Lifecycle Management of Products, Services and Activities

Discussion Paper (Provisional Translation) Lifecycle Management of Products, Services and Activities June 2024

Table of Contents I. Introduction.............................................................................................................................. 1

1. Lifecycle Management of Products, Services, and Activities at Financial Institutions........1
2. Background to the Discussion Paper........................................................................................................2
3. Purpose of the Discussion Paper................................................................................................................3 II. Lifecycle Management of Products................................................................................ 4
4. New Product Approval..................................................................................................................................4
5. Ongoing Risk Management of Products..............................................................................................12
6. Expectations for Top Managers..............................................................................................................14 III. Practices of New Product Approval ...........................................................................16 IV. JFSA’s Monitoring Activities.......................................................................................22 Appendix 1: Incidents Related to Lifecycle Management of Products..................23 Appendix 2: Related International Discussions and Guidelines...............................25

1 I. Introduction

1. Lifecycle Management of Products, Services, and Activities at Financial Institutions For financial institutions, providing added value to customers and markets through new products and services, and starting new activities are essential aspects as corporations to find new revenue sources and achieve sustainable growth. If financial institutions do not continue to take risks to create innovative businesses, they may find it difficult to survive. Nevertheless, new businesses may pose new risks for financial institutions. It is the role of management to identify all the risks inherent in new products before providing the products, evaluate whether the products are consistent with their strategy or within their risk appetite, and determine whether to take the risks, that is, whether to introduce the new products or not. When introducing new products, it is indisputable that speed is important in order to respond to customers' needs and to stay ahead of competitors. However, the business environment for financial institutions has become more complex due to technological innovation, globalization, rising geopolitical risks, and the increasingly high social expectations for financial institutions. In addition, the speed of change has increased the uncertainty in the business environment. Given such circumstances, it is necessary to consider a wide range of risks, both financial risks and non-financial risks such as reputational risks, in order to prevent financial institutions from incurring unintended risks through the introduction of new products. In other words, new products must be introduced under an internal control environment that enables timely decision-making based on thorough identification and assessment of risks. Furthermore, after the introduction of new products, risks that were not anticipated at the time of introduction may arise, such as becoming unable to meet customer needs due to changes in the business environment or governance becoming inadequate due to the expansion of transaction volume. It is important for financial institutions to identify such risks in a timely manner and take appropriate measures to ensure customer protection and their safety and soundness. It is necessary for financial institutions to establish ongoing risk management of products that enables identification of emerging risks and strengthening of risk management accordingly, and even make decisions to suspend the handling of a product if it deviates from their strategy. In this paper, "lifecycle management of products" is defined as the continuous management of risks associated with products from the stage of development through to discontinuation, always keeping in mind the consistency with strategies (see [Figure 1]). Under the complex and constantly changing business environment, financial institutions are required to examine which risk management system is appropriate for each stage of the lifecycle of the products and services they provide and the businesses they handle, and continue to update their risk management system in a timely manner.

2 [Figure 1] Overview of Lifecycle management of products Source: JFSA 2. Background to the Discussion Paper With the business environment becoming increasingly complex and undergoing rapid change, there is an increasing need for financial Institutions to review and upgrade their product management. 1 In recent monitoring activities, JFSA identified multiple cases where risks in products, services, and activities surfaced due to inadequate risk assessment and inadequate implementation. There were also cases where the risk management framework or operations that had been established at the time of implementation were not updated soon enough in response to changes in the business environment and expansion of businesses. This document highlights JFSA’s fundamental approach to the lifecycle management of products. It is based on the results of a survey on the management of products at G-SIBs’ Japanese entities, 2 major Japanese banks, and major Japanese securities firms, who require advanced management of product risks, in light of their size, global nature of business and

1 The "Principles for Customer-Oriented Business Conduct" (March 30, 2017, as amended on January 15, 2021) stipulates the pursuit of customers' best interests (Principle 2). Furthermore, the "Act on Provision and Improvement of Environment for Utilization of Financial Services" (Act No. 101 of 2000) requires business operators engaging in the provision of financial services to conduct their business in a sincere and fair manner while taking into account customers' best interests. Financial institutions are also required to conduct their business in a sincere and fair manner while taking into account customers' best interests in order to add value to society and at the same time ensure the sustainability of their business. 2 G-SIBs selected by the Financial Stability Board (FSB), excluding financial institutions designated by the JFSA as G-SIBs.

3 operations, and the risk profiles of the products they handle. 3 3. Purpose of the Discussion Paper "JFSA’s Supervisory Approaches" (June 2018), outlines key principles for supervision. 4 As described in the paper, JFSA issues discussion papers to enhance communication on specific themes. This is a discussion paper that addresses the lifecycle management of products and services at financial institutions. JFSA intends to utilize this paper to facilitate dialogues between JFSA and financial institutions towards better practices. The primary scope forsuch dialogues is large Japanese banks, large Japanese securities firms, and Japanese entities of G-SIBs. JFSA will not superficially apply each item to financial institutions or use them as checklists. When holding dialogues with financial institutions using this document, JFSA will give due consideration to the type and size of the specific financial institution, its global business operations, and the risk profile of the products it handles, since the frameworks and resources required for the management of products differ depending on those characteristics. In particular, JFSA will not require small financial institutions to engage in unnecessarily complex discussions. On 26 April 2024, JFSA published a draft version of this discussion paper for public consultation. A summary of the comments received and the JFSA’s position on them are now published on the JFSAwebsite. 5 JFSAwill continue our discussions with a wide range of stakeholders, including financial institutions and their users, and may revise this paper as necessary, to encourage financial institutions to enhance their product lifecycle management.

