Cyber Security and Japanese Law

Q Please explain points to keep in mind in relation to cyber security and data strategy from a legal perspective.

 

A It is important to analyze laws, guidelines, cases of administrative penalties, etc. to discover the risk of administrative penalties, as well as the risk of damage due to unauthorized remittance, leakage, etc., and to take well-balanced security measures that are appropriate to those risks.

 

1 Cyber Security Measures

Cybercrime is on the rise as more people work from home, due to the impact of COVID-19, and cyber security measures are becoming increasingly important. Cyber security measures are like a foundation in relation to data strategy, and it is essential to have certain cyber security measures in place.

Even though cyber security measures are essential, balance is also important. It is necessary to strike a good balance between the convenience of data use and cost in relation to data strategy objectives.

The authors are sometimes asked questions such as “From a legal perspective, what is the minimum level that needs to be done?”. With budgetary constraints and other factors, every company has concerns about how far to go in implementing measures and how to prioritize them.

In this Q, we would like to explain what aspects we focus on in relation to cyber security from a legal perspective.

 

2 Risk Assessment and Legal/Compliance Perspectives

(1) Analysis of Administrative Penalties Risks and Administrative Guidance Risks

Based on the Act on the Protection of Personal Information, each business operator is required to take measures to safely manage the personal data of its own individual customers, etc. (Act on the Protection of Personal Information Article 20).

In addition, financial institutions such as banks, funds transfer companies, and crypto-asset exchange providers are obliged under laws related to their businesses to manage customer information securely and take cyber security measures as part of compliance with laws and regulations.

If a cyber-attack results in (1) leakage of personal data, (2) fraudulent remittance/stolen crypto-assets, or (3) ransom demand due to infection by ransomware (virus), the company may be subject to administrative penalties such as business improvement orders/business suspension orders or administrative guidance. Administrative guidance may not sound like a big deal, but in many cases, like the administrative guidance given by the Ministry of Internal Affairs and Communications (MIC) to a certain company under the Electricity Business Act, it may be widely reported and criticized.

 

Each business operator needs to analyze laws, regulations, guidelines, court cases, and administrative penalty cases and make sure that it can withstand on-site inspections, etc. Therefore, when constructing/reconstructing a system, it is important for the security and systems departments to consult with the legal and compliance departments in advance to ensure that there are no fatal problems. In addition, periodic coordination of information is also important, as revisions to laws, regulations, and guidelines may require prompt action.

 

As such, ensuring compliance with laws and regulations and avoiding administrative penalties are the minimum points that need to be addressed.

 

In some cases, laws and regulations are quite specific about the level of security required, such as for credit card numbers. For example, if you want to become a merchant that can accept credit card payments, you need to take safety management measures (Article 35-16 of the Installment Sales Law), and it is understood that you need to comply with PCI DSS standards or take measures to not retain credit card numbers (Ministry of Economy, Trade and Industry, “Basic Policy on Supervision Based on the Installment Sales Law (Post-Payment Field)” II-2-2-5, “Credit Card Security Guidelines”). For this reason, we are sometimes asked to review from a legal perspective whether the criteria for non-retention measures have been met.

 

In addition, in relation to financial laws and regulations, a risk-based approach to cyber security measures is common, meaning that the measures should be commensurate with the risks involved. So, we are sometimes asked to provide opinions on whether our security measures are commensurate with the risks involved (e.g., whether they may be subject to administrative penalties).

 

 It is beneficial for legal and compliance departments to take the lead in making risk judgments in this area, as they are well versed in the relevant laws, guidelines, and supervisory guidelines.

 

To give a concrete example, the Financial Services Agency (FSA) has strongly promoted multi-factor authentication in response to a large number of fraudulent remittances from bank deposits through the accounts of a certain telephone company-affiliated payment processor (funds transfer agent/electronic payment processor). As a funds transfer agent or electronic payment agent, you will need to be familiar with the FSA’s guidelines and supervisory guidelines when considering whether you need to comply with multi-factor authentication and when you should do so. In addition, legal and compliance departments that are more sensitive to the FSA’s expectations will be able to make more precise decisions.

 

We are now in an age where it is commonplace for customer IDs and passwords to be leaked through phishing and other means. In Europe, multi-factor authentication is basically mandatory based on the Payment Services Directive. Based on this and other global trends, the FSA has been emphasizing the importance of multi-factor authentication.

 

Further, as a result of these circumstances, the National Police Agency is moving to strengthen identity authentication (authentication is necessary to omit identity verification for the second and subsequent transactions) based on the Criminal Proceeds Act.

 

When authenticating customer identity, it is necessary to determine the company’s response policy in light of such trends by the regulatory authorities, and there are times when legal and compliance knowledge plays an important role.

 

 

(2) Assessing the Risks of Damage

If unauthorized remittance occurs, the company may suffer significant damages. 

For example, in 2018, it was reported that Japan Airlines Inc. fell prey to a business email scam and mistakenly paid approximately 380 million yen based on a fake invoice (Yomiuri Shimbun, January 10, 2018).

The number of cases of unauthorized remittance (embezzlement) by company employees and subcontractors continues to rise.

