Proposed Revisions to FSA Supervisory Guidelines for Internet Trading

The Financial Services Agency (FSA) has compiled a draft partial revision to the Comprehensive Guidelines for Supervision of Financial Instruments Business Operators (and others), and released it for public comment until Monday, August 18, 2025.

This amendment responds to the frequent cases of unauthorized access to Internet trading services, and of unauthorized trading by third parties, carried out with customer credentials (login IDs, passwords, etc.) stolen through phishing sites posing as securities company websites. Its aim is to strengthen authentication methods and fraud prevention measures in Internet trading.

The proposed revision represents a significant shift from providing general, example-based guidance to establishing a comprehensive, mandatory, and highly specific regulatory framework for Internet trading security. Spurred by the rise in sophisticated phishing and unauthorized access attacks, the FSA is moving to mandate modern, robust security controls, enhance customer protection, and strengthen its own supervisory enforcement capabilities.

The core changes can be summarized in four key areas:

  1. Structural Overhaul: Creation of a new, dedicated chapter for Internet trading security.
  2. Mandatory Phishing-Resistant Authentication: The centerpiece of the revision is the requirement for strong, modern Multi-Factor Authentication (MFA).
  3. Expanded Scope of Required Measures: The guidelines now detail specific technical and procedural controls covering the entire incident lifecycle.
  4. Strengthened Supervisory Enforcement: New, explicit rules for incident reporting and potential regulatory action.

1. Structural Overhaul: From Examples to a Formal Framework

The most fundamental change is structural. The previous guidelines addressed internet trading security within the general "System Risk" section (III-2-8-1) by providing a list of examples of good practices.

  • Current Version: Lists examples like "variable passwords," "multi-path authentication," "transaction signing," and providing anti-virus software (Pages 1-2 of the current text, 現行). These were suggestions, not explicit requirements.
  • Proposed Version: Replaces this list with a reference to an entirely new, dedicated section: III-2-8-2 Internet Trading (Pages 3-9 of the proposed revision, 改正案). This new section is subdivided into:
    • III-2-8-2-1 Significance: Defines the risks and establishes the importance of security.
    • III-2-8-2-2 Main Checkpoints: Lays out specific, detailed requirements for firms.
    • III-2-8-2-3 Supervisory Method/Response: Defines how the FSA will monitor and enforce these rules.

Analysis: This structural change elevates internet trading security from a sub-topic of system risk to a primary area of regulatory focus. It moves firms from a position of "considering examples" to one of "complying with a detailed rulebook."

2. The Mandate for Phishing-Resistant Multi-Factor Authentication (MFA)

This is the most critical technical update and the core of the new requirements.

  • Current Version: Suggests authentication methods beyond static ID/passwords, like "variable passwords" (Page 1 of the current text, 現行).
  • Proposed Version: Explicitly mandates the implementation and mandatory adoption (as a default setting) of "phishing-resistant Multi-Factor Authentication" for critical operations like logins, fund withdrawals, and changing account details (Page 6 of the proposed revision, 改正案).
    • It provides modern examples: Passkeys and PKI-based authentication.
    • It acknowledges implementation challenges by including pragmatic transitional measures (Notes 1 & 2 on Page 6):
      • Firms must provide alternative MFA for users who cannot use the primary methods (e.g., lack of a smartphone) but must monitor and aim to reduce the opt-out rate.
      • Firms are required to create and communicate a concrete implementation schedule to customers. During the transition, they must strengthen other detective controls like behavioral analysis.

Analysis: This is a direct response to the ineffectiveness of older MFA methods (such as SMS one-time passwords, which a phishing site can relay to the real site in real time) against modern Man-in-the-Middle phishing attacks. Mandating phishing-resistant MFA by default significantly raises the security baseline for the entire industry.
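To make the "phishing-resistant" distinction concrete, here is an added, constructed model (not code from the FSA document or any broker): an OTP relayed by a phishing page is accepted because it is a bare secret, whereas a passkey-style assertion is rejected by the relying party's origin and rpId checks. It assumes a relying-party ID `broker.example`, a look-alike phishing domain, and uses HMAC as a stand-in for the credential's real signature.

```python
import hashlib, hmac, json, secrets

# Constructed model (not from the FSA text): why an OTP survives a real-time
# phishing relay but an origin-bound, passkey-style assertion does not.
# HMAC stands in for the credential's ECDSA signature (simplification).
RP_ID = "broker.example"                        # assumed relying-party ID
GOOD_ORIGIN = "https://broker.example"
PHISH_ORIGIN = "https://broker-example.com"     # constructed look-alike domain

def verify_otp(expected_otp, submitted_otp):
    # An OTP is a bearer secret: whoever relays it within its lifetime wins.
    return hmac.compare_digest(expected_otp, submitted_otp)

def authenticator_sign(cred_key, rp_id, origin, challenge):
    # The browser writes the origin the page is actually served from into
    # clientDataJSON; the authenticator signs authData || SHA-256(clientData).
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash|flags
    msg = auth_data + hashlib.sha256(client_data).digest()
    return client_data, auth_data, hmac.new(cred_key, msg, hashlib.sha256).digest()

def verify_assertion(cred_key, challenge, client_data, auth_data, sig):
    # Relying-party checks in WebAuthn order: type, challenge, origin, rpIdHash, sig.
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != GOOD_ORIGIN:
        return False            # the relayed assertion fails here
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    msg = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(cred_key, msg, hashlib.sha256).digest(), sig)

def phishing_relay_outcomes():
    key, challenge = secrets.token_bytes(32), secrets.token_urlsafe(32)
    otp_relayed = verify_otp("482913", "482913")   # attacker forwards victim's OTP
    # Real browsers already refuse an rpId that does not match the page origin;
    # modelled here as an assertion carrying PHISH_ORIGIN in clientDataJSON.
    cd, ad, sig = authenticator_sign(key, RP_ID, PHISH_ORIGIN, challenge)
    passkey_relayed = verify_assertion(key, challenge, cd, ad, sig)
    cd, ad, sig = authenticator_sign(key, RP_ID, GOOD_ORIGIN, challenge)
    passkey_legit = verify_assertion(key, challenge, cd, ad, sig)
    return otp_relayed, passkey_relayed, passkey_legit
```

`phishing_relay_outcomes()` returns `(True, False, True)`: the relayed OTP is accepted, the relayed assertion is refused, and the genuine assertion succeeds.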

3. Expanded Scope of Security and Customer Protection Measures

The new section III-2-8-2-2 introduces a wide range of specific requirements that cover technology, governance, and customer interaction.

Key New Requirements:

  • Governance & Risk Management (Page 4):
    • Internet trading security must be treated as a top management priority.
    • A formal PDCA (Plan-Do-Check-Act) cycle for security measures is required.
    • Firms must consider specific, modern attack vectors like Man-in-the-Middle (MitM) and Man-in-the-Browser (MitB) attacks.
  • Specific Anti-Phishing Measures (Page 5):
    • A strict rule against including login URLs in emails or SMS messages.
    • A requirement to implement measures for users to verify a site’s authenticity and to plan for the adoption of email authentication technologies (e.g., DMARC).
  • Enhanced Detective and Preventive Controls (Page 6):
    • Automatic account lockouts after repeated failed login attempts.
    • Customer notifications (via email, etc.) for high-risk activities like logins or changes to account information.
    • Implementation of behavioral analysis ("login behavior detection") to spot anomalies.
  • Comprehensive Customer Response (Page 8):
    • Proactively educating customers on risks.
    • Providing customers with easy ways to review their transaction history.
    • Establishing a robust process for receiving and responding to fraud reports.
    • Most notably, establishing a system for investigating incidents and providing customer compensation (被害補償), considering the customer's circumstances.

Analysis: The proposed guidelines cover the entire lifecycle of a security incident—from prevention (MFA, education) and detection (behavioral analysis) to response (account lockout, customer support) and recovery (compensation). The explicit mention of customer compensation is a major step forward in consumer protection.
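As an added illustration of the detective controls listed above (not code from the FSA document or any firm), the following runs a lockout rule, customer notifications and a simple new-device check over constructed login events. The event layout, the thresholds (5 failures within 10 minutes) and the choice to trust a customer's first seen device are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login events (assumed shape): time, user, result, ip, device.
EVENTS = [
    ("2025-08-01T09:00:00", "u1", "ok",   "203.0.113.5",  "dev-A"),
    ("2025-08-01T09:01:00", "u2", "fail", "198.51.100.9", "dev-X"),
    ("2025-08-01T09:01:10", "u2", "fail", "198.51.100.9", "dev-X"),
    ("2025-08-01T09:01:20", "u2", "fail", "198.51.100.9", "dev-X"),
    ("2025-08-01T09:01:30", "u2", "fail", "198.51.100.9", "dev-X"),
    ("2025-08-01T09:01:40", "u2", "fail", "198.51.100.9", "dev-X"),
    ("2025-08-01T09:01:50", "u2", "ok",   "198.51.100.9", "dev-X"),  # must be blocked
    ("2025-08-01T09:05:00", "u1", "ok",   "192.0.2.77",   "dev-B"),  # new device + IP
]
MAX_FAILS, WINDOW = 5, timedelta(minutes=10)   # assumed policy values

def process(events, max_fails=MAX_FAILS, window=WINDOW):
    fails = defaultdict(deque)   # user -> timestamps of recent failures
    known = defaultdict(set)     # user -> devices seen on successful logins
    locked = {}                  # user -> lock expiry time
    actions = []
    for ts, user, result, ip, device in events:
        t = datetime.fromisoformat(ts)
        # Lockout check first: a locked account rejects even correct credentials.
        if user in locked and t < locked[user]:
            actions.append((ts, user, "rejected_locked"))
            continue
        if result == "fail":
            q = fails[user]
            q.append(t)
            while q and t - q[0] > window:   # keep only failures inside the window
                q.popleft()
            if len(q) >= max_fails:
                locked[user] = t + window
                actions.append((ts, user, "lockout"))
                actions.append((ts, user, "notify_customer:lockout"))
            continue
        # Successful login: always notify; flag a never-seen device as anomalous
        # (first device per user is trusted by assumption).
        actions.append((ts, user, "notify_customer:login"))
        if known[user] and device not in known[user]:
            actions.append((ts, user, f"anomaly:new_device:{device}@{ip}"))
        known[user].add(device)
    return actions
```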

4. Strengthened Supervisory Enforcement

The FSA is giving itself more power to enforce these new, stricter rules.

  • Current Version: No explicit enforcement mechanism was detailed in this section.
  • Proposed Version: The new section III-2-8-2-3 Supervisory Method/Response (Page 9 of the proposed revision, 改正案) introduces clear enforcement actions:
    • Mandatory Incident Reporting: Firms must promptly submit a "Crime Occurrence Report" (犯罪発生報告書) to the FSA upon detecting unauthorized access or trading.
    • Business Improvement Orders: If the FSA finds that a firm has inadequate measures or that incidents are recurring, it can issue a Business Improvement Order under Article 51 of the FIEA.

Analysis: This puts real teeth into the guidelines. The threat of a formal, public business improvement order creates a powerful incentive for firms to invest in the required security measures and comply diligently.
