Regulated cloud outsourcing
4. When does cloud outsourcing fall within the scope of the rules?

Generally, how the Japanese financial regulatory regime applies depends on which type of financial license is held by the relevant entity.

In this respect, banks are regulated under the Banking Act (Act No. 59 of 1981, as amended).

Financial instruments and exchange business operators are regulated mainly under the Financial Instruments and Exchange Act (Act No. 25 of 1948, as amended) ("FIEA").

The Comprehensive Supervision Guidelines for Financial Instruments Business Operators include a section setting out requirements that Financial Instruments Business Operators (as defined under the FIEA) must comply with.

Some of these and other requirements apply generally to the relevant institution's operations, whereas others apply only where there is outsourcing, including the use of a cloud service provider's services.

There are also certain rules regarding information protection that apply to all business operators located in Japan, regardless of which financial license they hold. The main rules are contained in the Act on the Protection of Personal Information (Act No. 57 of 2003, as amended) ("APPI"). According to the current guidance issued by the Personal Information Protection Commission, use of a third party's cloud services involving transfer of personal data to the cloud constitutes transfer of personal data for subcontracting regulated by the APPI if the cloud service provider "handles" the personal data transferred to the cloud server by users. That guidance also clarifies that if a cloud service provider agrees in a contract with a business that the cloud service provider does not handle the personal data stored on its servers and proper access control is implemented, the use of those cloud services does not constitute a "transfer" of personal data in the context of the APPI.