Contract requirements
3. Are there any specific contractual requirements for cloud outsourcing?

Secure Management Guidelines

The Guidelines for Protection of Personal Information in the Financial Sector and the Practical Guidelines about Secure Management Measures under the Guidelines for Protection of Personal Information in the Financial Sector ("Secure Management Guidelines"), published by the Financial Services Agency ("FSA"), require banks, Financial Instruments Business Operators (as defined under the Financial Instruments and Exchange Act (Act No. 25 of 1948, as amended)) and other financial institutions to set up internal operational systems and structures, to ensure information security and to implement sufficient client care in relation to internet banking and other financial services. The Secure Management Guidelines also require relevant financial institutions to take appropriate measures in relation to their control, administration, security and monitoring of the computer systems used in those institutions. One of the appropriate measures included in the Secure Management Guidelines is that, where a financial institution outsources the handling of personal information to a service provider, it must conclude an appropriate data processing agreement containing, among other things, provisions on the following items:

  • The financial institution's right against the service provider in relation to supervision, inspection and reporting requests
  • Prohibition on leakage, misuse, alteration and unauthorized use of personal data by the service provider
  • Conditions for subcontracting by the service provider
  • Liability of the service provider in case of a security incident such as data leakage

FISC Guidelines

The Security Guidelines on Computer Systems for Financial Institutions by the Center for Financial Industry Information Systems ("FISC Guidelines") recommend the inclusion of several contract provisions relating to ongoing oversight, such as provisions requiring cloud providers to disclose information to a financial institution in the event of increased risk of information leakage or in the event the cloud provider's internal controls have weakened.

Although the application of the FISC Guidelines in a cloud computing environment is not required by regulation, most financial institutions in Japan that implement cloud services have built information systems that satisfy these security standards, and it can be difficult to justify deviating from them.

Rules applicable to institutions regulated under the Banking Act

Under the Banking Act (Act No. 59 of 1981, as amended) ("Banking Act") and the related Ordinance for Enforcement of the Banking Act, where a bank delegates its business to a third party, the bank must take measures to ensure the proper execution of the business and other sound and appropriate operations. Therefore, the outsourcing agreement between a bank and a third-party service provider must include certain minimum provisions, including the following:

  • An authority for the bank to monitor the operations of the service provider
  • A reservation of the right of termination of the agreement in favor of the bank
  • Confidentiality obligations and requirements for an information management system
  • An obligation for the service provider to supervise subcontractors
  • Provisions on business and information reporting
  • Provisions dealing with responses to regulatory authorities' inspections

The Comprehensive Supervision Guidelines for Banks issued by the FSA

The Comprehensive Supervision Guidelines for Banks issued by the FSA have a section setting out outsourcing guidelines. These guidelines provide the following:

  • A bank should ensure that its outsourced service provider manages client information properly, including by entering into a confidentiality agreement.
  • A bank's outsourcing agreements should specifically and properly stipulate the following:
      • The nature and quality of the outsourced services
      • Necessary procedures to terminate the outsourcing agreement
      • Allocation of liability for damage arising from nonperformance by the service provider
      • Reporting requirements regarding the outsourced services
      • How the service provider is to cooperate with supervision and inspections by the bank and the regulators