There have also been repeated cases of crypto asset exchange providers having their crypto assets stolen. In the “Coincheck incident”, 58 billion yen worth of crypto assets were stolen.

In the case of financial institutions (banks, money transfer companies, credit card companies, etc.), unless the customer is found to have been negligent, the financial institution often bears the damages from fraudulent remittance, and there are many cases where financial institutions bear the loss of hundreds of millions of yen per year.

In the case of debit/credit card transactions due to identity theft, if the merchant does not take measures such as 3D-Secure (a method of identification recommended by international brands), the merchant is in most cases responsible for all losses due to fraudulent transfers under the rules of international brands such as Visa/Mastercard (if the card issuer can show that it supports 3D-Secure).

Also, if a company leaks personal information, credit card numbers, customer/business partner data, etc., there is a risk of being sued for damages as a breach of contract.

In addition, reputational risks (risks of loss of trust) must also be considered. It is not uncommon for customers to leave a company or for stock prices to plummet due to a loss of trust caused by a scandal.

Thus, it is useful to carefully analyze the risks of damage to the company based on assumptions of various possible cyber security incidents, since various types of damage may occur in the event of a cyber security incident.

 

And, for example, in relation to indemnity risks from other companies, it is useful to examine the content of contracts with other companies, and in relation to the risk of card number leakage, it is useful to analyze international brand rules. So, it is beneficial to work with legal and compliance departments which are familiar with contracts.

 

(3) Legal and Compliance Perspectives

The Legal and Compliance Department should examine matters from the above perspectives, and if it determines that the risk is too great after considering alternative plans and other factors, it will give the red light.

Some executives and data strategists may be under the impression that the legal and compliance department only functions like a car brake. But, please imagine a car without brakes. It would be too dangerous to drive.

The final risk decision should be made by the management team. However, the management team needs to make a risk judgment about cyber risks and take measures commensurate with the risks, taking into account legal and compliance factors while also considering various other factors such as convenience and cost.

 

3 Cyber Security and System Development

As with many challenges for a company, cyber security needs to be a company-wide effort. Just as a small hole in an embankment can cause it to break, cyber security needs to be done as an organization with a proper system in place.

From this perspective, it is necessary to (i) confirm the objectives of data strategy, (ii) identify information assets (databases, etc.), the risks associated with them, and determine the security level/security measures required for each information asset, (iii) establish internal rules to ensure relevant information security measures, and (iv) ensure compliance with the internal rules through education, training, and checks (internal audits, etc.).

When creating company internal rules, my personal experience is that it is important to (1) make sure that the rules are well-balanced and commensurate with the risks involved, (2) not place too much trust in people, and (3) conduct periodic training and verification.

In relation to (1), possible risk scenarios should be considered, and then measures that are effective against those risks should be introduced. If the rules are too strict to be followed, or if following them would only be troublesome and significantly less effective for the risks involved, revision should be considered. Rules that are pie in the sky are meaningless.

In relation to (2), the concept of “security by default” is important. People make mistakes, and some employees may even take out information with malicious intentions or embezzle. It is necessary to establish a system that can detect and prevent mistakes and criminal acts by officers and employees without placing too much trust in them. For example, I have come into contact with a case where remittance rights for a bank account with a balance of billions of yen were given to a subcontractor. No matter how much you trust your subcontractors, you may need to have certain checks and balances in place.

In relation to (3), for example, in its “Policy for Enhancing Cyber Security in the Financial Sector,” the FSA first categorizes cyber measures for normal times and for incident responses for emergencies. For the former, it stresses the importance of understanding the actual situation and implementing countermeasures such as vulnerability assessments, as well as basic system establishments. For the latter, the report stresses the importance of practical penetration tests (TLPT) and participation in exercises such as those conducted by the FSA and NISC. In short, if the countermeasures do not work in the event of a cyber-attack, they are useless. Therefore, it is necessary to ensure that the countermeasures work by conducting proper exercises and training (penetration tests, etc.).

For example, a Computer Security Incident Response Team (CSIRT) should be set up in case a cyber-attack or information leak occurs and should collect information on a daily basis and conduct practical training on how to respond to actual incidents. The Personal Information Protection Law revised in 2020 stipulates the obligation to report to the Personal Information Protection Commission (PPC) in the event of an incident such as leakage of personal information, as well as the obligation to notify the individual (data subject) (Article 22-2 of the Personal Information Protection Law). The importance of advance preparation is expected to increase more than ever, as a quick response is required.

A significant number of incidents involving the leakage or improper use of personal information occur through subcontractors. Recently, a social networking service provider announced that a Chinese subcontractor was able to access its domestic server and view personal data, and in response, the PPC and the MIC announced that they had issued administrative guidance to the company for insufficient management of the subcontractor. It is necessary not only to impose appropriate security management obligations based on contracts with subcontractors, but also to properly monitor the performance of such obligations.

 

4 Conclusion

Due to the impact of COVID-19, cyber security measures are becoming increasingly important, but it is also necessary to implement cyber security measures that take into account legal and compliance aspects.

If you have any questions concerning this article, please feel free to contact us.

