Cloud Compliance Center

Japan

Select a Topic
Quick Links
Start Comparison

Japan

This content was last reviewed around April 2023.

Cloud-neutral

1. Are financial institutions legally permitted to use cloud services?

Yes, if the institution meets all applicable legal requirements for the use of cloud services.

2. Are there any rules that apply to cloud use by financial institutions (e.g., rules regarding outsourcing or the use of cloud services)?

Yes.

Financial institutions' use of cloud services is regulated by outsourcing regulations applicable to financial institutions. Relevant requirements may be found in the following:

  • The Guidelines for Protection of Personal Information in the Financial Sector and Practical Guidelines about Secure Management Measures under the Guidelines for Protection of Personal Information in the Financial Sector
  • The Security Guidelines on Computer Systems for Financial Institutions by the Center for Financial Industry Information Systems and other guidelines on security of computer systems introduced in "Discussion Paper — Organizing Issues and Practice for Financial Institution's Discussion on IT Governance" issued by the Financial Services Agency ("FSA")
  • The Banking Act (Act No. 59 of 1981, as amended) ("Banking Act") and the related Ordinance for Enforcement of the Banking Act
  • The Comprehensive Supervision Guidelines for Banks issued by the FSA, which includes specific outsourcing guidelines
  • The Financial Instruments and Exchange Act (Act No. 25 of 1948, as amended) ("FIEA")
  • The Comprehensive Supervision Guidelines for Financial Instruments Business Operators (as defined under the FIEA)

Additionally, if the cloud service in question receives and processes personal data, the Act on the Protection of Personal Information (Act No. 57 of 2003, as amended) will apply to the financial institutions' use of those cloud services, with this being regarded as a "transfer" of personal data or "subcontracting" of processing. 

However, regulator guidance indicates that, if a cloud service provider agrees in a contract with a financial institution that the cloud service provider does not handle the personal data stored on its servers and proper access control is implemented, the Japanese data protection authority does not consider that such use of those cloud services falls within the scope of the regulations.

3. Are there any specific contractual requirements for cloud outsourcing?

Secure Management Guidelines

The Guidelines for Protection of Personal Information in the Financial Sector and Practical Guidelines about Secure Management Measures under the Guidelines for Protection of Personal Information in the Financial Sector ("Secure Management Guidelines") published by the Financial Services Agency ("FSA") require banks, Financial Instruments Business Operators (as defined under the Financial Instruments and Exchange Act) (Act No. 25 of 1948, as amended) and other financial institutions to set up internal operational systems/structures, to ensure information security and to implement sufficient client care in relation to internet banking and other financial services. The Secure Management Guidelines also require relevant financial institutions to take appropriate measures in relation to their control, administration, security and monitoring of computer systems used in the financial institutions. One of the appropriate measures included in the Secure Management Guidelines is to conclude an appropriate data processing agreement if a financial institution outsources handling of personal information to a service provider containing, among other things, provisions on the following items:

  • The financial institution's right against the service provider in relation to supervision, inspection and reporting requests
  • Prohibition on leakage, misuse, alteration and unauthorized use of personal data by the service provider
  • Conditions for subcontracting by the service provider
  • Liability of the service provider in case of a security incident such as data leakage

FISC Guidelines

The Security Guidelines on Computer Systems for Financial Institutions by the Center for Financial Industry Information Systems ("FISC Guidelines") recommend the inclusion of several contract provisions relating to ongoing oversight, such as provisions requiring cloud providers to disclose information to a financial institution in the event of increased risk of information leakage or in the event the cloud provider's internal controls have weakened.

Although the application of the FISC Guidelines in a cloud computing environment is not required by regulation, most financial institutions in Japan that implement cloud services have built information systems that satisfy these security standards, and it can be difficult to justify deviating from them.

