DMM Bitcoin receives business improvement order

The Kanto Local Finance Bureau has today issued an administrative disposition to DMM Bitcoin based on the provisions of Article 63–16 of the Payment Services Act as follows:

1. Business Improvement Order

1. Analysis and investigation of specific facts and root causes of this outflow incident

As the reports submitted by the Company in accordance with the report collection orders issued on May 31, 2024, and July 2, 2024, based on Article 63–15, Paragraph 1 of the Act have not yet clarified the specific facts of this outflow incident, analyze and investigate the specific facts and root causes of the incident.

2. Response to customers

Continue to thoroughly protect affected customers. In addition, provide sufficient explanation and disclosure to customers regarding this incident and appropriately respond to customer complaints.

3. Ensuring proper and reliable business operations

Take necessary measures for business operations concerning the following matters to ensure proper and reliable execution of cryptocurrency exchange business:

1 — Strengthening the system risk management structure
After analyzing and evaluating the fundamental causes, such as the normalization of inappropriate system risk management structures, review and strengthen the system risk management structure to enable sufficient improvement.

2 — Establishing a structure for appropriate response to cryptocurrency outflow risks
Establish a structure for appropriate response to outflow risks, including implementing effective reduction measures for outflow risks related to cryptocurrency transfers.

3 — Clarification of management responsibility and strengthening of management structure
Clarify management responsibility for this incident. The representative director and directors shall discuss risks corresponding to cryptocurrency exchange business operations and steadily implement countermeasures. Furthermore, strengthen the functions of the board of directors and establish an effective management structure, internal control structure, and internal audit structure necessary for compliance with laws and regulations and proper and reliable business operations.

4. Transaction Resumption

When resuming transactions currently suspended as of September 26, 2024, and opening new accounts, ensure effectiveness by implementing responses based on (2) and (3) above, along with establishing necessary structures based on the cause investigation described in (1) above.

5. Initial Reporting Obligations

Report on the above (1) to (4) (including a business improvement plan with specific measures and implementation timeline for (3) and (4)) by Monday, October 28, 2024.

6. Ongoing Reporting Obligation

Regarding the business improvement plan for (3) and (4), report on the progress and implementation status monthly by the 10th of the following month until completion (with the initial reporting date set as November 30, 2024).

2. Reasons for Disposition

On May 31, 2024, an incident occurred where cryptocurrencies (BTC) managed by the Company were improperly sent externally, resulting in the outflow of customer deposits (4,502.9 BTC).

In light of this, a report was requested from the Company based on Article 63–15, Paragraph 1 of the Act, and the Kanto Local Finance Bureau began an on-site inspection to confirm the Company’s business operations. As a result, the following serious issues were identified regarding the Company’s system risk management structure and response to cryptocurrency outflow risks:

1. System Risk Management Structure

Since the start of operations, the Company, without considering the system risks affecting its cryptocurrency exchange business, has not appointed a director to oversee systems. Furthermore, authority for system risk management, system development and operation management, and information security management is concentrated in a few individuals, and the system risk management department is made to monitor itself, resulting in a lack of checks and balances in the system risk management structure.

Additionally, the Company has not assigned personnel with auditing skills, and audits are conducted by the departments being audited, compromising the independence of internal audits.

Moreover, when introducing external wallets, the Company did not discuss outflow risks associated with cryptocurrency transfers, did not verify the appropriateness of security management evaluations for external wallets, and began using wallets without understanding how to respond to potential issues.

Under these circumstances, deficiencies in the structure as described in (2) below have been identified, indicating that a system for proper and reliable execution of cryptocurrency exchange business has not been established.

2. Response to Cryptocurrency Outflow Risks

Regarding the handling of private keys for cryptocurrency transfers, the Company conducts signing operations individually without checks and balances, and manages private keys collectively. Despite recognizing that these practices contradict the “Supervisory Guidelines for Financial Companies, Volume 3: Cryptocurrency Exchange Providers,” the Company continued these practices.

Furthermore, despite recognizing the need to diversify risks as the scale of cryptocurrency holdings increased, the Company did not consider risk-appropriate measures such as setting up multiple wallets for distributed management.

Additionally, the Company has not considered the retention period for logs related to evidence preservation in case of cryptocurrency outflow, and has not appropriately preserved evidence necessary for prompt investigation and cause analysis of the current unauthorized outflow incident.

As described above, the Company has not taken appropriate measures to prevent unauthorized outflow of cryptocurrencies, resulting in a lack of security against internal fraud and theft. The management of cryptocurrency transfers is found to be sloppy, and internal audits have condoned such management practices and are not functioning properly. Consequently, the Company has not established a structure for appropriate response to cryptocurrency outflow risks.

Fundamentally, addressing cryptocurrency outflow risks is one of the most critical management issues, and taking appropriate measures to prevent unauthorized outflow of cryptocurrencies is essential for the sound and appropriate business operations of cryptocurrency exchange providers. Therefore, the management structure should be highly effective. However, as stated in (1) and (2) above, the representative directors, etc., have neglected to establish a system risk management structure, concentrated authority in a few individuals without implementing checks and balances, and have not discussed or considered the importance of addressing cryptocurrency outflow risks. As a result, they have not taken appropriate measures to prevent unauthorized outflow of cryptocurrencies. Thus, the Company’s structure shows significant deficiencies in what is required of a cryptocurrency exchange provider managing customer assets.

Although the specific methods of this outflow incident have not yet been elucidated, the Company’s management structure for system risks and response to cryptocurrency outflow risks necessary for proper and reliable execution of cryptocurrency exchange business requires immediate and fundamental improvement from the perspective of user protection, regardless of the specific methods of the incident. This situation is deemed to fall under “when deemed necessary for proper and reliable execution of cryptocurrency exchange business,” and therefore, a business improvement order is issued based on the provisions of Article 63–16 of the Act.

