
Japan’s revision of the Banking Act required the establishment of an Open Banking framework. The Financial Services Agency (FSA) oversees the regulatory environment for electronic payment service providers.
Cost: Paid
Topic: Open Banking
Approach: Hybrid, Market Driven, Regulated
JSON | REST
Any third party accessing customer data from financial institutions via APIs must be registered with the FSA.
The regulations govern electronic payment services, which in Japan include both services that allow transfers to multiple accounts and account aggregation services. The Japanese Bankers Association (JBA), in consultation with financial institutions, academics, and other stakeholders, produced a report to establish standard norms for creating API specifications.
OAuth 2.0 is used as the authorization framework.
Banks are required to evaluate the security suitability of Third-Party Providers (TPPs). This assessment should consider whether the TPP meets security standards, has any history of security breaches and subsequent corrective actions, and whether it has the necessary systems and resources for continuously enhancing security measures based on user profiles and transaction risks.
In carrying out this eligibility assessment, banks may rely on independently developed security policies, external security documentation, and certifications obtained by the TPP, such as ISO 27001 or TRUSTe.
The Act on the Protection of Personal Information was revised in 2020, granting individuals the right to request the removal of their personal data.
Following the Working Group on Payment and Transaction Banking’s report issued in December 2015, and the Japanese Government’s Japan Revitalization Strategy 2016, policies were developed to encourage collaboration between banks and other financial service providers, particularly through opening banking system APIs. The goal was to support the creation of new services in partnership with banks while maintaining strong information security standards.
In 2017, the Banking Act was amended to address the regulatory treatment of intermediary service providers involved in banking settlements. Legislation governing “Electronic Payment Intermediate Service Providers” came into force in June 2018, introducing mandatory registration with the Financial Services Agency (FSA). Banks were also required to prepare systems for open API adoption within two years, a deadline that was later extended to 2020 due to the COVID-19 pandemic. Despite the delay, 97% of banks met the target. By January 2019, 21 entities were registered, and this number had nearly doubled to 40 by the end of March.
Electronic Payment Intermediate Services are broadly defined, covering not only the transmission of payment instructions but also the processing of key account information, including balances and transaction histories.
In 2024, the New Financial Services Intermediary Business Operator (FSIBO) framework was introduced. March 2024 also saw the Bank of Japan revise its monetary policy framework. Later, in October 2024, the FSA issued new Cybersecurity Guidelines for the financial sector. Additionally, Japan’s Ministry of Economy, Trade and Industry (METI) mandated that all e-commerce credit card transactions adopt EMV 3-D Secure by March 31, 2025.
Between 2024 and 2025, Japan is completing the final phase of implementing the Basel III regulatory framework, aimed at strengthening global banking standards. The FSA is adopting a national approach to the Basel Endgame rules through a phased schedule extending into 2025 and possibly beyond.
Under the law, an electronic payment service provider (EPSP) must sign a service agreement with the partnering bank, which must specify that the EPSP is responsible for compensating users for any loss or damage related to its electronic payment services. This includes requirements for the proper management and secure handling of user information, as well as measures the bank may impose if the EPSP fails to meet these obligations.
Additionally, each financial year, an EPSP is required to prepare and submit a written report on its electronic payment services to the Financial Services Agency (FSA), in line with Cabinet Office Order provisions.
If the FSA determines that it is necessary to ensure the proper and sound operation of an EPSP’s services, it may authorize officials to enter the EPSP’s offices or facilities, question personnel about business or financial matters, and inspect books, documents, and other relevant materials.
Governance matters will be discussed jointly by the regulator, the JBA, and the Japan Association for Financial API.
At TechnoXander, we drive payments innovation with agility and adaptability. Headquartered in London, we empower banks and financial institutions to leverage PSD2, PSD3, Open Banking, and advanced fraud prevention solutions like CoP and VoP. Committed to staying ahead of trends, we invest in cutting-edge financial technology while maintaining robust security, as reflected in our ISO 27001:2022 certification.