Region

Jurisdiction

Regulator

2022-12-14

Guideline for Supervision of Funds Transfer Service Providers

Issued by Japanese supervisory authorities following the May 2021 revision of the Payment Services Act, this guideline establishes comprehensive supervisory standards for Type I, II, and III Funds Transfer Service Providers. It mandates rigorous assessments of business management, legal compliance, user protection, and IT system risk management, while imposing specific restrictions on fund retention and transaction limits based on service type. The document further outlines administrative procedures for registration, inspection, and cross-border transactions to ensure the safety and efficiency of the national funds settlement system.

Japan

Financial Services Agency Japan

1 14 Guideline for Supervision of Funds Transfer Service Providers （Provisional Translation） I. GENERAL...................................................................................................................................... 5 I-1 Structure of these Guidelines.......................................................................................................... 5 I-2 Matters concerning Article 2-2 of the Act (Acts falling under “exchange transactions”) .............. 5 II. ITEMS TO ASSESS COMMON TO ALL TYPES OF FUNDS TRANSFER SERVICE PROVIDERS .................................................................................................................................. 6 II-1 Business Management, etc.............................................................................................................. 6 II-1-1 Major Supervisory Viewpoints............................................................................................6 II-1-2 Supervisory Methods and Measures....................................................................................7 II-2 Appropriateness of Business Operations, etc. ................................................................................ 7 II-2-1 Compliance with Laws and Regulations, etc. .....................................................................7 II-2-1-1 Legal Compliance Framework, etc................................................................................8 II-2-1-1-1 Major Supervisory Viewpoints..............................................................................8 II-2-1-1-2 Supervisory Methods and Measures......................................................................8 II-2-1-2 Measures for Verification at the Time of Transaction, etc.............................................9 II-2-1-2-1 Major Supervisory Viewpoints..............................................................................9 II-2-1-2-2 Supervisory Methods and Measures....................................................................15 II-2-1-3 Prevention of Damage that May be Inflicted by Anti-Social Forces...........................15 II-2-1-3-1 Major Supervisory Viewpoints............................................................................16 II-2-1-3-2 Supervisory Methods and Measures....................................................................19 II-2-1-4 Supervisory Action to Misconduct ..............................................................................19 II-2-1-4-1 Major Supervisory Viewpoints............................................................................19 II-2-1-4-2 Supervisory Methods and Measures....................................................................20 II-2-2 Provision of Information and Consultation Function, etc. for Protection of Users...........20 II-2-2-1 User Protection Measures............................................................................................20 II-2-2-1-1 Major Supervisory Viewpoints............................................................................20 II-2-2-1-2 Supervisory Methods and Measures....................................................................24 II-2-2-2 Books and Documents.................................................................................................24 II-2-2-2-1 Major Supervisory Viewpoints............................................................................25 II-2-2-2-2 Supervisory Methods and Measures....................................................................26 II-2-2-3 Control Environments for Management of User Information .....................................27 II-2-2-3-1 Major Supervisory Viewpoints............................................................................27 II-2-2-3-2 Supervisory Methods and Measures....................................................................30 II-2-2-4 Dealing with Complaints, etc.(including Financial ADR System)..............................30 II-2-2-4-1 Major Supervisory Viewpoints concerning Establishment of Internal Control Environment for Handling Complaints, etc.........................................................31 II-2-2-4-2 Responses to the Financial ADR System ............................................................34 II-2-2-4-2-1 Major Supervisory Viewpoints in Cases Where a Designated Dispute Resolution Organizations for Funds Transfer Service Business (Designated ADR Body) exists......................................................................................34 II-2-2-4-2-2 Major Supervisory Viewpoints in Cases without Designated Dispute Resolution Organizations for Funds Transfer Service Business (Designated ※As of June 2021

2 ADR Body) ................................................................................................36 II-2-2-4-3 Provision of Information to Users.......................................................................39 II-2-2-4-4 Supervisory Methods and Measures....................................................................39 II-2-3 Administrative Operations ................................................................................................39 II-2-3-1 IT System Risk Management.......................................................................................40 II-2-3-1-1 Major Supervisory Viewpoints............................................................................40 II-2-3-1-2 Supervisory Methods and Measures....................................................................48 II-2-3-2 Administrative Risk Management ...............................................................................50 II-2-3-2-1 Major Supervisory Viewpoints............................................................................50 II-2-3-2-2 Supervisory Methods and Measures....................................................................50 II-2-3-3 Outsourcing .................................................................................................................51 II-2-3-3-1 Major Supervisory Viewpoints............................................................................51 II-2-3-3-2 Supervisory Methods and Measures....................................................................52 II-2-4 Responses to Persons with Disabilities.............................................................................53 II-2-4-1 Major Supervisory Viewpoints....................................................................................53 II-2-4-2 Supervisory Methods and Measures............................................................................53 II-2-5 Linkage with Services Provided by Other Service Providers such as Account Transfer Service...............................................................................................................................53 II-2-5-1 Major Supervisory Viewpoints....................................................................................54 II-2-5-2 Supervisory Methods and Measures............................................................................57 II-2-6 Compensation for Damage due to Improper Transactions................................................57 II-2-6-1 Major Supervisory Viewpoints....................................................................................58 II-2-6-2 Supervisory Methods and Measures............................................................................59 III. ITEMS TO ASSESS IN SUPERVISING TYPE I FUNDS TRANSFER SERVICE PROVIDERS ...................................................................................................................................................... 59 III-1Business Implementation Plan...................................................................................................... 59 III-1-1 Strict Restriction on Retention of Funds...........................................................................60 III-1-1-1 Major Supervisory Viewpoints....................................................................................60 III-1-1-2 Supervisory Methods and Measures............................................................................62 III-1-2 Method of Providing Services...........................................................................................62 III-1-2-1 Major Supervisory Viewpoints....................................................................................62 III-1-2-2 Supervisory Methods and Measures............................................................................63 III-1-3 IT System Risk Management ............................................................................................63 III-1-3-1 Major Supervisory Viewpoints....................................................................................63 III-1-3-2 Supervisory Methods and Measures............................................................................65 III-1-4 Countermeasures against Terrorist Financing and Money Laundering.............................65 III-1-4-1 Major Supervisory Viewpoints....................................................................................65 III-1-4-2 Supervisory Methods and Measures............................................................................66 III-1-5 Upper Limit of Exchange Transactions.............................................................................67 III-1-5-1 Major Supervisory Viewpoints....................................................................................67 III-1-5-2 Supervisory Methods and Measures............................................................................67 III-1-6 Response Policy to Incidents Related to Exchange Transactions .....................................67 III-1-6-1 Major Supervisory Viewpoints....................................................................................68

3 III-1-6-2 Supervisory Methods and Measures............................................................................68 III-2Provision of Information to Users ................................................................................................ 68 III-2-1 Major Supervisory Viewpoints..........................................................................................68 III-2-2 Supervisory Methods and Measures..................................................................................69 IV. ITEMS TO ASSESS IN SUPERVISING TYPE II FUNDS TRANSFER SERVICE PROVIDERS ...................................................................................................................................................... 69 IV-1Restriction on Retention of Funds................................................................................................ 69 IV-1-1 Major Supervisory Viewpoints..........................................................................................69 IV-1-2 Supervisory Methods and Measures..................................................................................70 V. ITEMS TO ASSESS IN SUPERVISING TYPE III FUNDS TRANSFER SERVICE PROVIDERS ...................................................................................................................................................... 70 V-1 Restriction on Retention of Funds (Upper Limit for Exchange Transactions)............................. 71 V-1-1 Major Supervisory Viewpoints..........................................................................................71 V-1-2 Supervisory Methods and Measures..................................................................................72 V-2 Control Environment, etc. for Management Using the Method of Management by Bank Deposits or Savings..................................................................................................................................... 72 V-2-1 Major Supervisory Viewpoints..........................................................................................72 V-2-2 Supervisory Methods and Measures..................................................................................73 V-3 User Protection Measures Pertaining to Type III Funds Transfer Services.................................. 74 V-3-1 Major Supervisory Viewpoints..........................................................................................74 V-3-2 Supervisory Methods and Measures..................................................................................75 VI. ITEMS TO ASSESS IN SUPERVISING FUNDS TRANSFER SERVICE PROVIDERS WHO OPERATE MULTIPLE TYPES OF FUNDS TRANSFER SERVICES ...................................... 75 VI-1 Prevention of Adverse Effects in Cases Where a Funds Transfer Service Provider Operates Multiple Types of Funds Transfer Services ................................................................................. 75 VI-1-1 Major Supervisory Viewpoints..........................................................................................75 VI-1-2 Supervisory Methods and Measures..................................................................................76 VII. BASIC VIEWS ON FOREIGN FUNDS TRANSFER SERVICE PROVIDERS ........................ 76 VII-1 Prohibition of Solicitation by Foreign Funds Transfer Service Providers.........................76 VII-2 Cross-Border Transactions by Foreign Funds Transfer Service Providers Using the Internet, etc........................................................................................................................77 VIII.POINTS TO NOTE REGARDING ADMINISTRATIVE PROCESSES FOR INSPECTION AND SUPERVISION OF FUNDS TRANSFER SERVICE PROVIDERS........................................... 77 VIII-1 Basic Views and General Administrative Processes, etc........................................................... 77 VIII-1-1 Basic Views on Inspection and Supervision......................................................................77 VIII-1-2 General Supervisory Affairs..............................................................................................78 VIII-1-3 Coordination among Supervisory Authorities...................................................................81 VIII-1-4 Cooperation, etc. with Certified Associations for Payment Service Providers.................82 VIII-1-5 Internal Delegation............................................................................................................83 VIII-2 Various Administrative Procedures........................................................................................... 83 VIII-2-1 Application for Registration and Acceptance of Notification ...........................................84 VIII-2-2 Application for Registration and Acceptance of Notification ...........................................88

