The Financial Services Agency amends its supervisory guidelines. Phishing-resistant authentication methods will become mandatory. It's not biometric authentication as some articles say!

The Japanese Financial Services Agency has published draft amendments to its supervisory guidelines under which phishing-resistant authentication methods will become mandatory. Contrary to what some media reports say, this is not biometric authentication. Public comments are open until August 18th.

On the 15th, the Japanese Financial Services Agency published a draft partial revision to the "Comprehensive Guidelines for Supervision of Financial Instruments Business Operators, etc." and began accepting public comments on it. The deadline is Monday, August 18th at 17:00 JST (comments must arrive by then).

The amendment responds to the frequent cases of unauthorized access and unauthorized trading (trades placed by third parties) in Internet trading services, carried out with customer credentials (login IDs, passwords, etc.) stolen through phishing sites disguised as securities company websites. Its aim is to strengthen authentication methods and fraud prevention measures in Internet trading.

The passages most likely to interest readers of this blog are the following:

Taking the "Guidelines for Cybersecurity in the Financial Sector" and the Japan Securities Dealers Association's "Guidelines for Preventing Unauthorized Access in Internet Trading" into account, appropriate security measures shall be taken according to the content of the services provided. "Man-in-the-middle" and "man-in-the-browser" attacks need to be taken into account.
(..snip..)
For important operations such as logging in, withdrawing funds, and changing the withdrawal bank account, phishing-resistant multi-factor authentication (for example, passkey authentication or PKI (public key infrastructure) based authentication) shall be implemented and made mandatory (set as the default).
(Source) Financial Services Agency, Partial Revision of the "Comprehensive Guidelines for Supervision of Financial Instruments Business Operators, etc." (Draft) [Comparison Table of Old and New Guidelines]

So phishing-resistant authentication is to become mandatory. For why this matters, see "The threat of real-time phishing that cannot be prevented by one-time passwords: The true nature of phishing resistance using passkeys". Whether "multi-factor" is actually necessary, on the other hand, is debatable. As I have been arguing for some time, it is time to move away from the "curse of multi-factor authentication" and focus instead on "what threat the measure is responding to."

Other materials include:

(Appendix 1) Partial Revision of the "Comprehensive Guidelines for Supervision of Financial Instruments Business Operators, etc." (Draft) [Comparison Table of Old and New Guidelines]
(Appendix 2) Partial Revision of the "Supervisory Guidelines for Credit Rating Agencies" (Draft) [Comparison Table of Old and New]
(Appendix 3) Partial Revision of the "Supervision Guidelines for High Speed Traders" (Draft) [Comparison Table of Old and New]
(Appendix 4) Partial Revision of the "Supervision Guidelines for Investment Management-Related Business Operators" (Draft) [Comparison Table of Old and New]

Some reports are hard to understand: biometric authentication will NOT become mandatory!

On the other hand, some reports are hard to understand, and it is puzzling why they were written that way. A typical example is the Nikkei's "Financial Services Agency and Japan Securities Dealers Association issue new guidelines to make biometric authentication mandatory to prevent securities account hijacking". Nikkin likewise ran "Financial Services Agency proposes strengthening measures against securities account hijacking by making biometric and other multi-factor authentication mandatory". In other words, they wrote that biometric authentication will be mandatory.

However, the revised supervisory guidelines quoted above do not mention "biometric authentication" at all. A passkey is given as an example, but a passkey is not biometric authentication. I wish they would report this accurately instead of taking the bait of "it's easy to understand." The important point this time is that phishing-resistant multi-factor authentication becomes mandatory, not biometric authentication. Obviously, performing "biometric authentication" locally on the device and then sending a password to the site does not qualify: the site still receives a reusable secret that a phishing page can capture and relay. What makes a passkey phishing-resistant is that the signed response is bound to the origin and relying party, not the fact that a fingerprint or face unlocks it.

So I would like to ask those in the media to be very careful.
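The following is an added example, not code from the FSA guidelines or from this post, illustrating the distinction just made. It models the relying-party side of a passkey (WebAuthn-style) assertion check in Go: the browser fills in the page's real origin in clientDataJSON, the authenticator signs authenticatorData together with a hash of clientDataJSON, and the server rejects anything whose origin or RP ID does not match. For contrast, a "biometric unlock, then send the password" login accepts the same secret from anywhere. Simplifications are labelled in the comments: authenticatorData is reduced to the RP ID hash (real WebAuthn also carries flags and a counter), the RP ID `securities.example`, the origins and the challenge are made-up, and in a real browser the phishing page could not even invoke the passkey because the RP ID is not a registrable suffix of its origin; the server-side checks shown here are the backstop.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors the fields of WebAuthn's clientDataJSON used here.
// The browser, not the web page, fills in "origin".
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the relying party receives from the client.
type assertion struct {
	AuthenticatorData []byte // simplified: only the 32-byte SHA-256 of the RP ID
	ClientDataJSON    []byte
	Signature         []byte
}

// authenticator is a minimal stand-in for a passkey: one key pair bound to an RP ID.
type authenticator struct {
	rpID string
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func newAuthenticator(rpID string) *authenticator {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &authenticator{rpID: rpID, priv: priv, pub: pub}
}

// sign models the browser+authenticator half of navigator.credentials.get():
// the browser records the calling page's actual origin in clientDataJSON and
// the authenticator signs authenticatorData || SHA-256(clientDataJSON).
func (a *authenticator) sign(origin, challenge string) assertion {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpIDHash := sha256.Sum256([]byte(a.rpID))
	cdHash := sha256.Sum256(cd)
	msg := append(append([]byte{}, rpIDHash[:]...), cdHash[:]...)
	return assertion{AuthenticatorData: rpIDHash[:], ClientDataJSON: cd, Signature: ed25519.Sign(a.priv, msg)}
}

// relyingParty is the securities site's verification side.
type relyingParty struct {
	rpID           string
	allowedOrigins map[string]bool
	pub            ed25519.PublicKey
}

// verify performs the checks that make passkeys phishing-resistant:
// ceremony type, fresh challenge, allowed origin, RP ID hash, and the signature
// that binds all of them together. Any failure returns an error.
func (rp *relyingParty) verify(as assertion, expectedChallenge string) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch (replay?)")
	}
	if !rp.allowedOrigins[cd.Origin] {
		return fmt.Errorf("origin %q not allowed: likely phishing page", cd.Origin)
	}
	want := sha256.Sum256([]byte(rp.rpID))
	if !bytes.Equal(as.AuthenticatorData, want[:]) {
		return errors.New("RP ID hash mismatch")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	msg := append(append([]byte{}, as.AuthenticatorData...), cdHash[:]...)
	if !ed25519.Verify(rp.pub, msg, as.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

// passwordLogin models "local biometric unlock, then send the password": the
// site only sees the secret, which is identical from any origin, so a relayed
// password from a phishing page is indistinguishable from the real user.
func passwordLogin(stored, submitted string) bool { return stored == submitted }

// scenarios runs the cases discussed above and reports whether each login was accepted.
func scenarios() (genuine, phished, forgedOrigin, relayedPassword bool) {
	const rpID = "securities.example" // hypothetical RP ID
	auth := newAuthenticator(rpID)
	rp := &relyingParty{rpID: rpID, allowedOrigins: map[string]bool{"https://securities.example": true}, pub: auth.pub}
	challenge := "c0ffee-constructed-challenge"

	// 1. User signs in at the real site.
	genuine = rp.verify(auth.sign("https://securities.example", challenge), challenge) == nil

	// 2. Real-time phishing: the user unlocks the passkey on a look-alike page.
	//    The browser records the look-alike origin, so the RP rejects it.
	phished = rp.verify(auth.sign("https://securities-example.login-verify.test", challenge), challenge) == nil

	// 3. The phisher rewrites clientDataJSON to claim the real origin before relaying.
	//    The signature covered the original clientDataJSON, so it no longer verifies.
	as := auth.sign("https://securities-example.login-verify.test", challenge)
	as.ClientDataJSON, _ = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: "https://securities.example"})
	forgedOrigin = rp.verify(as, challenge) == nil

	// 4. Biometric-unlocked password captured by the phishing page and relayed.
	relayedPassword = passwordLogin("hunter2", "hunter2")
	return
}

func main() {
	g, p, f, r := scenarios()
	fmt.Printf("genuine=%v phished=%v forgedOrigin=%v relayedPassword=%v\n", g, p, f, r)
}
```

The point to take from the three passkey cases is that neither the origin check nor the signature check depends on how the user unlocked the authenticator; a PIN-protected passkey behaves identically. The fourth case is what a "biometric login" that merely gates a password actually gives the server.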

Biometric authentication can be performed locally or remotely. For mobile devices, ISO has standardized both modes in the following documents. Both are publications of SC 27, Information security, cybersecurity and privacy protection, and I currently chair the corresponding national technical sub-committee.

ISO/IEC 27553-1:2022 Information security, cybersecurity and privacy protection — Security and privacy requirements for authentication using biometrics on mobile devices — Part 1: Local modes
ISO/IEC 27553-2:2025 Information security, cybersecurity and privacy protection — Security and privacy requirements for authentication using biometrics on mobile devices — Part 2: Remote modes

Hope this helps.

8 replies to "Financial Services Agency revises supervisory guidelines. Phishing-resistant authentication methods to be mandatory. Not biometric authentication as some articles say! Public comments open until August 18th"

  1. By the way, if this is done, scraping will no longer be possible. Banks provide APIs, but the securities industry is behind in this regard, and there is a concern that it will no longer be possible to pull data into household accounting software or asset management software. So it seems this should be considered together with providing APIs.