3 Seven Japanese entities of overseas G-SIBs, three major Japanese banks, and five major Japanese securities companies. The JFSA also investigated the risk management of products of material subsidiaries that conduct banking or securities businesses to understand the risk management framework of the financial group. 4 https://www.fsa.go.jp/en/wp/supervisory_approaches_revised.pdf 5 https://www.fsa.go.jp/news/r5/sonota/20240619-2/20240619.html

4 II. Lifecycle Management of Products The management of products, services, and activities (collectively, "products") at financial institutions consists of the management of new products, services, and activities (collectively, "new products"), in which new products are introduced after broad risk assessment, well prepared implementation, and the ongoing risk management of products in business as usual. 6

1. New Product Approval Over the years, financial institutions have developed, implemented, and enhanced their management of new products, which consist of a generally common process: proposals for new products by product owners, risk assessments by risk assessment divisions, approvals by new product committees, 7 implementation by product owners, and post implementation reviews by product owners and relevant divisions. This chapter explains JFSA's basic approach to further enhancing the risk management of new products. 8 (1) Group-wide risk management While there are various forms of governance at financial groups, the management in charge of group governance should, under the responsibility of the Board, develop a new product approval framework that allows the management to make timely decisions on the introduction of new products, ensuring that the new products are aligned with the group's strategy and the risk appetite. In particular, with regard to overseas subsidiaries that require a higher level of risk management, it is necessary to develop a risk management framework in which the head office responsible for business management can place necessary control over the introduction of new products, based on the premise that new products of overseas entities may affect the safety and soundness of the group. G-SIBs have a centralized group-wide new product approval framework. Under the framework that defines the scope of new products and the approval process, each line of

6 BAU. 7 Any committee whose main purpose is to discuss or approve the introduction of new products is collectively referred to as the "New Product Committee." 8 The "Comprehensive Supervisory Guidelines for Major Banks" includes a supervisory viewpoint that financial institutions should fully examine system risk at the time of introducing new products. The "Comprehensive Supervisory Guidelines for Financial Instruments Business Operators" includes similar supervisory viewpoints regarding system risk and counterparty risk. This paper discusses that financial institutions should fully examine a wide range of risks, both financial and non-financial, regarding the products and services they provide to customers and markets as well the products they own and their own activities or operations.

5 business, 9 region, or local entity have their own processes. In addition, the decision on whether to introduce new products is generally made at the group level. 10 The introduction of new products by Japanese entities of G-SIBs is also determined at the group level, except for low-risk products. In the group-level new product approval process, decision making is based on risk assessment with regard to Japanese laws, regulations and operations, as well as the assessment of consistency with the group strategy. In addition, the Japanese entity will also determine whether to introduce the new products based on an assessment of alignment with strategy and detailed risk assessment in terms of Japanese laws, regulations and operations. The risk management framework of G-SIBs is reasonable in terms of group-wide risk management. It is also understandable based on the fact that risks inherent in products are considered to be basically the same regardless of the location, and that back-office and middle-office operations, such as the origination and sale of products, booking, operation, and financing, are conducted across locations. However, it should be noted that, at the Japanese entities, excessive reliance on group-wide risk assessments could lead to insufficient reviews from the perspective of compliance with Japanese laws and regulations. It is important for Japanese entities to conduct risk assessments and make decisions on its own initiative so that it can fulfill its responsibility to ensure compliance with Japanese laws and regulations. With regard to major Japanese banking groups, some groups have a new product approval framework developed by the holding company that is generally common across its subsidiaries. There are also groups in which each subsidiary has a different framework. Some holding companies request consultation with subsidiaries before new products are launched and conduct risk assessment and decision-making, and others require subsidiaries to report after the subsidiaries’ approval.Among the banks within each group, there are also differences in the level of subsidiary governance. Among the major Japanese securities firm groups, there are groups that have a centralized product approval framework including subsidiaries, groups that have a broadly shared framework between the headquarters and subsidiaries, and groups that have frameworks that differ between the head office and subsidiaries. In groups that do not have a centralized control environment, some group headquarters are informed of all the new products of their subsidiaries in advance, and depending on the risks, conduct risk assessment and decision making through the new product approval process of the headquarters. On the other hand, some group headquarters do not even receive information after the approval at the subsidiaries. Therefore, there are significant differences in the status of risk management as a group. However, some firms are reviewing the framework at subsidiaries and strengthening controls by the head office to

9 It often includes an investment banking division, or retail finance division. 10 Many financial institutions make decisions at the group level for each line of business.

