Proposed Revisions to FSA Supervisory Guidelines for Internet Trading

The Financial Services Agency (FSA) has compiled a draft partial revision to the Comprehensive Guidelines for Supervision of Financial Instruments Business Operators (and others), and released it for public comment until Monday, August 18, 2025.
The amendment responds to frequent cases of unauthorized access to, and unauthorized trading (trading by third parties) in, Internet trading services using customer information (login IDs, passwords, etc.) stolen from phishing sites disguised as securities company websites. Its purpose is to strengthen authentication methods and fraud prevention measures in Internet trading.
The proposed revision represents a significant shift from providing general, example-based guidance to establishing a comprehensive, mandatory, and highly specific regulatory framework for Internet trading security. Spurred by the rise in sophisticated phishing and unauthorized access attacks, the FSA is moving to mandate modern, robust security controls, enhance customer protection, and strengthen its own supervisory enforcement capabilities.
The core changes can be summarized in four key areas:
- Structural Overhaul: Creation of a new, dedicated chapter for Internet trading security.
- Mandatory Phishing-Resistant Authentication: The centerpiece of the revision is the requirement for strong, modern Multi-Factor Authentication (MFA).
- Expanded Scope of Required Measures: The guidelines now detail specific technical and procedural controls covering the entire incident lifecycle.
- Strengthened Supervisory Enforcement: New, explicit rules for incident reporting and potential regulatory action.