Revision of the Banking Act in Japan mandated an Open Banking environment. The Financial Services Agency (FSA) controls the regulatory framework of electronic payment service providers.
Japan Open Banking Framework
Financial Services Agency (FSA)
The Technical Guideline from the Japanese Bankers Association is the current industry standard (in Japanese).
Report of Review Committee on Open APIs: Promoting Open Innovation (in English).
In April 2018, MUFG Bank developed APIs enabling account information reference and transfer, allowing cost savings for small businesses when completing their accounting.
Ogaki Kyoritsu developed an external API to enable transfer using their bank accounts, and then expanded their service line-up so that account holders could use additional services via cooperation with Rakuten Bank, such as buying Rakuten Bank lottery tickets.
Third parties accessing the customer data of financial institutions through APIs must be registered with the FSA.
The regulations govern electronic payment services, which in Japan cover both services that enable money transfers to multiple accounts and account aggregator services. The Japanese Bankers Association (JBA) produced a report, in consultation with financial institutions and academics, amongst others, to establish the norm for API specifications.
The Act on the Protection of Personal Information was updated in 2020, and now gives citizens the right to request the deletion of their personal data.
OAuth 2.0 authorisation framework.
Banks are expected to assess the eligibility of Third Party Providers (TPPs) from a security perspective. The assessment covers the fulfilment of security principles, past cases of improper security-related conduct and the improvements made, and whether the TPP has arrangements in place and “devotes resources to continuous enhancement of security measures based on user characteristics and transaction risks”.
Banks may consider referring to security policies and security-related documents developed independently by third parties and information security-related certifications (e.g., ISO27001, TRUSTe) they have obtained when conducting the above eligibility review.
Following the report of the Working Group on Payment and Transaction Banking, released in December 2015, and the Japanese Government’s report on Japan’s Revitalization Strategy 2016, policies for the collaboration of the banking industry with other financial services market participants regarding the opening up of banking system APIs were formulated. This was to enable the creation of new services in partnership with banks while also ensuring information security.
The Banking Act was amended in 2017 with changes related to the treatment of intermediary service providers for banking settlements.
Legislation for “Electronic Payment Intermediate Service Providers” came into effect in Japan in June 2018. It included a requirement to register with the FSA, and banks were required to develop systems for the introduction of open APIs within two years (although this was extended to 2020 because of the Covid pandemic). 97% of banks made this deadline. By January 2019, 21 parties had done so, and at the end of March the count had almost doubled to 40.
Electronic Payment Intermediate Services are defined broadly and include the transmission of payment instructions as well as the processing of basic account, transaction and balance information.
The regulator, JBA, and Japan Association for Financial API will hold governance discussions.
By law, an electronic payment service provider (EPSP) must enter into a contract for electronic payment services with the bank, with the contract stipulating a liability of the EPSP to compensate users for any loss or damage sustained in connection with electronic payment services. This covers the proper handling and safe control of information on users, and the measures that may be taken by the bank if the EPSP does not take those measures.
Each business year, an EPSP must prepare a written report on its electronic payment services and submit it to the FSA, pursuant to the provisions of Cabinet Office Order.
If the FSA finds it to be necessary for ensuring the sound and appropriate management of an EPSP’s electronic payment services, the FSA may have relevant officials enter the business office, office or any other facilities of the electronic payment service provider, have those officials ask questions about its business or financial condition, and have them inspect its books, documents and any other articles.
Future consideration for OpenID Foundation’s Financial API.