FinTech has been a topic of animated discussion in Japan. New businesses and products spawn and evolve by the day. The Japanese government and legacy players are keen on exploring the potential of FinTech. FinTech gathered attention and high hopes in 2018, and this will remain the case in 2019.
One of the major topics in the industry is the promotion of 'cashless' settlements. Cash has been the dominant settlement method in Japan, but the Japanese government plans to push up the cashless settlement rate to twice the current 20%, which will lead to severe competition among cashless settlement service-providers.
Another major topic is the regulation of virtual currency. Coincheck, one of the largest crypto exchanges in Japan, was hacked in January 2018. Customers’ assets under its custody equal to USD500 million were compromised due to the security breach. The Japanese Financial Service Agency (JFSA) has decided to tighten regulations and will enact new rules in 2019.
The third major topic is anti-money laundering (AML) and know your customer (KYC). With an international peer review of the Financial Action Task Force's AML compliance requirements scheduled for 2019, the JFSA has been urging financial institutions, including those within the FinTech industry, to do a better job with AML/KYC duties and suspicious transactions. The requirements are a huge burden on the lean-staffed FinTech industry, but they also came with a sweetener for the industry. Japan required online financial institutions to send physical postal mail for KYC purposes, which was an obstacle. After discussion with industry players, Japan decided to permit entirely online KYC procedures in 2018 and this amendment will definitely boost FinTech.
Dominant business models in the Japanese FinTech industry include virtual currency and blockchain, asset-management and household management tools, and payment services. Virtual currency companies gained significant revenue in 2017 and many new companies entered this field, but revenue fell in 2018. As for bank application programming interfaces (APIs), a leading company for asset management and household management tools using bank APIs was listed on the Tokyo Stock Exchange (TSE) in 2017 and a new law regarding open banking and APIs became effective in 2018. As for payment services, many companies are competing intensely to achieve cashless payment.
Because of the preference for bank savings over equity investments in Japan and because of regulations on social lending, players in robo-adviser and social lending are smaller than those in the USA, but they are making efforts to expand the market.
Remarkable start-ups exist, such as services that use artificial intelligence (AI) to improve the operations of existing financial institutions and improve InsurTech.
The main regulatory authority for the FinTech industry in Japan is the JFSA, which regulates financial institutions such as banks, security companies, insurance companies and lending companies, and oversees FinTech participants such as virtual currency exchanges, robo-advisers, online lending companies and bank API companies.
Japan adopts the separation of three powers. The National Diet's two branches legislate laws and the national government enforces the law. The JFSA is a branch of the national government. As Japan is neither a federation of states like the USA nor part of a union like the EU, the national government is the only body that oversees the finance industry, except for certain limited cases. Japan is a civil law country and unless there is written regulation, companies are not regulated. Depending on the business models, some FinTech companies are regulated and some are not regulated because there are no laws.
Japanese regulation is technology-neutral. In principle, whether FinTech or legacy, it does not cause any difference in the application of laws.
Supervising Bodies Other Than Regulators
In Japan, some financial regulations, such as the Virtual Currency Act and the API Act, require industry participants to form self-regulatory organisations (SROs), which regulate industry participants. For example, virtual currency exchanges have formed an SRO called the Japan Virtual Currency Exchange Association (JVCEA), which establishes self-regulatory rules such as the handling of virtual currency and user property management; the management of system risks and information security, contingency plans, AML/counter-terrorist financing, complaint processing and dispute processing, solicitation and advertisement, user management, and the order management system; the prevention of illicit transactions; the management of virtual currency-related information; and financial management.
Some financial regulations, such as the Virtual Currency Act, require exchanges to have both their financial statements and their system risk audited by an accounting firm.
Also, banks review new customers strictly from an AML/KYC perspective. As FinTech companies deal with 'money', they are generally reviewed more strictly than other clients.
Japan introduced a regulatory sandbox system in 2018. People who would like to implement new outstanding technology or business models can apply for the regulatory sandbox. They need to file what kind of experiments they would like to do, their limitations, such as the limitation of the participants, the amount, period and place, the related regulations and an explanation that the experiment does not violate associated regulations.
A relevant minister permits the implementation according to the advice of a committee of innovative business activities. Anyone, including foreign companies, can apply for the regulatory sandbox.
