The main regulator is the Financial Services Agency (FSA), which is in charge of the supervision of financial institutions, including insurance companies.

Although the Ministry of Economy, Trade and Industry (METI) is not the regulator of the financial sector, it is very supportive of the introduction and promotion of fintech/insurtech‑related businesses to the Japanese market and organizes study groups on fintech. See Question 4.

Activities related to insurance business may be regulated under the Insurance Business Act and the relevant subordinated regulations and guidelines. The Act on the Protection of Personal Information (APPI) as well as the relevant subordinated regulations and guidelines is also
highly relevant as many new insurance products and services related to fintech/insurtech are likely developed through personal information.

Businesses related to payment, fund transfer, settlement and moneylending are subject to the Banking Act, the Money Lending Business Act, the Act for Regulation, etc., of Receiving of Capital Subscription, Deposits, Interest on Deposits, etc., the Payment Services Act, the Installment Sales Act, the Foreign Exchange and Foreign Trade Act and the Act on Prevention of Transfer of Criminal Proceeds (Japanese primary regulations for KYC and AML) as well as their respective subordinate regulations.

Businesses related to investment advisory and investment management would be subject to the Financial Instruments and Exchange Act (FIEA) as well as the subordinate regulations.

The draft amendments to the various financial regulations such as the Banking Act and the Money Lending Business Act, as well as the amendments to the Payment Services Act with the aim of regulating virtual currency exchange businesses, were submitted to the Diet on 4 March 2016 and were passed on 25 May 2016. The amended regulations together with the relevant subordinated regulations came into effect on 1 April 2017.

The draft amendments to the Banking Act, with the aim of regulating electronic collection agency businesses, were submitted to the Diet on 3 March 2017 and were passed on 26 May 2017.

The introduction of fintech/insurtech to the Japanese financial market seems to be still at an early stage and a desirable regulatory framework on fintech/insurtech is still under study and discussion by the regulator and market players, although many regulations related to fintech/insurtech have been recently introduced (please see 4 below). Further regulatory amendments, with the aim of covering the cross-sectoral and cross-border development of fintech/insurtech, may therefore be promoted and implemented.

The FSA is supportive of the introduction of fintech/insurtech and intends to strongly support fintech/insurtech start-ups. The Financial Administration Policy for 2015-2016 issued by the FSA in September 2015 expressly states that the FSA will anticipate the trend of fintech/insurtech and will prepare the environment so that technological innovation can contribute to economic and financial development in Japan. The Financial Administration Policy for 2016-2017 issued by the FSA in October 2016 also states that the movement of integration of finance and IT represented by fintech has been progressing on a global scale and revolutionizing both financial services and market and that it is important to provide better services through innovation of financial services in Japan (collectively, Financial Administration Policy). Based on the Financial Administration Policy, the FSA established the Fintech Support Desk in December 2015 to serve as point of contact for consultation and information exchange on financial regulations regarding fintech. The FSA also established the Expert Panel on FinTech Venture in April 2016 to discuss desirable environment for development of fintech.

The METI is also supportive of the introduction and promotion of fintech/insurtech‑related businesses to the Japanese market. The METI has held a series of meetings of Study Group on the Integration of Industry, Finance and IT (Study Group) since October 2015. The METI
started to seek public comments on 11 agenda items identified relating to fintech on 21 April 2016 and the public comments period ended on 23 May 2016. Since 1 July 2016, the METI has started to hold a series of meetings of Review Committee for Issues and Future Direction
of FinTech (FinTech Review Committee). The METI put together the discussions held in the FinTech Review Committee and issued the final report titled “FinTech Vision” in May 2017.

The licenses required will depend on the specific activities contemplated. We recommend seeking the advice of local counsel as it is even difficult to identify under which regulations a particular activity should be regulated. In brief overview:

