criminal immunity doctrine.
In practice, BJR protection weakens when:
- Decisions lack proper documentation
- Risks were identified but ignored
- No reasonable information basis existed
Practical scenario
A director approves a high-risk transaction:
- No independent review
- No legal or compliance memo
- No dissenting opinion recorded
Outcome:
Even if commercially justified, the absence of process may expose the director personally.
5. Criminal Risk Is Increasingly About Process, Not Outcome
One of the most important shifts for boards is this:
Criminal exposure now focuses more on “how decisions were made” than “whether the business succeeded.”
Losses alone do not create crimes.
Poor decision processes increasingly do.
What prosecutors will examine:
- Was there a clear decision trail?
- Were risks escalated and discussed?
- Were internal warnings documented?
- Was compliance structurally sidelined?
6. Sector-Neutral Risk: This Affects All Industries
This is not limited to “regulated sectors”.
Exposure applies equally to:
- Manufacturing
- Trading & distribution
- EPC & infrastructure
- Technology & digital businesses
- PMA and foreign-led companies
Foreign directors should note:
Physical absence does not automatically shield personal exposure if effective control or approval is proven.
7. What Boards Should Start Doing Now (Before 2026)
This is not about panic.
It is about adjusting governance posture.
Minimum anticipatory steps:
- Strengthen documentation of board decisions
- Ensure legal and compliance input is visible, not symbolic
- Record dissent and risk discussions properly
- Align internal controls with actual business risk, not formality
Practical mindset shift:
From:
“Is this commercially acceptable?”
To:
“How will this decision look under criminal scrutiny three years from now?”
Closing Perspective
The new Indonesian Criminal Code does not criminalize business.
It criminalizes irresponsible governance more clearly than before.
For directors and business owners, the real question is no longer:
“Did we intend to break the law?”
But:
“Can we demonstrate that we governed responsibly when it mattered?”
Where necessary, we can:
- Conduct a board-level criminal risk mapping
- Review governance processes against post-2026 exposure
- Translate criminal law risk into practical decision safeguards
Law, beyond borders.