Some financial institutions outsource activities. Most financial regulations require financial institutions to have control rights over outsourcing companies. Although there are no specific provision requirements, the commission agreement with an outsourcing company usually contains provisions such as a duty of report, a duty of confidentiality and a right of inspection. If the commission agreement does not include sufficient supervision rights, the JFSA might point out that such an arrangement is insufficient.
Coincheck, one of the largest crypto exchanges, was hacked in January 2018 and a tremendous number of crypto assets were compromised. After the incident, the JFSA carried out harsh inspections of existing exchanges, and issued suspension orders and business improvement orders to them. Japan was a leading country for crypto business, but the situation dramatically changed after the hacking incident and the market has shrunk significantly.
Maneo, a crowd-lending platform, received a business investment order on 6 July 2018 because of mis-statements. The order stated that (i) Maneo collected money from investors, (ii) Maneo noted that a borrower would use the borrowed money for a particular purpose while the borrower had used the money for a different purpose, (iii) Maneo had not checked the usage of the funds and (iv) these facts constituted Maneo’s mis-statement. Japan was not friendly to crowd-lending and its market is small compared to that of the USA. The costs of stricter regulation may harm the market.
AML requirements are becoming stricter in Japan as the Financial Action Task Force will investigate Japan in 2019 and it is said that the JFSA will prepare for the investigation. The JFSA has issued an order to all financial institutions, including FinTech companies, to report their AML situation. FinTech companies generally have less focus on compliance and fewer AML specialists, and face difficulty in recruiting those specialists.
Japan has the Personal Information Protection Act (Law No 57 of 2003, the PIPA) and FinTech companies need to deal appropriately with every scenario of acquisition, processing and utilisation, taking into consideration domestic and foreign personal information protection legislation. In Japan, it was somewhat unclear whether big data fell within the definition of "personal information" where the data had been anonymised so that individuals could not be identified from it. PIPA was amended in 2017 and it became clear that "anonymously processed information" is not deemed to be personal information and is therefore subject to different regulation.
The use of social media itself is not regulated. The use of social media for advertisement is subject to the same regulation as other advertisements and must include specific required information, and it is prohibited to make false or misleading statements. It is often difficult to judge whether a post is deemed an advertisement or is just providing information.
Avoiding misleading statements is also sometimes difficult; some conservative legacy players prohibit employees from mentioning any product-related information on social networking sites (SNS). FinTech companies are less conservative and take a looser approach, and often use SNS to introduce their products.
Banks, securities companies and insurance companies are required to secure approval from the JFSA to conduct business that is different from a business that banking, security, or insurance laws permit. The JFSA reviews whether such products relate to the original business, risk, etc; thus, it is sometimes difficult for those financial institutions to provide unregulated products.
Other financial institutions – such as moneylenders, which are subject to less strict regulation – can provide unregulated products and the same entity can provide regulated and unregulated products.
Robo-advisers are rapidly spreading throughout the country. A robo-adviser is an automated online portfolio management service that uses algorithms that are based on an individual’s financial status, risk tolerance, age, time horizon, etc and it is usually available at a lower cost than a traditional investment adviser. Both FinTech start-ups and traditional financial institutions have started robo-adviser businesses. Some legacy players seem to have started robo-adviser businesses as part of their services to retail customers, especially young to middle-aged customers, who tend to be more computer literate and more sensitive to fees.
Under the Financial Instruments and Exchange Act of Japan (Law No 25 of 1948, the FIEA), an entity that provides investment advice to a third party is categorised (according to whether the service-provider has discretion regarding investment decisions) as (i) an investment adviser with no discretion or (ii) an investment manager with discretion. A service involving a robo-adviser is also categorised as investment advice or investment management with investment discretion. Therefore, these service providers are regulated by the above-mentioned regulation, while the sale of investment analysis tools/software to the public is not categorised as a regulated business. Furthermore, if the service-provider engages in (among other things) (i) buying and selling securities between its customers or (ii) acting as an agent, intermediary or broker to buy and sell securities then the service-provider is also required to register as a Type I Financial Instruments Business Operator.
Through robo-advisers, you can set up your own portfolio, directly or indirectly, through exchange-traded funds (ETF) or publicly offered funds interest, which consists of various types of foreign and domestic securities (Securities). There is no difference in licensing requirements on the asset class of the Securities. However, robo-advisers are mostly offered to retail investors, so under 'the principle of suitability' the investment adviser/investment manager is less likely to be allowed to recommend high-risk, complicated financial products to its customers.
