Regulatory storm is coming: FSA attacks on multiple fronts

In the "Report on Advanced Monitoring of Internal Audits of Financial Institutions (2024)" released in September this year, the Japan Financial Services Agency (FSA) stated clearly that the internal audits of financial institutions must be significantly upgraded, and specifically named cryptocurrency exchanges as needing to strengthen internal controls and security measures. Based on this report, the FSA plans to update the relevant guidance on "Current Situation and Issues" on December 25, and will hold a discussion called "Roundtable on Strengthening Internal Auditing of Financial Institutions" in late January 2025. In addition to inviting representatives from the Bank of Japan and the Association, the FSA emphasized that it would cooperate with the Japan Cryptocurrency Exchange Association (JVCEA), hoping to jointly formulate new standards that respond to the risks and trends of the global crypto market.

The Financial Services Agency had mentioned the importance of "international trends" many times before the meeting, indicating that Japanese officials hope to align with foreign regulators while taking domestic characteristics into account. Several major hacking incidents this year, especially the DMM Bitcoin theft of approximately US$370 million (including more than 4,500 Bitcoins), show that once a major security breach occurs, it has a serious impact on exchanges and even the entire financial market. This time, the FSA not only issued strict guidelines for traditional banks, but also explicitly required crypto exchanges, for the first time, to carry out internal control inspections at the same level as banks. The move was seen as another major step towards "integrated financial supervision" in Japan. The industry generally believes that the string of hacker attacks in 2024 has become the trigger for the authorities to launch a major overhaul.

The FSA will hold a roundtable titled "Strengthening Internal Auditing in Financial Institutions" in late January 2025. (Source: FSA)

The aftermath of the DMM Bitcoin hack: North Korean hackers become a target

The impetus for this strengthened audit traces back to the DMM Bitcoin hacking incident that shocked the industry in May. Japanese police and the FBI determined that the culprit behind the attack was most likely the TraderTraitor organization, which has close ties with the North Korean government. The case resulted in the loss of more than 4,500 Bitcoins from DMM Bitcoin, worth approximately $307 million. Although DMM Bitcoin subsequently said that it had received compensation from the group for its losses, the strongly negative perception led the exchange to announce the closure of some businesses soon after, and there were even rumors that it might withdraw from the market completely.

"The hackers sneaked into the internal system without anyone noticing, exploited employees who mistakenly clicked on malicious links to obtain key permissions, and finally succeeded in withdrawing a huge amount of bitcoins," a security expert who asked not to be named explained. "This reveals the human vulnerabilities common in crypto trading: a combination of inadequate employee education and weak internal firewalls."

North Korean hackers have now become the "number one public enemy" of Japan's financial and government departments. TraderTraitor, also known as Jade Sleet, UNC4899 or Slow Pisces, has committed many crimes in Asia. These signs have made the FSA more vigilant and convinced it that audits must be improved, employee operating procedures checked regularly and information security infrastructure strengthened in order to block such high-level attacks.

Both crypto and traditional finance are affected: an integrated regulatory landscape is taking shape

This new FSA measure is clearly not aimed at a single sector, but is intended to create "integrated supervision". In the past, under Japan's financial supervision system, the payment system was under the control of the central bank, while digital assets fell under the scope of the Securities and Exchange Act, leaving crypto market supervision relatively loose and information security even more fragile. Now the FSA has stated bluntly that it will bring traditional banks and crypto exchanges under more stringent internal audit standards, indicating that the authorities want to use the same standards to review risk control processes. For exchanges, this means starting in-depth inspections of their own systems. Key points include employee security training, the division of system access levels, and effective multi-signature management.

At the roundtable to be held in January next year, in addition to traditional financial leaders, JVCEA will also play a central role as the representative of "self-regulation" in the Japanese crypto industry. In recent years, the association has worked hard to promote higher standards of capital reserves and technical auditing at exchanges, but the results have been limited. Many international exchanges still have serious concerns about the Japanese market: on the one hand there is the threat of hackers, and on the other there is regulatory uncertainty. Once the FSA steps in, a clear audit structure, if one can be established, may help to improve this atmosphere.

Outlook: Can a safe ecosystem be created?

It cannot be denied that the Japanese digital asset market currently faces both external threats and internal worries. Externally, the activities of North Korean hacker organizations continue to intensify; internally, regulation is fragmented and industry self-discipline is insufficient. However, the FSA's comprehensive adjustment of internal audit regulations also shows that the authorities are trying to turn around the image and security of Japan's crypto industry. Although the follow-up details are still to be finalized at the roundtable, if the relevant terms can be implemented, they will help consolidate investor confidence and may also bring in the overseas funds that the Japanese market lacks.

According to market observations, if the audit mechanism is indeed improved, when foreign or local capital is deployed in Japan in the future, the time to assess risks may be significantly shortened, which will help the recovery of overall transaction volume. However, for exchanges, costs are bound to increase: more funds will be invested in hiring senior security experts, deploying high-intensity audit tools, and strengthening employee education and training, which may test the viability of some small and medium-sized operators.

Overall, the strict audits required by the Japan Financial Services Agency reflect the government's high requirements for market order and security, and are also intended to prevent attacks like the one on DMM Bitcoin from happening again. As for whether hacker breaches can be completely eliminated, I am afraid that this still requires long-term cooperation between the industry and the authorities. However, at least from the perspective of regulators, Japan is gradually forming a new financial model that strengthens both self-discipline and regulation. This will be a benchmark worth watching for the Japanese crypto industry and even the global market.

The article "DMM takes big action after being hacked! The Japan Financial Services Agency requires strengthening audits, and exchanges welcome strict supervision" was first published in "Crypto City".