Under the APPI, businesses must adhere to strict rules regarding the processing of personal information, in particular when it comes to the disclosure or transfer of such information. However, in the financial services industry, there are additional rules, the Comprehensive Guidelines for Supervision of Financial Instruments Business operators, etc. (the “Guidelines”), that increase the bar for compliance considerably. Let’s look at what they are, how they compare to the APPI, and how Private AI can ease the compliance burden.
1. Control Environment and Internal Management:
Under the Guidelines, Financial Instruments Business Operators (FIBOs) are expected to establish a robust control environment that ensures proper management of personal and corporate-related information. This includes having a management team that recognizes the importance of data security, establishing organizational structures to manage data appropriately, and formulating internal rules and controls. This importantly includes checks between divisions, presumably to ensure that data is not shared internally beyond what is permitted.
Under the APPI, businesses are required to take necessary and appropriate action to safely manage personal information against leaks, loss, inappropriate use, or disclosure (APPI, Chapter IV, Section 2). However, the APPI does not explicitly mandate the development of internal organizational structures or the recognition of data management’s importance by the management team.
Comparison:
The financial sector requirements are more specific and onerous, demanding a structured and formally recognized internal control environment, which goes beyond the APPI’s general call for necessary measures.
2. Oversight and Access Control:
FIBOs are required to establish systems to monitor the management of sensitive information continuously. This includes controlling access rights to prevent unauthorized use, securing information from insider threats, and protecting against external threats. There must also be specific measures to handle the dispersal of authority and enhance oversight of individuals with significant control over data.
Access controls are not specifically mandated by the APPI but are likely captured under the broader concept of necessary and appropriate measures for managing the security of personal data (Article 23) and the required oversight over employees handling personal data (Article 24).
Comparison:
The Guidelines are somewhat more concrete with regard to oversight and access controls but do not appear to require anything surprising or particularly onerous in light of the APPI provisions that address the same privacy aspects.
3. Outsourcing and Contractor Management:
When outsourcing the handling of customer information, FIBOs must ensure outsourced contractors manage the data appropriately. This includes verifying that contractors have adequate security systems in place, regularly auditing their practices, and restricting access to necessary personnel only. FIBOs are also responsible for managing subcontractors through direct supervision if data handling is further outsourced.
The APPI requires that when entrusting personal information to a third party, the entrusting party must supervise the trustee to ensure the secure management of the information (Article 25). However, the APPI lacks specific guidelines on auditing practices or the layered supervision of subcontractors.
Comparison:
The financial sector guidelines are much more detailed, particularly in terms of auditing and the hierarchical supervision of contractors and subcontractors, which are not explicitly addressed under the APPI and which impose a considerably higher compliance burden on FIBOs.
4. Incident Management and Response:
Procedures must be established for timely reporting to the relevant divisions, notifying affected customers and the public, and communicating with authorities if a data breach occurs. Additionally, FIBOs should analyze the causes of data leaks to prevent recurrence and review preventive measures periodically.
The APPI mandates that businesses must promptly take necessary measures if personal information is leaked (Article 26). However, it does not specify requirements for public notification or detailed post-incident analysis.
Comparison:
The financial sector requirements provide a more comprehensive framework for incident response, emphasizing transparency and preventive measures post-incident, which are more demanding than the APPI’s general approach.
5. Audit and Compliance:
Regular audits of information management practices should be conducted by independent internal or external auditors subject to the Guidelines. FIBOs must also ensure that staff involved in audits are adequately trained and specialize in data security.
The APPI does not contain any audit requirements.
Comparison:
The detailed audit requirements in the financial sector are novel as compared to the APPI, adding another level of scrutiny regarding personal data handling processes.
