Yes.
Financial institutions' use of cloud services is regulated by outsourcing regulations applicable to financial institutions. Relevant requirements may be found in the following:
- The Guidelines for Protection of Personal Information in the Financial Sector and Practical Guidelines about Secure Management Measures under the Guidelines for Protection of Personal Information in the Financial Sector
- The Security Guidelines on Computer Systems for Financial Institutions by the Center for Financial Industry Information Systems and other guidelines on security of computer systems introduced in "Discussion Paper — Organizing Issues and Practice for Financial Institution's Discussion on IT Governance" issued by the Financial Services Agency ("FSA")
- The Banking Act (Act No. 59 of 1981, as amended) ("Banking Act") and the related Ordinance for Enforcement of the Banking Act
- The Comprehensive Supervision Guidelines for Banks issued by the FSA, which includes specific outsourcing guidelines
- The Financial Instruments and Exchange Act (Act No. 25 of 1948, as amended) ("FIEA")
- The Comprehensive Supervision Guidelines for Financial Instruments Business Operators (as defined under the FIEA)
Additionally, if the cloud service in question receives and processes personal data, the Act on the Protection of Personal Information (Act No. 57 of 2003, as amended) will apply to the financial institutions' use of those cloud services, and that use is regarded as a "transfer" of personal data or "subcontracting" of processing.
However, regulator guidance indicates that, if a cloud service provider agrees in a contract with a financial institution that the cloud service provider does not handle the personal data stored on its servers and proper access control is implemented, the Japanese data protection authority does not consider that such use of those cloud services falls within the scope of the regulations.