AML Compliance in Japan: A Practical Guide for Financial Institutions

Japan's FSA now assesses AML/CTF effectiveness, not just framework existence. This guide covers the APTCP, FSA Guidelines, FATF 2028 obligations, and what mid-market institutions must do now.

AML Guide  ·  June 2026  ·  RegTech

Japan’s AML/CTF framework operates on three layers: primary legislation through the APTCP, supervisory expectations through the FSA Guidelines, and international obligations under FATF.

Who Must Comply

APTCP obligations apply across a broad range of financial institutions. For mid-market institutions, the primary categories are:

  • City banks, regional banks (first and second tier), trust banks, and foreign bank branches.
  • Securities firms, investment managers, investment advisers, and commodity dealers regulated under the FIEA.
  • Insurance companies and intermediaries under the Insurance Business Act.
  • Electronic payment instrument service providers, funds transfer service providers, and crypto-asset exchange service providers (CASPs) under the Payment Services Act.
  • Credit card companies and instalment sales finance companies.

Core Compliance Obligations

Customer Due Diligence

CDD is required at onboarding and at prescribed trigger points throughout the customer relationship. The FSA’s 2024 FAQ update extended domestic PEP obligations explicitly — institutions must now apply enhanced due diligence to Japanese nationals who hold or have held prominent public functions, not only to foreign PEPs.

The risk-based approach requires CDD intensity to be proportionate to assessed risk. That proportionality must be documented, demonstrably applied, and subject to periodic review. A CDD programme that applies the same process to every customer regardless of risk profile does not satisfy the FSA’s current expectations.

Transaction Monitoring

Effective transaction monitoring requires more than generating alerts. The FSA expects risk-calibrated parameters, efficient alert management, and genuine detection of suspicious activity. High false positive rates that prevent real review are treated as an effectiveness failure — the FSA’s position is that an unmanageable alert queue is itself a compliance gap, not merely an operational inconvenience.

Under the March 2026 revised guidelines, institutions must document the rationale for monitoring parameter calibration and evidence that those parameters reflect the institution’s risk assessment. Generic off-the-shelf rule sets without documented calibration will not satisfy this requirement.

Suspicious Transaction Reporting

STR filing must meet both volume and quality standards. Inconsistent filing at mid-tier institutions — particularly the gap between assessed risk exposure and actual filing rates — was a specific finding in Japan’s 2021 FATF evaluation. The 2028 assessment will examine directly whether this has improved. Institutions whose filing rates remain below what their risk profile would indicate face both FSA examination risk and adverse contribution to Japan’s national FATF statistics.

Record-Keeping and Audit Trails

CDD records, screening results, alert disposition decisions, and STR filings must be retained for prescribed periods and available to the FSA on request. The quality of that evidence — its completeness, consistency, and tamper-evidence — is now a direct factor in how the FSA assesses programme effectiveness. Manually maintained records that require compilation before presentation to examiners carry material credibility risk.

What the FSA Now Expects from Compliance Infrastructure

Meeting the effectiveness standard the FSA applies from 2026 forward requires specific technical capabilities. The following are, in practice, required for mid-market financial institutions:

  • Real-time PEP and sanctions screening against global watchlists and Japan-specific lists, with continuous monitoring that detects status changes as they occur — not only at periodic re-screening intervals.
  • Domestic PEP database coverage: a PEP database that includes Japanese politically exposed persons, not only international ones. The FSA’s 2024 FAQ update made this a specific requirement, and absence of domestic PEP coverage is the most frequently identified gap in FSA examinations.
  • Transaction monitoring with documented, risk-calibrated parameters: alert thresholds connected to the institution’s risk assessment, with calibration rationale maintained and periodically reviewed.
  • Integrated STR workflow from alert generation through investigation to JAFIC submission, with system-timestamped evidence at every stage.
  • Case management capability that records the reasoning behind alert disposition decisions — both decisions to file and decisions not to file.
  • API integration with core banking and customer management systems for automated, continuous monitoring rather than periodic batch processing.
  • Management reporting that produces the board-level information required by the FSA’s governance expectations.
What the FSA is looking for in 2026-2028 The FSA’s supervisory focus has shifted decisively from framework existence to operational effectiveness. Examiners now assess whether monitoring parameters reflect actual risk, whether alert management catches genuine threats before they are missed, whether STR filing is consistent with the institution’s risk exposure, and whether board governance provides meaningful oversight. Mid-market institutions whose programmes were built to the former basic requirements standard face the most significant gap between their current state and the new mandatory baseline.

Why Technology Infrastructure Is Now a Regulatory Risk Decision

Manual compliance processes cannot generate the consistency, evidence quality, or operational scale that FSA effectiveness assessments require. For mid-market institutions, the question of whether to invest in automated compliance infrastructure is no longer a technology budget decision. It is a regulatory risk management decision.

An institution that faces an FSA effectiveness examination with manually maintained records, inconsistent alert management, and a fragmented compliance system faces adverse examination findings that are structurally difficult to remediate quickly. The time to address that risk is before the examination cycle — which, for the 2028 FATF evaluation, means before the end of 2026.

MemberCheck, Nexiant’s enterprise AML/CTF platform, is purpose-built for this environment. With over 15 years of deployment across regulated financial services, it delivers integrated PEP and sanctions screening, transaction monitoring, KYC/KYB verification, adverse media monitoring, and case management — within a single platform that generates the evidence trails the FSA requires.


Frequently Asked Questions

AML compliance in Japan is governed by the APTCP (犯収法) and FSA AML/CTF Guidelines. Specified business operators — including banks, securities firms, insurance companies, electronic payment service providers, and CASPs — must comply. Obligations cover customer due diligence, suspicious transaction reporting to JAFIC, and record retention.
The March 2026 revision collapsed the previous three-tier framework into a single mandatory baseline. Former good practice standards are now required. Mid-market institutions calibrated to the basic requirements tier must conduct a gap assessment and remediate accordingly.
Japan’s FATF 5th Round on-site inspection is scheduled for August 2028. It assesses both technical compliance and operational effectiveness. Institutions should be building operational effectiveness evidence from mid-2026 to ensure an adequate evidence base exists by the examination period.
The most common gaps are: absence of domestic PEP screening coverage, STR filing rates inconsistent with the institution’s risk profile, monitoring parameters without documented calibration rationale, incomplete alert disposition records, and CDD records lacking consistency across the customer book.
The FSA expects real-time PEP and sanctions screening with continuous monitoring, domestic Japanese PEP database coverage, risk-calibrated transaction monitoring with documented parameters, an integrated STR workflow from detection to JAFIC submission, and management reporting sufficient for board-level governance.

AML Compliance in Japan: Guide for Financial Institutions | Nexiant

A practical guide to Japan’s AML/CTF compliance obligations under the APTCP and FSA Guidelines — covering who must comply, core obligations, and system requirements.

Speak to our team

This article was accurate at the time of publication in June 2026 and is intended for general informational purposes only. It does not constitute legal, regulatory or compliance advice. Organisations should seek qualified professional guidance in relation to their specific obligations.