The 4th Meeting of the Financial System Council Working Group on Crypto-Assets
The Financial Services Agency (FSA) hosted the 4th Meeting of the Financial System Council Working Group on Crypto-Assets on October 22, 2025. The discussion focused heavily on cybersecurity, the strengthening of the self-regulatory organization (SRO) Japan Virtual and Crypto Assets Exchange Association (JVCEA), and the future regulatory framework for crypto assets, including investor protection and market integrity.
The following covers:
- Financial Services Agency (FSA) Presentation: Cybersecurity and Regulatory Framework
- JVCEA Presentation: Organizational Status and Disclosure
- FSA Presentation: Review of Regulatory Issues
- Dealing with Unregistered Operators and DEXs
- Unfair Trading Regulation
- Financial Literacy
I. Financial Services Agency (FSA) Presentation: Cybersecurity and Regulatory Framework
The FSA began by detailing its multi-pronged approach to cybersecurity, emphasizing the integration of crypto asset exchanges into the broader financial stability framework.
A. Existing Cybersecurity Initiatives
The FSA's efforts are structured around three pillars: Guidance, Monitoring, and Public Assistance (Kōjo).
Guidance and Standards:
- Issuing the Financial Administration Policy and sector-specific supervisory guidelines.
- Issuing warnings regarding vulnerabilities.
- Requesting actions such as system establishment, vulnerability testing, and enhancement of monitoring/analysis capabilities (e.g., phishing countermeasures).
- Active participation in the G7 Cyber Expert Group.
- Addressing the transition to post-quantum cryptography.
Monitoring:
- Conducting fact-finding exercises, on-site/off-site inspections, monitoring, and incident response.
Public Assistance (Kōjo):
- Delta Wall Exercises: Cross-sectoral cybersecurity drills.
- Cybersecurity Self-Assessment (CSSA).
- Threat-Led Penetration Testing (TLPT): Promoting the sharing of TLPT findings and conducting demonstration projects for regional financial institutions.
- Issuing analytical reports on IT resilience in the financial sector.
The FSA’s 2025 Business Year Financial Administration Policy highlights the increasing cyber risk, exacerbated by geopolitical tensions, and commits to continued public-private collaboration, including cross-sectoral Delta Wall exercises. It also focuses on strengthening third-party risk management due to incidents involving service providers.
B. Cybersecurity Guidelines and Risk-Based Approach
The FSA noted the issuance of the detailed "Cybersecurity Guidelines for the Financial Sector" in October 2024, which explicitly apply to crypto asset exchanges. The guidelines emphasize:
- Top Risk Recognition: Cyber risk is recognized as a top management risk requiring prioritization.
- Public-Private Collaboration: Essential for countering both external and internal threats.
- Risk-Based Approach (RBA): Recognizing that risk profiles differ by institution, the guidelines mandate a flexible approach (RBA) rather than a rigid checklist, combining self-help (Jijo), mutual assistance (Kyōjo), and public assistance (Kōjo).
- Core Components: The guidelines cover management structure, risk identification, protection, detection, incident response/recovery, and third-party risk management.
C. Threat Landscape and Incident Response
The FSA highlighted the increasing sophistication of attacks, noting that recent incidents often involve social engineering, making defense more challenging.
- State Actor Involvement: Reports from the National Police Agency and the Public Security Intelligence Agency (PSIA) detailed cyberattack groups (e.g., TraderTraitor, allegedly backed by North Korea) specifically targeting crypto asset exchanges for theft, often for funding WMD programs.
- Response to Major Domestic Incident (May 2024): Following a significant outflow incident at a domestic VASP, the FSA issued alerts and requested mandatory self-inspections focused on:
  - Management Commitment: Ensuring senior management recognizes outflow risk as paramount for user protection and maintains effective governance systems.
  - Asset Management Systems: Requiring compliance with guidelines, verification of the effectiveness of the "Three Lines of Defense," and detailed review of:
    - Cold Wallet Management: Procedures for deposits/withdrawals, risk mitigation measures, and analysis of outflow risks associated with external wallets.
    - Incident Analysis: Verification of transaction logs to ascertain the cause of any illicit activity.
- Social Engineering Alert: Following confirmation of specific social engineering methods used in the incident, the FSA, in collaboration with the National Police Agency and NISC, issued a joint warning outlining example tactics and mitigation strategies, urging immediate secondary self-inspection.