Service-providers are required to execute trades on behalf of customers in compliance with the best execution policy. Since there are no specific issues raised or discussed in relation to the policy for robo-advisers, the service-providers must follow the policy considering price, liquidity, a probability of trade, cost, market impact, etc, like a traditional investment adviser/investment manager.
Some FinTech start-ups and joint venture companies of traditional lenders (banks and non-banks) and IT companies have started online lending services to individuals and small business owners. Such online lending services are sometimes combined with the AI-based credit model, and processing transactional data as big data.
Any entity, other than banks, that engages in providing loans to any third party is required to obtain a registration as a moneylender under the Money Lending Business Act (Law No 32 of 1983, the MLBA). There do not appear to be any big differences among loans to individuals, small businesses and others in the registration process with the regulator. However, in relation to loans to individual borrowers, amongst others, the moneylenders are subject to a restriction on the total loan amount to control excess loans to borrowers, considering their income, financial resources, credits, plans for repayment, etc, under the MLBA and its guidelines. Roughly speaking, one third of a borrower’s annual income is the upper limit. In order to comply with these restrictions, the moneylender must research and access such financial information through an application for the loan with proof or documentary evidence of income and refer to a designated credit information service-provider. Further, the moneylender must be sure to keep adequate records, conduct periodic monitoring and perform internal auditing.
Underwriting processes are set by individual moneylenders, whether they are online lenders or offline lenders, through internal rules and operation flow charts in accordance with the MLBA and the guidelines. Specifically, the moneylender must (i) not enter into the loan agreement expecting future collection of a debt by enforcement of security or performance of guarantee and (ii) carefully review the underwriting process if the lender finds the borrower applied for the loan through the reference process with “a designated credit information reference service-provider.”
While banks raise funds for loans from bank deposits, non-bank lenders raise funds mainly from other banks and non-bank lenders. Further, some non-bank lenders successfully raise funds as a financial platform of 'social lending' or 'peer-to-peer lending' from individual investors through anonymous partnerships (tokumei kumiai) and provide loans to mainly small business-owners and mid-sized corporate borrowers. Such a business model is regulated by the FIEA and the MLBA; offering an interest of the partnership requires registration as a Type II Financial Instruments Business Operator under the FIEA and providing loans obviously requires registration as a moneylender under the MLBA. In other words, peer-to-peer lending in Japan involves the registered moneylenders as a financial platform. Lastly, the syndication of traditional loans has enabled a borrower to obtain a large number of loans effectively in a single process. The syndication of loans via online lending might serve a similar function for the borrower in the future.
The methods of transference of money from payer to payee are subject to legal restrictions in Japan as follows:
If you wish to conduct business in the first case, registration as a funds transfer service under the Payment Services Act is required to transfer JPY1 million or less, and a banking licence under the Banking Law is necessary for the transfer of more than JPY1 million. If you wish to conduct business in the second case, you are required to register as an electronic payment service under the Banking Law. If you wish to conduct business in the third case, it is necessary to register under the Instalment Sales Act as a business operator that concludes handling agreements for credit card numbers, etc.
On the other hand, there are several other methods not subject to financial regulation:
The businesses regulated by the law regarding payment processors under Japanese laws are as described above and although regulations are imposed on these businesses, they can create or implement new payment rails. Payment processing service providers that enable cashless payments by linking smartphone applications and bank accounts or credit cards are currently mainstream. These companies are required to register as funds transfer service-providers under the Payment Services Act.
Fund administrators typically provide accounting and administrative services for investment funds, including calculating net asset value, providing quarterly/annual reports to investors, processing KYC and onboarding other investors (Fund Administrator Services). Fund Administrator Services are not regulated under the FIEA and other applicable laws, while other fund-related services (eg, investment management services, custody services, trustees, prime brokerage services) are broadly (and sometimes heavily) regulated. Fund Administrator Services are often provided by entities such as trust banks and boutique accounting firms.