6 establish a centralized control environment. The Japanese financial groups should establish a new product approval framework that can sufficiently control the introduction of new products by companies within the group, including overseas entities. Specifically, it is necessary to clearly define the scope of new products within the group, and when subsidiaries should consult with the group prior to their own approvals, so that the management in charge of group governance can make decisions on new products that could have an impact on the safety and soundness of the group. In addition, it is necessary to establish a new product approval framework at the subsidiaries that enables them to make appropriate decisions based on sufficient risk assessment, including new products for which prior consultation is not required from the group. (2) Role of management It is the responsibility of senior management to make a comprehensive judgment on whether or not new products should be introduced, taking into account whether generating profits from new products is consistent with strategies and whether financial risks and non-financial risks, including reputational risks, are within the risk appetite. It is necessary to clarify the responsibilities of the senior management in charge of the product owner and the risk assessment division, and to develop a new product approval framework that enables them to fulfill their responsibilities. In many G-SIBs, a new product committee for each line of business discusses and approves new products from a broad perspective, including consistency with strategies. The approvers are determined according to the risks of new products. They are generally at the managing director level or higher 11 from the product owners and risk assessment divisions. In addition, for the Japanese entities, new products are approved by the head of each relevant division 12 at the new product committee. At major Japanese banks, high-risk new products are discussed and approved by a management committee or new product committee by the executives of the product divisions and risk assessment divisions. At some banks, however, discussions and approval by executives are limited. The authority for middle- to low-risk, new products is broadly delegated to the head of the risk management department and below. 13 Most of the major Japanese securities companies discuss and approve high-risk, new products at the management committee. Other proposals are approved by the executives of the product owner and the risk assessment divisions. Some companies have a new product committee for the executives of relevant divisions to discuss high-risk new

11 Generally one or two levels below members of the group's management board. 12 Typically a member of a management committee or a lower level in the Japan office. 13 In some financial institutions, the product division gives separate approval.

7 products. On the other hand, some companies do not require discussion and approval by senior management in principle. In addition to the approval phase, there are various other occasions on which senior management may be involved, such as the phase of deciding to put new products through the approval process by the product owner division, the stage of confirming the results of risk assessment by the risk assessment division, and the stage of confirming that risk mitigation measures have been completely implemented. Senior managers of financial institutions should duly consider how to fulfill their responsibilities with regard to the determination to introduce new products in accordance with their risks, taking into account group governance perspectives. (3) Risk-based management framework In order to realize timely decision-making with regard to the introduction of new products based on sufficient identification and assessment of risks, it is important to appropriately define the scope of new products subject to the new product risk management framework. It is also necessary to develop processes in accordance with the risks of the new products. G-SIBs, major Japanese banks, and major Japanese securities firms all define new products as “products that are new to the firm” and “changes to existing products.” Changes to existing products include changes to the region where the product is sold, changes to the customers to whom the product is sold, and the addition of new asset classes. These changes significantly change the characteristics of the product and require implementation based on cautious risk assessment. On the other hand, there are minor changes that do not require such detailed risk assessment or preparation for implementation. It is an important issue to determine the extent of changes that warrants new product management. If the scope of a new product risk management framework is narrowed, more new products will be introduced without sufficient risk identification and assessment by the product owner and risk assessment divisions, increasing the possibility of incurring unexpected risks. However, if the scope is excessively broadened without taking risks into account, there may be incentives for the product owner divisions to avoid the new product management process. In addition, the burden on the risk assessment divisions may be excessive, and resources may not be allocated to projects that should be carefully assessed, resulting in insufficient risk assessment. G-SIBs have adopted risk-based proposal, risk assessment, and approval processes to enable a wide range of products to become subject to risk management. Some G-SIBs prioritize the assessment of new products that are strategically important. Although many of the major Japanese banks and securities firms have multiple risk-based approval

8 processes in place, the processes for proposing new products and assessing risk are generally the same regardless of risk, and efforts to prioritize important initiatives are limited. To enhance the effectiveness of the new product management framework, financial institutions need to fully consider the definition of the scope of new products, and processes accordingly. (4) Roles of the new product management team In order to realize a risk-based management framework for new products, important judgments, such as applicability to new products, and the magnitude of risks must be appropriately made by people that participate in the new product approval process. The team that develops and manages the new product management framework (hereinafter called “new product management team”) stands between the product owner division and the risk assessment division and has an important role of ensuring appropriate judgments throughout the process. G-SIBs have a dedicated new product management team as either the first or second line of defense at the group level, line of business level, or regional level. The main roles of the new product management team are to develop policies and procedures, develop various templates, including the list of considerations for risk assessment, develop IT infrastructure, provide training on new product management framework, and promote the new product management process. In particular, in the new product management process, the new product management team plays a role in proactively operating the new product management process and ensuring its effectiveness by determining whether the proposal falls under a new product, deciding which risk assessment division to participate in the process, checking the appropriateness of risk assessments, and checking the completion of risk mitigation measures. Many Japanese entities have similar teams 14 that govern the new product management process both globally and locally in collaboration with lines of business and regional new product management teams. At major Japanese banks, the risk management department as the 2nd line of defense assumes the role of the new product management team. At major Japanese securities firms, some have dedicated teams in the risk management department in the 2nd line. Others have the role carried out by the risk management department, or the corporate planning department, or jointly by multiple departments, including the compliance department. All of the teams in these companies play the same role as G-SIBs in developing rules and various forms. However, with regard to the governance of the new product management process, some teams fulfill the same role as G-SIBs, while others only collect the risk assessment results of each risk management department.