4 VIII-2-3 Written Reports under Article 53 of the Act......................................................................90 VIII-2-4 Treatment of Discontinuation, etc. ....................................................................................91 VIII-2-5 Procedures for Security Deposits for Providing Funds Transfer Services........................92 VIII-2-6 Points of Attention regarding Statements in Reports Submitted by Funds Transfer Service Providers............................................................................................................................93 VIII-2-7 Points of Attention regarding Written and Face-to-Face Procedures................................93 VIII-2-8 Points of Attention when Submitting Applications, etc.....................................................94 VIII-3 Points of Attention in Enforcing Administrative Dispositions.................................................. 94 VIII-4 Relationship with the Administrative Procedure Act and Other Relevant Acts........................ 97 VIII-5 System for Exchange of Opinions ............................................................................................ 97 VIII-6 Ascertainment of Location of Business Office ......................................................................... 98 VIII-7 Communication with Relevant Authorities in Japan and Overseas Regulators........................ 98 VIII-8 Basic Stance for Public Disclosure of Adverse Dispositions.................................................... 98 VIII-9 Notification of Administrative Disposition............................................................................... 99

5 I. General I-1 Structure of these Guidelines The revised Payment Services Act (Act No. 59 of 2009, hereinafter referred to as “the Act”) came into effect in May 2021, whereby multiple categories of Funds Transfer Service Providers were newly established. Specifically, the revised Act has introduced and defined “Type I Funds Transaction Services” and “Type III Funds Transaction Services.” Type I Funds Transaction Services are the Funds Transfer Services that are allowed to carry out exchange transactions for the transfer of funds exceeding 1 million yen, which is established in order to respond to remittance needs exceeding the previous maximum amount of 1 million yen including overseas remittances, such as individuals' purchases of high-priced goods and services and payments between companies. Type III Funds Transaction Services are Funds Transfer Services of carrying out only exchange transactions for the transfer of funds at amounts not exceeding 50,000 yen, which are considered to be significantly below the previous maximum amount of exchange transactions and relatively low risk. In this revised Act, the former “Funds Transfer Service Provider” is defined as the “Type II Funds Transfer Service Providers.” Note: A Funds Transfer Service Provider engaged in Type I Funds Transfer Service shall be hereinafter referred to as a “Type I Funds Transfer Service Provider,” and a Funds Transfer Service Provider engaged in Type II Funds Transfer Service shall be hereinafter referred to as a “Type II Funds Transfer Service Provider.” Accordingly, a Funds Transfer Service Provider engaged in Type III Funds Transfer Service shall be hereinafter referred to as a “Type III Funds Transfer Service Provider.” These Guidelines are intended to be used comprehensively for the supervision of various Funds Transfer Service Providers while reducing duplication of the same information applying to them. For this reason, Sections “I” and “II” basically cover all type of Funds Transfer Services (Type I Funds Transfer Service, Type 2 Funds Transfer Service, and Type 3 Funds Transfer Service) and are intended for all types of Funds Transfer Service Providers. Following that, Sections from “III” to “V” describe additional points of attention specific to each type of Funds Transfer Services, and Section “VI” describes points of attention for business operators who are operating multiple types of Funds Transfer Services together. While Section “VIII” is also intended for all types of Funds Transfer Service Providers, please note that it includes some statements specific to Type I Funds Transfer Service. Therefore, those who supervise these Funds Transfer Service Providers should first refer to Sections “I” and “II” and also refer to relevant parts of Sections “III” to “VI” that describe specific points of attention to the type subject to supervision according to the attributes thereof. I-2 Matters concerning Article 2-2 of the Act (Acts falling under “exchange transactions”) When receiving an inquiry, etc. regarding the applicability of an act prescribed by Article 2-2 of the Act that satisfies the requirements specified by the Cabinet Office Order on Funds Transfer Service Providers (Cabinet Office Order No. 4 of 2010; hereinafter referred to as “Cabinet Office Order”), the supervisory authorities shall make a judgment in light of the requirements prescribed by Article 2-2 of the Act and Article 1-2 of the Cabinet Office Order. However, the following points should be noted. The provision of Article 2-2 of the Act is to confirm that an act prescribed in Article 2-2 of the Act that meets the requirements specified by Cabinet Office Order falls under “exchange transaction”. However, since there is a possibility that a new

6 business model will emerge in the future, it does not mean that an act that does not fall under the act prescribed in Article 2-2 of the Act or an act that falls under the act prescribed in Article 2-2 of the Act but does not fall under the requirements specified by Cabinet Office Order does not immediately fall under “exchange transaction” in the future. Whether an act of a business operator falls under “exchange transaction” shall be finally determined in a specific manner depending on the content of transactions conducted by the business operator. II. Items to Assess Common to All Types of Funds Transfer Service Providers II-1 Business Management, etc. Funds Transfer Services play an important role in the funds settlement system. In order to maintain the safety, efficiency, and convenience of the fund settlement system, it is necessary to ensure that the outstanding obligations are preserved and the funds are transferred in proper manner. Also, in order to maintain and improve business operation frameworks, it is important to ensure that management discipline functions effectively and that business management is conducted appropriately. In supervising a Funds Transfer Service Provider, it is necessary to respect its autonomy and to take measures based on the actual conditions of said Funds Transfer Service Provider while considering that Funds Transfer Service Providers are not subject to any specific business rules and that they have a wide range of business types and sizes. II-1-1 Major Supervisory Viewpoints (i) Does the management team, in order to ensure not only business performance such as business promotion and profit expansion, but also compliance with laws and regulations and proper business operations, regard matters related to the establishment and development of internal control environments as one of the most important management issues, such as the strengthening of the functions of the Internal Control Department and the Internal Audit Department, and take sincere and proactive measures to formulate and disseminate specific policies for the implementation thereof? Note: The term “Internal Control Department” as used in these Guidelines refers to the divisions in charge of management of internal affairs, the legal division, etc. for ensuring business operations in compliance with laws and regulations as well as internal rules, etc. In addition, the term “Internal Audit Department” refers to the divisions in charge of inspection, the divisions in charge of auditing, etc. independent from the sales departments, and does not include inspections, etc. conducted by the departments, etc. that are subject to audit as part of internal control. (ii) With regard to monitoring, etc. according to the authority of the sales manager, does the management team have frameworks in place to conduct monitoring/verification and formulate improvement measures, which are designed to ensure appropriate business operations for divisions in which the Internal Control Department deals with users? (iii) Does the management team recognize the importance of internal audits concerning exchange transactions, and appropriately set the objectives of internal audits? In addition, has the management team established an environment in which the Internal Audit Department can fully exercise its functions? Also, does the management team take appropriate measures, such as formulating and implementing improvement measures, with regard to the results of internal audits?

7 (iv) Is the management team fully aware that banning and eliminating relations with anti-social forces in a resolute manner is essential for maintaining public trust in Funds Transfer Service Providers as well as for the appropriateness of Funds Transfer Service Providers’ businesses? And has the management team decided a basic policy in light of the details of “Guidelines for Enterprises to Prevent Damage Caused by Anti-Social Forces” (Agreement at a Meeting of Cabinet Ministers Responsible for Anti-Crime Measures, issued on June 19, 2007; hereinafter referred to as the “Government Guidelines” in II-1-1) and declared it both internally and externally? Moreover, does the management team clearly define the prevention of damage from anti-social forces as one of the issues in the firm’s compliance and risk management? For example, are frameworks to realize the basic policy based on the Government Guidelines developed? And is the effectiveness of those systems verified on a regular basis? (v) Does the Internal Control Department conduct appropriate monitoring and verification to ensure appropriate business practices for overall business operations in accordance with laws and regulations, as well as internal rules, etc.? In addition, if any serious problem is identified, is it reported to the management team appropriately? (vi) Does the Internal Audit Department have any frameworks in place to conduct effective internal audits independent from the departments that are subject to audit so that sufficient checks can be exercised against the audited departments? In principle, it is necessary that the frameworks for the Internal Audit Department should be developed. However, if it is considered more effective to introduce an external audit in light of the size of the Funds Transfer Service Provider, an external audit may be used in lieu of internal audit. In this case, has the Funds Transfer Service Provider established a control environment to give the external auditor clear instructions about the purpose of the audit and to utilize the audit results for business improvement? II-1-2 Supervisory Methods and Measures With regard to issues and challenges, etc. concerning the business management of a Funds Transfer Service Provider, which have been identified through the follow-up to the matters indicated in the inspection and the daily supervisory administration such as the notification of misconduct, etc., the supervisory authorities shall monitor the status of voluntary business improvement made by such Funds Transfer Service Provider by holding an in-depth interview regarding the cause of the issue, improvement measures, etc. and, when necessary, collecting a report based on Article 54 of the Act, based on the viewpoints mentioned above. Furthermore, if it is found that the Funds Transfer Service Provider has a serious problem from the viewpoint of ensuring sound and appropriate operations of the Funds Transfer Services, including the viewpoint of protecting the interests of users, the supervisory authorities shall issue to the Funds Transfer Service Provider an order to improve business operations based on Article 55 of the Act. If a serious and/or malicious violation of laws and regulations is found, the supervisory authorities shall consider issuing an order to suspend business, etc. based on Article 56 of the Act (See VIII-3 for matters to be taken into consideration when conducting administrative dispositions). II-2 Appropriateness of Business Operations, etc. II-2-1 Compliance with Laws and Regulations, etc.