6. Specific Measures for Sensitive Information:
Under the APPI as well as the Guidelines, there are additional requirements for handling sensitive information, but their definitions differ. Notably, financial details such as credit card information are not considered sensitive under either the APPI or the Guidelines.
| APPI | FSA Guidelines |
| --- | --- |
| Race | Race |
| Creed | Religious belief |
| Social status | Family lineage |
| Medical history | Health and medical records |
| Criminal record | Criminal records |
| Suffered damage by a crime | [no equivalent] |
| Other identifiers or their equivalent prescribed by Cabinet Order as requiring special care so as not to cause unjust discrimination, prejudice or other disadvantages to that person (the FIB Cabinet Office Ordinance adds the additional identifier “domicile of origin”) | Birthplace |
| [no equivalent] | Ethnicity |
| [no equivalent] | Labour union membership |
| [no equivalent] | Sexual orientation |
The additional requirement under the APPI for handling sensitive personal data, insofar as the private sector is concerned, is that consent must be obtained for the acquisition of sensitive personal data unless one of the eight exceptions set out in the Act applies.
The Guidelines go considerably further. By reference to the Guidelines for Personal Information Protection in the Financial Field, which also include “political views” in their definition of sensitive information, sensitive information shall not be acquired, used, or disclosed to a third party except in limited specified cases (Art. 6(1)), one of which is that the individual’s consent has been obtained and that the handling is necessary for the appropriate conduct of business operations in insurance and other financial-field businesses. The other exceptions overlap significantly with those under the APPI but also include, for example, disclosure necessary for inheritance purposes.
7. Exchange of Non-Disclosure Information with Subsidiaries and Parents
Securities companies, another entity type the Guidelines address, must manage non-disclosure information (defined similarly to sensitive information in the lengthy Art. 78 APPI) shared with parent and subsidiary corporations under strict guidelines. This includes defining the scope of the information exchange in advance, ensuring rigorous access control, and implementing measures to prevent misappropriation and illegal access.
Perhaps most importantly, securities companies must provide corporate customers with the opportunity to opt out of sharing their non-disclosure information with parent/subsidiary corporations. This process includes notifying customers in advance about the scope of information to be shared, the entities involved, and the methods of information exchange and management. Customers must be clearly informed about their right to opt out and the procedures to follow should they choose to do so. Needless to say, once a customer has opted out of the information sharing, their information must not be shared with the parent/subsidiary.
How Private AI can Help
Onerous compliance aspects that stand out from the comparison of the Guidelines and the APPI are those around privacy incidents and disclosure to third parties, including parents and subsidiaries. Private AI’s solution equips businesses such as those subject to the Guidelines with the tools to facilitate the required post-incident analysis by identifying affected data reliably, even in large, unstructured data sets. In addition, Private AI supports redaction or removal of personal information, facilitating the pseudonymization or anonymization of data sets containing personal identifiers. According to the Guidelines on the Act on the Protection of Personal Information (Pseudonymized and Anonymously Processed Information), anonymized data can be freely shared with any third party, and pseudonymized data gives rise to lower compliance burdens (in terms of change-of-use notification, for example), making it possible to unlock otherwise inaccessible value in an organization’s data.
Conclusion
To conclude, the FSA Guidelines impose significantly more stringent requirements on Financial Instruments Business Operators in Japan compared to the general provisions of the APPI. These additional obligations encompass comprehensive internal controls, detailed oversight mechanisms, stringent contractor management, extensive incident response protocols, regular audits, and specific measures for handling sensitive information. The Guidelines also introduce unique requirements for securities companies regarding the exchange of non-disclosure information with parent and subsidiary corporations. While these regulations present considerable compliance challenges, technological solutions like Private AI can play a crucial role in easing this burden. By facilitating post-incident analysis, data redaction, and anonymization, such tools enable financial institutions to better manage personal information, reduce compliance risks, and unlock value from their data assets while adhering to the strict standards set by the FSA. As the regulatory landscape continues to evolve, leveraging such advanced technologies will become increasingly important for financial institutions operating in Japan to maintain compliance and protect customer information effectively.