Notwithstanding the foregoing, in relevant fund agreements such as a limited partnership agreement in the form of a limited partnership or a trust agreement in the form of a unit trust, Fund Administrator Services should be primarily performed by fund managers or trustees. Such parties, as licensed and regulated entities, have a duty of care as a good manager and a duty of loyalty. To the extent of the performance of such duties, the fund managers and the trustees as delegators must control the quality of Fund Administrator Services through monitoring fund administrators as delegates.
Although fund administrators might have the opportunity to act as gatekeepers by virtue of the fact that they examine financial statements and calculate net asset values, in actual fact, fund administrators’ roles and scope of business are still limited. Instead, the regulators seem to expect licensed financial instrument dealers to act as gatekeepers. Because of certain scandals (including Ponzi schemes), there have been amendments to the FIEA, including the stricter regulation of investment managers that (i) requires more detailed reports for trustees so that they can find any suspicious or unlawful behaviour and (ii) ensures compliance with the changes by imposing criminal penalties if managers provide false reports to trustees.
Several new trading platforms for virtual currencies and other new products have been set up alongside the traditional trading platforms for securities in Japan. The Payment Services Act (Law No 59 of 2009, the PSA) as amended in April 2017 stipulates the definition of virtual currency as a new concept that is independent of conventional financial instruments or commodities. Under the PSA, any person who engages in the purchase and/or sale of virtual currencies is required to be registered as a registered Virtual Currency Exchange Service Provider (VC Exchange Service Provider) with the JFSA and is subject to various types of regulation under the PSA.
As a trading platform for trades of traditional securities and derivatives, there exists the Financial Instruments Exchange Markets, the Proprietary Trading System and “the dark pool of liquidity,” etc. The TSE and Tokyo Financial Exchange have been acting as a licensed Financial Instruments Exchange Market. Only those registered as a Type I Financial Instruments Business Operator, etc may establish a proprietary trading system if the Type I Financial Instruments Business Operator obtains separate approval under the FIEA.
Further, the traditional venues for trading commodities have been the commodities markets (provided under the Commodity Derivatives Act). Currently, there are two licensed commodities markets for carrying out futures transactions of commodities or commodity indices in Tokyo and Osaka.
The platforms for crowdfunding may be grouped into a few categories:
The Financial Instruments Exchange has established listing standards and only stocks that meet the standards may be tradable at the Financial Instruments Exchange.
On the other hand, there are no clear listing standards with regard to virtual currency. Here is the current procedure:
If a peer-to-peer trading platform exists, such a platform will be subject to business-conduct rules in accordance with the laws applicable to the assets being traded. As described in 7.1 Permissible Trading Platforms, for example, if transactions are for securities then licences, permits, registrations, etc under the FIEA shall be required, depending on the types of securities and the form of transactions. Registration under the PSA shall be required if the transactions are for virtual currency.
The Financial Instruments Business Operator is obliged to seek the best execution under the FIEA. Specifically, the Financial Instruments Business Operators, etc are obliged to execute orders from customers for sales and purchases of securities, etc in a financial market with the best terms and conditions for the customers. Still, interpretation of the best execution policy may be open to each Financial Instruments Business Operator.
The scope of transactions of securities subject to the best execution policy is broad and includes the sale and purchase of listed share certificates, etc (share certificates, bonds with share options, etc are listed on the Financial Instruments Exchange Markets), sales and purchases of OTC traded securities, and the sale and purchase of tradable securities.
There is no legal regulation on creating a system for high-frequency and algorithmic trading (HFAT), but under the FIEA, in principle, anyone who conducts HFAT (a High-speed Trader) must be registered with the Treasury Bureau. As an exception, since the Financial Instruments Business Operators and the Authorised Firms for On-Exchange Transactions have already registered with the Treasury Bureau, it is sufficient for them to file a notification to the effect that they will perform HFAT and there is no need to register anew. An application for registration of HFAT can be granted unless there are grounds for rejecting the applicant's registration (eg, the system necessary for business execution is not maintained, the applicant lacks the necessary personnel structure, or the amount of capital is less than JPY10 million).
Acts falling under HFAT are divided into two types: (i) the purchase and sale of securities or a market derivatives transaction and (ii) entrustment of the act set forth in (i) above. The content of regulation is the same for both, and whether the High-speed Trader is a fund or a dealer, the applicable laws and rules are the same.