D. Importance of Mutual Assistance
The FSA emphasized the crucial role of Kyōjo (mutual assistance) for the VASP industry, citing its inclusion in the Guidelines and the JVCEA's rules:
- Information Sharing: Financial institutions should proactively utilize financial ISACs for sharing best practices, technical challenges, and intelligence on the latest cyberattack trends.
- Self-Regulatory Mandate: The JVCEA's System Risk Management Rules require members to establish systems for information collection and sharing through designated sharing organizations.
- Conclusion on Kyōjo: The FSA stated that tackling state-level attacks requires a combination of self-help, mutual assistance, and public assistance. The development of industry-wide mutual assistance is essential, and the FSA is prepared to support these efforts.
II. JVCEA Presentation: Organizational Status and Disclosure
The Japan Virtual and Crypto Assets Exchange Association (JVCEA) provided data on its current operations, governance, and financial status, highlighting the challenges of maintaining effective self-regulation.
A. Status of Timely Disclosure
The JVCEA monitors timely disclosure (TD) for crypto assets, requiring members to establish a governance structure that is independent of the sales division ("Second Line of Defense").
- IEO-Related Disclosures: A review of Initial Exchange Offering (IEO) tokens shows wide variation in disclosure frequency, suggesting that highly active tokens (e.g., PLT) generate significantly more material information (e.g., changes in staking rewards, stock issuances, litigation). Less active tokens show minimal or no disclosures.
- Non-IEO Disclosures: Disclosures outside of IEOs primarily concern technical events like hard forks, software updates, or token rebranding, along with any associated constraints on transactions (e.g., suspension of transfers).
- Monitoring Mechanism:
  - The JVCEA regularly inspects member websites for disclosure content.
  - For members approved under the GL (Green List) or CASC (expedited review) systems (currently 12 firms), the JVCEA conducts quarterly monitoring of significant events like hard forks and confirmation of customer communication status.
- Governance Requirements: JVCEA rules mandate:
  - Independent Review Bodies: Establishment of departments (Risk Management, Compliance, Audit) separate from business operations to handle crypto asset review.
  - Timely Disclosure System: Firms must strive to collect and disclose information that could affect the price or risk of traded crypto assets.
  - Monitoring Department: Required for IEO issuers to track compliance with disclosure requirements.
- Post-Listing Review: For all crypto assets (IEO and non-IEO), the JVCEA requires members to conduct internal reviews for certain events (e.g., blockchain changes) and coordinate verification with the JVCEA, similar to the initial listing process.
B. Financial and Organizational Status
The JVCEA's financial statements revealed its structural challenges:
- Financial Reliance: Income relies heavily on membership fees (¥7.2 million annually for exchanges, ¥9.6 million for those also conducting derivative business), which are considered high relative to other industry associations, plus fees for crypto asset screening (e.g., ¥3 million for IEOs).
- Revenue vs. Expenditure: While the JVCEA generally operates without massive deficits, its financial situation is tight (e.g., projected surplus of ¥3.16 million for 2025).
- Staffing: Staff numbers have remained limited (35 employees planned for 2025), which constrains the association’s ability to handle complex and specialized regulatory work. The association anticipates stability will improve as more operators join, including electronic payment instrument providers and intermediary service providers.
- Organizational Structure: The JVCEA's structure includes a Management Division, an IT/System Division, an Investigation Division, a Supervisory/Guidance Division, an Audit Division, and a Legal Division. Key regulatory committees include the Self-Regulatory Committee and the Security Committee.
C. Future Enhancement of Systems
The JVCEA outlined future priorities based on past reviews and working group feedback:
- Security: Strengthening the security foundation through the utilization of Security Management Standards and enhanced coordination with JP Crypto ISAC.
- AML/CFT: Accelerating compliance with the FATF Travel Rule, including expanding covered jurisdictions, and strengthening coordination with the National Police Agency/Metropolitan Police Department.
- Asset Review: Developing effective processes tailored to the unique characteristics of individual crypto assets, and expanding monitoring capacity for already-listed assets and members, while improving the accuracy of issuer disclosure information.
- Market Supervision: Strengthening market monitoring and enhancing the monitoring of issuer-related parties by members.
