FSA Meets with "Neobanks" to Discuss Financial Crime Prevention

The Financial Services Agency held an opinion exchange meeting on financial crime prevention measures with the management of 13 neobanks at the beginning of June. This was conducted against the backdrop of diversifying customer needs and the advancement of cashless payments, where new forms of banks with distinctive business models are gaining prominence - such as banks that provide services exclusively online and banks that primarily provide payment services by installing ATMs in convenience store networks. The meeting involved exchanging opinions on various challenges surrounding these new forms of banks as follows:

1. Account Misuse Survey - Follow-up on financial institutions' responses to fraud prevention measures
2. Comprehensive Anti-Fraud Measures 2.0 - New government strategy including information sharing systems
3. Online Casino Prevention - Measures to prevent illegal gambling through financial services
4. Anti-Money Laundering Effectiveness - Requirements for financial institutions to verify and improve their AML systems
5. Account Security Strengthening - Response to recent unauthorized access incidents, emphasizing stronger authentication methods
6. Post-Quantum Cryptography Migration - Urgent preparations needed for quantum-resistant encryption by 2035

1. Survey on Account Misuse Request Letters

While financial institutions have been strengthening their responses to financial crimes including special fraud, criminal methods are becoming more sophisticated and diversified.

In light of this situation, in August 2024, a request letter was issued regarding the strengthening of measures against misuse of deposit accounts, including corporate accounts.

As a follow-up to the response of each financial institution to this request, the Financial Services Agency sent out a survey to each financial institution on January 24, 2025, regarding their response status to the request, and collected responses by the end of February 2025.

Regarding the survey results, detailed briefing sessions were held for financial institutions, and the aggregation and analysis of each financial institution's response status will be published separately.

Among the survey items, there were items where a high percentage of financial institutions answered that they had not yet started implementation. For financial institutions where the status of voluntary initiatives cannot be grasped, such as those with an extremely high number of items answered as "not yet started," individual hearings are being considered.

This follow-up is planned to continue in the future. Financial institutions are requested to implement measures systematically under the leadership of management and further strengthen and improve misuse prevention measures.

2. "Comprehensive Measures 2.0 to Protect Citizens from Fraud"

In April 2025, "Comprehensive Measures 2.0 to Protect Citizens from Fraud" was formulated. New items include information sharing regarding fraudulent accounts among deposit-taking financial institutions, new investigative methods using fictitious name accounts and amendments to related laws, and strengthening measures related to internet banking.

Fraud damage amounts in 2024 increased to nearly double those of 2023, making countermeasures urgent. In light of this situation, the FSA plans to request responses including strengthening measures related to internet banking, such as confirmation when raising usage limits.

Additionally, the FSA would like to proceed with the construction of a framework for sharing fraudulent account information being promoted by the Japanese Bankers Association in a public-private partnership.

3. Prevention of Gambling Crimes Related to Online Casinos

Regarding online casinos, even when legally operated overseas, connecting from within Japan to engage in gambling is a crime. According to a commissioned survey by the National Police Agency, payment methods used for online casinos include "credit cards" (55.4%), "electronic payment services and payment agents" (29.8%), and "bank transfers (bank remittances)" (27.4%). The same survey indicates that over 40% of people were not aware of the illegality of online casinos.

In light of this situation, on May 14, 2025, a request was issued to deposit-taking financial institutions, fund transfer service providers, prepaid payment instrument issuers, and crypto asset exchange operators regarding the following:

• Alerting users that connecting to online casinos from within Japan to engage in gambling is a crime
• Clearly stating in terms of use that the use of services for payments related to gambling and other criminal acts at online casinos, including acts violating laws and regulations or public order and morals, is prohibited
• Stopping payments when it is determined that users are attempting to make payments at domestic or overseas online casinos

Each financial institution is requested to appropriately work on preventing gambling crimes related to online casinos based on the above request.

