Domestic VASP security / audit / ISMS certification landscape
#exchanges#vasp#security#audit#isms#iso27001
Overview
Domestic VASPs bear security + audit obligations across three layers: FSA supervisory guidelines + JVCEA self-regulatory rules + industry self-standards. In addition to statutory requirements, obtaining third-party certifications such as ISMS (ISO/IEC 27001) and SOC2 Type II reports has effectively become standard, serving as a prerequisite for institutional-investor onboarding + overseas collaboration + B2B custody engagements. Following the Coincheck NEM theft (2018) + the DMM Bitcoin Lazarus theft (2024), certification has reached a state of “voluntary in name, but you cannot stay in the industry without it.”
Statutory obligations (amended Payment Services Act + supervisory guidelines)
- System-risk management framework: management involvement + risk assessment + internal audit (annual)
- Segregated management of customer assets: trust custody + internal audit + external audit by an audit firm
- Cold storage 95% / hot wallet 5% split: JVCEA rules · operational-audit obligation
- AML/CFT internal controls: compliance with the Act on Prevention of Transfer of Criminal Proceeds + JAFIC reporting framework
- Personal information protection: Act on the Protection of Personal Information (APPI) + extraterritorial application of GDPR (where overseas customers exist)
Third-party certifications (voluntary but effectively mandatory)
- ISMS (ISO/IEC 27001): obtained by all major firms including bitFlyer / Coincheck / GMO Coin / SBI VC Trade / bitbank
- SOC2 Type II: centered on institutional OTC / custody (Crypto Garage / Custodiem / Komainu Japan, etc.)
- PCI DSS: related to fiat-currency card payments (some)
- Certified Internal Auditor (CIA) / Certified Information Systems Auditor (CISA): mandatorily placed in internal-audit departments
VASPs by audit firm
- EY ShinNihon: bitFlyer / Coincheck
- PwC Aarata: SBI VC Trade
- Deloitte Touche: GMO Coin
- KPMG AZSA: Custodiem / Mercury group
- The global Big Four hold a 100% share of VASP auditing; small and mid-sized audit firms find it difficult to enter (specialized talent + cost + risk tolerance)
International comparison
- U.S.: SOC2 + state-by-state money transmitter license (MTL) audits + NYDFS Part 500 (BitLicense)
- EU: MiCA + DORA strengthen ICT third-party auditing (2025-)
- South Korea: ISMS-P (integrated personal-information + information-protection) mandatory
- Japan: three layers of ISMS + internal audit + FSA monitoring, a structure unique in that self-regulation (JVCEA) effectively mandates obtaining certification