- Investor Protection: Enhancing customer suitability checks based on audit results and complaints.
III. FSA Presentation: Review of Regulatory Issues
The FSA presented discussion points on four key regulatory domains, transitioning the focus from the current Fund Settlement Act (FSA) framework to the more comprehensive Financial Instruments and Exchange Act (FIEA) framework.
A. Industry Regulation: Foundational Principles
The guiding principle is to apply regulations equivalent to those for Type I Financial Instruments Business under the FIEA to crypto asset exchange businesses, while retaining the crypto-specific provisions currently in the Fund Settlement Act and transferring them to the FIEA.
Key areas of alignment with FIEA include: Management/Governance (e.g., internal control systems, capital adequacy), Market Integrity (e.g., prohibition of market manipulation, front-running, name-lending), and Investor Protection (e.g., disclosure, best execution, segregation of client assets).
Unique Crypto Asset Provisions (retained/enhanced): These include segregation of client assets, protection of managed assets (e.g., Cold Wallet management), and the priority payment right for crypto assets.
B. Individual Regulatory Issues
Concurrent Business (Ken-gyō) Regulation:
- Current Status: Under the current Fund Settlement Act regime, crypto exchanges face no specific concurrent business restrictions, despite engaging in diverse operations.
- Proposal: Moving to the FIEA framework mandates concurrent business regulation to prevent risks from other ventures from jeopardizing the core crypto business. The FSA proposes a system where activities non-ancillary to the core business require either ex-ante approval or ex-ante notification, rather than just ex-post notification (as is common in FIEA). This is crucial as the crypto sector may see more entries from firms not specialized in finance (e.g., communication companies).
Management of Client Assets:
- Current Requirements (Fund Settlement Act): Firms must generally manage client crypto assets in Cold Wallets (offline), and any assets kept in Hot Wallets must be backed by matching resources for immediate compensation in case of loss.
- Proposal: Given the rise of social engineering and sophisticated attacks, the FSA proposes strengthening asset protection by mandating a statutory duty of safe management of client assets across the entire supply chain. Specific security measures would be detailed in guidelines, ensuring flexibility with technological advancements. The FSA also raised concerns about non-custodial wallet services offered by non-registered entities.
Liability Reserve Fund:
- Current Requirements (FIEA): Type I Financial Instruments Businesses must maintain a liability reserve fund to facilitate compensation payments in case of security accidents, but usage requires administrative approval and is typically reserved for losses stemming from the operator's illegal or unjust actions.
- Proposal: The current FIEA rules do not explicitly cover losses due to hacking. If FIEA rules are applied directly, compensation for hacking losses (without illegal action by the operator) would require specific, potentially lengthy administrative approval, delaying client redress. The FSA proposed adapting the rule to allow compensation for hacking losses without requiring individual approval, provided that an appropriate level of reserve is maintained, based on past incident data. It also asked whether securing compensation funds through insurance (in lieu of, or alongside, the reserve fund) should be recognized.
Business Management System:
- Proposal: In addition to existing FSA measures (e.g., suspension of suspicious transactions), moving to the FIEA framework should require a robust business management system focused on enhanced investor protection. Examples include:
  - Review system for handling crypto assets.
  - Mechanism for confirming clients trade within their risk tolerance.
  - Monitoring system for trading activities.
  - System to suspend dealing with assets whose issuers violate information disclosure rules.
Return of Client Assets During Withdrawal/Bankruptcy:
- Current Status: FIEA rules ensure the return of segregated client assets during business withdrawal or cancellation. However, recent FIEA cases have shown that when management abandons the firm, client assets remain under the firm's control, leading to prolonged delays in recovery.
- Proposal: The FSA is considering introducing a mechanism, currently applied to banks and insurance companies, to appoint an administrator (金融整理管財人/保険管理人) when the existing management is deemed incapable of appropriate operation. This administrator would manage operations and assets on behalf of the firm. The FSA proposed extending this mechanism to crypto asset exchanges to ensure the smooth transfer or return of client assets during withdrawal or bankruptcy.
Intermediary Business Regulation:
- Background: The 2025 revision of the Fund Settlement Act introduces a new category of Electronic Payment Instrument/Crypto Asset Service Intermediary (仲介業), aimed at simplifying the regulatory burden for firms acting solely as intermediaries (e.g., matching or introducing users to exchanges).
