Background
IBA Japan member firms generally have AML/CFT policies based on their group standards. These standards are based upon globally accepted standards issued by FATF and other complementary standards like Wolfsberg.
The challenge for our members is implementing global policies using a risk-based approach whilst ensuring compliance with the Japanese CDD regime. Some aspects unique to Japan are rule-based and not necessarily conducive to the best outcome in AML/CFT. Below is a list of areas in the CDD regime in Japan which could be improved.
- Silo-based CDD
In Japan, AML/CFT is governed by two primary laws; the Act on Prevention of Transfer of Criminal Proceeds (the Act) and the Foreign Exchange and Foreign Trade Act (FEFTA). The former is administered by the National Police Agency (NPA) and the latter by the Ministry of Finance (MOF).
It is the Act on Prevention of Transfer of Criminal Proceeds which requires CDD (i.e., verification at the time of transaction and on-going due diligence beyond) to be conducted by an individual specified business operator (i.e. financial institutions and DNFBPs).
However, in the case of a financial group (Japanese or foreign) which operates through multiple channels (e.g., bank, securities firm, etc.) it is common to have a client transacting with multiple group companies. Consequently, this requirement results in duplication of effort and reduced efficiency using resources available for the battle against money laundering and terrorist financing (hereinafter “ML/TF”).
Silo-based CDD reduces effectiveness and therefore increases risk, when a bank and a securities firm belonging to the same financial group were dealing with the same customer. AML officers in the respective companies in the second line of defense (i.e., compliance section) were permitted to share the customer’s non-public information, but AML officers in the first line of defense were not, until in June 2022 when the FSA relaxed the prohibition of information sharing.
The FSA started to allow sharing of customer’s non-public information between AML officers in the first line of defense of a bank and a securities company belonging to the same financial group, provided that the sharing is for AML purposes and they have put in place appropriate controls to prevent such information from being used for marketing/solicitation purposes.
This is a positive step forward, bringing Japan in line with other major jurisdictions where such information sharing has long been permitted.
- Reliance
Under the current regime, the Act requires each financial institution to conduct CDD. Reliance on CDD conducted by another financial institution is not generally permitted.
As a result;
- A bank cannot rely on CDD requirements fulfilled by another bank in the same group which is a separate legal entity even if the customer has a bank account.
- A bank cannot rely on CDD requirements fulfilled by a securities company which belongs to the same financial group even if the customer already has a securities account.
- A foreign bank in Japan cannot rely on CDD requirements fulfilled by another branch or legal entity outside of Japan which belongs to the same bank or financial group.
The Banking Act does not recognize the head office or other branches outside of Japan as a legitimate bank licensed under the Banking Act. Similarly, the NPA does not allow for cross-border reliance.
As a result, financial institution’s resources are locked in to duplicative/redundant CDD processes. If reliance is permitted, valuable resources could be released and allocated to other AML/CFT priority issues. Ultimately, it would increase efficiency and reduce AML/CFT risk.
Duplicative procedures are not in the best interest of customers.
The NPA should allow greater reliance, especially in the cross-border context.
- Reliance (in the context of online verification at the time of transaction, effective from November 2018)
In November 2018, a new method of online CDD was introduced for banks:
- Method 1: Receiving a soft copy of customer’s photo and photo ID.
- Method 2: Receiving a soft copy of customer’s photo and electronic data stored in an IC chip in his/her photo ID.
- Method 3: Reliance on CDD already conducted by another bank [in Japan only], and receiving either a soft copy of the customer’s photo or electronic data of the customer’s ID.
- Method 4: Making a small amount of remittance to the customer’s account already opened at another bank [in Japan only] which had conducted CDD, and receiving either a soft copy of the customer’s photo or electronic data of the customer’s ID.
Method 1 and 2 are allowed for customers inside or outside of Japan.
Method 3 and 4, however, are not fully allowed for foreign banks; a bank (Japanese or foreign) in Japan can rely on a foreign bank in Japan, but is not allowed to rely on a foreign bank located outside of Japan.
Such asymmetric treatment is constraining foreign banks in Japan. The NPA should take a more reciprocal approach and ensure a level playing field.
- Japan-centric narrow definition of documents eligible for identification
The scope of documents eligible for identification is defined rather narrowly on a rule-basis, which poses difficulty in transactions with foreign customers. Some of the examples are as follows.
The Act allows for IDs such as a Japanese driver’s license, passport, etc.
When such documents do not include all of the required evidence (e.g. customer photo or residential address, etc.), a supplementary document [to the primary ID] is required; for example, a receipt for utility payments showing the residential address.
When dealing with a non-resident customer (e.g. Japanese emigrant to Brasil), foreign banks are challenged by the limited scope of eligible supplementary documents.
This is because utility receipts issued by a service provider in Japan are eligible, but those issued by a service provider outside of Japan are eligible only when the provider is a government entity.
However, utility services outside Japan more often than not are provided by private companies, not by a government entity (this is also the case in Japan).
In addition, a utility receipt is eligible, but a utility bill is not. In some countries, however, only a bill is issued, not a receipt.
