The Four Core Articles
Article 4: Customer Due Diligence
Article 4 requires identity verification at prescribed trigger points. The requirements differ by customer type and transaction nature:
- Individual customers: verification of full name, date of birth, residential address, and identity through a prescribed document — typically a government-issued ID, residence certificate, or equivalent.
- Corporate customers: verification of corporate name, address, and the identity of the representative; investigation of the purpose and nature of the transaction.
- Beneficial ownership: for corporate customers, identification and verification of individuals who ultimately own or control 25% or more of the entity’s voting rights — the standard applied in line with FATF Recommendation 10.
- PEPs: enhanced due diligence for foreign PEPs and — following the FSA’s 2024 FAQ update — domestic Japanese PEPs who hold or have held prominent public functions.
Verification must occur at the commencement of a business relationship and at prescribed intervals thereafter. Periodic re-verification is required when circumstances change materially: a change in beneficial ownership, a new product relationship, a monitoring alert suggesting a change in risk profile, or the identification of the customer as a PEP post-onboarding.
Article 8: Transaction Records
Article 8 requires the retention of records of transactions involving specified business operators. The record-keeping requirements cover:
- The nature of the transaction: amount, currency, counterparty, date, and stated purpose.
- Verification documents obtained during CDD, with date obtained and verification method applied.
- The risk assessment applied to the customer and the transaction.
- Any alert generated by monitoring systems and the disposition of that alert — including the documented rationale for decisions not to file an STR.
Records must be retained for seven years from the date of the transaction or the conclusion of the business relationship, whichever is later. They must be retrievable and presentable to supervisors or law enforcement on request. Institutions relying on paper records or manually maintained spreadsheets face serious operational risk as examination requests for specific records arrive under time pressure.
Article 9: Suspicious Transaction Reporting
Article 9 requires reporting to JAFIC where an institution suspects that a transaction involves the proceeds of crime or is connected to terrorism financing. Three points are critical to understand:
- No transaction value threshold exists. The reporting obligation is triggered by suspicion, not by the amount of money involved. A ¥50,000 transaction presenting behavioural anomalies requires the same STR consideration as a ¥50 million transaction.
- The standard is reasonable suspicion, not certainty. Institutions are not required to investigate to a conclusion before filing. The STR mechanism exists precisely to provide JAFIC with intelligence that assists in building cases from multiple sources.
- Non-filing is an offence. Persistent under-filing patterns are both a specific regulatory risk in FSA examinations and an adverse contribution to Japan’s FATF statistics.
Article 11: Internal Controls and Management
Article 11 requires the establishment of internal control systems adequate to ensure compliance with the APTCP’s requirements. This includes:
Designation of a compliance officer responsible for the AML/CTF programme.
Establishment of internal policies and procedures that implement the APTCP’s obligations.
Employee training programmes covering AML/CTF obligations and the institution’s internal procedures.
Internal audit arrangements that independently assess the effectiveness of the compliance programme.
It is Article 11 that provides the legislative basis for the FSA’s effectiveness assessment focus. An internal control system that exists on paper but does not function in practice does not satisfy Article 11’s requirements — and the FSA’s examination methodology is now specifically designed to identify that gap.
| The APTCP and the FSA Guidelines are one compliance architecture The APTCP sets the legal obligations. The FSA Guidelines specify how those obligations must be implemented and what evidence of implementation the FSA expects to find. A compliance programme that meets the APTCP’s minimum legal text but does not satisfy the FSA’s Guidelines is not compliant. The two documents must be read together — there is no meaningful distinction between legal compliance and guideline compliance in the FSA’s supervisory approach. |
|---|
Mapping APTCP Articles to System Requirements
Satisfying each APTCP article at the effectiveness standard the FSA applies requires compliance infrastructure with specific capabilities. The following mapping identifies what each article requires from a technology perspective:
- automated identity verification at onboarding with real-time PEP and sanctions screening; automated periodic re-verification triggered by monitoring events; domestic Japanese PEP database coverage; beneficial ownership verification workflow with supporting documentation capability. Article 4 (CDD):
- system-generated audit trails that capture each CDD step, each screening result, each alert generated, and each alert disposition decision with immutable timestamps; seven-year retention architecture with full retrieval capability. Article 8 (Records):
- integrated STR workflow from alert generation through investigation to JAFIC submission, with documented decision logic and filing timestamps at each stage; documented rationale for decisions not to file. Article 9 (STR):
- management reporting capability that gives compliance officers and board oversight committees real-time visibility of programme performance: false positive rates, alert resolution times, STR filing activity, periodic review completion rates. Article 11 (Controls):
The Most Common APTCP Compliance Gaps at Mid-Market Institutions
Based on FSA examination findings and FATF evaluation observations, the following gaps appear consistently at mid-market financial institutions:
- Beneficial ownership verification under Article 4: insufficient documentation of UBO identification for corporate customers, particularly in complex group structures. Many institutions identify the immediate corporate customer but do not trace through to the ultimate individual controllers.
- Domestic PEP identification under Article 4: no systematic process for identifying customers who meet the FSA’s 2024 FAQ definition of domestic PEPs. Institutions using international PEP databases without Japanese domestic coverage have a structural gap in their Article 4 compliance.
- Periodic review under Article 4: CDD reviews not conducted at the required frequency, not triggered by monitoring events as required, or not documented with adequate evidence of what was reviewed and what was updated.
- STR filing conservatism under Article 9: filing rates inconsistent with the institution’s assessed risk profile, driven by manual processes that create friction between alert generation and filing consideration, and conservative institutional cultures that set the threshold for filing higher than the APTCP requires.
- Audit trail quality under Article 8: alert disposition records that do not document the reasoning behind decisions to file or not file an STR. FSA examiners specifically look for evidence that the decision not to file was made deliberately and documentedly — a blank disposition field is not acceptable.
Frequently Asked Questions
APTCP Compliance: Japan’s Primary AML Law Explained | Nexiant
A practical guide to Japan’s Act on Prevention of Transfer of Criminal Proceeds (APTCP) — covering Articles 4, 8, 9, and 11 and their system requirements for mid-market institutions.
Speak to our teamThis article was accurate at the time of publication in June 2026 and is intended for general informational purposes only. It does not constitute legal, regulatory or compliance advice. Organisations should seek qualified professional guidance in relation to their specific obligations.