• Insurance business. A license may be required to perform life or non-life insurance business. The criteria to obtain the license are specified under the relevant provisions in the Insurance Business Act and the Ordinance for Enforcement of the Insurance Business
  Act. The standard processing period designated under the relevant regulations is 120 days. A license may be also required to create new insurance products. The criteria to obtain the license are specified under the relevant provisions in the Insurance Business Act. The standard processing period designated under the relevant regulations is 90 days. However, the Comprehensive Guidelines for Supervision of Insurance Companies (Insurance Supervision Guidelines) express that the FSA shall endeavor to reduce the review period in light of assistance in prompt product development. In particular, it is expressed that stylized and simple products and the products that are substantially the same as the other companies' existing products shall be, in principle, reviewed within 45 days.
• Insurance broker business. A registration may be required to run a insurance broker business. The criteria to be registered are specified under the relevant provisions in the Insurance Business Act. The standard processing period designated under the relevant regulations is 30 days.
• Accepting deposits. In order to accept deposits from customers, a license may be required. The criteria to be registered are specified under the relevant provisions in the Banking Act and other Ordinance for Enforcement of the Banking Act. The standard processing period designated under the relevant regulations is one month.
• Money lending and credit provision for settlement. In order to perform moneylending and credit provision for settlement (including credit card), a license or registration may be required depending on the type of activities. For banking business license, please see
  item 3 above. For moneylending business, the criteria to be registered are specified under the relevant provisions in the Money Lending Business Act. The standard processing period designated under the relevant regulations is two months. For credit provision for settlement, the criteria to be registered are specified under the relevant provisions in the Installment Payment Act. The standard processing period designated under the relevant regulations is 60 days.
• Prepaid card or other prepaid type of service. Issuers of prepaid payment instruments for third-party business need to be registered. The criteria to be registered are specified under the relevant provisions in the Payment Services Act. The standard processing period designated under the relevant regulations is two months.
• Funds transfer service. In order to run a fund transfer service, a license or registration may be required depending on the monetary amount to be transferred. For banking business license, please see item 3 above. For fund transfer service providers under the
  Payment Service Act, the criteria to be registered are specified under the relevant provisions in the Payment Service Act. The standard processing period designated under the relevant regulations is two months.
• Investment advisory and investment management business. In order to perform investment advisory or investment management business, a registration may be required. The criteria to be registered are specified under the relevant provisions in the FIEA. The standard processing period designated under the relevant regulations is two months.
• Crowdfunding. A registration as type II financial instruments business operator may be required for crowdfunding made through collective investment scheme. The criteria to be registered are specified under the relevant provisions in the FIEA. The standard
  processing period designated under the relevant regulations is two months.
• Virtual currency exchange. In order to perform virtual currency exchange business, a registration may be required. The criteria to be registered are specified under the relevant provisions in the Payment Services Act. The standard processing period designated under the relevant regulations is two months.

There are no specific regulations for the use of telematics. However, any insurance product that uses the telematics must ensure that the use is compliant with any existing insurance regulations such as approval for new insurance products.

In relation to the use of biometrics, the Guidelines for Personal Information Protection in the Financial Sector (Personal Information Protection Guidelines) impose stringent restrictions on the collection, use and transfer of sensitive personal information in addition to the restrictions to be generally applied to the collection, use and transfer of any personal information under the APPI. Although the collection, use and transfer of sensitive personal information are generally prohibited under the Personal Information Protection Guidelines, the collection, use and transfer of biometrics, falling under the category of sensitive personal information for the purpose of identity verification, are permitted exceptions, subject to consent of the data subject. Under the Personal Information Protection Guidelines, financial institutions must, in particular, carefully handle sensitive personal information to avoid any collection, use and transfer deviating
from the purpose mentioned above. The Practical Guidelines for Security Control Measures provided in the Guidelines for Personal Information Protection in the Financial Sector (Practical Guidelines) further set out the detailed measures that need to be taken in relation to biometrics falling under the category of sensitive personal information.

Based on the discussions in the Study Group and the FinTech Review Committee, drawing a clear distinction between institutions that are "too big to fail" and "too small to care" has not been a big focus. However, some regulations contain aspects such as the Payment Services Act, which defines fund transfer service as transfer of a certain limited fund (JPY1 million under the subordinate regulations) or less, whereas any fund transfer of a larger amount is supposed to be handled by licensed banks.The PPC and FSA Guidelines mention sensitive data (Sensitive Data) as Special Care-Required Personal Information, and information on union membership, family status, place of domicile, health and medical care, and sexual orientation (except for the information (a) disclosed by data subject or national or local government or pursuant to specific provisions of laws or (b) which is clear from the appearance recognized by sight or photographic
means). Insurance companies are required not to collect, use or transfer Sensitive Data unless otherwise provided in the PPC and FSA Guidelines. Further, the opt-out arrangement is not available for transfer of Sensitive Data.

