Who Must Comply
APTCP obligations apply across a broad range of financial institutions. For mid-market institutions, the primary categories are:
- City banks, regional banks (first and second tier), trust banks, and foreign bank branches.
- Securities firms, investment managers, investment advisers, and commodity dealers regulated under the FIEA.
- Insurance companies and intermediaries under the Insurance Business Act.
- Electronic payment instrument service providers, funds transfer service providers, and crypto-asset exchange service providers (CASPs) under the Payment Services Act.
- Credit card companies and instalment sales finance companies.
Core Compliance Obligations
Customer Due Diligence
CDD is required at onboarding and at prescribed trigger points throughout the customer relationship. The FSA’s 2024 FAQ update extended domestic PEP obligations explicitly — institutions must now apply enhanced due diligence to Japanese nationals who hold or have held prominent public functions, not only to foreign PEPs.
The risk-based approach requires CDD intensity to be proportionate to assessed risk. That proportionality must be documented, demonstrably applied, and subject to periodic review. A CDD programme that applies the same process to every customer regardless of risk profile does not satisfy the FSA’s current expectations.
Transaction Monitoring
Effective transaction monitoring requires more than generating alerts. The FSA expects risk-calibrated parameters, efficient alert management, and genuine detection of suspicious activity. High false positive rates that prevent real review are treated as an effectiveness failure — the FSA’s position is that an unmanageable alert queue is itself a compliance gap, not merely an operational inconvenience.
Under the March 2026 revised guidelines, institutions must document the rationale for monitoring parameter calibration and evidence that those parameters reflect the institution’s risk assessment. Generic off-the-shelf rule sets without documented calibration will not satisfy this requirement.
Suspicious Transaction Reporting
STR filing must meet both volume and quality standards. Inconsistent filing at mid-tier institutions — particularly the gap between assessed risk exposure and actual filing rates — was a specific finding in Japan’s 2021 FATF evaluation. The 2028 assessment will examine directly whether this has improved. Institutions whose filing rates remain below what their risk profile would indicate face both FSA examination risk and adverse contribution to Japan’s national FATF statistics.
Record-Keeping and Audit Trails
CDD records, screening results, alert disposition decisions, and STR filings must be retained for prescribed periods and available to the FSA on request. The quality of that evidence — its completeness, consistency, and tamper-evidence — is now a direct factor in how the FSA assesses programme effectiveness. Manually maintained records that require compilation before presentation to examiners carry material credibility risk.
What the FSA Now Expects from Compliance Infrastructure
Meeting the effectiveness standard the FSA applies from 2026 forward requires specific technical capabilities. The following are, in practice, required for mid-market financial institutions:
- Real-time PEP and sanctions screening against global watchlists and Japan-specific lists, with continuous monitoring that detects status changes as they occur — not only at periodic re-screening intervals.
- Domestic PEP database coverage: a PEP database that includes Japanese politically exposed persons, not only international ones. The FSA’s 2024 FAQ update made this a specific requirement, and absence of domestic PEP coverage is the most frequently identified gap in FSA examinations.
- Transaction monitoring with documented, risk-calibrated parameters: alert thresholds connected to the institution’s risk assessment, with calibration rationale maintained and periodically reviewed.
- Integrated STR workflow from alert generation through investigation to JAFIC submission, with system-timestamped evidence at every stage.
- Case management capability that records the reasoning behind alert disposition decisions — both decisions to file and decisions not to file.
- API integration with core banking and customer management systems for automated, continuous monitoring rather than periodic batch processing.
- Management reporting that produces the board-level information required by the FSA’s governance expectations.
| What the FSA is looking for in 2026-2028 The FSA’s supervisory focus has shifted decisively from framework existence to operational effectiveness. Examiners now assess whether monitoring parameters reflect actual risk, whether alert management catches genuine threats before they are missed, whether STR filing is consistent with the institution’s risk exposure, and whether board governance provides meaningful oversight. Mid-market institutions whose programmes were built to the former basic requirements standard face the most significant gap between their current state and the new mandatory baseline. |
|---|
Why Technology Infrastructure Is Now a Regulatory Risk Decision
Manual compliance processes cannot generate the consistency, evidence quality, or operational scale that FSA effectiveness assessments require. For mid-market institutions, the question of whether to invest in automated compliance infrastructure is no longer a technology budget decision. It is a regulatory risk management decision.
An institution that faces an FSA effectiveness examination with manually maintained records, inconsistent alert management, and a fragmented compliance system faces adverse examination findings that are structurally difficult to remediate quickly. The time to address that risk is before the examination cycle — which, for the 2028 FATF evaluation, means before the end of 2026.
MemberCheck, Nexiant’s enterprise AML/CTF platform, is purpose-built for this environment. With over 15 years of deployment across regulated financial services, it delivers integrated PEP and sanctions screening, transaction monitoring, KYC/KYB verification, adverse media monitoring, and case management — within a single platform that generates the evidence trails the FSA requires.
Frequently Asked Questions
AML Compliance in Japan: Guide for Financial Institutions | Nexiant
A practical guide to Japan’s AML/CTF compliance obligations under the APTCP and FSA Guidelines — covering who must comply, core obligations, and system requirements.
Speak to our teamThis article was accurate at the time of publication in June 2026 and is intended for general informational purposes only. It does not constitute legal, regulatory or compliance advice. Organisations should seek qualified professional guidance in relation to their specific obligations.