4. Dialogue on "Effectiveness Verification" of Anti-Money Laundering Measures

Regarding anti-money laundering (AML) measures, it is important to enhance the effectiveness of the basic systems that each financial institution established by the deadline of the end of March 2024. The Anti-Money Laundering and Counter-Terrorism Financing Guidelines require each financial institution to verify the effectiveness of their AML measures and continuously review and improve them.

Also, in anticipation of the Financial Action Task Force (FATF) Fifth Round Assessment, it is important for each financial institution to be able to rationally and objectively explain the effectiveness of their AML measures.

The Financial Services Agency published reference concepts and actual case studies for conducting "effectiveness verification" in March 2025 to promote financial institutions' efforts regarding "effectiveness verification."

Going forward, the FSA plans to conduct dialogues with each financial institution regarding "effectiveness verification," and specific dialogue methods and focal points of the authorities are specified in published documents. Financial institutions are requested to proceed with "effectiveness verification" efforts under the leadership of management, referring to these documents.

5. Strengthening Measures Against Unauthorized Access and Fraudulent Transactions of Customer Accounts

Recent unauthorized access to securities accounts primarily involves methods where customers are guided through emails or SMS to phishing sites disguising themselves as websites of actual organizations, from which customer information (login IDs, passwords, etc.) is stolen for unauthorized account access. Other methods include attackers infecting customer terminals with malware, monitoring and operating the terminals in real-time while stealing customer information.

These incidents could shake trust not only in the securities industry but in the entire financial industry, and it is necessary to urgently advance measures such as strengthening authentication, strengthening countermeasures against website and email spoofing, strengthening detection of suspicious transactions, setting transaction limits, strengthening information sharing among financial institutions regarding methods and countermeasures, and strengthening customer alerts.

Not only is authentication using only IDs and passwords vulnerable, but one-time passwords via email or SMS messages are not very effective against modern phishing. It is necessary to mandate strong multi-factor authentication such as passkeys. Given the increasingly sophisticated nature of fraudulent methods, and assuming that methods that surpass countermeasures will emerge even after implementing measures, it is necessary to monitor trends in attack methods and countermeasure technologies.

If security cannot be guaranteed, service suspension should be considered. Rather than implementing countermeasures after damage occurs, the FSA asks that measures be advanced in advance. Protecting customer assets is essential for realizing customer-oriented management, and the FSA asks that management address this as their own issue.

6. Response to Migration to Post-Quantum Cryptography (PQC)

While the realization of practical quantum computers will bring benefits to society, there is a risk that attackers could exploit quantum computers to decrypt encryption used in internet banking, compromising the confidentiality of customer information held by financial institutions. If such risks materialize, customer information and assets would be endangered, potentially shaking trust in the financial system.

Therefore, important systems and services at risk due to quantum computer realization must migrate to those implementing Post-Quantum Cryptography (PQC).

Migration to PQC requires significant time, personnel, and investment from the preparation stage, including coordination with IT vendors. Currently, quantum computer practical implementation is targeted for around 2035, but large-scale system renewals are typically scheduled only once every few years, limiting opportunities for PQC migration. Considering the resources required for PQC migration, it would be inappropriate to postpone preparation by treating this as a future problem, and immediate action is requested.

Specifically:

• Financial institutions need to immediately create roadmaps in consultation with IT vendors for the entire process from consideration start to migration completion. While Financial ISAC is currently developing roadmap templates, there is no time to wait for template completion, and institutions must immediately begin what they can do themselves.
• Financial institutions should comprehensively understand their information assets to prioritize PQC migration responses, create inventories listing what encryption is used for each information asset, and begin risk assessment (risks of becoming vulnerable due to quantum computer realization, risks requiring current countermeasures against HNDL attacks without waiting for quantum computer realization, etc.) and importance/urgency evaluation.

The Financial Services Agency will promote and follow up on the response status of each financial institution and the entire financial industry toward PQC migration by coordinating with Financial ISAC and industry organizations, while utilizing inspections and monitoring.

FSA & NPA request further strengthening of fraud prevention measures

In recent years, there has been a sharp increase in “SNS-based investment and romance scams,” in which fraudsters gain the trust of others…

Japan FinTech ObserverNorbert Gehrke