This article was written by Yoshiki Tsurumaki.
Since the theft by hackers of Tokyo-based Coincheck's NEM tokens, the Financial Services Agency of Japan (the "FSA") has been considering changes to the current policy of receptive cultivation of virtual currency business. This follows the establishment in March this year of a Study Group on Virtual Currency Exchange Service Providers (the "Study Group"). The aim of this article is to clarify the current registration requirements as well as expected checkpoints by reviewing the published discussions of the Study Group.
Current Registration Requirements
Through its website, the FSA announced that as a general rule, the basic application requirements to be met when a company seeks registration with the FSA as a virtual currency exchange service provider are set out in the Payment Services Act of 2009. These primary requirements include:
- a minimum required financial base (capitalised at a minimum of JPY10 million (minimum net assets amount: a positive net amount));
- systems to ensure adequate operation and legal compliance;
- a "clean registration" in Japan as a virtual currency exchange service provider i.e. registration should not have been revoked in the past five years;
- non-violation of related/relevant legislation;
- confirmation that no public interest has been harmed;
- confirmation that the provider's directors do not include any disqualified individuals;
- systems to ensure that customers are informed about the characteristics of virtual currency;
- the segregation of money from virtual currencies as well as related audit requirements;
- IT system risk management – a monitoring and review policy; and
- measures for the protection of customers
The applicants must show the FSA that they meet these requirements as part of the application process. The FSA publicizes guidelines through its website so as to provide a more detailed description of some of the more abstract requirements. However, many of them still remain quite vague.
Aftermath of Coincheck Scandal
Triggered by the Coincheck scandal, the FSA conducted on-site inspections and examinations at various ongoing virtual currency exchange service providers (both registered and those deemed as such by the Payment Services Act) in March and April this year. The FSA discovered instances of non-compliance with critical requirements by not only many of the deemed virtual currency exchange service providers but also some of the registered providers. As a result, the FSA brought administrative actions against two registered providers and ten deemed providers. Consequently, many of those concerned announced the withdrawal of applications for official registration.
At the same time, the FSA established the aforementioned Study Group to review how they might amend the regulations in the light of the lessons learned from their inspections into compliance standards by the existing providers.
Study Group Discussion Points
Based on the discussion papers of the Study Group that have been disclosed, the FSA developed the following policies to address the issues that emerged from its review of the application process for registration:
- The conduct of professional on-site inspections at the applicants in order to review the applicants' management systems (including cyber security, business contingency planning, proper management of crypto key and wallet), anti-money laundering policies as well as those in place to combat the financing of terrorism (AML/CFT), the management of how money and virtual currencies are segregated and customer protection policies (including those covering the prohibited use of fraudulent coins and the proper explanation of risks); and
- The collection and analysis of risk information relating to the applicants' managers, shareholders, their affiliates and auditors.
In addition, based on the meeting minutes available to date from the FSA's website, the following issues have been discussed in connection with further potential regulation or administrative oversight through an incoming self-regulatory organization. These meeting minutes shed some light on the aforementioned slightly vague requirements and may be helpful in the case of future applications for registration.
Virtual currency exchange service providers will be required to adhere to strong security standards. They will not be allowed to store virtual currencies in a hot wallet (in internet-connected computers) and will have to use multiple authentication for currency transfers.
Virtual currency exchange service providers will be required to develop thorough know-your-customer (KYC) processes. The user verification system process must prevent money laundering activities being conducted through large transfers. In particular, the commencement of a virtual currency transaction without the prior completion of the KYC process will be strictly prohibited, even in the short term.
Virtual currency exchange service providers must ensure more thoroughly the internal and external monitoring of account balances as well as the assets they hold in trust for customers.
Given that for the most part, virtual currency trades are leverage based transactions, legislation addressing the margin trading of leveraged virtual currency may be introduced.
By way of an analogy with securities transactions, related parties may be prohibited from conducting insider trading, market manipulation and other unfair activities. Also, virtual currency exchange service providers may be required to ensure compliance by related parties with these restrictions through internal rules and policies.
Dealing with Anonymous Virtual Currency
Anonymous virtual currencies can often be used to prevent governments from tracing the identity of parties to transactions. As a result, a restriction on dealing with certain types of anonymous virtual currencies may be introduced.
Establishment of Fund for the Protection of Customers
Should the Study Group conclude that the existing obligations owed by registered providers to manage segregation between cash and virtual currency are insufficient, providers may in the future be required to contribute funding (by way of an analogy with a bank's deposit insurance) to cover the risk of loss suffered by customers caused by the bankruptcy of providers.
As an additional response to the recent discovery of non-compliance by some providers, the FSA also discussed the strengthening of disclosure requirements imposed on a providers' business.
Regardless of whether a tightening of regulations will be implemented once the Study Group's deliberations have been concluded, it is clear these issues are of importance to the FSA. It would therefore be worthwhile for those considering an application to register as a virtual currency exchange service provider to review and prepare for the likely introduction of stricter measures. It is essential for not only domestic providers but foreign ones who enter the virtual currency market of Japan from now to:
- carefully watch discussions of the Study Group;
- understand the lessons of Coincheck scandal and the recent administrative actions;
- retain or receive advice from those who are familiar with Japanese virtual currency (or financial) and AML/CFT regulations and their practical experience;
- institute workable internal rules to fulfil these regulations;
- establish strong security and monitoring system; and
- prepare to convince the FSA that the applicants erect the above.