Domestic VASP security / audit / ISMS certification landscape
Confidence: Likely
Updated: 2026-05-19
Review by: 2026-09-21
Sources: 2
Machine-translated from the original (JA). Tags: #exchanges #vasp #security #audit #isms #iso27001
Overview
Domestic VASPs carry security and audit obligations across three layers: FSA supervisory guidelines + JVCEA self-regulatory rules + industry self-standards. Beyond the statutory requirements, third-party certifications such as ISMS (ISO/IEC 27001) and SOC2 Type II reports have effectively become standard, serving as a prerequisite for institutional-investor onboarding, overseas collaboration and B2B custody engagements. Since the Coincheck NEM theft (2018) and the DMM Bitcoin theft by Lazarus (2024), certification has reached the state of "voluntary, but you cannot stay in the industry without it."
Statutory obligations (amended Payment Services Act + supervisory guidelines)
- System-risk management framework: management involvement + risk assessment + internal audit (annual)
- Segregated management of customer assets: trust custody + internal audit + external audit by an audit firm
- Cold storage 95% / hot 5%: JVCEA rules · operational-audit obligation
- AML/CFT internal controls: compliance with the Act on Prevention of Transfer of Criminal Proceeds + JAFIC reporting framework
- Personal information protection: Act on the Protection of Personal Information (APPI) + extraterritorial application of GDPR (where overseas customers exist)
Third-party certifications (voluntary but effectively mandatory)
- ISMS (ISO/IEC 27001): obtained by all major firms including bitFlyer / Coincheck / GMO Coin / SBI VC Trade / bitbank
- SOC2 Type II: centered on institutional OTC / custody (Crypto Garage / Custodiem / Komainu Japan, etc.)
- PCI DSS: where fiat-currency card payments are handled (some firms)
- Certified Internal Auditor (CIA) / Certified Information Systems Auditor (CISA): holders are required staff in internal-audit departments
VASPs by audit firm
- EY ShinNihon: bitFlyer / Coincheck
- PwC Aarata: SBI VC Trade
- Deloitte Touche: GMO Coin
- KPMG AZSA: Custodiem / Mercury group
- The global Big Four hold a 100% share (oligopoly); small and mid-sized audit firms find it difficult to enter VASP auditing (specialized talent + cost + risk tolerance)
International comparison
- U.S.: SOC2 + per-state MTL individual audits + NYDFS Part 500 (BitLicense)
- EU: MiCA + DORA strengthen ICT third-party auditing (2025-)
- South Korea: ISMS-P (integrated personal-information + information-protection) mandatory
- Japan: three layers of ISMS + internal audit + FSA monitoring, a structure unique in that self-regulation (JVCEA) effectively mandates obtaining certification
Related
Read next
- Domestic Web3 / Crypto-Asset Public Policy Body Layer (METI Web3 Policy Office / LDP web3 PT / Cabinet Secretariat): exchanges/jp-web3-policy-public-body-layer
- JVCEA: Overview of the Self-Regulatory Framework: exchanges/jvcea-self-regulatory-overview
- JVCEA Domestic Spot Trading Volume Statistical Analysis (2017-2026): exchanges/jvcea-spot-volume-statistics-analysis
Links here
- Crypto-asset custody provider landscape matrix (Japan + global institutional custody, 10 companies, technology / regulation / customer comparison): exchanges/crypto-custody-provider-landscape-matrix
- Global crypto-asset forensics-vendor layer (Chainalysis / Elliptic / TRM / Crystal comparison): exchanges/global-crypto-forensics-vendor-layer
- JBA (Japan Blockchain Association): exchanges/japan-blockchain-association-jba
- Japan crypto audit-firm landscape (Big4 + Grant Thornton Taiyo + BDO Sanyu crypto-practice comparison): exchanges/japan-crypto-audit-firm-landscape
- Etherscan verified-source poisoning: why "verified" is not "the bytecode": security/etherscan-verified-source-poisoning