8 II-2-1-1 Legal Compliance Framework, etc. It is important for Funds Transfer Service Providers to be fully aware of their role as players of fund settlement systems, to strictly comply with laws and regulations and internal rules, etc., and to strive for proper and reliable business operations, in order to establish the trust in Funds Transfer Service Providers from users. In addition, from the perspective of ensuring appropriate and reliable business operations, Funds Transfer Service Providers are required to establish internal rules, etc. for their businesses in accordance with their scale and characteristics; review them constantly; and conduct internal education for officers as well as employees engaged in the Funds Transfer Service business and other employees (hereinafter referred to as “officers and employees”). They are also required to verify the status of compliance therewith. For example, Funds Transfer Service Providers who are engaged in the business of international remittance have to conduct business operations in consideration of the intent and purpose of relevant laws and regulations, including the Foreign Exchange and Foreign Trade Act (Act No. 228 of 1949) and the Act on Submission of Statement of Overseas Wire Transfers for Purpose of Securing Proper Domestic Taxation (Act No. 110 of 1997), in addition to the Act. In this regard, even if a Funds Transfer Service Provider fails to respond literally as described in each of the supervisory viewpoints in these Guidelines, it shall not be regarded as inappropriate if it is deemed that there are no particular problems from the viewpoint of protecting the interests of users in light of the scale and characteristics of such Funds Transfer Service Provider. When supervising Funds Transfer Service Providers, the following points, for example, shall be taken into consideration. II-2-1-1-1 Major Supervisory Viewpoints (i) Has the Funds Transfer Service Provider regarded compliance as one of the most important management issues and formulated a basic policy to put the recognition into practice, along with a more specific implementation plan (Compliance Program) and a code of conduct (Ethics Code and Compliance Manual), etc.? Also, are these policies, etc. thoroughly known and understood by officers and employees, and are they put into practice in daily business operations? (ii) Does the Funds Transfer Service Provider evaluate and follow up the implementation plan and the code of conduct on a regular basis or as needed? Also, does the Provider review their contents? (iii) Has the Funds Transfer Service Provider established and enhanced a system for training and education on compliance? Does it strive to foster and improve compliance awareness among its officers and employees? In addition, does the Funds Transfer Service Provider make efforts to ensure the effectiveness of the training by, for example, evaluating and following up the training in a timely manner and reviewing the details?. II-2-1-1-2 Supervisory Methods and Measures With regard to issues and challenges, etc. concerning the environment of a Funds Transfer Service Provider for compliance with laws and regulations, etc., which have been identified through the follow-up to the matters indicated in the inspection and the daily supervisory administration such as the notification of misconduct, etc., the supervisory authorities shall monitor the status of voluntary business improvement made by such Funds Transfer Service Provider by holding an in-depth interview regarding the cause of the issue, improvement measures, etc. and, when necessary,

9 collecting a report based on Article 54 of the Act, based on the viewpoints mentioned above. Furthermore, if it is found that the Funds Transfer Service Provider has a serious problem from the viewpoint of ensuring sound and appropriate operations of the Funds Transfer Services, including the viewpoint of protecting the interests of users, the supervisory authorities shall issue to the Funds Transfer Service Provider an order to improve business operations based on Article 55 of the Act. If a serious and/or malicious violation of laws and regulations is found, the supervisory authorities shall consider issuing an order to suspend business, etc. based on Article 56 of the Act (See VIII-3 for matters to be taken into consideration when conducting administrative dispositions). II-2-1-2 Measures for Verification at the Time of Transaction, etc. The establishment of an internal control environment in relation to verification at the time of transaction, preservation of transaction records, notification of suspicious transactions, etc. (which refer to the measures for verification at the time of transaction, etc. prescribed in Article 11 of the Act on Prevention of Transfer of Criminal Proceeds (Act No. 22 of 2007; hereinafter referred to as “Anti-Criminal Proceeds Act”); hereinafter referred to as “measures for verification at the time of transaction, etc.”) bears significant meaning in preventing the abuse of financial services by organized crime and in ensuring confidence in the Japanese financial market as well. When supervising Funds Transfer Service Providers, the supervisors shall check the status of various internal controls in light of the size and characteristics of Funds Transfer Service Providers based on the “Guidelines on Countermeasures against Money Laundering and Terrorist Financing,” including a risk-based approach (hereinafter referred to as the “Guidelines on Anti-Money Laundering/Terrorist Financing Measures”), and pay attention to the following points, for example. Note: Risk-based approach means that Funds Transfer Service Providers are expected to identify and assess money laundering and terrorist financing risks to which they are exposed and take appropriate measures to mitigate the risks effectively. II-2-1-2-1 Major Supervisory Viewpoints With regards to operations of a Funds Transfer Service Provider, the supervisors must check whether the Funds Transfer Service Provider has established the following frameworks in order to prevent its exploitation for organized crimes such as terrorist financing, money laundering, and illicit use of funds transfer services, by properly taking measures for verification at the time of transaction, etc. and measures listed in the Guidelines on Anti-Money Laundering/Terrorist Financing Measures. (1) Has the Funds Transfer Service Provider developed a centralized control environment for appropriately implementing the measures for verification at the time of transaction and the measures listed in the Guidelines on Anti-Money Laundering/Terrorist Financing Measures? Is the environment properly functioning? In particular, has the Funds Transfer Service Provider implemented the following measures in developing the centralized control environment? Note: In order to appropriately implement measures for verification at the time of transaction, etc., reference must be made to the “Points to Note Concerning the Act on Prevention of Transfer of Criminal Proceeds” (FSA, October 2012). (i) Whether the Funds Transfer Service Provider has selected and appointed an appropriate person as supervisory manager, as stipulated in Article 11(iii) of the Anti-Criminal Proceeds Act, such as a person at a managerial level who is in charge of compliance on

10 countermeasures against terrorist financing and money laundering. (ii) Whether the Funds Transfer Service Provider has taken the following measures in order to research and analyze risks used for terrorist financing and money laundering, etc. and to take action based on the results. (A) Considering the details of the risk report related to transfer of criminal proceeds, which is prepared and published by the National Public Safety Commission based on Article 3(3) of the Anti-Criminal Proceeds Act, whether the Funds Transfer Service Provider properly researches and analyzes the risks in which its own transactions are used for terrorist financing and money laundering, in terms of transaction/commodity characteristics, forms of transactions, countries/regions associated with transactions, customer attributes, etc.; and prepares and regularly reviews documents, etc. describing the results (hereinafter referred to as “risk assessment report by a specified business operator, etc.”). In particular, for a Funds Transfer Service Provider who is engaged in overseas remittance, attention should be paid to whether the Funds Transfer Service Provider fully assesses the risks of each country or region involved in transactions, whether it assesses risks according to the period of stay of foreign customers who are involved in such remittance, whether it assesses risks of remittance through agents, or whether it assesses and examines risks of non-face-to-face transactions, etc. (B) Whether the Funds Transfer Service Provider has formulated a customer acceptance policy and developed specific methods for customer management and preservation of transaction records, etc., by taking into consideration the content of the risk assessment report by a specified business operator, etc. In addition, whether the Funds Transfer Service Provider has reviewed the policies and methods developed, periodically or upon identification of a new event that could have a significant impact on countermeasures against terrorist financing and money laundering. (C) In conducting transactions for which strict customer management stipulated in the first sentence of Article 4(2) of the Anti-Criminal Proceeds Act is deemed to be particularly necessary, or transactions to which special attention must be given in performing the customer management stipulated in Article 5 of the Regulation for Enforcement of the Act on Prevention of Transfer of Criminal Proceeds (hereinafter referred to as “Anti-Criminal Proceeds Enforcement Regulations”), or other transactions in which the risk level of terrorist financing and money laundering is deemed to be high by giving consideration to the details of the risk report related to transfer of criminal proceeds (hereinafter referred to as “high risk transactions”), whether the supervisory manager of the Funds Transfer Service Provider approves those transactions, prepares documents describing the results of collected and analyzed information, and stores them together with verification records or transaction records, etc. Whether the Funds Transfer Service Provider verifies the accuracy and appropriateness of verification records and transaction records in a timely manner. (D) Whether the Funds Transfer Service Provider formulates a policy for continuous customer management and ensures the implementation of said policy, such as the investigation of customer information at a frequency commensurate with the customer risk assessment based on the risk assessment report by a specified business operator, etc. In addition, whether the Funds Transfer Service Provider reviews the customer risk assessment upon occurrence of an event that affects the customer risk assessment.

