Customer Due Diligence in Japan: APTCP and FSA Requirements for Mid-Market Financial Institutions

CDD under Japan's APTCP and FSA Guidelines operates across three tiers calibrated to customer risk. The FSA's 2024 FAQ update added domestic PEP obligations many institutions have not yet implemented.

Compliance  ·  June 2026  ·  RegTech

Simplified Due Diligence

Periodic Review Requirements

CDD is not a point-in-time exercise at customer onboarding. The FSA requires periodic re-verification of customer information at a frequency proportionate to the customer’s risk classification:

  • High-risk customers (including PEPs and customers in elevated-risk sectors) require more frequent review cycles — typically annually or more frequently depending on risk profile.
  • Standard-risk customers require review at intervals appropriate to their risk level — typically every two to three years, or more frequently where monitoring generates alerts.
  • Low-risk customers under SDD require periodic review to confirm that the low-risk basis remains valid.

Each periodic review must be documented in the customer’s compliance record, with the review date, reviewer identity, findings, and any CDD updates made as a result.

Trigger-Based Re-Verification

In addition to scheduled periodic review, the FSA requires trigger-based re-assessment where circumstances change materially. The triggers include:

  • Change in beneficial ownership structure: any change in the individuals who own or control the customer entity must trigger re-verification of the new controllers.
  • Transaction monitoring alert: an alert suggesting a significant change in the customer’s transaction behaviour profile may indicate a change in risk level requiring CDD re-assessment.
  • Adverse media identification: negative media coverage identifying the customer in connection with financial crime, corruption, or sanctions should trigger immediate CDD review.
  • PEP status change: a customer who acquires a qualifying public function after onboarding becomes a domestic PEP and requires the full EDD process — immediate re-classification, senior management approval, and source of wealth documentation.
  • Regulatory change: a new FATF designation, new FSA guidance, or a change in the risk classification of a jurisdiction or sector to which the customer is connected may require re-assessment of the customer’s risk classification.

Documentary Evidence Requirements

For each customer relationship, the compliance record should contain the following to satisfy FSA examination requirements:

  • Identity verification documents with the date obtained and the specific verification method applied.
  • The CDD tier assigned to the customer — SDD, standard CDD, or EDD — with documented rationale for the tier selection.
  • Beneficial ownership verification records, including the methodology used to identify and verify each UBO.
  • Where EDD applies: the triggering factor, the senior management approval, source of wealth and funds findings, and the enhanced monitoring calibration applied.
  • Periodic review dates, reviewer identity, outcomes, and any CDD updates made as a result of the review.
  • Transaction monitoring alert history relevant to the customer, with disposition records.
The 2024 domestic PEP gap in CDD programmes The FSA’s 2024 FAQ update created a specific domestic PEP compliance gap at many mid-market institutions. A compliant CDD programme now requires a PEP database with comprehensive Japanese domestic PEP coverage, integrated with both the onboarding workflow and the ongoing monitoring programme. Global PEP databases without specific Japanese domestic depth do not satisfy this requirement — and the gap applies not only to future onboarding but to the existing customer book, where domestic PEPs who were onboarded before the 2024 FAQ update have not yet been re-assessed.

Frequently Asked Questions

The three tiers are: simplified due diligence (SDD) for documented low-risk relationships, standard customer due diligence (SCDD) as the default for most relationships, and enhanced due diligence (EDD) for elevated-risk relationships including PEPs, high-risk jurisdiction customers, and complex ownership structures.
Financial institutions must identify all individuals who ultimately own or control more than 25% of the entity’s voting rights. The verification must trace through corporate layers to the ultimate individual controller — identification of an intermediate corporate entity is not sufficient.
EDD is required for PEPs (domestic and international), customers from FATF-designated high-risk jurisdictions, non-face-to-face customers, customers in elevated-risk sectors, customers with complex ownership structures, and customers whose explanation of transaction purpose is unclear or inconsistent with their financial profile.
In addition to scheduled periodic reviews, CDD re-verification is triggered by: changes in beneficial ownership structure, transaction monitoring alerts indicating a behaviour shift, adverse media identifying the customer in connection with financial crime, PEP status changes, and regulatory changes affecting the risk classification of a jurisdiction or sector connected to the customer.
The 2024 update requires systematic domestic PEP screening at onboarding and through ongoing monitoring. This requires a PEP database with comprehensive Japanese domestic PEP coverage integrated with the onboarding workflow. Global PEP databases without Japan-domestic depth do not meet this standard.

Customer Due Diligence Japan: APTCP & FSA Requirements | Nexiant

Japan’s three CDD tiers — simplified, standard, and enhanced — under the APTCP and FSA Guidelines. Covers domestic PEP obligations, periodic review, and documentary evidence requirements.

Speak to our team

This article was accurate at the time of publication in June 2026 and is intended for general informational purposes only. It does not constitute legal, regulatory or compliance advice. Organisations should seek qualified professional guidance in relation to their specific obligations.