KYC Requirements in Japan 2026: FSA Rules and the Act on Prevention of Transfer of Criminal Proceeds

Japan’s Financial Services Agency (FSA) issued revised anti-money laundering and counter-terrorist financing (AML/CFT) guidelines that took effect on 31 March 2026, sharpening supervisory expectations on transaction monitoring, outsourcing controls, and technology adoption for every regulated institution in the country. For banks, fintech platforms, and crypto exchanges, the update shifts the compliance question from whether a policy exists to whether the controls can be demonstrated to work. This post covers what the updated KYC requirements Japan compliance teams face, which businesses the framework applies to, and the digital identity verification tools Japan banks and fintechs are deploying to meet the new standard.

What is the Act on Prevention of Transfer of Criminal Proceeds?

The Act on Prevention of Transfer of Criminal Proceeds (APTCP), enacted in 2007 under Japan’s National Police Agency, is Japan’s primary anti-money laundering law and the legal foundation for all KYC requirements in the country. Under this law, “specified business operators” must verify customer identity at the point of a qualifying transaction, retain identity and transaction records for at least seven years, and file suspicious transaction reports with the Japan Financial Intelligence Center (JAFIC).

Japan’s definition of “specified business operators” covers a wide scope. Banks, securities firms, insurance companies, money exchange operators, crypto asset exchange service providers, real estate agents, and dealers in precious metals all fall within the APTCP’s reach. Each sector has its own transaction thresholds and due diligence triggers, but the underlying obligation to verify customer identity, maintain records, and report suspicious activity applies across all of them.

For individuals, acceptable identification documents include the My Number Card, passport, driver’s license, and residence card for foreign nationals. Corporate customers face an additional layer of verification. The APTCP requires businesses to verify the identity of natural persons who exercise substantial control over the entity, an obligation drawn from the Financial Action Task Force (FATF) beneficial ownership standards.

Who regulates KYC in Japan?

KYC Japan regulations are enforced by two bodies operating with distinct mandates. The FSA supervises financial institutions, including banks, securities firms, insurance companies, and crypto asset exchange service providers registered under the Payment Services Act. JAFIC operates under the National Police Agency, receives suspicious transaction reports, coordinates financial intelligence, and supports law enforcement on money laundering investigations.

FSA Japan KYC rules follow a risk-based approach, formalised in the 2021 revision to the FSA guidelines and reinforced by the March 2026 update. Under this model, institutions self-assess their money laundering risk, design controls proportionate to that risk, and demonstrate operational effectiveness to examiners rather than simply presenting policy documents. The 2021 FATF Mutual Evaluation Report on Japan placed Japan in enhanced follow-up, identifying gaps in the effectiveness of preventive measures and in the confiscation of criminal proceeds. Japan’s 2026 FSA guidelines are a direct response. Institutions are now required to submit suspicious transaction report data broken down by country and customer attribute and to grant the regulator access to board-level AML/CFT reports.

What do Japan’s KYC regulations require in practice?

AML compliance Japan under the APTCP breaks into four discrete obligations that every covered institution must meet. These are not policy checkboxes but operational requirements the FSA expects to audit through records, system logs, and governance documentation, and each carries its own evidentiary burden in an examination.

Customer identity verification

At onboarding and at qualifying transactions, businesses must verify the customer’s identity using an accepted document. For customer due diligence on individuals, the APTCP recognises My Number Card, passport, driver’s license, and residence card for foreign nationals. Corporate customers’ verification extends to beneficial owners with substantial control. AML transaction screening Japan against JAFIC-relevant watchlists is required before the relationship commences.

Record-keeping obligations

Identity records and transaction records must be retained for seven years from the date of the transaction or the close of the business relationship. The FSA can request these records during examination, and incomplete retention is treated as a standalone compliance failure independent of whether the original verification was conducted correctly.

Continuous KYC monitoring Japan

Continuous KYC monitoring Japan is an explicit requirement under the 2026 FSA guidelines. The updated framework moves KYC from a one-time onboarding step to an ongoing risk process. Perpetual KYC Japan, the model in which customer data is refreshed on a risk-event trigger rather than a fixed calendar schedule, fits this expectation. For high-risk customers, institutions must conduct enhanced due diligence (EDD) and document that its scope matches the specific risk profile of that customer.