The High-speed Trader often acts as a market-maker. There is no registration system for acting as a market-maker that is separate from registration as a High-speed Trader. When registering as a High-speed Trader, it is necessary to submit a document stating the content and method of the business related to HFAT. When a High-speed Trader acts as a market-maker, they must state in this document that they will conduct market making.
In the ETF market of the TSE, there is a market-maker registration system based on the application. The registration application qualification for a market-maker of the ETF is to be registered as a High-speed Trader with the Treasury Bureau.
HFAT and Front-running
One of the issues related to best execution is that front-running might be performed by the High-speed Trader. In Japan, the largest stock exchange, the TSE, and the second-largest exchange, the Osaka Stock Exchange, merged in 2013, and more than 90% of domestic transactions are conducted on the TSE. The opportunity for a time-lag between exchanges has been decreased since the merger. If there is a time-lag between exchanges, there is a possibility that front-running will be performed and if HFAT takes place, the risk will increase. The FIEA prohibits front-running.
Another issue relating to the best execution obligation is payment for order flow. “In the United States, there are things like exchanges giving certain incentives to contractors such as High-speed Traders because of payment for order flow, but in Japan, there are no such systems,” said the president of the Japan Securities Dealers Association in 2015. Currently, it seems that payment for order flow is not being done in Japan.
Under Japanese law, there are no laws explicitly regulating payment for order flow. However, it might be thought that payment for order flow contradicts the principle of faithful obligation that the “trustee should not obtain its own profit through transactions done for beneficiaries” and it seems that it may be contrary to the best execution obligation.
In Japan, the best-execution obligation means “an obligation to execute under the best conditions for customers while considering conditions such as price, cost, speed, and executability based on disclosed signage and transaction information” (the Working Group on Exchanges of the Financial System Council, 9 December 2003). Although the best-execution obligation appears to be decided only by the price in the USA and the like, in Japan it is judged by considering factors other than price, so it is not considered that payment for order flow should be prohibited immediately.
In Japan, there are no specific regulations governing financial research platforms (Platforms), platform operators and platform participants.
However, depending on the type and information handled by the Platform service providers and the conduct on the Platform, regulations on the protection of personal information and finance-related business regulations may be applied, including the items below.
As mentioned in 9.1 Registration, there are no specific regulations governing Platform service-providers.
The Platform service-provider is not legally responsible for monitoring the Platform or other roles as a gatekeeper, although the Platform service-providers may play such roles as a gatekeeper on their own.
In Japan, no person may conduct insurance business without having first obtained a licence from the Prime Minister under the Insurance Business Act (Law No 105 of 1995). Insurance business means a business that undertakes to underwrite life insurance or property insurance and other insurance, and there are two kinds of licences: a life insurance business licence and a non-life insurance business licence. The same person or company may not obtain a life insurance business licence and a non-life insurance business licence.
A company that has received a life insurance business licence can undertake insurance in connection with the survival or death of individuals and insurance for injury or disease, and a company that has received a non-life insurance business licence can undertake insurance for damages caused by specific unexpected events and insurance for injury or disease.
InsurTech as Low-cost, Short-term Insurance
As getting a full insurance business licence is difficult, some InsurTech companies have started their business by registering as low-cost, short-term insurance businesses. A low-cost, short-term insurance business is allowed when the insurance period is less than or equal to a particular period (two years for non-life insurance, one year for other) and the insurance amount is equal to or less than a certain amount (the limit amount is defined for each death or obstacle, etc and the total of the limit amount for each type of insurance is JPY10 million or less). It is much easier to obtain a low-cost, short-term licence than a regular licence.
InsurTech companies that obtain the low-cost, short-term licence often try to reduce their business costs by using AI and by allowing their users to apply for insurance and conclude insurance contracts from applications on smartphones.
InsurTech and AI
There are some insurance companies that engage in InsurTech in Japan that use AI to calculate premiums; for example, measuring the number of steps and sleeping-time of the insured person by utilising a wearable terminal, and calculating the insurance premium of the insured by grasping the health condition of the insured based on this information. Also, in underwriting, the analysis and assessment of a contract risk are carried out by analysing the medical data of the insured with AI.
