Japan’s regulatory regime is keeping pace with the growing interest in information banking. Recent amendments will enhance customer experience, writes Kenichi Tanizaki of Atsumi & Sakai
The information banking business is beginning to gain popularity. This is evident in recent applications by several major players, among them large financial institutions and renowned IT vendors, for certification to conduct information banking businesses.
Information banking is defined as a business that manages customer data (including personal data) by leveraging a personal data store (PDS) system under a data use agreement executed with each customer. The PDS provides customer data to third parties – other business operators – on behalf of the customer, based either on the customer's instruction or on some other predetermined conditions. Despite the appearance of the word banking in the name of the business activity, a banking licence is not required to run an information banking business. The objective is to act as a reliable agent for customers and provide a mechanism for promoting data distribution and use with the active participation of data subjects.
How does an entity obtain certification as an information banking business operator? A study by the Ministry of Internal Affairs and Communications (MIC) concluded that: 'it is desirable to have a voluntary certification system governed by rules established by the private sector in order to achieve social recognition and reliability of entities which successfully meet the requirements to become an information banking business operator.'
In other words, there is a public-private joint certification system with self-imposed restraints under which the MIC and the Ministry of Economy, Trade and Industry (METI) formulate standards to certify private sector bodies as certification bodies, which in turn certify information banking business operators.
The study group organised by the MIC and METI formulated the 'Guideline of Certification Schemes Concerning Functions of Information Trust ver.1.0' (the Certification Guideline). The Certification Guideline provides: (1) standards for the certification of information banking businesses; (2) items to be included in agreements between an information banking business operator, its data subjects and/or third parties to which personal information will be disclosed; and (3) the scheme under which the private certification bodies will certify the information banking business operator.
In June 2019, a Certification Guideline ver.2.0 draft was released, for which the MIC and METI called for public opinions by July 4 2019.
Based on the Certification Guideline, the MIC appointed the Information Technology Federation of Japan as the certifying body. The Federation then issued its 'Guidebook on Application for Certification as an Information Banking Business ver.1.0', clarifying the standards for the certification of information banking business operators. Any entity seeking to be certified as an information banking business operator will have to submit an application to the Federation and undergo its scrutiny. Since a wide range of businesses are eligible to be certified and because there are no limits on the scope of the methods of use of the personal information, the pool of certified information banking business operators is expected to be quite diverse.
Studies and substantive experiments are being carried out, not only in the finance industry but also in a number of other industries including IT, travel, advertising, retail and paper manufacturing. Certification under the Certification Guideline is only meant to be used for the purpose of obtaining public recognition and as a mark of reliability, as a matter of practice, and not as a means fulfilling legal requirements; as such, certification will not be needed to engage in the information banking business.
The proposed Certification Guideline ver.2.0 includes some significant developments on ver.1.0. Unlike the existing Certification Guideline, proposed ver.2.0 will cover credit card numbers and bank account numbers. Therefore, after the new Certification Guideline comes into effect, information banking businesses will be permitted to handle those additional categories of information.
Financial groups that own credit card companies through subsidiaries will have a strong incentive to become certified as information banking business operators in order to obtain the public mark of reliability. However, certain security measures will need to be taken to handle the newly included types of information; for example, for an information banking business operator to possess credit card numbers, it must comply with the self-regulatory security standards (PCI DSS) established by the credit card industry.
Banking Act reform
It is also worthwhile noting that a bill to reform the Banking Act was passed on May 31 2019 under the initiative of the Financial Services Agency. The Banking Act amendments provide for 'services to provide customer information, with customer consent, and services to provide any other information held by a bank, to third parties, both of which contribute to the advancement of banking services or the enhanced convenience of bank customers' to be treated as services incidental to a bank's main business (the 'information provision service'). The amended Banking Act is scheduled to take effect in 2020.
While the concept of information banking is expected to be quite broadly defined under the Certification Guideline and therefore quite diverse, banks, which are regulated under the Banking Act, are permitted to engage in information banking businesses only within the framework of an 'information provision service' under the Banking Act.
In other words, such services must contribute to the advancement of banking services or the enhanced convenience of bank customers. The scope of information provision services is more limited than those services permitted for the subsidiaries of banks under the 2016 Banking Act Reform. These latter are prescribed as: 'services that contribute or are expected to contribute to the advancement of banking services or the enhanced convenience of bank customers.' The language 'are expected to' expands the range of options available to bank subsidiaries. Therefore, the scope of information provision services should be carefully scrutinised and needs to be interpreted strictly.
Having said that, however, it is noteworthy that a bank itself is allowed to offer information provision services, as a bank possesses an enormous volume of information.
In 2018, five operators from several industries, including travel, electric utilities and finance, were selected for pilot studies which are expected to further contribute to the progress of information banking businesses. With the implementation of Certification Guideline ver.2.0, it is also anticipated that the public recognition and mark of reliability for an information banking business along with added convenience for customers will be enhanced. As such, the launch of diverse information banking businesses will, in turn, lead to the provision of services that further enhance the customer convenience.
|About the author|
Kenichi Tanizaki, a partner of Atsumi & Sakai, has experience advising major banks, financial institutions and fintech companies on a wide range of banking and finance matters. His practice focuses primarily on newly developed technology transactions, regulation and compliance issues in the financial services industry. His regulatory advisory practice includes banking, securities, insurance law and regulations, customer protection, data and cyber security, KYC, AML/CFT issues, and contract drafting and negotiations.
Kenichi's primary focus has been banking and financial service regulations, advising financial institutions, including major multi-national and domestic banks, insurance companies and securities houses. He regularly speaks at fintech related seminars held publicly and privately regarding recent fintech developments including bank API and EDI systems, information banking businesses and cashless settlement.