JFSA inspection of crypto exchanges —
interim summary

Norbert Gehrke
Published in Tokyo FinTech, Aug 13, 2018
Interim summary of the JFSA inspection of virtual currency exchanges as published on August 10, 2018

Inspection Findings

The company size of the virtual currency exchanges expanded rapidly compared with the previous fiscal year (on average a 553% increase was observed). A small number of officers and employees manage these large amounts of user assets (handling JPY 3.3bn per person on average).

The volume of transactions has been expanding rapidly since the autumn of last year, and while the exchanges expanded their business, the internal control systems have not kept pace with the increasing demand.

  • Business (first line of defense): a proper risk evaluation of the cryptographic assets handled was not done; the companies sold cryptographic assets inappropriately; crypto exchanges continued aggressive advertising while the internal control systems could not keep up.
    In selecting and handling the cryptographic assets, only the convenience and profitability of cryptographic assets are being considered, while the selection should also take into account risks such as security, anti-money laundering and terrorist financing, etc., and the maturity of the internal management systems.
  • Risk Management & Compliance (second line of defense): internal management was not compliant with minimum standards defined by rules and regulations; AML and terrorist financing counter-measures were not implemented; internal controls were not functioning; there is a shortage of security personnel; user protection was not ensured; outsourcing parties have not been sufficiently managed.
    Expertise necessary for advising on the first line such as account opening, understanding of various regulations relating to transfer of cryptographic assets, measures for providing anti-money laundering and anti-terrorism financing based on the risk characteristics of cryptographic assets was not secured. Compared to business volume, system personnel were understaffed. Companies have not developed risk scenarios and contingency plans on cyber attacks and have not conducted security training.
  • Internal Audit (third line of defense): an internal audit division did not exist; an internal audit plan had been formulated, but not based on a risk Audit personnel with expertise and ability necessary for implementing anti-money laundering and anti-terrorist financing measures were not employed; no internal audit plan or internal audit has been carried out while internal audit personnel were conducting other work.
  • Corporate Governance (impacting all three lines of defense): management gave priority to profit over compliance; the check function of the directors and corporate auditors is not demonstrated; lack of human resources who have knowledge of risk management in the financial industry; low consciousness of user protection and low spirit of legal compliance; reluctance to disclose management information or financial information.
    While the business is rapidly expanding, the management team has not increased the number of personnel in line with the business or reviewed the system capacity; at the Board of Directors, discussion on risk management as a financial firm managing a large amount of user property has not been conducted; management information and financial information are not publicly announced.

Future Supervisory Response

Registration review & monitoring

  • For registered crypto exchanges: improve risk profiling and update it frequently, continue to conduct ongoing inspections, conduct deep monitoring and, if necessary, take necessary administrative responses
  • For exchanges in the application process: based on the results of the inspection report in response to the business improvement order, individually verify and judge whether to grant a license
  • For future applicants: upon registration review, we will enrich documentation and evidence confirmation about the business plan of crypto exchanges and the state of improvement of effective internal control systems and, accordingly, strengthen verification at the office location and interviews of officers; also, given the rapid changes in the environment and business surrounding cryptographic assets, we will conduct on-site inspections of newly registered vendors at an early stage

Collaboration with Self-Regulatory Organizations (SROs)

  • For certification applications from voluntary regulatory bodies, we will judge appropriately against the accreditation requirements of laws and ordinances, so that effective self-regulatory functions are established

Collaboration with adjacent ministries and overseas organizations

  • Continue to work closely with relevant ministries and agencies concerning domestic nonregistered suppliers and warnings to investors; in addition, pursue broader and closer cooperation with overseas authorities, such as on correspondence to overseas nonregistered companies.