14 Not necessarily a dedicated team.

9 Some new product management teams at major Japanese banks and major Japanese securities companies track all new products of subsidiaries and operate the new product management process in accordance with the management framework as a group. Some other companies generally do not track new products of subsidiaries. Financial institutions are required to provide the new product management team the authority and resources necessary to develop and implement the new product management framework as a group, in light of the characteristics of business operations and the risk profiles of the products it handles. The new product management team must proactively participate in the new product management process and strive to ensure quality. (5) Risk ownership by the first line of defense and challenges by the second line of defense The risk management framework for new products cannot work without the risk ownership of the product owner division, which is the first line of defense that proposes new products. The product owner division must be proactively and autonomously aware that it knows best the risks of new products and bears the responsibility for them. The product owner must identify all the risks of new products, including consistency with the strategy, and bring them up for discussion with the risk management division. In order to realize new products as businesses with appropriately controlled risks, the risk management division and the compliance division, which form the second line of defense, as well as each corporate function 15 need to scrutinize whether there are any risks overlooked by the product owner divisions through forward-looking and constructive discussions with the product owner division, fully consider effective and feasible risk mitigation measures, and clearly set conditions for introduction from the viewpoint of securing commitment by the product owner divisions. Financial institutions should appropriately allocate resources so that the risk assessment division can fully exercise its challenge function. The risk assessment division should strive to improve its expertise through the accumulation of experience and knowledge and constantly update the viewpoints of risk assessment. Through these efforts, it is expected that the product owner division and the risk assessment division will build a sound relationship for the common purpose of realizing businesses in which risks are appropriately controlled.

15 For example, operations, technology, and finance.

10 (6) Role of internal auditors Internal audit, as the third line of defense, is responsible for evaluating the effectiveness and adequacy of the governance, risk management, and control processes of the organization, and actively providing management with useful suggestions for improving them. Also, internal auditors are expected to provide assurance that add value to the managers of the organization in response to changes in the business environment. 16 With regard to new product management, internal audit is required to validate the effectiveness and adequacy of the framework from an independent perspective, and make recommendations to the management for improvement. Internal auditors may verify whether the group-wide risk management framework is developed, whether proposals that fall under a new product are appropriately judged so, whether the risk assessment divisions are appropriately selected, whether the various templates including risk assessment items are appropriate, whether the completion of risk mitigation measures are confirmed, and whether the whole process is managed meaningfully without falling into mere formality. Furthermore, internal auditors may verify the effectiveness of the ongoing risk management of products from a lifecycle perspective. G-SIBs, major Japanese banks, and major Japanese securities firms all conduct audits of their new product management framework. There have been important recommendations for enhancing their new product management framework and ongoing risk management of products. In addition, internal auditors of G-SIBs and some major Japanese banks regularly gather and analyze information by, for example, participating as observers in new product approval committees, in order to flexibly respond to changes in risks associated with new products. If they have concerns, they can make recommendations to the product owner divisions and the risk assessment divisions before new products are introduced. Furthermore, in some financial institutions, when internal auditors identify large-scale, high-risk projects through information gathering, they provide real-time assurance from the initial stage of the projects. In these audit activities, internal auditors participate in various meetings and exchange opinions with related parties, to ensure that the project is managed under appropriate governance, such as thorough identification and assessment of risks by the first line of defense and the second line of defense, and appropriate reporting to management, and to timely assess whether the risk mitigation measures are valid. In this way, internal auditors, while independent from the first line and second line, provide assurance that adds value to management by proactively gathering information from relevant parties and identifying changes in risks from an early stage.

16 This concept is described in "The Current Status and Challenges of Enhancing Internal Audits at Financial Institutions" (June 2019). See this link below. https://www.fsa.go.jp/news/30/20190628_naibukannsa.html

11 It is important for financial institutions to consider the appropriate involvement of internal auditors so that they can fulfill their role, from the viewpoint of establishing an effective new product management framework. (7) Corporate culture The new product approval process relies on appropriate judgments made at each stage of the process by individuals involved in accordance with their responsibilities. Therefore, a sound corporate culture that supports such appropriate judgments must be fostered in order to realize a truly effective new product management framework. In addition to efforts to cultivate a sound corporate culture on a day-to-day basis, it is important to foster, through training and other means, a corporate culture in which product owner divisions are encouraged to consult with the new product management team and risk assessment divisions when they are uncertain whether a product falls under the category of a new product, to ensure that important decisions involved in the new product approval process are made appropriately. A financial institution with a new product management framework that is supported by a sound corporate culture may be able to constantly develop employees' ideas for innovative businesses with a sense of security that risks are appropriately controlled in the new product approval process. (8) IT infrastructure It is also important to pay attention to the IT infrastructure that supports the new product approval process. G-SIBs have a workflow system for group-wide management of new products. Each process, including primary assessments by product owner divisions, risk assessments and setting of conditions by risk assessment divisions, and confirmation of completion of risk mitigation measures are implemented on the workflow system. At major Japanese banks and major Japanese securities firms, the development and utilization of workflow systems was generally limited, thus the new product approval process seemed to require complicated manual work. In the new product approval process, there are many steps required for sufficient risk assessment and preparation for implementation, such as the preparation of materials that explain the new product, discussion with various risk assessment divisions, and confirmation of completion of risk mitigation measures. Therefore, it is important to reduce such burdens from the viewpoint of improving the effectiveness of the new product management framework. Developing a workflow system may be an effective measure.