- Proposal: Aligning with the FIEA framework, the FSA suggested applying basic FIEA intermediary regulations (e.g., external representative [外務員] system, disclosure obligations) to the new crypto intermediary business, while maintaining risk-appropriate distinctions (e.g., no strict financial requirements, as they do not custody client assets).
C. Banking/Insurance Groups and Crypto Exchange Business
The FSA addressed the sensitive issue of banks and insurance companies engaging in crypto asset activities, which is currently generally prohibited for the parent entity due to risks (AML/CFT, system, price volatility, reputational).
- Parent Entity Handling (Issuance/Trading): Due to persistent risks, particularly the risk that clients might trade complex crypto products without proper risk assessment if offered by a trusted bank/insurance brand, the FSA concluded that allowing banks/insurance parent entities to issue or trade crypto assets requires continued cautious examination.
- Parent Entity Handling (Proprietary Investment): Currently prohibited for investment purposes. The FSA asked whether, as the market matures and investor protection is enhanced, banks/insurance groups should be allowed to hold crypto assets for proprietary investment purposes (e.g., diversification), provided they establish adequate risk management systems.
- Subsidiary Handling (Group Level): The FSA suggested that there is more latitude for subsidiaries (which often have broader business scopes and better risk separation from the parent entity) to handle crypto assets. The FSA proposed an equal footing approach with general financial instruments business operators, allowing securities subsidiaries of banks/insurance groups to engage in crypto issuance, trading, and intermediation, and allowing investment management subsidiaries to use crypto assets as investment targets.
IV. Dealing with Unregistered Operators and DEXs
The FSA addressed the challenge of non-registered operators, particularly foreign entities and decentralized exchanges (DEX).
A. Unregistered Operators
- Enforcement Enhancement: Given the current situation where investment seminars and online groups promote crypto trading, the FSA proposed applying the FIEA's enforcement measures to unregistered crypto investment management and advisory activities.
- Criminal Penalties: To deter illegal solicitations, the FSA proposed applying the FIEA's severe criminal penalties for unauthorized financial instrument business (up to 5 years' imprisonment, a ¥5 million fine, or both).
- Civil Remedies: The FSA also proposed strengthening civil remedies against unregistered operators, including judicial emergency cease-and-desist orders and investigative powers for the Securities and Exchange Surveillance Commission (SESC). The FSA noted the complexities of applying existing civil rules (which presume contracts for unregistered securities are void as usurious) to crypto assets, but acknowledged the need to address fraudulent solicitation by unregistered foreign firms.
B. Consumer Harm Prevention
Recent scams increasingly involve victims purchasing crypto assets from domestic registered exchanges and transferring them to an attacker’s unhosted wallet or a wallet managed by an unregistered foreign entity.
- Proposed Mandate: To prevent the use of crypto assets as a payment vehicle for fraudulent investment schemes, the FSA proposed obligating VASPs to take steps, including:
  - Issuing warnings about the possibility of fraudulent schemes.
  - Confirming the purpose of transfer.
  - Appropriate transaction monitoring.
  - Mandating a cooling-off period for transfers made shortly after opening a new account or transferring to a new wallet address.
C. DEXs and Foreign Operators
- Foreign Operators (Cross-Border): Based on the modified effects doctrine (which applies Japanese law if foreign activity has a significant effect in Japan) and international precedents (IOSCO, MiCA), the FSA continues to issue warnings and requests for app store deletions against unregistered foreign operators soliciting Japanese residents via Japanese websites. The FSA noted that MiCA also regulates solicitation of EU residents by non-EU operators.
- DEX Definition and Regulation:
  - DEX protocols allow P2P crypto asset exchange via smart contracts, often without centralized management, a structure currently treated as outside the scope of Japanese VASP registration (similar to MiCA and the proposed US CLARITY Act).
  - Risks: DEXs, however, carry risks from protocol flaws and are vulnerable to money laundering due to inadequate AML/CFT measures.
  - Proposal for Protocols: Developers/setters of DEX protocols (especially those that can be modified post-launch) should be subject to risk-appropriate, non-excessive regulations tailored to the technical nature of the activity, focusing on AML/CFT, pending international consensus.