11 (iii) Whether the Funds Transfer Service Provider adopts the measures for verification at the time of transaction that is appropriate according to the risks, while taking into consideration the risk assessment report by a specified business operator, etc. In addition, whether the Funds Transfer Service Provider regularly and timely recognizes and evaluates risks and improves measures for verification at the time of transaction including the introduction of public personal authentication, taking into account changes in the environment, including the sophistication of methods and modes of organized crime, such as terrorist financing, money laundering, and illicit use of funds transfer services, as well as the occurrence of incidents at the Provider itself or other business operators. (iv) When conducting the verification at the time of transaction, etc., whether the Funds Transfer Service Provider appropriately screens the customers, such as by checking sanction lists from relevant countries including Japan, in addition to fulfilling the relevant obligations under the Anti-Criminal Proceeds Act. Also, whether it conducts rescreening at the time of updating various relevant lists. (v) Whether the Funds Transfer Service Provider establishes proper policies for recruitment of employees and acceptance of users. (vi) Whether the Funds Transfer Service Provider conducts necessary audit. (vii) Whether the Funds Transfer Service Provider prepares a manual of the user management method including measures for verification at the time of transaction, etc., disseminates it to employees, and in addition, conducts proper and continuous training to employees so that they can use the manual properly. (viii) Whether the Funds Transfer Service Provider establishes an appropriate reporting framework (policy, method, information management system, etc.)for cases related to the abuse of financial services through organized crimes which an employee has found, for example, during verification at the time of transaction or by detecting suspicious transactions. (ix) In agency management, whether the Funds Transfer Service Provider has established a control environment enabling it to verify and evaluate that each agent, who is required to do so, implements continuous customer management measures according to risk. In addition, whether the Funds Transfer Service Provider assesses the risks of each agent and monitors its control environment in accordance with such risks. (2) Has the Funds Transfer Service Provider established a control environment for properly performing verification at the time of transaction, such as seeking reliable evidence of a substantial controller in a transaction with a corporate customer, confirmation of eligibility of foreign PEPs (Note), and proper treatment of identification documents, including treatment of personal identification numbers and basic pension numbers? Note: Foreign PEPs refer to heads of foreign countries and persons occupying an important position in a foreign government, etc. listed in each item of Article 12(3) of the Order for Enforcement of the Act on Prevention of Transfer of Criminal Proceeds (hereinafter referred to as the “Anti-Criminal Proceeds Act Enforcement Order”) and in each item of Article 15 of the Anti-Criminal Proceeds Act Enforcement Regulations. In particular, when conducting transactions for which there is an especially strong necessity for conducting rigid customer management as mentioned in the below (A) through (D), based on the first sentence of Article 4(2) of the Anti-Criminal Proceeds Act and each paragraph of Article 12 of the Anti-Criminal Proceeds Act Enforcement Order, has the Funds Transfer

12 Service Provider established an environment in which (re-)verification at the time of transaction is done in a proper manner, such as that a customer’s identification matters are confirmed not only in a normal way but also in a more rigid way in which customer identification documents or supplementary documents are additionally received? In addition, when confirmation of the conditions of assets and revenues is obligated, has the Funds Transfer Service Provider established an environment in which such confirmation is done in a proper manner? (A) A transaction in the case where a counterparty to the transaction is suspected of impersonating a customer, etc., or representative, etc., for whom related verification at the time of the transaction is conducted (B) A transaction with customer, etc., who is suspected of having falsified matters subject to related verification at the time of transaction when such verification has been conducted (C) A specified transaction, etc., with a customer, etc., who resides or is located in a country or region in which the establishment of a system to prevent the transfer of criminal proceeds as specified in Article 12(2) of the Anti-Criminal Proceeds Act Enforcement Order is not considered sufficient (D) A specified transaction with a customer, etc. who is a foreign PEP. In addition, does the Funds Transfer Service Provider properly perform verification at the time of transaction by regarding as specified transactions those into which one transaction is apparently divided in order to reduce the amount of money per transaction below the threshold (the transactions are limited to those listed in each item of Article 7(3) of the Anti-Criminal Proceeds Act Enforcement Order.)? (3) When reporting suspicious transactions, has the Funds Transfer Service Provider established an environment for appropriate examination and judgment based on Article 8(2) of the Anti-Criminal Proceeds Act and Articles 26 and 27 of the Anti-Criminal Proceeds Enforcement Regulations? Such examination and judgment should be made after comprehensively considering the user attributes, the status at the time of transaction, and other specific information held by the Funds Transfer Service Provider and related to the transaction. Does the Funds Transfer Service Provider pay full attention especially to the following points in establishing the environment? (i) Whether the Funds Transfer Service Provider, according to its operations and business profile, has established an environment for detecting, monitoring, and analyzing suspicious users and transactions, etc. by using the relevant systems and manuals, etc. (ii) In transaction monitoring, are threshold values set appropriately based on the risk assessment of each customer? Also, are scenarios for detecting suspicious transactions appropriately set based on the business model? Has the Funds Transfer Service Provider analyzed suspicious cases, regardless of whether reported or not, and periodically reviewed scenarios and threshold values as to whether investigations leading to such reporting are appropriate? (iii) After considering the details of the risk report related to transfer of criminal proceeds, whether the Funds Transfer Service Provider fully considers the following aspects: the user’s nationality (whether the user’s home country falls within the FATF’s list of non-cooperative countries and territories), eligibility of foreign PEPs, the customer attributes of the business in which the user is engaging, transaction patterns such as the value and number of transactions in light of the user attributes, and others. Whether the Funds Transfer Service Provider conducts proper confirmation and judgment based on

13 transaction categories such as continuous transactions with existing customers and high risk transactions? (4) With regard to the correspondent agreement, has the Funds Transfer Service Provider established the following control environment based on Articles 9 and 11 of the Anti-Criminal Proceeds Act, Articles 28 and 32 of the Anti-Criminal Proceeds Enforcement Regulations, and the Guidelines on Anti-Money Laundering/Terrorist Financing Measures? Note: “Agreement under which the business operator conducts continuous and repetitive foreign exchange transactions with a foreign exchange transaction service provider located in the foreign country” in Article 9 of the Anti-Criminal Proceeds Act means an agreement with the foreign exchange transaction service provider (the counterparty of the correspondent agreement) to entrust or accept banking services such as payment of telegraphic transfers, collection of bills, intermediation of letters of credit, settlement, etc., and cash management for the purpose of international settlement (correspondent agreement). (A) Whether the Funds Transfer Service Provider appropriately conducts screening and makes decisions on whether to execute/renew a correspondent agreement via the decision-making process involving the supervisory manager after appropriately evaluating the counterparty of the correspondent agreement through efforts to collect information on the counterparty’s customer base and businesses and the status of development of the system to prevent terrorism financing/money laundering; and the status of supervision by the authority in the relevant jurisdiction. (B) Whether the Funds Transfer Service Provider clarifies the allocation of responsibilities between it and the counterparty of the correspondent agreement, etc. in relation to the prevention of terrorist financing/money laundering, by means of documenting such responsibilities or any other means. (C) Whether the Funds Transfer Service Provider confirms that the counterparty of the correspondent agreement is not a bank that does not operate any business (a so-called shell bank), and that the counterparty will not permit a shell bank to use a bank account owned by the counterparty. Additionally, if, as a result of such confirmation, it is found that the counterparty is a shell bank, or the counterparty has been permitting a shell bank to use the counterparty’s bank account, whether the Funds Transfer Service Provider systematically stops executing or discontinues the correspondent agreement with said counterparty. (5) In order to prevent unauthorized use, etc. of the Funds Transfer Services, does the Funds Transfer Service Provider examine how to prevent damage due to unauthorized use of the Funds Transfer Services and take necessary measures, such as performing verification at the time of transaction or confirming the purpose of use of the account as necessary, when concluding a contract under which the Funds Transfer Service Provider conducts continuously or repeatedly payment of cash and/or exchange transactions as prescribed in Article 29(1)(ii) of the Act (hereinafter referred to as “account opening contract, etc.”)? In particular, based on Article 31(i) of the Cabinet Office Order, the Funds Transfer Service Provider needs to put the following frameworks in place for cases where there is a suspicion that a criminal act has been committed with respect to the Funds Transfer Services provided by it, in consideration of the information provided by investigative authorities, etc. to the effect that the transaction pertaining to the Funds Transfer Services has been used for fraud or any other

14 criminal act as well as in light of other circumstances. (i) Framework to promptly suspend the relevant exchange transaction that is suspected of having been used for a criminal act (ii) Framework to suspend the withdrawal of funds from a person who has concluded an account opening contract, etc. when the person is suspected of using the contract for a criminal act Note: In a case where an exchange transaction or disbursement of funds pertaining to the Funds Transfer Service Services has been suspended pursuant to (i) or (ii), and where there are reasonable grounds to find that such exchange transaction has been used for a criminal act, or where there are reasonable grounds to find that a person who has concluded an account opening contract, etc. is using the contract for a criminal act, it is desirable to take measures for recovery of damage, such as returning to the victim the funds related to said exchange transaction that is under the management of the Funds Transfer Service Provider as well as the funds related to the disbursement of funds. (6) With regard to the commission of examination issued by a court of unauthorized use of transactions pertaining to the Funds Transfer Services and inquiries based on the Attorney Act, etc., has the Funds Transfer Service Provider established a framework for making proper judgment of each individual specific case, in line with the purpose of these systems, while considering the confidentiality obligation imposed on the Funds Transfer Service Provider? (7) Has the Funds Transfer Service Provider established a framework for appropriately implementing countermeasures against terrorist financing and money laundering at its overseas business locations (branches, overseas subsidiaries, etc.)? (i) Even at its overseas business locations, does the Funds Transfer Service Provider take countermeasures against terrorist financing and money laundering at the same level as in Japan to the extent permitted by local applicable laws and regulations? Note: In particular, it should be noted that, even at an overseas business location in a country or region to which the FATF Recommendation is not applied or is insufficiently applied, control environments of a similar level as in Japan are required. (ii) In the case where the country where the overseas business location is situated applies stricter criteria for the countermeasures against money laundering and terrorist financing than in Japan, does it take measures corresponding to such stricter local criteria? (iii) In the case where the overseas business location is not able to take the countermeasures against money laundering and terrorist financing properly at the same level as in Japan because doing so is prohibited by local laws and regulations, does it promptly provide the following information to the FSA or the Local Finance Office that has jurisdiction over the region where the Funds Transfer Service Provider’s headquarters is located? • Name of the country or region • Specific reasons why it cannot take the countermeasures against terrorist financing and money laundering • If it takes alternative measures for the countermeasures against terrorist financing and money laundering, the content of such alternative measures.