12 2. Ongoing Risk Management of Products After new products are introduced and treated as existing products, risks that were not expected at the time of introduction may occur. Financial institutions manage products on an ongoing basis within their frameworks for managing financial risks, such as credit risk and market risk, as well as compliance risk and operational risk management frameworks, including complaints management, operational incidents management, and risk control self-assessments (RCSA). However, complaints and operational incidents may not necessarily lead to a review of products if the analysis of the connection with products is insufficient. Furthermore, some of the risks that occur after the introduction of new products are difficult to identify unless they are consciously managed from the perspective of products. For example:  Risk that products become inconsistent with the firm’s strategy due to changes in the business environment.  Risk that products may no longer meet customer needs as expected at the time of introduction due to changes in the business environment.  A risk that the risk management frameworks and operations become inadequate due to business expansion, since small-scale handling was expected at the time of introduction.  A risk that attention declines due to a decrease in the handling of products, resulting in a weaker risk management framework and a hotbed of fraud, or a risk that management costs will increase and affect profitability. The key to the lifecycle management of products is to establish an ongoing risk management framework for products, identify these risks before they materialize, strengthen the risk management framework and review operations, or make a decision to discontinue handling products if they are not aligned with strategy any more. Some G-SIBs, major Japanese banks, and major Japanese securities firms are developing frameworks to conduct periodic reviews from the perspective of products, notwithstanding the large number of products, and limited resources. It is desirable that other financial institutions also initiate risk management of products on an ongoing basis, taking into account their framework for managing financial and non-financial risks as well as the risk profiles of the products they handle. In periodic reviews from the perspective of products, the division in charge of the ongoing risk management of products 17 integrates and provides necessary information to the product owner divisions. The product owner divisions use this information to conduct reviews on its own initiative. The risk assessment division verifies the results of these reviews and reports them to the risk management committee. The following points are considered particularly

17 Could be at the first line of defense or the second line of defense depending on the firm. G-SIBs have dedicated teams at their headquarters.

13 important for financial institutions when starting their efforts for the ongoing management of products. (1) Risk-based approach It is not necessary to review all products at the same frequency. It is important to develop a framework to efficiently review products by identifying changes or increases in risks in advance. In selecting products to be reviewed, the following methods may be adopted: (i) select products that may have increased risks from specific viewpoints, such as the volume of transactions, the number and trends of complaints and operational incidents; (ii) utilize the voice of employees, including employees of branch offices; (iii) select products for which risks surfaced at other financial institutions, (iv) select products for which relevant laws and regulations have been amended; (v) select products related to areas of increasing social demand; (vi) focus on risks and issues identified in the new product approval process; and (vii) assign risk ratings in the new product management process and set the frequency of reviews, for example, every one to three years, depending on the ratings. To this end, it is necessary to group products by characteristics, aggregate data, such as the volume of transactions, revenue, risk information (including the amount of risk and risk rating), and information on complaints and operational incidents, and provide the information to the product owner divisions. Some financial institutions regularly summarize and report such information to managers as part of the management information system. Regarding the perspective of reviewing products, if a product is selected due to a large number of complaints, the details of the complaints will be analyzed in detail and the necessity of reviewing the characteristics of products will be discussed. For products selected based on risk ratings determined in the new product approval process, risks may be reassessed from the viewpoint of whether the risk rating remains appropriate and whether the risk management framework needs to be strengthened. For example, when the transaction volume of a product with an initial low risk rating due to low transaction volume significantly increases, the initial operation and risk management framework may need to be strengthened. It is necessary to report the results of the periodic review to the risk management committees so that they can be used to amend products or strengthen the control framework. This can be done as part of the new product management process. (2) Product Inventory Some G-SIBs and major banks in Japan maintain an inventory of the products they

14 handle for use in the ongoing management of products. 18 In many cases, the inventory is maintained separately from the list of new product approvals and the permitted product list related to the Volcker rule. 19 Some financial institutions maintain the inventory at the granularity of individual products, while others maintain the list by grouping products that have common characteristics, such as asset classes. The style of the product inventory is determined according to the purpose and method of the ongoing management of products and the number of products. When new products are approved in the new product approval process, they are newly added to the inventory or some information is updated with regard to the existing products. The products subject to periodical review would be extracted from the inventory. Moreover, because the products that should be managed and the responsible owners of the products are recorded in the inventory, when an issue occurs, it is possible for the owners and relevant parties to take prompt action. In addition, when a risk related to a certain product is identified, it is easy to examine similar products. Furthermore, from the viewpoint of improving management efficiency, it may become clear which products should be considered for exit. Due to the benefits of lifecycle management of products, financial institutions may consider developing a product inventory, while taking into account the constraints on resources. (3) Suspension or exit of products. In the course of the ongoing risk management of products, financial institutions may decide to suspend or discontinue the handling of products based on changes in the business environment. When suspending or discontinuing the handling of products, it is natural to take all possible measures to respond to affected customers’ needs. But it is also necessary to avoid a situation in which the suspension of operations related to the products would have an unexpected impact on the handling of other products. Therefore, it is desirable to go through the prescribed procedures before suspending or discontinuing the handling of products. This may be implemented in the new product management process. 3. Expectations for Top Managers The speedy introduction of new products by financial institutions leads to their strengthened competitiveness. As such, top managers should recognize the significance of a new product management framework that enables both speed and sufficient identification and assessment of risks, and should display the significance to the managers and employees who are responsible for the development of the framework, as well as to the managers and employees in the product owner divisions and other relevant divisions. Such an attitude of top managers

18 For G-SIBs, arrangements are made at the group level. 19 A list of trading products that is prepared to comply with the U.S. Volcker Rule.

