Japan Shifts AML Focus From Compliance Frameworks to Demonstrable Effectiveness
Key Takeaways
- Supervisory Priorities Evolve: The Financial Services Agency says most Japanese financial institutions have established basic AML/CFT risk control frameworks, with supervisory attention now shifting toward verifying and improving their effectiveness.
- Financial Crime Continues to Escalate: The regulator warns that online and telephone scams, phishing, unauthorized access and other financial crimes are becoming more sophisticated, with reported losses from online and telephone scams reaching JPY 325.7 billion in 2025.
- FATF Evaluation Drives Reform: Preparations for the FATF Fifth Round Mutual Evaluation are shaping Japan's regulatory agenda, including expanded inspections, revised guidance and closer attention to the experiences of countries already assessed.
- Collaboration Becomes Central: The FSA emphasizes stronger information sharing among financial institutions, greater cooperation with law enforcement and continued public-private collaboration as essential components of an effective response to financial crime.
- Emerging Risks Remain a Priority: Financial institutions are expected to continue strengthening AML/CFT programs while monitoring evolving risks associated with crypto-assets, stablecoins, online casinos and other emerging threats.
Deep Dive
The work of fighting money laundering has always invited a certain temptation: to mistake the existence of controls for the existence of control. Japan's Financial Services Agency is now pushing firmly against that instinct. In its latest assessment of anti-money laundering, counter-terrorist financing and financial crime efforts, the regulator makes clear that the question facing financial institutions is no longer whether they have built the necessary frameworks. It is whether those frameworks can withstand contact with the world as it actually is.
That shift matters because, by the FSA's own assessment, the first phase of Japan's AML/CFT reforms is largely complete. Almost all financial institutions have established basic risk control frameworks. For several years, that was the objective. Today it is merely the starting point. As Japan prepares for the Financial Action Task Force's Fifth Round Mutual Evaluation, the emphasis is moving from construction to proof. Regulators want evidence that systems are effective, that weaknesses are identified before they become failures, and that institutions are improving their defenses as risks evolve rather than preserving them as if compliance were a finished project.
The FSA has already begun testing that proposition. Since the 2025 program year, which spans July 2025 through June 2026, it has incorporated effectiveness verification into inspections and other supervisory activities. Those examinations have, in turn, informed revised case study collections intended to show financial institutions not simply what the rules require but how meaningful implementation looks in practice. The regulator also updated its AML/CFT Guidelines and frequently asked questions in March 2026, describing further revisions as an ongoing process rather than a completed exercise.
There is a quiet but important change in philosophy running beneath these measures. The report repeatedly suggests that resilience cannot be demonstrated by policy documents alone. Financial institutions are expected to test their own assumptions, challenge their own controls and continue refining them, while paying close attention to the experiences of countries that have already completed the first wave of Fifth Round Mutual Evaluations. The lessons emerging from Malaysia, Belgium, Italy, Austria and Singapore are presented not as distant case studies but as advance notice of the questions Japan itself will soon face.
The urgency becomes easier to understand when the report turns from regulation to crime. Financial crime, the FSA argues, has become more varied, more technically sophisticated and more expensive with each passing year. Investment scams and romance scams conducted through social media platforms continue to proliferate alongside phishing attacks, unauthorized account access and fraudulent transactions that increasingly blur the line between cybercrime and traditional financial fraud. The damage from online and telephone scams alone reached JPY 325.7 billion during 2025, a 1.6-fold increase over the previous year. Behind that figure lies the regulator's broader concern: criminal methods evolve faster than static compliance programs.
That is why the report argues for something more comprehensive than isolated controls. Financial institutions, it says, must develop measures that correspond to the techniques criminals use at every stage of their activity, protecting customers while ensuring that legitimate financial services cannot easily be repurposed for criminal ends. The objective is not simply to intercept suspicious transactions after they occur but to make the financial system progressively less useful to those seeking to exploit it.
No institution, however sophisticated, can accomplish that alone. The FSA describes financial crime prevention as a collaborative domain, one that depends as much on relationships as technology. Information sharing among financial institutions, closer cooperation with police and stronger public-private partnerships all feature prominently throughout the report. Criminal organizations exchange information readily. The regulator's message is that defenders must become equally effective at doing the same.
That cooperative approach extends beyond Japan's borders. Alongside domestic supervisory reforms, the report surveys international developments that are steadily reshaping AML expectations. It examines the FATF Ministerial Declaration, the first completed Fifth Round Mutual Evaluations and the continuing importance of the risk-based approach that has become the organizing principle of modern AML supervision. It also highlights revisions to FATF Recommendation 16 intended to improve transparency in cross-border payments, together with two FATF reports published in March 2026 addressing crypto-assets and stablecoins. These are presented not as emerging curiosities but as risks that financial institutions are expected to understand now rather than later.
The report also acknowledges that institutional maturity remains uneven. Building an effective AML program still depends on decisions that cannot be delegated to software or compliance departments alone. Board-level commitment, sufficient staffing, adequate budgets, coordination across business units and robust internal audit all remain works in progress at varying degrees across the financial sector. Technical capability, the FSA suggests without quite saying so directly, rarely compensates for organizational indifference.
The same philosophy shapes the agency's broader approach to financial crime. Preventing victimization remains one pillar of the strategy, whether through consultation services for consumers, action against unregistered financial instruments businesses, measures addressing fraudulent social media advertisements, responses to online casinos or continued efforts against phishing and unauthorized access. The second pillar focuses on denying criminals the infrastructure they rely upon. The report points to stronger Internet banking countermeasures, tougher penalties for account trading, the introduction of penalties for remittance-related crimes, improved detection of fraudulent transactions, stricter identity verification and expanded information sharing regarding fraudulently used accounts. Financial and regulatory support for system development to strengthen that information sharing is scheduled to begin in April 2027.
The final element lies outside financial institutions altogether. Public awareness campaigns, coordinated across government agencies, industry and the National Police Agency, remain an explicit part of the strategy. The FSA views fraud prevention not simply as a matter of stronger controls inside banks but as a problem that also requires fewer opportunities outside them, whether that means discouraging illegal account trading or helping consumers recognize phishing attempts before they become victims.
Running through the report is a recognition that regulation has entered a more demanding phase. Establishing an AML framework is no longer sufficient because financial crime has long since stopped standing still. The institutions most likely to earn the confidence of regulators, international assessors and the public will not necessarily be those with the thickest manuals or the largest compliance departments. They will be the ones that can demonstrate, repeatedly and with evidence rather than assurance, that their controls continue to adapt as quickly as the threats they were built to confront.
The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.