15 II-2-1-2-2 Supervisory Methods and Measures With regard to issues and challenges, etc. concerning the measures for verification at the time of transaction, etc. or the measures mentioned in the Guidelines on Anti-Money Laundering/Terrorist Financing Measures, which have been identified through the follow-up to the matters indicated in the inspection and the daily supervisory administration such as the notification of misconduct, etc., the supervisory authorities shall monitor the status of voluntary business improvement made by such Funds Transfer Service Provider by holding an in-depth interview regarding the cause of the issue, improvement measures, etc. and, when necessary, collecting a report based on Article 54 of the Act, based on the viewpoints mentioned above. Furthermore, if it is found that the Funds Transfer Service Provider has a serious problem from the viewpoint of ensuring sound and appropriate operations of the Funds Transfer Services, including the viewpoint of protecting the interests of users, the supervisory authorities shall issue to the Funds Transfer Service Provider an order to improve business operations based on Article 55 of the Act. If a serious and/or malicious violation of laws and regulations is found, the supervisory authorities shall consider issuing an order to suspend business, etc. based on Article 56 of the Act (See VIII-3 for matters to be taken into consideration when conducting administrative dispositions). Note: With regard to the handling of the verification at the time of transaction, it should be noted that necessary measures may be taken separately based on the Anti-Criminal Proceeds Act. II-2-1-3 Prevention of Damage that May be Inflicted by Anti-Social Forces Eliminating anti-social forces from society is a task critical to ensuring the order and safety of society, so it is necessary and important for corporations to promote efforts to ban any relations with anti-social forces from the viewpoint of fulfilling their social responsibility. In particular, Funds Transfer Service Providers who play an important economic role are required to exclude anti-social forces from financial transactions in order to prevent not only Funds Transfer Service Providers themselves and their officers and employees, but also their users and other stakeholders from suffering damage inflicted by anti-social forces. Needless to say, if Funds Transfer Service Providers are to maintain the soundness and appropriateness of their business operations, it is essential that they deal with anti-social forces in accordance with laws and regulations without bowing to pressure from them. Therefore, Funds Transfer Service Providers must strive, on a daily basis, to develop a control system for banning any relations with anti-social forces in accordance with the purpose of the “Guidelines for Enterprises to Prevent Damage Caused by Anti-Social Forces” (Agreement at a Meeting of Cabinet Ministers Responsible for Anti-Crime Measures, issued on June 19, 2007). In particular, anti-social forces in recent times have become increasingly sophisticated in their efforts to obtain funds, disguising their dealings as legitimate economic transactions through the use of affiliated companies in order to develop business relations with ordinary companies. In some cases, the relations thus developed eventually lead to problems. In order to deal with such cases properly, the management team of Funds Transfer Service Providers need to take a resolute stance and implement specific countermeasures. It should be noted that if a Funds Transfer Service Provider delays specific actions to resolve a problem involving anti-social forces on the grounds that unexpected situations, such as threats to the safety of its officers and employees, could otherwise arise, the delay could increase the extent of the damage that may be ultimately inflicted on the Funds Transfer Service Provider and its officers and employees, etc. (Reference) “Guidelines for Enterprises to Prevent Damage Caused by Anti-Social Forces”

16 (Agreement at a Meeting of Cabinet Ministers Responsible for Anti-Crime Measures, issued on June 19, 2007) (i) Basic principles on prevention of damage that may be inflicted by anti-social forces Firm-wide response Cooperation with external expert organizations Ban on any relations, including transactions, with anti-social forces Legal responses, both civil and criminal, in the event of an emergency Prohibition of engagement in secret transactions with and provision of funds to anti-social forces (ii) Identification of anti-social forces In judging whether specific groups or individuals constitute “anti-social forces,” which are defined as groups or individuals that pursue economic profits through the use of violence, threats, and fraud, it is necessary not only to pay attention to whether they fit the definition in terms of their affiliation, such as whether they constitute or belong to “Boryokudan” crime syndicates, “Boryokudan” affiliated companies, “Sokaiya” racketeer groups, groups engaging in criminal activities under the pretext of conducting social campaigns or political activities, and crime groups specialized in intellectual crimes, but also to whether they fit the definition in terms of the nature of their conduct, such as whether they are committing violent acts of demand, or making unreasonable demands that go beyond the limits of legal liability (refer to the “Key Points of Measures against Organized Crime,” a directive issued in the name of the Deputy Commissioner-General of the National Police Agency on December 22, 2011.) II-2-1-3-1 Major Supervisory Viewpoints When examining the control environment of a Funds Transfer Service Provider for banning any relationship with anti-social forces and for dissolving any relations with anti-social forces as soon as possible after the counterparty has been found to be an anti-social force in cases where it has established a relationship with an anti-social force unwittingly, as well as the control environment for dealing with unreasonable demands by anti-social forces appropriately, the supervisory authorities, while also giving consideration to the characteristics of specific transactions, shall pay attention to the following points. (1) Firm-wide response In light of the need and importance of an action to ban any relationship with anti-social forces organically, does the Funds Transfer Service Provider respond to the matter as an organization through appropriate engagement of the management team rather than leaving it solely to the person or department in charge? Does the Funds Transfer Service Provider make efforts as a group to eliminate anti-social forces in order to ban the relationship with anti-social forces not only in the Funds Transfer Service Provider itself but also in the Funds Transfer Services? Moreover, is there a policy to exclude anti-social forces when providing Funds Transfer Services by entrusting a part of operations to other companies outside the group? (2) Development of a centralized control environment through Anti-Social Forces Response Division Has the Funds Transfer Service Provider established a division in charge of supervising responses to ban any relationship with anti-social forces (hereinafter referred to as “Anti-Social

17 Forces Response Division”) so as to develop a centralized control environment for preventing infliction of damage by anti-social forces? Is this division properly functioning? In particular, does the Funds Transfer Service Provider pay sufficient attention to the following points in developing the centralized control environment? (i) Does the Anti-Social Forces Response Division actively collect and analyze information on anti-social forces? Has it developed a database to manage such information in a centralized manner? And does it have a system to appropriately update it (such as addition, deletion, or change of information in the database)? Further, is the Anti-Social Forces Response Division making efforts to share information within the group in the process of collecting and analyzing such information, while making active use of information provided by external expert organizations such as the police, the Center for Removal of Criminal Organizations, and lawyers? In addition, does the Anti-Social Forces Response Division have a system to take advantage of such information on anti-social forces for screening counterparties of transactions and evaluating the attributes of shareholders of the Funds Transfer Service Provider? (ii) Does the Funds Transfer Service Provider make sure to maintain the effectiveness of measures to ban any relations with anti-social forces by, for example, having the Anti-Social Forces Response Division develop a manual for dealing with anti-social forces, provide on-going training, and foster cooperative relationships with external expert organizations such as the police, the Center for Removal of Criminal Organizations, and lawyers on an ongoing basis? In particular, is the Funds Transfer Service Provider prepared to report to the police immediately when it faces the imminent prospect of being threatened or becoming the target of an act of violence, by maintaining close communications with the police on a daily basis so as to develop a systematic reporting system and build a relationship that facilitates cooperation in the event of a problem? (iii) Does the Funds Transfer Service Provider have a structure in which relevant information is swiftly and appropriately conveyed to the Anti-Social Forces Response Division for consultation when transactions with anti-social forces are found or such forces have made unreasonable demands? Further, does the Anti-Social Forces Response Division have a structure to swiftly and appropriately report relevant information to the management team? In addition, does the Anti-Social Forces Response Division have a structure to ensure the safety of individuals encountering anti-social forces in person and to support divisions involved in dealing with them? (3) Implementation of appropriate prior screening Does the Funds Transfer Service Provider take measures to ban allowing anti-social forces to become a counterparty to a transaction, by conducting appropriate advance screening using information on such forces in order to prevent transactions with anti-social forces, and making sure provisions regarding the exclusion of organized crime group are introduced in all contracts and terms of transactions? (4) Implementation of appropriate follow-up review Has the Funds Transfer Service Provider established a framework for conducting an appropriate follow-up review on existing contracts for the purpose of making sure that any relationships with anti-social forces are eliminated?

18 (5) Efforts to terminate transactions with anti-social forces (i) Does the Funds Transfer Service Provider have a system under which information confirming the existence of a transaction with anti-social forces is swiftly and appropriately reported to the management team, including directors, etc., via the Anti-Social Forces Response Division, and response to the situation is made under appropriate directions and involvement by the management team? (ii) Does the Funds Transfer Service Provider encourage termination of transactions with anti-social forces in close cooperation with external expert organizations such as the police, the Center for Removal of Criminal Organizations, and lawyers on an ongoing basis? (iii) Does the Funds Transfer Service Provider take care to prevent the provision of benefits to anti-social forces, such as severing the relationship as soon as possible if the counterparty has been found to be anti-social forces after initiation a transaction through a follow-up review? (iv) Does the Funds Transfer Service Provider have a structure to prevent providing funds or engaging in inappropriate or unusual transactions for whatever reason if the counterparty has been found to be an anti-social force? (6) Dealing with unreasonable demands by anti-social forces (i) Does the Funds Transfer Service Provider have a system under which the information that anti-social forces have made unreasonable demands is swiftly and appropriately reported to the management team, including directors, etc., via the Anti-Social Forces Response Division, and response to the situation is made under appropriate directions and involvement by the management team? (ii) Does the Funds Transfer Service Provider actively consult external expert organizations such as the police, the Center for Removal of Criminal Organizations, and lawyers on an ongoing basis when anti-social forces make unreasonable demands, and respond to such unreasonable demands based on guidelines set by the Center for Removal of Criminal Organizations and other organizations? In particular, does the Funds Transfer Service Provider have a structure to report to the police immediately when there is an imminent prospect of a threat being made or an act of violence being committed? (iii) Does the Funds Transfer Service Provider have a policy to take every possible civil legal action against unreasonable demands by anti-social forces and to avoid hesitating to seek the initiation of a criminal legal action, by proactively reporting damage to the relevant authorities? (iv) Does the Funds Transfer Service Provider ensure that the division in charge of handling problematic conduct promptly conducts a fact-finding investigation upon request from the Anti-Social Forces Response Division, in cases where unreasonable demands from anti-social forces are based on problematic conduct related to business activity or involving any of its officers or employees? (7) Management of shareholder information Does the Funds Transfer Service Provider manage shareholder information properly, through means such as regularly checking the transaction status of its own shares and examining information regarding the attributes of its shareholders?