15 will foster a sound corporate culture that supports the new product management framework, and will prevent, for example, cases where the introduction of new products is mistimed due to an excessive new product approval process, or cases where new products are introduced without sufficient identification and assessment of risks because of falling into mere formality. In order to continue to provide added value to customers and markets through products and services and to ensure the safety and soundness of the firm, the top management of financial institutions is expected to envision the ideal lifecycle management for products and proactively promote necessary initiatives, including the fostering of a corporate culture, toward the realization of the framework.

16 III. Practices of New Product Approval This chapter provides an overview of each stage of the new product approval process that were generally common among the financial institutions surveyed and some informative practices. (1) Proposal and primary assessment by product owner divisions New products subject to a new product management framework are generally defined as: (i) products, services, and operations that are completely new to the group, and (ii) certain changes to existing products, services, and operations (relatively large changes in product attributes, reference assets, target audiences, regions for sales, and internal processes). However, it is often difficult to judge whether or not to put a proposal through the approval process. For example, changes in the currency of a product or reference asset may be introduced without changing existing operations, systems, or risk management frameworks, but other products could require considerable preparation. Therefore, the product owner divisions often consult with the new product management team when determining whether a product that they want to start handling falls under a new product. If it is determined to fall under a new product, the new product management team decides which risk assessment and approval process to go through depending on its newness, complexity, and degree of impact. At the same time, the product owner division shall make a decision to put the proposal through the new product approval process. In consultation with the risk management division, the division in charge of products shall fill in the outline of the project (product characteristics, novelty, expected volume of transactions and profits, rationale of handling the product). It will also conduct a primary assessment of various risks (including risk mitigation measures) utilizing a predetermined template. The new product management team shall confirm the sufficiency of the content and initiate the new product approval process. Practices  Many financial institutions provide specific examples, lists of items to be checked, and questions in templates and manuals so that whether or not a proposal is a new product can be accurately and promptly determined. Some financial institutions judge whether a proposal is new by checking the product inventory.  Regarding the risk assessment and approval process for new products with little novelty, complexity, or impact, financial institutions had simple templates for summarizing the project outline and for risk assessment, or limited the risk assessment divisions that should participate in the process, and the final approver was the head of the enterprise risk management group or in a lower position.  Some financial institutions stated that they could not proceed with the new product

17 approval process unless the MD level of each product owner confirmed that the proposal is consistent with the group strategy.  In investment bank G-SIBs, 20 which have a large number of new products, the senior managers of the group determines the priority of projects for the entire group from the viewpoint of strategically and effectively utilizing limited resources.  Some financial institutions conduct risk assessment by the risk assessment division for all potential new products and determine whether they are new products and, if so, who will be the final approver. In this case, efforts were also made to reduce the burden on the product owner divisions by introducing a workflow system.  Some financial institutions ensured the involvement of the senior managers even in projects that were deemed low-risk, by entrusting the decision as to which assessment and approval process is to be used to the CRO (chief risk officer).  Even in cases where the headquarters and subsidiaries have established independent new product management frameworks, some subsidiaries' new￾product management teams regularly share projects, including pipelines, 21 with the headquarters’ new product management team from the viewpoint of ensuring collaboration between parent and subsidiary companies at the early stage. Some subsidiaries also require approval from the headquarters in order to determine whether a subsidiary's proposal falls under a new product. (2) Risk assessment by risk assessment divisions After the primary assessment by the product owner division, the risk assessment divisions assess the risks and set conditions and restrictions necessary for approval. In order to prevent risks arising due to changes in the business environment caused by consuming unnecessary time for risk assessment, the new product management team sets a target deadline and manages the progress of the process. The risk categories that are broadly common across firms are: market risk, credit risk, operational risk, reputational risk, technology, legal, compliance, financial crime, tax and finance. For each risk category, there are often templates that set out the important points to be assessed. The content and method of setting conditions and restrictions vary among financial institutions. Many of them have conditions that should be completed before new products are approved, before implementation, or before the first transaction, or that should be completed within a certain period after implementation or after the first transaction. Examples of the former include system development and preparation of manuals, while

20 G-SIBs with large investment banking business. 21 A project that is in the initial stage of consideration at a subsidiary.