The approach to AML/CFT mandated in Japanese law is also inconsistent with the approaches in other areas of Japanese Government. For example, the Ministry of Foreign Affairs (MOFA) is taking a more flexible approach globally. When a non-resident Japanese would like to ask a Japanese embassy or consulate to validate their residential status for the purposes of receiving inheritance, pension payments, etc., they are allowed to provide the embassy/consulate with utility receipts issued by a service provider, public or private.
Identification of customers outside of Japan is challenging given such an unlevel playing field for eligible documents.
Such situation has become even more challenging since April 2020, when non face-to-face identification requirements were strengthened, and a second set of customer ID documents was required.
Based on the above, some foreign financial institutions will continue to struggle to obtain a second set of ID documents and satisfy the amended rules unless the scope of eligible foreign-issued supplementary documents is expanded.
The Japanese Government is strengthening identification requirements, but these will be less effective and have limited benefit unless there is a resolution of this issue (i.e. expanding the scope of eligible foreign supplementary documents).
- Identification of a corporate customer; requirement to obtain a hard copy of certification (typically, corporate registry information)
In the case of transactions with corporate customers, the Act requires a financial institution to obtain a hard copy of the certification (typically, corporate registry information) from a corporate customer, usually issued by a legal affairs bureau when the corporate is located in Japan.
In some jurisdictions (e.g. Singapore) an official hard copy of the corporate registration document is not available from a government entity; information is only observable on-line.
As a result, when a foreign financial institution in Japan needs to transact with a corporate customer in Singapore, for example, the institution has to obtain a hard copy, certified as genuine by local bank staff or the corporate customer’s company secretary etc., by having it sent to Tokyo, as a possible alternative to follow the Japanese CDD regulations. This process is inefficient and increases the risk of a forged document.
As part of the relaxation of regulations effective in November 2018, the NPA has allowed verification by corporate registry services [available in Japan] provided by the National Tax Agency and by the Civil Legal Affairs Association. By using these services, a financial institution can choose to conduct CDD on a corporate customer without asking for a hard copy. However, the NPA does not allow firms to rely upon corporate registry services outside of Japan.
The NPA should revisit this issue and allow for reciprocal/globally accepted identification practices.
- Refreshing customer information
In conducting CDD, it is always a challenge to keep customer information up to date; for example, deciding frequency, trigger event, etc.
Most of IBA Japan’s member firms take a risk-based approach. For example, classifying customers into high/medium and low risk, based on a range of factors that include country, industry segment, transaction types, etc. The risk rating will inform the frequency of customer review, although the approach may differ between institutions. For example, high risk customers may be reviewed every year or even more frequently, medium risk customers every two years, and low risk customers every three years.
Alternatively, some IBA Japan member firms use event driven CDD approaches. Triggers might include, irregular transactional pattern, changes in the management of a corporate customer, etc.
However, business models and customer profiles vary from firm to firm. If an inflexible one-size-fits-all timeframe is imposed, other variables (e.g., number of customers classified as high/medium/low risk respectively) would have to be adjusted accordingly, unless indefinite amount of resource is available for AML purposes.
For example, a firm might have to limit the number of customers classified as high risk and allow for a large number of customers classified as low risk. Then, however, the firm would need to “streamline” refresh procedures for low-risk customers (e.g., by only sending a simple questionnaire to them by post and deeming the refresh is completed if the questionnaire does not get bounced back.)
That would run counter to widely practiced and established global refresh policies and run the risk of compromising the quality of refresh, rather than improving it.
In line with the risk-based approach, Japan should allow flexibility based on different circumstances. At the same time, the FSA should require “customer refresh” not only on the part of financial institutions but also on their customers, by requiring them to provide financial institutions with their latest profile information without delay.
- Requirements to doublecheck residential status under MOF’s Foreign Exchange and Foreign Trade Act
CDD conducted under FEFTA is basically threefold; A) verification of individuals and legal entities (which is the same as under the Act), B) screening of sanctioned persons, and C) identification of “residential status”.
A and B are relatively straightforward. C is unique to FEFTA because FEFTA is meant to capture financial transactions involving non-residents; in other words, FEFTA is not meant to capture transactions between residents denominated in domestic currency, i.e. Japanese Yen.
To fulfill this mandate, FEFTA sets out provisions where financial institutions must identify the “residential status” of customers by checking their residential address recorded in their legitimate ID document (e.g. driver’s license, resident card issued for foreign residents, etc.). It is supposed to be a relatively simple procedure.
However, MOF says that the ID document alone is insufficient. FEFTA’s lower-level Notice issued in 1980 (“1980 Notice”) sets out that financial institutions have to double check the residential status of “foreigners” by verifying either A) whether the foreigner has lived in Japan for six months or longer; or B) whether the foreigner is employed in Japan.
As long as such “double-checking” is conducted on a risk basis, it would contribute to higher security, protect financial institutions, and protect the financial markets and economy of Japan. According to the MOF, however, the 1980 Notice does not employ a risk-based approach and must be followed to the letter.