  - Proposal for UI Providers: Businesses offering User Interfaces (UIs) that facilitate user access to DEXs should be considered for activity regulation, potentially applying rules similar to the new Intermediary Business (e.g., disclosure obligations regarding connection risks, and AML/CFT verification requirements).
- Immediate Action: The FSA will intensify public awareness campaigns regarding the risks of transacting with unregistered entities, including DEX.
V. Unfair Trading Regulation
The FSA proposed a comprehensive framework for regulating unfair trading in crypto assets, mirroring the FIEA's securities regulations.
A. Insider Trading Regulation
The objective is to ensure market fairness and investor trust in the trading venues offered by domestic VASPs.
- Scope: The regulation should target crypto assets handled by domestic registered exchanges, regardless of whether the transaction occurs on a conventional exchange, DEX, or P2P. Crypto assets for which a listing application has been filed should also be included, citing the need for pre-emptive regulation (as seen in the Coinbase case in the US and MiCA).
- Material Facts: Given the limited history of established material facts in crypto, the FSA proposed identifying three categories for regulation, supplemented by a basket clause:
  - Material Facts related to Centralized Issuer Operations (e.g., issuer bankruptcy, major security breach).
  - Material Facts related to Exchange Handling (e.g., new listing, delisting, major outflow incident).
  - Material Facts related to Large-Scale Transactions (e.g., a trade significantly impacting price, defined by thresholds such as buying/selling 20% or more of issued assets).
- Regulated Insiders: Individuals in a "special position" close to the material fact should be regulated, including:
  - Issuer-related parties (officers, major shareholders, regulatory contacts).
  - Exchange-related parties (officers, employees).
  - Large-scale transaction parties.
- Public Disclosure: Public disclosure methods should be restricted, likely limited to the exchange's website or the JVCEA's website, excluding social media (SNS) due to verification and reliability challenges.
- Prohibited Acts/Exemptions: Prohibited acts should include selling, exchanging, and in-kind contributions (transfer of ownership). New issuance and original acquisition (purchase) of centralized crypto assets should also be prohibited (unlike in securities), given the lack of corresponding protection mechanisms found in corporate law. Exemptions (e.g., pre-planned transactions) should be cautiously considered.
- Tip-Off/Recommendation Prohibition: The prohibition on tipping or recommending trades based on non-public material information should be applied to crypto assets to fully ensure market integrity.
B. Other Unfair Trading and Enforcement
- Market Manipulation: The regulation prohibiting stabilization practices (相場操縦) should be applied to crypto assets, as the rationale (preventing losses from sudden price shifts induced by artificial market movements) is relevant.
- General Prohibition/Fraud: Existing FIEA rules on the general prohibition of fraudulent acts (偽計) are applicable and should be maintained. Specific crypto-unique unfair practices may be addressed in the future if observed in practice.
- Administrative Monetary Penalty (課徴金): The FSA proposed establishing an administrative monetary penalty system (similar to the FIEA regime) for violations of unfair trading rules to ensure enforcement effectiveness, even for violations not resulting in criminal prosecution. The penalty should be based on economic gain derived from the violation.
- Investigative Powers: To ensure the effectiveness of the new regulations, the SESC's investigative authority should be extended to cover unfair trading cases involving crypto assets, including the ability to request cooperation from foreign regulatory authorities (in a reciprocal manner) for cross-border cases.
VI. Financial Literacy
The FSA emphasized the need to enhance financial literacy and protect investors from excessive risk.
- Promoting Cautious Trading: The FSA proposed measures to ensure investors fully understand risks and trade within their tolerance:
  - Prohibiting misleading representations that emphasize past gains or future forecasts.
  - Mandating VASP systems to confirm clients trade within their risk-bearing capacity (linking to the customer suitability checks).
  - Enforcing JVCEA rules on setting limits on transactions and holding amounts.
- Risk Communication: Administrative bodies and VASPs must sufficiently publicize the risks of dealing with DEX and unregistered foreign operators.
- Literacy Enhancement: The FSA plans to revise educational materials (via J-FLEC) to address the complexity and risks of crypto assets, focusing on:
  - Price volatility driven by supply and demand.
  - Outflow risk due to hacking (even with segregated assets).
  - The necessity of understanding one's own risk tolerance and investing only within the limits of surplus assets.