Suspicious transaction reporting

Institutions must file a suspicious transaction report (STR) with JAFIC whenever a transaction or pattern of activity gives reasonable grounds to suspect money laundering or terrorist financing. As of March 2026, the FSA requires STR data to be reported broken down by country and customer attribute, a more granular standard than the previous framework demanded.

Which sectors must comply with Japan’s KYC rules?

The APTCP applies to a broader set of industries than traditional banking alone. Japan’s supervised sectors face active FSA examination and carry the clearest operational requirements for identity verification. Each sector has its own transaction thresholds and due diligence triggers, but the KYC obligation applies uniformly.

Banking and financial institutions

Banks, regional banks, shinkin banks, and securities firms are the primary focus of FSA examinations on AML compliance Japan. These institutions must identify customers at account opening, apply EDD to politically exposed persons (PEPs) and their associates, and maintain transaction monitoring systems that generate audit-ready records. Digital identity verification Japan banks are preparing for an additional mandate. Regulations expected in 2027 will require banks and credit card companies to use IC chip-based verification for remote account openings. Biometric Update reported that IC chip-based verifications using My Number Cards and driver’s licenses nearly doubled to 14 million in 2024, pointing to strong early adoption well before the formal deadline.

Fintech and payment services

KYC fintech Japan obligations align closely with banking requirements. The APTCP 2024 amendments brought Electronic Payment Instrument Service Providers (EPISPs) fully into scope, including Travel Rule obligations, effective August 2025 per the FSA enforcement announcement. Money exchange operators face a customer identification trigger at transactions over 200,000 JPY. KYC fintech solutions that automate document and biometric checks are now standard practice among regulated payment platforms, and the 2026 FSA guidelines reinforce the point. Manual processes cannot deliver the audit trail that regulators now require.

Crypto asset exchanges

Crypto asset exchange service providers registered with the FSA must comply with the full scope of AML compliance Japan obligations, including the Japan Travel Rule. Japan’s Travel Rule threshold is 0 JPY, meaning all transfers, regardless of amount, require originator and beneficiary data. This applies under the APTCP and the Japan Virtual Currency Exchange Association (JVCEA) self-regulatory framework, and stands in contrast to the 1,000 EUR minimum under EU transfer regulations, making Japan one of the strictest travel-rule regimes globally.

How is digital identity verification changing KYC in Japan?

The digital identity verification tools Japan banks and fintech platforms are deploying fall into three main methods, with IC chip reading gaining adoption fastest. Document OCR and biometric face matching have been standard for several years, covering document authenticity and holder presence. IC chip reading goes further by extracting encrypted identity data directly from ePassports and My Number Cards, a method that is harder to spoof than image-based checks alone and one that the FSA notes as the direction for remote account opening verification.

The FSA’s 2026 guidelines moved the use of AI, blockchain, and process automation within AML programmes from “expected” to “important,” a material shift in how the regulator frames technology adoption. Institutions that rely on manual review cannot scale with transaction volume, and the 2026 framework ties supervisory expectations to evidence of operational effectiveness rather than policy documentation alone.

For fintech platforms where KYC fintech Japan onboarding volumes are high and manual backlogs accumulate quickly, FSA approved KYC software that combines automated document verification, biometric matching, and AML screening reduces both processing time and compliance risk. FSA guidance on outsourced compliance tools requires institutions to verify that any third-party vendor maintains a control environment equivalent to their own, a standard that applies to software tools and outsourced service providers alike.

How Shufti helps fintechs meet Japan’s KYC requirements?

KYC requirements in Japan, under the APTCP cover identity verification, ongoing monitoring, and AML transaction screening in Japan, and every one of those obligations must produce audit-ready records. For fintechs and payment platforms handling high onboarding volumes, the gap between those requirements and what manual processes can deliver is real and measurable.

Shufti’s identity verification service covers document capture and biometric face matching across more than 10,000 document types, including Japanese-issued passports, driver’s licenses, My Number Cards, and residence cards for foreign nationals. KYC fintech solutions that pair document verification with liveness detection address the FSA’s specific concern about non-face-to-face onboarding risk. For continuous KYC monitoring Japan, Shufti’s AML screening runs real-time checks against more than 100,000 data sources, including JAFIC-relevant watchlists, PEP profiles covering 2.6 million individuals, and 215+ sanction regimes, with data refreshed every 15 minutes. Businesses looking for FSA approved KYC software need a system that updates screening results as customer risk status changes throughout the relationship, not only at onboarding.