Rules applicable to institutions regulated under the Banking Act

Under the Banking Act (Act No. 59 of 1981, as amended) ("Banking Act") and the related Ordinance for Enforcement of the Banking Act, where a bank delegates its business to a third party, the bank must take measures to ensure the proper execution of the business and other sound and appropriate operations. Therefore, the outsourcing agreement between a bank and a third-party service provider must include certain minimum provisions, including the following:

  • An authority for the banks to monitor the operations of the service provider
  • A reservation of the right of termination of the agreement in favor of the bank
  • Confidentiality obligations and requirements for information management system
  • An obligation for the service provider to supervise subcontractors
  • Provisions on business and information reporting
  • Provisions dealing with responses to regulatory authorities' inspections

The Comprehensive Supervision Guidelines for Banks issued by the FSA

The Comprehensive Supervision Guidelines for Banks issued by the FSA has a section setting out outsourcing guidelines. These guidelines provide the following:

  • A bank should ensure that its outsourced service provider manages client information properly, including by entering into a confidentiality agreement.
  • A bank's outsourcing agreements should specifically and properly stipulate the following:
  • The nature and quality of the outsourced services
  • Necessary procedures to terminate the outsourcing agreement
  • Allocation of liability for damage arising from nonperformance by the service provider
  • Reporting requirements regarding the outsourced services
  • How the service provider is to cooperate with supervisions/inspections from the bank and the regulators

4. When does cloud outsourcing fall within the scope of the rules?

Generally, how the Japanese financial regulatory regime applies depends on which type of financial license is held by the relevant entity.

In this respect, banks are regulated under the Banking Act (Act No. 59 of 1981, as amended).

Financial instruments and exchange business operators will be regulated mainly under the Financial Instruments and Exchange Act (Act No. 25 of 1948, as amended) ("FIEA").

The Comprehensive Supervision Guidelines for Financial Instruments Business Operators have a section for requirements that Financial Instruments Business Operators (as defined under the FIEA) must comply with.

Some of the above and other requirements apply generally to the relevant institution's operations, whereas some apply only where there is outsourcing, including the use of a cloud service provider's services.

There are also certain rules regarding information protection that apply to all business operators located in Japan, regardless of which financial license they hold. The main rules are contained in the Act on the Protection of Personal Information (Act No. 57 of 2003 as amended) ("APPI"). According to the current guidance issued by the Personal Information Protection Commission, use of a third party's cloud services involving transfer of personal data to the cloud constitutes transfer of personal data for subcontracting regulated by the APPI if the cloud service provider "handles" the personal data transferred to the cloud server by users. That guidance also clarifies that if a cloud service provider agrees in a contract with a business that the cloud service provider does not handle the personal data stored on its servers and proper access control is implemented, the use of those cloud services does not constitute a "transfer" of personal data in the context of the APPI.

5. Does the outsourcing need to be notified to the regulator?

Under the Banking Act (Act No. 59 of 1981, as amended) ("Banking Act") and the related Ordinance for Enforcement of the Banking Act, there is a requirement to notify the regulator when some types of business, such as agency or intermediary for contracts regarding debt guarantees or the purchase of securities, are entrusted to another person. However, this does not apply to the outsourcing of cloud-based data storage, system development and maintenance, and other services used for the internal operations of financial institutions.

6. What are the potential consequences for breaching financial services rules on cloud outsourcing?

Consequences applicable to banks

If a bank's internal control system for the outsourcing of its business is found to be problematic, it may be required to report to the prime minister in accordance with Article 24(1) of the Banking Act (Act No. 59 of 1981, as amended) ("Banking Act"). Failure to comply with this requirement would result in imprisonment for up to one year and/or a penalty of up to JPY 3 million (approximately USD 27,250). Additionally, if the bank is found to have a serious problem regarding the outsourcing of its business, an order for improvement of management may be issued in accordance with Article 26 of the Banking Act. Failure to comply with such an order would result in imprisonment for up to two years and/or a penalty of up to JPY 3 million (approximately USD 27,250).

If a problem is found in the business operations of a third-party service provider to which a bank outsources its business, the service provider may additionally be required to report to the prime minister on the facts, an analysis of the causes of the problem and necessary matters such as improvement and countermeasures, etc., in accordance with Article 24(2) of the Banking Act. Failure to comply would result in imprisonment for up to one year and/or a penalty of up to JPY 3 million (approximately USD 27,250).

Consequences applicable to Financial Instrument Business Operators ("FIBOs")

Under Article 56-2 of the Financial Instruments and Exchange Act (Act No. 25 of 1948, as amended), when the prime minister finds it necessary and appropriate for the public interest or the protection of investors, it may order an FIBO or a business provider that has outsourced business from such FIBO to report on the status of such business, etc., and have officers inspect their business venue. Violation of such order would result in imprisonment for up to one year and/or a penalty of up to JPY 3 million (approximately USD 27,250).

7. Are there any data privacy and/or data security laws that would apply?

Yes.