Guide to Business Licenses in Japan

There are numerous types of licenses that need to be obtained by businesses before starting a business in Japan. We have provided below a table of various licenses for the finance sector.

Conditions for each registration are detailed here.

| Type | Description |
| --- | --- |
| Funds Transfer Service (資金移動業) | In order to operate a funds transfer business (which is similar to money services businesses in the US or payment institutions in Europe), this license is basically required. |
| Prepaid Instrument Issuer (前払式支払手段発行業) ― Third Party Type | In order to issue e-money, gift cards, prepaid cards, and such, this license is basically required. Prepaid instruments basically need to be non-refundable. |
| PISP/AISP (電子決済等代行業) | In order to access bank APIs to initiate a bank wire transfer transaction or to refer account information on behalf of your customers, this license would be required. |
| Credit Card Issuer (包括信用購入あっせん業) | In order to issue credit cards, including both actual cards and virtual cards, this license is basically required. |
| Credit Card Acquirer (加盟店契約締結業) | In order to acquire merchants for credit cards (and charge cards), this license is basically required. |
| Individual Credit (個別信用購入あっせん) | In order to handle individual credit services, this license is required. |
| Money Lending (貸金業) | This license is required in order to lend money to customers, unless the relevant entity has a bank license. Most companies issuing credit cards in Japan have either the money lending license or the bank license. |
| Financial Intermediary (媒介業) | In order to act as an intermediary for other financial institutions, you would basically need this license. If the entity wants to make profits from selling financial products of (an) other financial institution(s) to its customers, it may consider acquiring this license. |
| Virtual Currency Exchange (暗号資産交換業者) | In order to engage in the business of selling/purchasing virtual currency, this license would be required by the relevant entity. |
| Type 1 Financial Instruments Business (第一種金融商品取引業) | This is equivalent to securities companies in the U.S. Many IT-related companies acquire this license to provide FX related services. |
| Bank (銀行) | Funds Transfer Service Providers are not allowed to accept bank deposits, and if the relevant entity wants to do so, it may consider acquiring a bank license in the future. |

Please contact us if you have any questions or need assistance in obtaining these licenses.

Types of Companies in Japan

Provided below is a guide on the types of companies in Japan and their differences.

| | Limited Liability | Separation of Management and Ownership |
| --- | --- | --- |
| (i) Kabushiki Kaisha | All equity holders are limited in liability. It is equivalent to LLC. | Can be separated. |
| (ii) Godo Kaisha | All equity holders are limited in liability. It is equivalent to LLC. | Not separate. |
| (iii) Gomei Kaisha | All equity holders owe unlimited liability. | Not separate. |
| (iv) Goshi Kaisha | There are both unlimited liability equity holder(s) and limited liability equity holder(s). | Not separate. |

When foreign companies set up subsidiaries in Japan, in most cases, they either select Kabushiki Kaisha (“K.K.”) or Godo Kaisha (“G.K.”).

1. Differences Between K.K. and G.K.

| | K.K. | G.K. |
| --- | --- | --- |
| Equity Holder | Shareholder (“Kabu-nushi”) | Members of the company (“Sha-in”) |
| Responsibility of the Equity Holder | Limited liability | Limited liability |
| Number of persons required for establishment and operation | One or more | One or more |
| Highest Decision-Making Body | General Meeting of Shareholders | Meeting of the members |
| Voting Rights | Proportionate to the number of shares held by each shareholder | Each member has one vote. |
| Person(s) who (make important decisions on) the Execution of the Operations of the Company | Directors / Executing Person(s) | Executing Person(s). If there is no election of an Executing Person, then all members become Executing Person(s). |
| Who can become the Executing Person | Non-shareholders can also be appointed as Director or Executing Person. | A person who is not a member of the company cannot be appointed as Executing Person. |
| Term of office for Executing Persons | Up to 10 years. Many companies make the term 2 years. | No limitation. Can be decided freely. |
| Representative of the Company | The Directors or the Board of Directors may appoint Representative Director(s) or Representative Executing Person(s). | Members may appoint Representative Executing Person(s). |
| Financial Statements | Publication is necessary. | Publication is not necessary. |
| Distribution of Profits to Equity Holders | Distribution of company’s profits to each shareholder must be proportionate to the percentage of shares held by each shareholder. | Members may decide how the company’s profits will be distributed. Distribution does not have to be made in proportion to percentage of equity (or membership interest) held by each member. |

2. General Advantages of G.K. over K.K.

  • Costs to establish G.K. are less than those for K.K.
  • Corporate management structures can be implemented more flexibly.
  • No obligations to publicize financial statements.

In addition, in the case of U.S. companies, it is written in some articles that there are the following advantages from an international tax perspective:
– Pass-through taxation may be selected under U.S. tax law.
– Not subject to U.S. “controlled foreign company” (CFC) rules or the so-called “anti-tax haven” rules.