18 examples of the latter include the development of reporting tools by the end of the quarter. Restrictions are often placed as requirements that must be observed continuously as long as the business continues or for a certain period of time. The former will be reflected in limits or policies and procedures, while the latter may be restrictions on the number of transactions until operations are stabilized. Practices  The new product management team of many financial institutions sets up kick-off meetings where the product owner division explains the outline of the proposal to the risk assessment divisions and holds a Q&A session. The advantage of having these meetings is identifying risks that may not be noticed through one to-one communication between the product owner division and each risk assessment division, and preventing the overlooking of risks that span multiple divisions.  At the initiative of the new products management team, some firms periodically reviewed their risk assessment templates and recently added third-party risk, operational resilience, and model risk to their risk assessment items. Some firms also used outside expertise in relatively new areas of risk assessment, such as economic security, green washing, climate risks, and AI risks.  Some firms tried to make risks visible in the risk assessment, by assigning a residual risk rating based on the inherent risks and risk mitigation measures. Some firms handed over the rating at the time of risk assessment to the ongoing risk management of products and used it to determine the frequency of periodic reviews.  Some financial institutions clarified where the responsibility lies by introducing a framework in which the assessment results done by the staff members are confirmed by senior staff at the MD level or above in the risk assessment division.  Some financial institutions tried to ensure sufficient assessment of both compliance and operational risks by having every risk assessment division assess compliance and operational risks arising from its own operation in relation to new products, and having the compliance department and operational risk department review the results of the assessment.  At some financial institutions, the new product management team convenes the product owner divisions and risk assessment divisions after all risk assessments have been completed, in order to confirm and share the details of the assessments.  Some financial institutions set conditions that should be met within a certain period after implementation, such as confirming whether operations and reporting are carried out as expected after executing the first transaction.  Some financial institutions set deadlines for the completion of post-implementation and post-first transaction conditions so that the completion of conditions would not be prolonged.

19 (3) Approval Based on the results of risk assessment (including risk mitigation measures, conditions, ratings) of new products, the new product committee, the management committee, or senior management and managers, depending on their novelty and size of risks, make final decisions such as approval, conditional approval, or rejection from a wide range of perspectives, including consistency with strategies, and reputational risk. Some firms determine whether a post-implementation review (see (5)) needs to be conducted after a certain period at this stage. In light of the fact that the risks of new products may change due to changes in the business environment, many financial institutions set approvals to expire at around six months to one year. If the product owner division intends to introduce new products or conduct their first transaction after the expiry, the new product approval process is required again. Practices  In some firms, high-risk products are first discussed by the new product committee, and then approved by the senior management (CxOs) of the product owner divisions and risk assessment divisions on their individual responsibility.  Some G-SIBs have taken the approach of submitting relatively minor changes to existing products to the new product committee to ensure engagement at the MD level or above. (4) Implementation of new products (Go-Live) The product owner division shall respond to the conditions that should be met before implementing a new product and the risk assessment division that set the conditions shall confirm the completion. The new product management team shall confirm the completion of all conditions and inform the product owner division that the product can be introduced. After introduction, the product owner shall inform the new product management team that the first transaction has been executed. Practices  At some financial institutions, this process is done efficiently. For example, the workflow system enables the product owner division to notify the risk assessment division that necessary actions have been completed with evidence. Then the risk assessment division confirms the appropriateness of the action and a senior member finalizes it on the same workflow system.  Conditions that have to be completed before implementation tend to be various

20 changes to operations, system enhancements, and notification to the authorities that require careful confirmation of the completion. Therefore, some financial institutions require confirmation at the MD level of the risk assessment division. Some financial institutions confirm the completion of a wide range of conditions by setting up a meeting of the new product management team with the participation of product owner divisions and the risk assessment divisions prior to implementation.  When it takes time to complete the conditions that should be met before the implementation of the new product, the business environment may change significantly from the time of risk assessment and approval, and thus risks may also change. Therefore, some financial institutions need to obtain approval from senior managers or directors before implementation. (5) Post Implementation / Execution Review After the implementation of a new product, the product owner division shall respond to the conditions that should be satisfied within a certain period, and the risk assessment division that set the conditions shall confirm the completion. Furthermore, as post implementation reviews, many financial institutions, for certain new products, examine whether transactions and operations are being conducted as approved, whether there are any problems, whether restrictions are being complied with, and whether risks other than those initially assumed have occurred, along with the volume of transactions and profits, approximately six months to one year after the implementation of new products or the first transaction. They then make decisions on whether to continue transactions or to make changes in operations. In general, the product owner division conducts the primary assessment in collaboration with the new product management team, and the risk assessment division verifies and reports the results to the new product committee. The type of new products subject to post implementation review shall be defined in advance or determined at each approval (see (3)). Practices  Regarding the scope of post implementation reviews, some financial institutions select all new products that went through the new product approval process. Others selected new products that went through the approval process for relatively new, complex or highly impactful new products.  Some financial institutions took into account the complexity of new products and the multitude of conditions set when making judgments each time new products were approved.  Some financial institutions conducted regular verification for about one year after

21 implementation, conducting both post implementation reviews and confirmation of the completion of conditions that should be completed within a certain period after implementation.  Some firms continued post implementation reviews until the residual risk rating assigned at the time of risk assessment became "low." For example, initially an operation was performed manually and the residual risk was assessed as "medium," but the residual risk was updated to "low" and the post implementation review was completed because the system was enhanced and thus the risk mitigation measures were enhanced.  Some financial institutions handed over issues identified in the post implementation review to the product inventory and continued verification during ongoing risk management. BOX: Harmonization of strong governance and speed When introducing new products, it is necessary to accurately identify and assess risks and prepare for introduction, including responses to conditions thoroughly with a certain level of quality. However, if unnecessary time is spent on risk assessment and responses to conditions, due to changes in the business environment and customer needs, it may become inappropriate to provide new products to customers and the market, and the resources spent may be wasted. The following initiatives taken by financial institutions are likely to contribute to shortening time and implementing necessary procedures while efficiently utilizing limited resources.  Prepare multiple assessment and approval processes depending on the risks of new products (See III (1)).  Select projects to be pursued at an early stage of proposal (see III (1)).  Management sets priorities (See III (1)).  Set deadlines for risk assessment and response to conditions (see III (2) (4)).  Set a deadline (for example, six months) from the start of the new product approval process to the completion of risk assessment. Under these initiatives, the time required from the proposal of new products to their implementation varies from one month to more than one year, and there were no major differences among financial institutions.