The Act on the Protection of Personal Information (Act No. 57 of 2003 as amended) ("APPI") is the local law relevant to the data privacy/security area, and the Personal Information Protection Commission ("PPC") is the relevant governmental authority.

The APPI provides for a general obligation on a business entity that outsources processing of personal data to a third party to exercise necessary and appropriate supervision over the processing activities of the processor (e.g., an IT vendor), with a view to controlling the security of the entrusted personal data. The APPI does not specify what measures would be needed to satisfy this requirement, and, overall, what constitutes necessary and appropriate supervision would depend on the situation and need case-by-case review. That said, the relevant guidelines on the APPI issued by the PPC require a business to take necessary and appropriate measures regarding matters such as selection of an appropriate processor, execution of a proper data processing agreement and monitoring of the data processing activities by the processor. The guidelines issued by the PPC also recommend imposing a reporting obligation on the IT vendor and/or obtaining audit rights to ensure that sufficient security controls are in place. 

8. Are there any restrictions under local data protection laws that would impact the overseas hosting of data?

Yes. There is a restriction on international transfer of personal data under the Act on Protection of Personal Information (Act No. 57 of 2003 as amended) ("APPI").

There are three justifications for international data transfer:

  • Consent: Obtaining consent from each data subject.
  • Equivalent measures: Transfer to a third party establishing a system conforming to standards prescribed by rules of the Personal Information Protection Commission ("PPC") as necessary for taking measures equivalent to those that a data owner must take concerning the handling of personal data pursuant to the provisions of the relevant articles of the APPI.
  • Adequacy recognition: Transfer to a foreign country establishing a personal information protection system recognized to have equivalent standards in Japan regarding the protection of an individual's rights and interests (so far, only the EU and the UK have been designated as meeting such standards by the PPC).

Since 1 April 2022, the APPI requires the following of a business when acting as a transferor of personal data:

  • When relying upon consent:

    Provide certain information (e.g., name of the recipient's country and an overview of the data protection law system in the country) to data subjects when obtaining their consent for international transfer

  • When relying upon equivalent measures:
  • Regularly check if (i) the recipient takes equivalent measures and (ii) there are data protection laws of the recipient's country that would prevent the recipient from taking such measures in conformity with the standards under the APPI
  • Upon request from the data subject, providing information relating to such measures

9. Does a cloud service provider need a financial services authorization or license to provide cloud services?

No.

10. Is express consent from customers or other data subjects required before moving data to the cloud?

Consent from data subjects is not required if the cloud service provider does not handle personal data transferred by users to the cloud server, as described in the Personal Information Protection Commission's guidance.

Even where a cloud service provider handles personal data, a data subject's consent (whether express or implied) is unnecessary for data transfers (including international data transfers) from a financial institution to the cloud service provider if the former can rely on another justification.

However, data subjects have rights to delete, or stop a business from using or transferring to a third party, their personal data even when they previously gave consent to data transfers to a third party. For example, when personal data has been obtained by fraudulent or other unlawful means or personal data is no longer necessary, the business is required to stop processing that personal data or transferring it to third parties.

11. Are there any local laws that require a cloud service provider to be able to access the data it hosts?

No.

12. Are there any local laws that would require a cloud service provider to disclose the data it hosts to any third parties in any circumstances (including regulatory or law enforcement authorities)?

Yes.

During criminal proceedings, cloud service providers may be requested or obliged to disclose certain information. If such a request is based on a writ issued by the court, it will be enforceable.

Although document disclosure during civil litigation is not extensive in Japan, in certain limited situations, a cloud service provider may be requested or ordered by the court to submit certain documents/information.

For completeness, a cloud service provider can be required to disclose certain information (e.g., the IP address) of a person who sends or transmits content that infringes a third-party's rights (e.g., intellectual property rights infringing content or defamation) through the provider's service under the Provider Liability Limitation Act. However, certain requirements should be met (e.g., the person whose rights are infringed by the content needs the information in question to identify the sender of the content in order to take action). The requesting party can go to court for this purpose, and the court will issue the order, which is enforceable, if the requesting party's application is granted. 

If an issue is found with the business operations of the cloud service provider to which a bank outsources its business, the cloud service provider may be required to report to the prime minister in accordance with Article 24(2) of the Banking Act (Act No. 59 of 1981, as amended) or Article 56-2 of the Financial Instruments and Exchange Act (Act No. 25 of 1948, as amended).

Quick Links
{{ $store.state.loadingScreen.message }} ...