3. Reputable Foreign Companies that have set up G.K. as Japanese Subsidiary or Affiliate

| U.S. Parent Company | Japanese Subsidiary or Affiliate |
| --- | --- |
| Google L.L.C. | Google G.K. |
| Apple Inc. | Apple Japan G.K. |
| Amazon.com, Inc. | Amazon Japan G.K. |
| The Procter & Gamble Company | P&G Prestige G.K. |
| Exxon Mobil Corporation | Exxon Mobil Japan G.K. |
| Universal Music Group | Universal Music G.K. |
| Warner Bros. Entertainment Inc. | Warner Brothers Japan G.K. |
| Cisco Systems, Inc. | Cisco Systems G.K. |

[Source: Japanese newspapers]

4. Fees for Establishing G.K. and K.K.

(1) Fees to be Paid to the Government and Public Offices

| | K.K. | G.K. |
| --- | --- | --- |
| Registration Tax | 150,000 Yen – (If “0.7% of the stated capital amount” is greater than the above amount, then such amount will be the registration tax fee.) | 60,000 Yen – (If “0.7% of the stated capital amount” is greater than the above amount, then such amount will be the registration tax fee.) |
| Stamp Tax for Articles of Incorporation (exempted, if created electronically) | 40,000 Yen (We handle electronic AOI, to have this 40 thousand yen exempted) | 40,000 Yen (We handle electronic AOI, to have this 40 thousand yen exempted) |
| Fee for Notary Public for the Certification of Articles of Incorporation | 50,000 yen | 0 |
| Fees for Certified Copy of Articles of Incorporation | App. 2,000 Yen | App. 2,000 Yen |
| Total fee | 242,000 Yen – | 102,000 Yen – |

(2) Law Firm Fees for preparation of Articles of Incorporation /registration fees

Preparing Japanese AOI and filing documents only:
100,000 yen

If English referential translations are required:
An additional 100,000 yen

 

5. Our Services

(1)  Establishment of Company

We provide advice and counsel on the formation of G.K. and prepare required documents in Japanese (and referential translations in English upon request).

(2)  Other Services

We provide support in making various types of company documents and documents required for authorization by the Japanese government.

Please contact us if you have any questions.

Conditions for Licenses/Permits

Below is a list of registrations for licenses/permits in Japan and the documents and requirements for each type. We offer services for the following registrations and assist companies wishing to expand in these areas.

1 Registrations
(1) Issuing of Credit Cards
(2) Acquiring/Sub-acquiring of Credit Cards
(3) Individual Credit Provider
(4) Funds Transfer Service
(5) Money Lending Business
(6) Crypto Assets Exchange Service
(7) (Financial Service) Intermediary
(8) Rent Guarantee Service
(9) Banking
(10) Financial Instruments and Exchange Service
(11) Issuer of Prepaid Payment Instruments
(12) Electronic Payment Services

2 Conditions of Each Registration
(1) Issuing of Credit Cards

Supervising Authority
Ministry of Economy, Trade and Industry (“METI”)

Main Requirements
-Be a corporation or a “foreign corporation having a place of business in Japan.”
-Own “property basis deemed necessary to properly and reliably perform the funds transfer business.”
-20 million yen or more in capital stock or contribution
-Net assets (excluding total liabilities of applicant corporations) shall be more than 90% of the amount of its capital or contributions.

Documents Needed for Registration (Installment Sales Act Article 32, Enforcement Ordinance of the Installment Sales Act Article 63, etc.)
1. Registration application form
2. Articles of association
3. A certified copy of the registration [as a legal entity] or certificate of registered matters
4. Statement on property (Excel format)
5. Balance sheet, income statement, and statement of changes in net assets and notes (for the previous fiscal year)
6. Summary document on joint venture (Word format)
7. Curriculum vitae and background of the directors (Word format)
8. List of shareholders / employees of entity and parent company, or a document in lieu thereof (Word format) (Note: Limited to shareholders, etc. specified in law.)
9. Document stating the name of the participating Authorized Credit Bureau
10. Document stating name of person who conducts the Authorized Credit Bureau Service with whom the Credit Bureau Service Agreement has been concluded (excluding the subscribing designated credit information agencies)
11. Internal rules for business operations (Note: Includes documents related to merchant surveys, etc.)
12. Organization chart concerning operations
13. A document stating to pledge certain matters (Word format)
14. Corporate profile reference
15. Work plan reference
16. Contracts with members

(2) Acquiring of Credit Cards
Who Needs to Register
Any entity trying to acquire credit card merchants.

Supervising Authority
METI

Documents Needed to Register
(Same as (1) Issuing of credit cards)

(3) Individual Credit Provider
Who Needs to Register
Any entity trying to provide individual credit service.

Supervising Authority
METI

Main Requirements
(1) Property: Net worth shall not be less than 50 million yen.
(2) Personnel: Compliance with the Installment Sales Act and establishment of a complaint handling system.
(3) Physical: An office system that reflects compliance with various laws (with particular emphasis on the protection of personal information).

Overview of the Examination Perspectives
・Whether policies (such as establishment of an internal control unit, responsible persons, disciplinary rules, etc.) are in place to ensure compliance with laws/regulations, and internal rules.
・Whether there are policies (appointment of responsible persons, system, record keeping, etc.) for investigating the estimated amount of payment.
・Whether there are policies (such as responsible persons, workflows, systems and record keeping) for conducting surveys on the solicitation of individual credit sales contracts, etc.
・Whether there is a system in place to ensure the smooth implementation of the measures stipulated in the revised Installment Sales Act in order to manage the number of member stores.
・Whether there are policies for the protection and use of information on purchasers, etc. (responsible person, handling standards, system, etc.).
・Whether there are policies for handling complaints (responsible person, workflow, system, record keeping, etc.).