The Insurance Supervision Guidelines contain the provisions regarding system risk management environment as one of the points to be assessed to examine the appropriateness of insurance companies' operational risk management environment.

The APPI applies to business operators handling personal information database. The APPI regulates the collection, use, storage, disclosure and transfer of personal data. However, there were discussions that it was unclear whether big data would fall under the category of
personal information and accordingly whether the APPI would apply. Under the amended APPI promulgated on 30 May 2017 (Amended APPI), the definition of personal information is expanded and it is clarified that anonymized and unrestorable personal information can be
used under certain relaxed requirements. 

In addition to the baseline requirements of the APPI, additional specific requirements under the Personal Information Protection Guidelines will apply to financial institutions, including insurance companies.

With respect to transfer of personal information, under the APPI, there were no specific provisions regulating the transfer of personal information to third parties who are located overseas and it was unclear whether the APPI would apply to such third parties. Under the
Amended APPI, in order to transfer personal information to third parties who are located overseas, unless (i) such third parties are located in countries that have personal information protection system comparable to that of Japan or (ii) such third parties establish the system
that meets the requirements necessary to continuously take measures corresponding to requirements under the Amended APPI, the transferor needs to obtain the data subject's consent to transfer to third parties who are located overseas.

With respect to big data, as discussed above, under the APPI, there were discussions whether the APPI would apply to the use of big data and therefore the relevant market players, including insurance companies, tended to hesitate to use big data. Under the Amended APPI,
the Guidelines for the Act on Protection of Personal Information (Edition of Anonymously Processed Information) clarified to what extent the business operators need to have personal information anonymized in order for the information to be treated as anonymized data,
which can enjoy the benefit of the relaxed requirements.

Although it is not specifically related to the insurance sector, the Japan Fair Trade Commission has an awareness of the issue about domination of big data by large companies. It published the report of its study group, the Review Committee of Data and Competition Policy, on 6 June 2017. The report mentioned the possibility of application of the Anti-Monopoly Act for certain activities such as unfair data collection or data hoarding.

The Basic Act on Cybersecurity provides the framework of the government's cybersecurity strategy and basic policies. The Cybersecurity Strategic Headquarters was established under the Cabinet based on this act and the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) was established under the Cabinet based on the Order for Organization of the Cabinet Secretariat. The Insurance Supervision Guidelines contain the provisions regarding cybersecurity management as one of the points to be assessed to examine the appropriateness of insurance companies' system risk management environment.

In Japan, as mentioned in question 3 above, the direction and contents of insurtech innovations to be implemented are still under study and discussion by the regulator and market players, including insurance companies.

Since 2015, some non-life insurance companies introduced new insurance products utilizing telematics. In spring of 2016, it was reported that many leading life and non-life insurance companies would strengthen R&D on products utilizing insurtech such as non-life insurance
products using Internet of Things information and life insurance products using genetic information. In spring of 2017, it was also reported that large insurance companies are developing fintech insurance products utilizing AI and big data.

There have been a number of cases where administrative sanctions were imposed on financial institutions due to the lack of appropriate management of customer information; however, such cases were mere loss, leakage or misuse of customer information and were not necessarily fintech/insurtech-related cases. 

We are not aware of any fintech/insurtech-related competition cases.

• The lack of appropriate legislation covering the cross-sectoral and cross-border development of fintech/insurtech
• The high costs of development and innovation
• The lack of skilled personnel who have the capacity in both financial and technological areas and the limited mobility of such skilled personnel

Fintech/insurtech is expected to be a key driver in introducing new business opportunities and business models in the financial sector. It will also likely promote competition between existing financial institutions and new market entrants.

As mentioned in question 3 above, the next trends are still under study and discussion by the regulator and market players, although we already see some initial moves such as the formation of a JV by a car manufacturer and a non-life insurer on telematics insurance development. In the discussions held in the study group, it was pointed out that new market entrants from different business areas and the commoditization of risks due to technical innovation in various areas would disrupt traditional business model of insurance companies. Although it is not currently easy to expect the extent and speed of disruption, there will be an existing trend of insurance companies making significant investments in R&D on products utilizing insurtech. Please also see question 11 above.