19 II-2-1-3-2 Supervisory Methods and Measures With regard to issues and challenges, etc. concerning the control environments to ban relationships with anti-social forces of a Funds Transfer Service Provider, which have been identified through the follow-up to the matters indicated in the inspection and the daily supervisory administration such as the notification of misconduct, etc., the supervisory authorities shall monitor the status of voluntary business improvement made by such Funds Transfer Service Provider by holding an in-depth interview regarding the cause of the issue, improvement measures, etc. and, when necessary, collecting a report based on Article 54 of the Act, based on the viewpoints mentioned above. Furthermore, if it is found that the Funds Transfer Service Provider has a serious problem from the viewpoint of ensuring sound and appropriate operations of the Funds Transfer Services, including the viewpoint of protecting the interests of users, the supervisory authorities shall issue to the Funds Transfer Service Provider an order to improve business operations based on Article 55 of the Act. If a serious and/or malicious violation of laws and regulations is found, the supervisory authorities shall consider necessary measures of strict dispositions based on Article 56 of the Act (See VIII-3 for matters to be taken into consideration when conducting administrative dispositions). II-2-1-4 Supervisory Action to Misconduct In case of occurrence of “an act in violation of laws and regulations with regard to the Funds Transfer Services by a director, etc. or an employee, or an act that hinders the sound and appropriate operation of the Funds Transfer Services by a director, etc. or an employee” as set forth in Article 39 of the Cabinet Office Order (hereinafter referred to as “misconduct”), the following supervisory actions shall be taken. Misconduct shall mean and include the following acts in addition to acts in violation of laws and regulations in relation to the business of the Funds Transfer Services. • Fraud, embezzlement, breach of trust, etc. in relation to the business of the Funds Transfer Services; which is likely to harm the interests of users thereof; • An act of being subject to a complaint or accusation by a user, or arrest with regard to the Funds Transfer Services; and • An act equivalent to those listed above that hinders or is likely to hinder the sound and appropriate operation of the business of the Funds Transfer Services II-2-1-4-1 Major Supervisory Viewpoints (i) In cases where any misconduct is found at a Funds Transfer Service Provider and the supervisory authorities receive an initial notice from said Funds Transfer Service Provider, the supervisors shall confirm the following points. The same shall apply to the case where no initial report has been made by a Funds Transfer Service Provider but a written notification has been submitted by the Provider. (A) Whether the Funds Transfer Service Provider has made a prompt report to the Internal Control Department and a report to the management team in accordance with internal rules, etc. (B) In cases where the act could constitute a criminal offense, whether the Funds Transfer Service Provider has reported it to the police and other relevant organizations. (C) Whether the Funds Transfer Service Provider has investigated and clarified the misconduct at an independent department (Internal Audit Department, etc.) (ii) The supervisors examine the appropriateness of the business of the Funds Transfer Service Provider in relation to the misconduct based on the following viewpoints.

20 (A) Whether the Funds Transfer Service Provider appropriately acted immediately after the misconduct came to light. (B) Whether the management team has been involved in the misconduct and whether there has been firm-wide involvement. (C) What impacts the misconduct is expected to have on users of Funds Transfer Services. (D) Whether the internal check-and-balance function is properly working. (E) Whether the Funds Transfer Service Provider has formulated improvement measures to prevent recurrence and sufficient self-cleaning functions, and whether it has clearly pursued the responsibilities of the parties concerned. (F) Whether the Funds Transfer Service Provider has made appropriate explanations to users thereof and responded to inquiries. II-2-1-4-2 Supervisory Methods and Measures When receiving a notification of misconduct from a Funds Transfer Service Provider, the supervisory authorities shall monitor the status of voluntary business improvement made by the Funds Transfer Service Provider by holding an in-depth interview regarding the facts (the business office where the misconduct occurred, the name, title, and job history of the person who committed such misconduct, a summary of the misconduct, the date when the misconduct was detected, the period of the misconduct, why the misconduct was detected), analysis of the cause of the misconduct, and improvement and response measures against the misconduct, and collecting a report based on Article 54 of the Act when necessary. Furthermore, if it is found that the Funds Transfer Service Provider has a serious problem from the viewpoint of ensuring sound and appropriate operation of the Funds Transfer Services, including the viewpoint of protecting the interests of users, the supervisory authorities shall issue to the Funds Transfer Service Provider an order to improve business operations based on Article 55 of the Act. If a serious and/or malicious violation of laws and regulations is found, the supervisory authorities shall consider issuing an order to suspend business, etc. based on Article 56 of the Act (See VIII-3 for matters to be taken into consideration when conducting administrative dispositions). II-2-2 Provision of Information and Consultation Function, etc. for Protection of Users II-2-2-1 User Protection Measures Article 51 of the Act and Articles 28 through 31 of the Cabinet Office Order require Funds Transfer Service Providers to provide information to users of Funds Transfer Services at the time of commencement of exchange transactions or conclusion of contracts, to deliver receipts at the time of receipt of money, etc., and to take other measures to protect the users. II-2-2-1-1 Major Supervisory Viewpoints (1) General viewpoints (i) In providing explanations and information to users, has the Funds Transfer Service Provider established a framework to explain the matters prescribed in each item of Article 28(2) and each item of Article 29(1) and (2) of the Cabinet Office Order, according to the form of transactions, such as face-to-face transactions, ATMs and other facilities, or non-face-to-face transactions via the Internet? (Note) In addition, has the Funds Transfer Service Provider established a framework to provide information in an appropriate manner, such as by issuing written documents (including

21 electromagnetic means) as necessary and then providing an explanation, in light of the knowledge and experience of the relevant users? Note: As a framework for providing an explanation according to the form of transactions, the following examples may be given, respectively: in the case of face-to-face transactions, a method in which the fact is recorded after delivering a written document or giving an oral explanation; in the case of an ATM transaction, a method in which the necessary information is displayed on the screen and the user is required to confirm it prior to the conclusion of the contract; and in the case of transactions through the Internet, a method in which the user reads the explanatory matters displayed on the screen of the personal computer operated by the user, and clicks a button on the screen after understanding the description. (ii) Has the Funds Transfer Service Provider established internal rules, etc. regarding User Protection Measures specified by laws and regulations, such as the obligation to provide information and deliver a written documents to users? In addition, has the Provider disseminated them through internal training, etc. so that its officers and employees properly handle cases in accordance with the internal rules, etc.? (iii) Are the internal check-and-balance functions such as internal control and internal audit properly working to ensure the effectiveness of User Protection Measures? (iv) Does the Funds Transfer Service Provider make sure to review its business framework for the Funds Transfer Services, based on the examination of the effectiveness of User Protection Measures? (v) In establishing frameworks for dealing with complaints and consultation, has the Funds Transfer Service Provider clearly specified procedures for cases where administrative processing errors have occurred? In addition, has the Provider established a system for smooth processing? (2) Prevention of misidentification with exchange transactions conducted by banks, etc. When providing explanations to prevent misunderstandings with exchange transactions conducted by banks, etc., are the following points explained as matters prescribed in Article 28(2)(iv) of the Cabinet Office Order, in addition to the matters prescribed in (2)(i) to(iii) of the same Article? (i) The fact that the system of security deposits for providing Funds Transfer Services has been established as a user protection framework (ii) With regard to the procedure for execution of security deposits for providing Funds Transfer Services under Article 59, the time when the right to receive a refund thereof is transferred from the remitter to the beneficiary Note: It should be noted that since the refund of security deposits for providing Funds Transfer Services is made to a person to whom a Funds Transfer Service Provider is indebted in relation to exchange transactions, the remitter is to receive the refund until the beneficiary actually receives the funds (unless otherwise set forth in the Terms and Conditions) as described in II-2-2-2-1 (iv) (Note 3). (3) Provision of information to users (i) Taking into account the users' knowledge and experience, etc., does the Funds Transfer Service Provider appropriately explain about the matters prescribed in each item of Article 29(1) and (2) of the Cabinet Office Order, according to the form of transactions?