Procedure of Registration
A Preliminary Consultation about Registration
The Bureau of Economy, Trade and Industry (“BETI”) in each region provides advance consultation for registration. In order to carry out the registration application smoothly, the applicant or its agent is strongly expected to contact the relevant section of BETI. The most difficult part is preparing an internal control system to comply with applicable laws, regulations and self-regulations of the Japan Credit Association (“JCA”). Particularly regarding the internal control system for compliance with laws and regulations, complaint handling, and proper management of credit card numbers, etc., face-to-face interviews are conducted in accordance with internal regulations. The actual registration is usually completed within 2 months after all necessary and appropriate documents have been filed.

(4) Funds Transfer Service
Who Needs to Register
An entity that is not a bank, etc. which engages in funds transfer service as a business.

Where to Register
Registrations shall be submitted to the director of the finance bureau with jurisdiction over your principal place of business.
(Who to register with: Financial Services Agency, “FSA”.)

Main Requirements
-Required to be a “joint stock company” or a “foreign funds transfer service operator having a place of business in Japan”.
-Required to own “property basis deemed necessary to properly and reliably perform the funds transfer business”.
-Required to organize a system to ensure appropriate and accurate fund transfer service and to comply with the provisions of “Chapter 3: Fund Transfer”.  
-Shall not use the same or similar trade name as other fund transfer services.
-Shall not have had its registration as a fund transfer service or its license as a fund liquidator revoked, under the provisions of foreign laws and regulations equivalent to the Funds Settlement Act or the Banking Act, etc., during the past five years.
-Shall not have been sentenced to a fine or equivalent foreign punishment for violating the Funds Settlement Act, Banking Act, etc., the Capital Subscription Act or equivalent foreign laws and regulations during the past five years.
-None of the directors, etc. shall be ineligible. An ineligible person is defined as any of the following:
(a) Adult ward
(b) A person who has received an order of commencement of bankruptcy proceedings and has not obtained reinstatement (or any person equivalent to that under the laws and regulations of a foreign country).
(c) A person who has been sentenced to imprisonment or more (or a foreign punishment equivalent to this) and for whom five years have not passed.
(d) A person who has violated the Payment Services Act, the Banking Act, etc., the Capital Subscription Act (or formally, the Act Regulating the Receipt of Contributions, the Receipt of Deposits, and Interest Rates), or the Act on Punishment of Physical Violence and Others (or any equivalent foreign laws and regulations) and who has been sentenced to a fine (or any equivalent foreign punishment), and for whom five years have not passed.
(e) In the case where registration as a fund transfer service provider has been revoked (or in the case of similar registration being revoked in a foreign country), a person who was a director etc. within 30 days prior to the date of revocation and for whom five years have not yet passed.
(f) A person specified by a Cabinet Order as being equivalent to (e)

(5) Money Lending Business
Examples of Entities That Need to Register
Consumer lenders, bill discounters, business lenders (e.g., real estate mortgage lenders), credit card companies that offer loans, and department stores and supermarkets that provide credit card companies and loans

Supervising Authority
Financial Services Agency
Registered entities need to renew registration every three years.

Main Requirements [concerning registration]
-A trade name or name that does not mislead users, etc. into believing that you are a public institution or financial institution, which may damage fairness of transactions.
-Do not apply for two or more registrations under two or more trade names or names.
-Do not establish a reinstatement agent or a branch office of an agent.
-The agency agreement shall contain the following information:
(a) A statement indicating that you will comply with laws and regulations governing the money lending business
(b) Matters about the scope of agency services
(c) Matters about determination and payment of agency fees
(d) Matters related to the allocation of expenses necessary for the handling of agency services
(e) Principal facilities and equipment used for business
Main Requirements [concerning operations]
-Prevention of over-lending
-Regulation on collection activities
-Normalization of business relationships
-Confirmation of business offices, etc. locations

(6) Crypto Assets Exchange (Service) Business
Who Needs to Register
Any person engaging in the Crypto Asset Exchange Business (or “Crypto Assets Traders”) will need to register (JPSA Article 63, item 2). Here, the Crypto Asset Business means engaging in either of the following items:
(i) sales and purchase of Crypto Asset, or the exchange of a Crypto Asset with another type of Crypto Asset;
(ii) intermediary, brokerage, or agent service of (i);
(iii) administering money for its users for the services listed in (i) or (ii) that it provides to such users; or
(iv) administering Crypto Assets on behalf of someone else (JPSA Article 2, item 7).