Japanese insurance companies analyse data about insurance using AI in underwriting, but it seems that AI does not decide whether the companies underwrite. This is considered to be due to the following provision in the Comprehensive Guidelines for Supervision of Insurance Companies of the JFSA, which poses the questions: “Does the insurance company guidance and management of sales bases and insurance agents comply with underwriting standards, etc, for insurance solicitation? Does it take measures to confirm that they are actually observing them? It is desirable to construct a system that cannot conclude insurance contracts against the underwriting standards.” In other words, while it is necessary for insurance companies to ensure compliance with underwriting standards, it is thought that they comply with underwriting standards not based on AI judgement but based on human judgement.
Further, an insurance company should attach statements of business procedures, general policy conditions and calculation procedures for insurance premiums and policy reserves to the written application for a licence. The company must also obtain approval from the JFSA. One criterion for approval is that “the method of calculating insurance premiums and policy reserves is reasonable based on actuarial analysis.” From the viewpoint of the reasonableness and validity of this actuarial analysis, analysis of the correlation with insured events (death, disease, etc) may be required in order to use various insurance data for underwriting. Even though insurance companies use AI, employees of these companies are supposed to make final decisions on underwriting so that AI does not underwrite insurance using data not correlated with insured events.
Notwithstanding the foregoing, concerning fixed, routine plans (eg, life and accident insurance at airports for overseas travel and insurance for a smartphone), since underwriting standards are also stereotyped, there are cases in which AI may underwrite them.
RegTech is the use of new technologies to solve regulatory and compliance burdens more effectively and efficiently (the Institute of International Finance, at https://www.iif.com/Innovation/Regtech).
There is no regulation in Japan on RegTech providers. RegTech companies are not deemed as financial institutions; instead, they are seen as just providing services that ease regulatory and compliance burdens.
However, financial regulations might require financial institutions to monitor RegTech providers. For example, if regulated financial institutions outsource regulatory and compliance-related activities to RegTech providers, financial laws might require them to monitor the RegTech providers.
Financial acts often require financial institutions to include supervision provisions when they outsource part of their regulated businesses to outside vendors. Supervisory provisions usually contain reporting requirements and inspection rights.
In the case of RegTech, some financial institutions include provisions that relate to accuracy. An example of these provisions is when an institution sets a target level of accuracy, conducts a sample check and pays a fee, which differs depending on the accuracy level.
Currently, there are some regulations on virtual currency; they are imposed not by the FIEA but by the PSA, as the specific act concerning virtual currency. In other words, as of 11 March 2019, blockchain assets are basically not deemed to be securities, with some exceptions (eg, when the assets constitute so-called collective investment schemes).
The PSA does, however, define regulated virtual currency (Virtual Currency), of which there are two types, Type I and Type II. Type I includes bitcoin, litecoin, ether and other virtual currencies that can be used as a payment method. Other digital tokens that can be mutually exchanged for Type I Virtual Currency, with unspecified persons acting as counterparties, are Type II Virtual Currency. In addition, tokens that are linked to any fiat currency are regulated by yet another provision in the PSA. In this regard, the JFSA currently deems almost all digital tokens (eg, alt-coins, initial coin offering tokens and so on) to be Virtual Currency, except for fiat currency-denominated assets (eg, Suica, a fiat-denominated prepaid e-money card).
In order to purchase and sell Virtual Currency, or to act as an intermediary, broker or agent for such transactions (VC Exchange Service), a business must be registered as a VC Exchange Service Provider with the JFSA in accordance with the PSA.
With regard to the virtual currency sector of blockchain technology, the JFSA supervises VC Exchange Service Providers and is currently considering amendments to virtual currency-related laws and regulations (eg, the PSA and the FIEA). In addition, the Ministry of Economy, Trade and Industry is studying the utilisation of blockchain technology through experts, but it is not proposing new rules.
Lastly, there are some other points that remain unclear with respect to the regulation of blockchain assets and the following points have been discussed: (i) whether the blockchain assets are Virtual Currency or not and (ii) what kind of business related to the Virtual Currency falls under the VC Exchange Service.
In recent years, Japanese financial institutions have been conducting demonstration experiments to examine the introduction of blockchain technologies into their own businesses and/or financial services. Specifically, there are the following examples:
As described in 12.1 Use of Blockchain in the Financial Services Industry, regulations will be considered mainly under the PSA.
In this regard, under the present PSA, there is no concept of 'issuers' or 'initial sales' with respect to virtual currency.