Such treatment of foreign customers is unbalanced compared to the treatment of Japanese customers in that the 1980 Notice sets out similar double-checking procedures for “Japanese customers” but our understanding is that such procedures are in practice not conducted.
In conclusion, the double-checking procedures (or “requirements”, according to MOF) in the 1980 Notice lacks robust legal foundation, and as such administration thereof is open to ambiguous interpretations.
MOF should amend the 1980 Notice and make it clear that double-checking should be done taking a risk-based approach.
While keeping the 1980 Notice unchanged, in June 2023, MOF and the FSA requested financial institutions to take a flexible approach in treating non-resident non-Japanese; treating them equally as residents as much as possible in terms of bank account opening, ATM services, cross-border remittances by the internet banking, even if they are non-residents (provided that such non-Japanese are not sanctioned by the authorities in Japan or abroad.)
MOF and the FSA said such flexible treatment should help non-Japanese entrepreneurs who would come to Japan and establish start-up companies as well as students and trainees coming to Japan.
This relaxation is a positive step forward, accepting a long-standing relaxation request made by IBA Japan. The remaining issue (i.e., amending 1980 Notice) should also be reviewed by MOF without further delay.
- Weak aliases
The United Nations’ Security Council makes a resolution and periodically releases an updated list of sanctioned individuals that require screening at each regulated financial institution.
The Ministry of Finance of Japan (MOF) provides financial institutions with a translated version of the sanctions list a couple of weeks after publication of the UN resolution.
However, there are often subtle differences in the information released by the UN and the translation by MOF. This has a significant impact on a financial institution’s AML/CFT screening operations.
For example, the UN list shows sanctioned individual names, with “Good quality” aliases plus “Low quality” aliases, if any.
Not allowing for a risk-based approach, MOF’s list includes both “Good quality” and “Low quality” aliases without making distinction between the two. As a result, financial institutions are required to screen for all aliases, including low quality ones, taking additional time and resources which could be allocated to higher priority AML/CFT issues.
As recommended by, for example the Wolfsberg Group or US OFAC, financial institutions should be permitted to take a risk-based approach to avoid them needing to allocate an unreasonable level of resources to review a large number of “false positives”. This will also free up resources that they could allocate to other high priority AML/CFT purposes.
MOF should allow for such a risk-based approach.
- Timeframe for completing screening sanctioned persons
In April 2022, the FSA amended “Frequently Asked Questions” regarding AML Guidelines, indicating that financial institutions must screen their customer database against sanctioned persons “within 24 hours” after publication of such sanctions.
We are not aware, however, that such “within 24 hours” is officially required in any other major jurisdiction.
Many global financial institutions follow and observe sanctions released in major jurisdictions (e.g., not only by the UN but also US, UK, EU, etc.). In practice, they contract with and rely on data service providers who follow such sanction releases around the clock. In general, a data service provider may take up to 24 hours to incorporate new sanctions into their database and feed it into their customer financial institutions.
Then, the financial institution may take up to another 24 hours to upload the data, screen their customer database, and block accounts and remittances if they are identified positive.
Financial institutions must take an immediate response to newly released sanctions and they already do so by taking a realistic approach as fast as possible. Japan should take into account such global practices when referring to the timeframe of “within 24 hours”.
- Looking forward; centralized KYC
Currently, financial institutions conduct KYC by checking multiple databases including internal databases, and databases from other sources such as public media, commercial vendors, industry associations, etc. It would be more efficient and effective if all this information were unified into one database and a central third-party did initial customer screening on behalf of all financial institutions, rather than each financial institution collating databases and screening customers individually.
When it comes to foreign financial institutions, they are challenged with screening Japanese customers because their database is usually using the alphabet, while databases available in Japan are usually in Chinese characters (“Kanji”) or Japanese alphabet (“Katakana”). We hope that if centralized KYC is introduced in the future, it will accommodate the unique needs and requirements of foreign financial institutions.
In January 2023, the Japanese Bankers Association (JBA) established Cooperation Agency for Anti-Money Laundering (“Agency”) as its subsidiary.
The Agency will provide those banks which sign up for it with two types of services; a) AI-based screening & monitoring services and b) AML advisory services.
In July, the Agency indicated to JBA member banks that the Agency will start AML advisory services in April 2024.
If a bank is interested in using the Agency’s services, they need to pay the initial participation fee and user fee going forward (e.g., monthly, yearly).
Banks may want to know more about issues including, but not limited to, the following, before deciding whether to use the Agency:
- To what extent the Agency’s services are relevant for foreign banks’ businesses in Japan.
- Whether the initial fee and on-going user fee are set appropriately, given that the Agency was partly subsidized by the Government during its preparation period.
- To what extent the Agency’s services will be provided by its internal staff or by contracted external experts (which would have some impact on the fee level to be charged).
- Distinction between the JBA’s AML-related services to date (as part of the JBA’s general services) and separate fee-based services to be provided by the Agency.
- How soon the AI-based services will be rolled out.
- AI-based services seem to be designed based on data from Japanese banks. To what extent such services are useful for foreign banks and how the fee level will be adjusted according to the level of usefulness.
Please log in with you member account to access the full IBA Insights Article (JA)