Supervising Authority
Financial Services Agency

Definition of Crypto Assets
1. May be used against unspecified parties for the payment of goods/services that you purchase. (Requirement 1: unspecific)
2. Has a property value that may be purchased/sold to an unspecified party. (Requirement 2: has a property value)
3. Shall be recorded by electronic means on an electronic device, etc. and may be transferred by an electronic data processing system. (Requirement 3: electronic records)
4. Assets shall not be a Japanese/foreign currency or any currency-based asset. (Requirement 4: non-legal currency/tender)

Requirements for Registration
1. Organizational Requirements
Shall be a K.K. (joint-stock company) or a foreign crypto assets exchange provider with sales office and representative in Japan.
2. Property Requirements
1. Capital amount shall be ten million yen or more.
2. Amount of your net asset shall not be negative.
3. Business Conduct Requirements (internal systems)
Internal systems of appropriate measures to protect users, such as segregation of users’ money and virtual currency shall be in place to properly and securely conduct your business. More specifically, strengthening the function of internal control/internal audit departments, and whether monitoring is being carried out to ensure appropriate operational control systems.
4. Legal Compliance Requirements (internal systems)
Shall have necessary internal systems in place to comply with the provisions of the amended Payment Services Act. Specifically, this covers whether you have developed a training and education system covering compliance, and whether you are working to improve and foster compliance awareness among your officers and employees.
5. Trade Name Requirements
You may not use the same (or similar) name/trade name used by other crypto asset exchange providers.
6. Requirements Regarding Other Businesses
If you are engaged in any other business, such business shall not be contrary to public interest.

Key Processes (from interviews with your directors, document screening, and on-site examinations)
-Confirmation of business plan, details of business activity (including system plans)
e.g. Is the business plan of your company and your group company clear enough?
-Review of the basic concept of risk management.
e.g. Have you identified and assessed risks in accordance with your business plan and organized internal control systems to handle each risk?
-Verification of detailed management methods/systems, based on documents and rational evidence (self-regulation rules will be referenced together).
e.g. Risk management for handling Crypto Assets
-Business management, etc. (including internal audits)
-User protection measures
-Separate management of user property
-User information management
-Management of external contractors
-System risk management
-Anti-money laundering and terrorist financing
-Based on results of document screenings, confirmation of the operational status and effectiveness of management systems at the actual operational site.

(7) (Financial Service) Intermediary
Definition
A Financial Service Intermediary is any entity that engages in one or more of the following operations as a business: deposit, etc. intermediary business, insurance intermediary business, securities intermediary business, or money lending intermediary business.

Supervising Authority
Financial Services Agency

Main Requirements
-Applicant’s license or registration shall not have been revoked by the Amended Act, the Banking Act, or any other law within five years (Section 15 of the Amendment Act);
-Shall not be identified by an ordinance as likely to commit unauthorized or unfaithful acts;
-Shall not be engaged in other business activities that may be deemed to be against public interest;
-Shall have sufficient ability to properly carry out financial service intermediary business;
-In the case of providing financial services electronically (i.e., via the Internet), applicants shall have systems in place to properly and securely conduct electronic financial service intermediary;
-Shall have developed internal rules that are equivalent to rules established by Association of Certified Financial Service Intermediary or shall have established an internal system to ensure compliance.

Details of Application Form
To be registered, you must submit an application form stating the name of entity, name of directors, name and address of business office, type of business, whether you are engaged in this business as a digital entity (Electronic Financial Services Intermediary Business) or not, and the type of business you are engaged in, if you are engaged in any other business.

(8) Rental Liability Guarantee Service
Supervising Authority
Ministry of Land, Infrastructure, Transport, and Tourism

A rental liability guarantee firm that meets certain requirements can be registered with the government as a party that can properly and reliably carry out the rental liability guarantee business (renewable every five years).
This is a voluntary registration system, and it is possible to operate a rental liability guarantee firm without registration.

Benefits of Registering
-Registered by the government as a party who can properly conduct the business of a rental liability guarantee firm and such information will be widely provided [by the government] to others.
-Application of Housing Finance Agency’s Rental Liability Guarantee Firm (under specific conditions)
-Subject to subsidies to reduce rental liability guarantee fee.

Documents Needed to Register
An application form must be turned in with supplementary documents such as copies of internal regulations, work experience resumes, and written statements on the status of business.

Each item of Article 6, Section 1 of the Rental Liability Guarantee Firm Rule lists those who cannot register for Rental Liability Guarantee Services. These include persons who have received an order of commencement of bankruptcy proceedings and have not been reinstated as well as those with net assets of less than 10 million yen.

(9) Banking
There are two types of banks, and therefore, two processes for obtaining licenses. 

(1) Option 1: Creating a Japanese Sub and Acquiring Bank License
In general, there are two types of banks. One is the ordinary bank prescribed under the Banking Act and the other is the special type of bank, such as a Shinkin Bank (or community bank), prescribed under special acts like the Shinkin Bank Act.
Shinkin Banks gather investments from their members and provide services mainly to such members in a certain region. We believe that an ordinary bank is the option that you would prefer over a Shinkin Bank, etc. Thus, we will focus on ordinary banks.

Main Requirements (Banking Act Article 10):
-2-billion-yen capital
-Ensure financial basis to conduct banking business soundly and efficiently and shall have good prospects for income and expenditure pertaining to the business
-A Kabushiki Kaisha (stock corporation)
-Shall not fall under any other permit rejection criteria (e.g. relationship with crime organizations)

The requirements can be found in the (i) Banking Act, (ii) Banking Act Enforcement Order, (iii) Banking Act Enforcement Ordinance, and (iv) Financial Services Agency’s Supervisory Guideline. For internet banks, the requirements are relaxed in part (see section VII-1-5 of the said Supervisory Guideline), but the basic regulatory frameworks applicable are the same.