If blockchain assets fall under Virtual Currency and are sold commercially to third parties, registration as a VC Exchange Service is required in accordance with the PSA. The same applies to cases where intermediary, brokerage and agency services for the sale and exchange of Virtual Currency are conducted as a business.
This does not depend on whether the distributor is an 'issuer' or another party, or on whether the sale is an 'initial sale' or a 'secondary' one.
The legislative reform scheduled shortly is expected to make clear that (i) the FIEA, but not the PSA, will be applied to the issue of tokens with rights to receive profit distribution (security tokens) and (ii) the issue of tokens will be made subject to rules similar to those applied to shares, etc, such as disclosure requirements on issuers and selling/solicitation restrictions, etc on intermediaries of sales and purchases of tokens.
As described in 12.1 Use of Blockchain in the Financial Services Industry, regulations will be considered mainly under the PSA. In this regard, under the current PSA, if the blockchain assets fall under the category of Virtual Currency and secondary distribution transactions in those assets, such as sales, exchange or intermediary services, are conducted (eg, by transaction platform companies and intermediaries), it is necessary to obtain registration as a VC Exchange Service under the PSA.
As has been indicated in 12.2 Regulation of 'Issuers' of Blockchain Assets, legislative reform is scheduled shortly and it is expected that the FIEA but not the PSA will be applied to the secondary distribution of security tokens.
When the relevant fund receives capital contributions, it is, in principle, required to be registered as a Type II Financial Instruments Business in accordance with the FIEA. On the other hand, the current FIEA does not apply when the fund is invested in virtual currency. After the amendment of the FIEA, it is expected that the FIEA regulation applies to funds that receive virtual currency investments.
In addition, under the FIEA, when the investment target of the fund is securities and derivatives, registration as an investment management business is required, in principle. In this regard, blockchain assets basically do not fall under securities and, in that case, funds that invest in blockchain assets do not need to register as an investment management business. Under the legislative reform scheduled shortly, it is expected that (i) tokens with rights to receive profit distribution will be one of the securities under the FIEA and (ii) for sales and purchases of funds that invest in such tokens, registration as an investment management business will be required.
When recording personal information in a blockchain, certain precautions must be taken in relation to the characteristics of the blockchain and the rules for protecting personal information.
For example, if personal data is recorded in a blockchain for use by multiple users, the recording/data entry may be regarded as the provision/transfer of personal data because the content of the personal information is made recognisable by other nodes. In such a case, the required procedures (eg, obtaining consent from the individual/person identified by such personal data) must be followed in accordance with rules such as the General Data Protection Regulation (GDPR) and the PIPA.
In addition, under the PIPA, it is mandatory to make efforts to erase personal data and, in some cases, the individual identified by such personal data has the right to request correction, deletion, etc. Under the GDPR as well, while the conditions for exercising rights vary, the individual identified by such personal data may have the right to request correction, deletion, etc. In this case, the response will need to be considered and discussed in light of the characteristic of the blockchain that an entry, once made, cannot be corrected or erased.
In any case, recording personal information in a blockchain may require consideration depending on the type of blockchain used and the data recorded (eg, whether the blockchain is public or private, and whether the record is personal information or only hashed information).
Japan enacted new regulations on electronic payment intermediate service-providers (EPISPs) in 2017, which correspond to open banking. An EPISP (i) transmits the instructions of bank account-holders to banks using a digital method, (ii) collects information on bank accounts and (iii) provides that information to account-holders by using digital methods.
The EPISP often uses API keys provided by account-holders to provide the above services, but whether such activity was legal was uncertain because most banks prohibited account-holders from sharing passwords, IDs and API keys with others.
The amendment law requires EPISPs to register with the JFSA and comply with certain duties, while requiring banks to open account information to EPISPs under certain conditions.
The JFSA requires banks and EPISPs to carry out adequate information security management and cybersecurity management.
The degree of security management required depends on the degree of risk of the services provided by the EPISP. For example, in information security management, it is conceivable to formulate policies and in-house rules that properly manage information, to establish an internal management system for mutual checking of access to critical information and to improve information security management continuously through 'plan–do–check–act' cycles, taking into account incidents of fraud or misconduct at other companies.
Also, in cybersecurity management, consideration shall be given to a system for detecting unauthorised logins, abnormal transactions and the like by using a variable password, a digital certificate, etc, and to a method for promptly notifying the user.