22 IV. JFSA’s Monitoring Activities JFSA will not use this document as a checklist. In cases where JFSA recognizes through supervision that financial institutions are considering the introduction of new products, JFSA will, as necessary, confirm that sufficient risk assessment and preparation for introduction are conducted in the new product approval process, and accumulate knowledge if we identify good practices. When JFSA recognizes, through inspections and supervision, that there is room for improvement in a financial institution's framework for lifecycle management of products, JFSA will engage in dialogues with the firm to gauge the status of the framework and issues that the firm is aware of, and identify challenges for improvement. JFSA will also share good practices to resolve such challenges and encourage the firm to improve its management of products.

23 Appendix 1: Incidents Related to Lifecycle Management of Products Through its monitoring activities, JFSA identified several incidents. Some cases had a significant impact financially or legally, some had a significant impact on customers. In some cases, the impact was relatively small, but led to a review of the product management framework. We will discuss the importance of lifecycle management of products from three examples of these cases. [Case 1] Large financial institutions, including overseas firms, experienced significant losses due to the default of a U.S. investment company client 22 . The losses were mainly attributable to derivative transactions (total return swaps) at U.S. subsidiaries of the institutions as part of their prime brokerage services for the client. Prime brokerage services and total return swaps were not new for these financial institutions. While certain governance and risk management frameworks were in place, they were not commensurate with the business strategy at a group-wide level when their overseas subsidiaries began transactions with customers with uncommon attributes, like family offices, and their frameworks were not sufficiently strengthened in line with the subsequent expansion of transactions. The importance of scrutinizing new risks before engaging in transactions and ensuring that they are aligned with the firm’s strategy and risk appetite, and checking through periodic reviews as to whether the risks taken by the firm have changed due to changes in the environment, and considering whether the control framework is commensurate with the increased transaction volume can be understood from the perspective of lifecycle management of products. Many lessons can be learned from this case. [Case 2] Firm A sells investment trusts managed by an affiliate of the group to institutional investors. For some investment trusts, the management by the affiliated company was different from what was expected at the time of product design. As a result, unexpected losses occurred in the investment trusts. The investment trusts in question had different assets under management (for example, currency) from the ones that had been managed by then, but it was determined that they did not fall under the category of new products. It is not easy to determine whether a proposal should be treated as a new product. The degree to which a change in the currency of assets under management would lead to a change in risk depends on the characteristics of the products. In this case, risks related to the operations of the affiliate company, in particular, seemed to have changed significantly. Therefore, risk assessment through the new product approval process could have been an effective means of holding discussions among various relevant parties about the appropriate management in accordance

22 https://www.fsa.go.jp/news/r3/shouken/20220420_fsaletter.html

24 with the product design, and confirming whether the investment trusts would be managed as designed. In addition, in this case, operations were unable to catch up with the rapid increase in transactions caused by changes in the market environment, resulting in multiple complaints and operational incidents. From the viewpoint of ongoing risk management of products, it is also important to continuously check whether operations are in place to meet the expansion of business and to take appropriate measures in a timely manner. [Case 3] Firm B sells structured bonds to institutional investors, structured by an overseas affiliate of the group. However, some of the bonds were not structured according to the expected scheme due to operational deficiencies and were continued to be sold for many years. The structured bonds had a different scheme (governing law) from the bonds issued before then, but they were determined not to fall under new products. It is not easy to determine the applicability of new products, and the extent to which a change in the governing law would lead to a change in risks depends on the characteristics of the products. Multiple legal entities with various roles are involved in the structuring of structured bonds, and operations are conducted across those entities. Therefore, in order to confirm whether the operation is ready to address the points that are different from the existing schemes, it could have been effective to conduct risk assessment through the new product approval process in which all relevant parties participate.

25 Appendix 2: Related International Discussions and Guidelines The management of products is discussed by the Basel Committee on Banking Supervision and incorporated into several international principles, and guidance on the management of products has also been issued by major foreign supervisory authorities. This chapter provides a list of the major items. Basel Committee on Banking Supervision (BCBS) Principle 7 of “Principles for Sound Operational Risk Management (2021)” 23 Principle 7 of “Principles for Corporate Governance for Banks (2015)” 24 U.S. Office of the Comptroller of the Currency (OCC) “New, Modified, or Expanded Bank Products and Services: Risk Management Principles (2017)” 25 U.S. National Association of Securities Dealers (NASD) “New Products - NASD Recommended Best Practices for Reviewing New Products (2005)” 26

23 Revisions to the principles for the sound management of operational risk https://www.bis.org/bcbs/publ/d515.htm 24 Corporate governance principles for banks https://www.bis.org/bcbs/publ/d328.htm 25 OCC Bulletin 2017-43 https://www.occ.treas.gov/news-issuances/bulletins/2017/bulletin￾2017-43.html 26 Notice to members 05-26 https://www.finra.org/rules-guidance/notices/05-26