Main Obligations
(i) Required to provide certain information to customers (Banking Act Article 12-2)
(ii) Required to comply with limits to extension of credit (Banking Act Article 13)
(iii) Required to contract with an ADR handling institution (Banking Act Article 12-3)
(iv) Required to ensure that its transaction(s) with related party(ies) are at arm’s length (Article 13-2)
(v) Required to ensure internal control to ensure compliance (Article 13-3-2)
(vi) Required to ensure stability (Banking Act Article 14-2)
(vii) Prohibited from having a subsidiary that engages in business other than those permitted under the Banking Act (Banking Act Article 16-2)
(viii) Prohibited from acquiring or maintaining 5% or more shareholding in another domestic company that engages in business other than those permitted under the Banking Act (Banking Act Article 16-4)
(ix) Required to administer management of the whole group, meaning itself and its subsidiaries (Banking Act Article 16-3)
(x) Required to make April 1 to March 31 its business year (Banking Act Article 17)
(xi) Required to make business reports (Article 19)
(xii) Required to file occurrence of certain incidents (Banking Act Article 53)

Extent of Business
An Ordinary Bank may conduct inherent banking activities or koyu gyoumu (e.g. acceptance of deposit, making loans, and provision of funds transfer service) as well as ancillary activities and other permitted activities, but may not engage in other activities. To provide (i) trust services (e.g. to become a trust bank), (ii) securities brokerage activities (e.g. to become an investment bank), (iii) prepaid card services, (iv) credit card services, or (v) bank agent services, etc., other permits or registrations may be required.

(2) Option 2: Acquiring a Foreign Bank Branch Permit

Main Requirements (Article 47, Item 2 of the Banking Act):
-Required to have a 2-billion-yen fund for the Japan branch;
-Required to ensure financial basis to conduct banking business soundly and efficiently and shall have good prospects for income and expenditure pertaining to the business; and
-Shall not fall under any other permit rejection criteria (e.g. relationship with crime organizations).
The applicant is not required to be a Kabushiki Kaisha. AG will suffice.

Main Obligations
Some obligations, such as items (vii) to (x), are exempt. For item (vi), the standard for foreign branches is not provided for, so it is virtually exempt. Item (xii) is not applicable, but foreign branches are required to file occurrence of certain incidents under Article 49 of the Banking Act instead. Other provisions are basically fully applicable or partially applicable (Article 47, Item 2 of the Banking Act).

Extent of Business that can be Conducted
This is virtually the same as the bank subsidiary case as described in (1) above.
A branch office in Japan of a foreign bank can also apply for a license under the JBA.

Foreign Bank Agency Services
A bank may, upon approval, operate a foreign bank agency business for each foreign banking group to which a foreign bank belongs (a foreign banking group refers to a foreign bank and a group of foreign banks that are subsidiaries of the foreign banking group and other persons specified by a Cabinet Office Ordinance) (Article 52, Item 2, Clause 2 of the Banking Act).

Bank Agency Services

Definition (Article 2, Item 14 of the Banking Act)
-Acting as an agent or intermediary for the conclusion of a contract for the acceptance of deposits or fixed-term deposits, etc.
-Acting as an agent or intermediary for the conclusion of a contract for the lending of funds or the discounting of notes
-Acting as an agent or intermediary for the conclusion of a contract for foreign exchange transactions

Main Requirements (Article 52, Item 38 of the Banking Act)
(a) Has a financial basis that is deemed necessary to carry out banking agency business.
(b) In light of the composition of its human resources, has the necessary ability to perform the banking agency business accurately, fairly and efficiently, and has sufficient social credibility.
(c) Is not deemed likely to interfere with the proper and reliable operation of the bank agency business by engaging in any other business.

The financial basis mentioned in (a) differs between companies (5 million yen) and individuals (300 thousand yen) (Article 34, Item 36 of the Banking Act Ordinance).

(10) Financial Instruments and Exchange Service
There are 4 types of Financial Instruments Businesses: Type I Financial Instruments Business, Type II Financial Instruments Business, Investment Management Business, and Investment Advisory and Agency Business.

Type I Financial Instruments Business
Categories of businesses under Type I include those that handle the purchase and sale of securities, market derivatives transactions on securities, and FX. Type I has the strictest requirements out of the four types of Financial Instruments Businesses, and here are a few:
(1) The company must be a joint stock company with a board of directors and corporate auditors or committees.
(2) Net assets and capital must be 50 million yen or more.
(3) Capital adequacy ratio must be 120% or more.
(4) The major shareholder must not be a disqualified person.
(5) Must have sufficient human resources to accurately conduct Type I Financial Instruments Business.
Even after registration is completed, business reports need to be filed within three months prior to the end of the fiscal year, and registration forms must be filed if there are any changes to the trade name, head office location, etc.