22 (ii) In cases where a user needs to pay commissions, remuneration, or expenses (hereinafter referred to as “commissions, etc.”) to a person other than the Funds Transfer Service Provider, does the Provider explain the total amount of commissions, etc., or the maximum amount thereof, or the calculation method thereof, including those for the outsourced contractor? (iii) In the case where only the maximum amount or the calculation method is explained, not the actual amount of commissions, etc., does the Funds Transfer Service Provider make sure to additionally explain about the total estimated amount of commissions, etc. for the user to pay or a calculation example thereof? (iv) In light of the purposes of Article 51 of the Act and Article 29 of the Cabinet Office Order, as the matters set forth in Article 29(1)(i) of the Cabinet Office Order, does the Funds Transfer Service Provider explain, as necessary, matters that serves as references when a user decides whether or not to conclude a contract related to the exchange transaction? Note: Matters to be explained in accordance with Article 29(1)(i) of the Cabinet Office Order can include the following, for example. • Method of crediting funds pertaining to exchange transactions • Method of confirming the status of funds used for exchange transactions after issuing an exchange transaction request (v) As the matters set forth in Article29(1)(ii)(e) of the Cabinet Office Order, does the Funds Transfer Service Provider explain, as necessary, matters that serve as references when a user decides whether or not to conclude an account opening contract, etc.? Note: Matters to be explained in accordance with Article 29(1)(ii)(e) of the Cabinet Office Order can include the following, for example. • Matters listed in (iv) Note above • Matters related to the setting of a security code and other security matters • In cases where an account opening contract, etc. caps the amount that the Funds Transfer Service Provider can accept from each user, the upper limit amount (vi) With regard to the matters prescribed in each item of Article 29-2 of the Cabinet Office Order, has the Funds Transfer Service Provider developed a control environment for providing appropriate explanations and information to users in accordance with II-2-2-1-1(1)(i) hereof? Also, is the policy relating to compensation for losses of users and other response prescribed in Article 29-2(v) of the Cabinet Office Order based on II-2-6 hereof? (4) Delivery of receipt (i) Are the contents of documents to be provided written in a clear and easy-to-understand manner for users? (ii) When intending to receive the manifestation of intention of users to consent or withdraw the provision of information by electromagnetic means in lieu of delivering documents, does the Funds Transfer Service Provider record that the user has given consent, etc.? Note: In case of the provision of information by electromagnetic means in lieu of delivery of documents, it should be noted that Funds Service Providers should take care to ensure that users do not suffer any disadvantage even in cases where they do not manifest their intention to consent or where they manifest their intention to revoke consent.

23 (5) Measures to prevent the holding of users’ funds that are considered not to be used for exchange transactions Has the Funds Transfer Service Provider established a method for returning to users funds of said users that are deemed not to be used for exchange transactions? In the case where the return is made by other than the method of transfer to a bank account registered by the user in advance or other measures are taken, is the method appropriate from the viewpoint of promptness and convenience of the user? In addition, has the Funds Transfer Service Provider developed a framework for obtaining necessary information from users in advance in order to make returns, etc. in accordance with specified methods? Note: Regarding the cases in which interest is accrued on the balance of user’s funds, it is considered that a mechanism has been implemented to induce the acceptance of user funds for purposes other than exchange transactions, and that there is a risk of violating the prohibition on the receipt of the deposits under the Act Regulating the Receipt of Contributions, the Receipt of Deposits, and Interest Rates (Act No. 195 of 1954; hereinafter referred to as the “Investment Act”). (6) Measures to prevent funds received from users from being used as resources for loans, etc. In the case where a Funds Transfer Service Provider uses a guarantee contract of security deposits for providing Funds Transfer Services as a method of preserving user funds, if the Funds Transfer Service Provider uses the user funds for lending, it becomes problematic because this can virtually create credit without obtaining a license for banking business. In addition, the Funds Transfer Service Provider will be exposed to liquidity risk by converting the user funds it received for exchange transactions into loans, which are assets with low liquidity. This is also a problem from the viewpoint of ensuring sound and appropriate operation of the Funds Transfer Services including the interests of users. In light of these problems, has the Funds Transfer Service Provider taken measures to securely prevent funds received from users from being used for lending loans and discounting bills? For example, all of the following measures may be taken. (i) With regard to exchange transactions, do the internal rules specifically provide a method for managing funds received from users and funds to be used for loans in separate deposit accounts, and a method for reasonably confirming that funds received from users are not used for loans even when managing funds in one bank account? Note: The term “method for reasonably confirming that funds received from users are not used for loans” can mean, for example, a method to confirm that the amount of the loan is within the range of the amount of the funds to be used for the loan upon grasping in a timely and appropriate manner the amount of the own funds of a Funds Transfer Service Provider from which the fund received from the user is deducted. (ii) If funds received from users and funds to be used for loans are clearly separated by the above method, and if funds received from users and funds to be used for loans are managed in separate deposit accounts, does the Funds Transfer Service Provider verify that no contamination occurs between the accounts in a timely and appropriate manner? (iii) Has the Funds Transfer Service Provider taken measures such as not allowing persons in charge of managing funds received from users to serve as persons in charge of managing funds to be used for loans from the viewpoint of preventing accidents and fraud? In view that Funds Transfer Service Providers are required to conduct Funds Transfer Service in a proper and reliable manner, they are not allowed to freely use funds received from users

24 not only for lending but also for any other purposes than funds transfer. Therefore, it should be noted that Funds Transfer Service Providers are required to ensure sufficient liquidity to smoothly respond to instructions from users and to manage funds so that funds are not easily impaired. (7) Measures in conducting Internet transactions (i) Are links of the Funds Transfer Service Provider’s website configured to prevent a user from misrecognizing a counterparty of transaction? In addition, does the Funds Transfer Service Provider take proper anti-phishing measures in a manner befitting its business, such as providing for measures to allow users to verify the authenticity of the website accessed? (ii) Does the Funds Transfer Service Provider take measures to allow a user to easily confirm and correct the details of his/her instruction concerning an exchange transaction, such as displaying the details of the instruction and then requesting the user to confirm the details before sending it to the Funds Transfer Service Provider? (8) Other measures to ensure user protection With regard to the matters prescribed in Article 31(iv) of the Cabinet Office Order, has the Funds Transfer Service Provider developed a control environment for providing appropriate explanations and information to users in accordance with II-2-2-1-1(1)(i) hereof? Also, is the policy relating to compensation for losses and other response based on II-2-6 hereof? II-2-2-1-2 Supervisory Methods and Measures With regard to issues and challenges, etc. concerning the User Protection Measures of a Funds Transfer Service Provider, which have been identified through the follow-up to the matters indicated in the inspection and the daily supervisory administration such as the notification of misconduct, etc., the supervisory authorities shall monitor the status of voluntary business improvement made by such Funds Transfer Service Provider by holding an in-depth interview regarding the cause of the issue, improvement measures, etc. and, when necessary, collecting a report based on Article 54 of the Act, based on the viewpoints mentioned above. Furthermore, if it is found that the Funds Transfer Service Provider has a serious problem from the viewpoint of ensuring sound and appropriate operations of the Funds Transfer Services, including the viewpoint of protecting the interests of users, the supervisory authorities shall issue to the Funds Transfer Service Provider an order to improve business operations based on Article 55 of the Act. If a serious and/or malicious violation of laws and regulations is found, the supervisory authorities shall consider issuing an order to suspend business, etc. based on Article 56 of the Act (See VIII-3 for matters to be taken into consideration when conducting administrative dispositions). II-2-2-2 Books and Documents The obligation to prepare and preserve books and documents on the Funds Transfer Services is stipulated by law in order to contribute to the protection of the interests of users, by accurately reflecting the business of Funds Transfer Service Providers as well as the amount of outstanding obligations and the status of asset preservation and by requiring the deposit of security deposits for providing Funds Transfer Services based on the entry in said books. In examining such books and documents, the following points shall be taken into consideration in light of the abovementioned intent.

25 II-2-2-2-1 Major Supervisory Viewpoints (i) Has the Funds Transfer Service Provider established internal rules, etc. specifying how to prepare books and documents (Note 1) and disseminated them company-wide through internal training, etc. so that its officers and employees properly handle cases in accordance with such internal rules, etc.? Note 1: The amount of outstanding obligations for a remittance order denominated in foreign currencies needs to be calculated by converting it into Japanese currency, and then entered in the books and documents. Conversion into the Japanese currency shall be done at the middle rate of the spot telegraphic transfer selling rate and the spot telegraphic transfer buying rate on the business day on which the amount of outstanding obligations is calculated. Further, the source of such middle rate shall be, in principle, a principal financial institution of the Funds Transfer Service Provider, but if the Provider has been continuously using another reasonable source, such source may be allowed as well. (ii) Does the Funds Transfer Service Provider have a framework that enables it to promptly ascertain and restore the amount of outstanding obligations by each user in the event of any damage to the books and documents, including those backups? (iii) Does any department, such as the Internal Audit Department, other than the books-and-documents-preparation division, verify the accuracy of the description of the books and documents? (iv) Has the Funds Transfer Service Provider established a system for appropriately recognizing the outstanding obligations in accordance with its approach to the points of time at which such obligations are generated, transferred, and extinguished (Note 2 to 4)? In particular, in the case of international remittance, does the Funds Transfer Service Provider appropriately recognize the time when the counterparty of its obligation transfers from a user in Japan to a user in a foreign state (Note 5)? Furthermore, in cases where the Funds Transfer Service Provider entrusts payments related to exchange transactions to another Funds Transfer Service Provider, etc. does the Funds Transfer Service Provider appropriately recognize the time when outstanding obligations are transferred to said other Funds Transfer Service Provider (Note 6)? Note 2: The generation of outstanding obligations in the process of funds transfer needs to be recognized at the latest upon receipt by Funds Transfer Service Providers (including their subcontractors) of funds from users. Note 3: Funds Transfer Service Providers should be aware that they are indebted to the remitter until the beneficiary actually receives funds by any of the methods listed in (A) through (D) below. In the case where separately agreed upon by the Funds Transfer Service Provider and the beneficiary in the terms and conditions, etc., the counterparty of the obligations of the Funds Transfer Service Provider shall be transferred from the remitter to the beneficiary in accordance with said terms and conditions, etc. (A) Deliver cash to the beneficiary. (B) Credit the amount to the deposit account of the beneficiary at a bank, etc. (including those equivalent thereto in foreign states), with which the beneficiary has an account. (C) Allocate the amount for the payment of goods or services purchased by the beneficiary from the Funds Transfer Service Provider. (D) Receive instructions from the beneficiary to remit the funds to a third party (In this case,