Type II Financial Instruments Business
Financial Instruments and Exchange Act Article 29, Item 4 states the requirements for registering as Type II such as:
-If a company, capital must be more than 10 million yen.
-If a company, it must have a business office or office in Japan.
-If a foreign company, it must have an appointed representative in Japan.

Investment Management Business
As an Investment Management Business, a firm manages assets on behalf of its clients and provides fund management services. Further, it manages stocks and other securities with the investment capital deposited by clients and analyzes and reports on the status of assets.

To register as an Investment Management Business, a company must be a joint stock company with a minimum capital of 50 million yen and net assets of 5 million yen.

Investment Advisory and Agency Business
Investment Advisory and Agency Business deals with agency and intermediary business and investment advisory businesses.
In the agency and intermediary business, the firm represents and mediates the conclusion of contracts, and in the investment advisory business, the firm provides investment advice.

Three Major Requirements
-A deposit of 5 million yen (business deposit)
-There are three persons in charge of investment decisions, internal audit, and compliance, respectively, and there are sufficient human resources to accurately conduct Investment Advisory and Agency Business

How to Register
For all of the above cases, a registration form and supplementary documents must be filed at the Regional Finance Bureau. After a screening is completed, the Prime Minister will complete the registration.

(11) Issuer of Prepaid Payment Instruments
This provision applies to cases where the amount of sales made through prepaid installment sales is more than 10 million yen per year.

Supervising Authority
Financial Services Agency

Main Requirements
-That the amount of money or the quantity of goods/services (number of units, frequency, etc.) is recorded on vouchers, electronic devices, or other objects (vouchers, etc.) or in an electromagnetic manner.
-That the voucher with the amount of money or the quantity of goods/services described in the voucher or recorded in an electromagnetic manner is paid.
-That the amount of money or the quantity of the goods/services stated on it or recorded in an electronic manner, or a number, symbol, or other sign that is linked with the property value of those goods or services is issued.
-That the vouchers, numbers, symbols, other signs etc., are available for use by presentation, delivery, notice, or other means at the time of purchase of goods or provision of services.

(12) Electronic Payment Services

Supervising Authority
Financial Services Agency

Main Requirements
-Shall have a financial basis for the proper and reliable performance of Electronic Payment Services (Article 52-61-5(1)(a) of the Banking Act).
The only requirement for this financial basis is that net assets are not negative (Article 34-64-6 of Ordinance). Because Electronic Payment Services do not receive deposits of user funds themselves, their financial statements are not subject to the same standards as those of other industries that handle transactions. (Note: Funds transfer businesses are required to preserve the full amount of user funds that are being transferred.)
-Shall have a system to properly and reliably carry out Electronic Payment Services (Article 52-61-5, paragraph 1, item 1 (b) of the Banking Act).
-Applicants shall not have been subjected to certain punishments under the Banking Act, etc. (e.g., revocation of registration due to violation of this Act) and five years have not passed from the date of such punishment.

3 Important Points
For registration, it is necessary to create internal rules and manuals in compliance with relevant laws and guidelines and develop and maintain an internal system in line with these rules and manuals.

If you want to register as an acquirer, you may use contract templates according to your industry to simplify the process and significantly reduce the wait. However, it is necessary to formulate manuals in line with the company’s business model, secure human resources who will actually perform operations, and develop legal compliance systems that allow these personnel to function effectively. This is the most difficult part. For example, matters described in internal rules and manuals must be understood by the people in the relevant systems department, sales department, etc. If a project is carried out without proper understanding, it may easily be delayed for half a year to a couple of years when an insufficiency in the registration procedures is discovered later on.

On the other hand, in the case of global companies, there are already internal guidelines, rules, systems, etc., and there are efforts to make minimal changes so as to comply with self-regulations. However, after analyzing a large quantity of English internal procedures and manuals, etc., we believe that it is not easy to pick and choose sections to modify in order to comply with Japanese laws, regulations and guidelines and then implement such amendments. Most cases require a great amount of translation, and due to a lack of understanding of Japanese laws and regulations, it is not uncommon for the registration application to take a long time to be completed, as corrections are pointed out by the responsible authorities after it has been filed.

4 Our Law Firm’s Services
(1) Our Advantages
-Specialized in the fields of finance, payments, moneylending, and advertising/internet business.
-Strong in international trading (communications made in English).
-Experienced in the above fields.
-Business-minded. 

(2) Services
We assist with:
-Preparing registration applications
-Creating Policies & Procedures, internal manuals, and Terms and Conditions, etc. for users and merchants
-Creating and modifying privacy and cookie policies
-Creating internal rules related to personal information
-Preparations to join credit bureaus such as CIC, JICC and CRIN
-Complying with the International Brand Rules
-Complying with the PCI DSS (in cooperation with partners)
-Negotiations with acquirers regarding merchant agreements
-Provisions of ancillary services (company establishment, obtaining permits and licenses, obtaining visas, creating Rules of Employment, etc.)
-Referral of service providers and contractors required for obtaining licenses
-Advice on how to handle identity verification
-and much more

(3) Service Fees
Application for Registration
  Starting from 1 million yen (depends on the amount of work and the level of difficulty). Please contact us for more details.