26 it should be noted that an outstanding obligation in the process of funds transfer is generated for the beneficiary as the remitter). Note 4: In the case of Note3 (B) above, it should be noted that, in order to recognize the extinguishment of outstanding obligations in the process of funds transfer, in principle, it is necessary to transfer the obligations owed to the beneficiary from the Funds Transfer Service Provider to the bank, etc. at which the beneficiary has a deposit account, and it is not appropriate for the Funds Transfer Service Provider to recognize the extinguishment of outstanding obligations at the time when the beneficiary gives instructions to said bank, etc. at which the recipient has a deposit account. It should be noted that the Funds Transfer Service Provider is not precluded from recognizing the extinguishment of outstanding obligations at the time when the period reasonably estimated as the period until the funds are credited to the deposit account of the beneficiary has elapsed after the Funds Transfer Service Provider has given a remittance instruction to the banks, etc. Note 5: Of the obligations for exchange transactions that the Funds Transfer Service Provider owes to users, obligations owed to overseas users may not be recorded as outstanding obligations. However, in order for the Funds Transfer Service Provider to be permitted to practice such treatment, it needs to develop the following systems. (A) The address (whether domestic or foreign) of each user must be confirmed. (B) The criteria for classification are clear. (C) Records on the books and documents are classified in accordance with said criteria. Note 6: Even if payment related to exchange transactions is entrusted to another Funds Transfer Service Provider or a money transfer business operator (meaning a person/entity who operates a Funds Transfer Service in a foreign state (excluding a Funds Transfer Service Provider)), in principle, said outstanding obligations for exchange transactions shall not be extinguished until the beneficiary actually receives funds from said entrustee. Provided, however, that in the case where said beneficiary has concluded an agreement with said entrustee to conduct exchange transactions continuously or repeatedly, and where said entrustee will owe obligations to said beneficiary, the outstanding obligations pertaining to said exchange transactions shall be extinguished at the time when said entrustee owes the obligations to said beneficiary. II-2-2-2-2 Supervisory Methods and Measures With regard to issues and challenges, etc. concerning the preparation and preservation of the books and documents of a Funds Transfer Service Provider, which have been identified through the follow-up to the matters indicated in the inspection and the daily supervisory administration such as the notification of misconduct, etc., the supervisory authorities shall monitor the status of voluntary business improvement made by such Funds Transfer Service Provider by holding an in-depth interview regarding the cause of the issue, improvement measures, etc. and, when necessary, collecting a report based on Article 54 of the Act, based on the viewpoints mentioned above. Furthermore, if it is found that the Funds Transfer Service Provider has a serious problem from the viewpoint of ensuring sound and appropriate operations of the Funds Transfer Services, including the viewpoint of protecting the interests of users, the supervisory authorities shall issue to the Funds Transfer Service Provider an order to improve business operations based on Article 55 of the Act. If

27 a serious and/or malicious violation of laws and regulations is found, the supervisory authorities shall consider issuing an order to suspend business, etc. based on Article 56 of the Act (See VIII-3 for matters to be taken into consideration when conducting administrative dispositions). II-2-2-3 Control Environments for Management of User Information Information regarding individual users of Funds Transfer Services needs to be handled in an appropriate manner in accordance with the provisions of Articles 24 to 26 of the Cabinet Office Order, as well as the Act on the Protection of Personal Information (Act No. 57 of 2003; hereinafter referred to as the “Personal Information Protection Act”) as well as the Guidelines on the Act on the Protection of Personal Information (General rules) (Provision to foreign third parties), (Obligation to confirm and record at the time of provision to third parties), (Anonymized information) (hereinafter collectively referred to as the “Personal Information Protection Guidelines”), the Guidelines on the Protection of Personal Information in the Financial Sector (hereinafter referred to as the “Financial Sector Personal Information Protection Guidelines”) and the Guidelines for Practical Affairs regarding Safety Control Measures specified in the Guidelines on the Protection of Personal Information in the Financial Sector (hereinafter referred to as the “Practical Guidelines”). In addition, personal information including credit card information (number and expiration date, etc.)(hereinafter referred to as “credit card information, etc.”) needs to be strictly managed because secondary damage such as spoofed purchase via unauthorized use of such information may occur if it is leaked. In light of the above, when supervising Funds Transfer Service Providers, the following points, for example, shall be taken into consideration. II-2-2-3-1 Major Supervisory Viewpoints (1) Control environments for management of user information (i) Does the management team of the Funds Transfer Service Provider recognize the necessity and importance of ensuring the appropriateness of managing information of users? Has the Funds Transfer Service Provider developed an internal control environment, such as establishing an organizational structure (including establishing appropriate checks between departments) and formulating internal rules to ensure the appropriate management of such information? (ii) Has the Funds Transfer Service Provider formulated a specific standard for the handling of user information and communicated it to all officers and employees through the provision of training and other means? In particular, with regard to the transmission of such information to third parties, has the Funds Transfer Service Provider established the handling standard after sufficient consideration to ensure that procedures are carried out in accordance with the provisions of the aforementioned laws and regulations, the Personal Information Protection Guidelines, the Financial Sector Personal Information Protection Guidelines, and the Practical Guidelines? (iii) Has the Funds Transfer Service Provider established frameworks necessary for examining the management status of user information in a timely and appropriate manner? Such frameworks include management of access to user information (such as preventing access rights assigned to certain people from being used by others), measures to prevent the misappropriation of user information by insiders, and a robust information management system that prevents unauthorized access from the outside. Also, has the Funds Transfer Service Provide taken appropriate measures for preventing

28 wrongful acts utilizing user information, such as the dispersal of authority concentrated upon specific personnel and the enhancement of controls and checks over personnel who have broad powers? (iv) Has the Funds Transfer Service Provider established frameworks for appropriately reporting to responsible divisions when user information has been leaked, and notifying relevant users, reporting to the authorities, and disclosing to public in a prompt and appropriate manner to prevent secondary damage? Also, does the Funds Transfer Service Provider analyze the causes of information leaks and implement measures designed to prevent recurrence? Furthermore, in light of incidents of information being leaked at other companies, does the Funds Transfer Service Provider examine measures needed to prevent a similar incident from occurring at its organization? (v) Does the Funds Transfer Service Provider conduct audits covering the broad range of business operations handling user information by its independent Internal Audit Department on a periodic or as-needed basis? Also, has the Funds Transfer Service Provider implemented appropriate measures, such as training programs, in order to increase the specialization of the staff engaged in audits pertaining to the management of user information? (vi) With regard to a Funds Transfer Service Provider who is a member of a Certified Association for Payment Service Providers, does the Funds Transfer Service Provider regularly have its officers and employees participate in training sponsored by the Certified Association for Payment Service Providers or equivalent training in order to ensure the appropriate handling of information? Also, with regard to a Funds Transfer Service Provider who is not a member of a Certified Association for Payment Service Providers, does the Funds Transfer Service Provider regularly have its officers and employees participate in training with equivalent content to that mentioned above in order to ensure the appropriate handling of information? (2) Management of personal information (i) With regard to information concerning individual users, has the Funds Transfer Service Provider implemented the following necessary and appropriate measures for its safe management and supervision of persons in charge in order to prevent such information from being leaked, lost, or damaged, in accordance with Article 25 of the Cabinet Office Order? (Necessary and appropriate measures concerning safety management) (A) Measures based on Article 8 of the Financial Sector Personal Information Protection Guidelines (B) Measures based on I, and Appendix 2 of the Practical Guidelines (Necessary and appropriate measures concerning supervision of persons in charge) (C) Measures based on Article 9 of the Financial Sector Personal Information Protection Guidelines (D) Measures based on II of the Practice Guidelines (ii) Has the Funds Transfer Service Provider implemented measures to ensure that information regarding the race, religious beliefs, family origin, registered domicile, healthcare, and criminal records of individual users, as well as other specified non-disclosure information (Note), are not used except for the cases specified in each item under Article 5(1) of the Financial Sector Personal Information Protection Guidelines? Note: Other specified non-disclosure information includes the following;

29 (A) Information regarding labor union membership (B) Information regarding ethnicity (C) Information regarding sexual orientation (D) Information regarding matters set forth in Article 2(iv) of the Enforcement Order of the Act on Protection of Personal Information (E) Information regarding matters set forth in Article 2(v) of the Enforcement Order of the Act on Protection of Personal Information (F) Information regarding facts that he/she has suffered damage by crime (G) Information regarding social status (iii) For credit card information, etc., has the Funds Transfer Service Provider implemented the following measures? (A) Has the Funds Transfer Service Provider set an appropriate period of time for keeping credit card information, etc., which takes into account the purpose of use and other circumstances? Does it limit the locations where such information is kept, and dispose of the information in a prompt and appropriate manner after the retention period has lapsed? (B) Has the Funds Transfer Service Provider implemented appropriate measures when displaying credit card information, etc. on computer monitors, such as not displaying whole credit card numbers, unless needed for business operations? (C) Does the independent Internal Audit Department of the Funds Transfer Service Provider conduct internal audit on a periodic or as-needed basis on whether the rules and systems for protecting credit card information, etc. are functioning effectively? (iv) When intending to entrust part of its business to a third party located in a foreign state or to engage in business alliance with such foreign third party, does the Funds Transfer Service Provider confirm the personal information protection system in the foreign state and the measures taken by the third party for the protection of personal information, and then develop a system to appropriately manage personal information in relation to business entrustment or business alliance? (v) Has the Funds Transfer Service Provider taken measures to comply with Article 12 of the Financial Sector Personal Information Protection Guidelines and other applicable provisions with regard to the provision of personal data to third parties? In particular, does the Funds Transfer Service Provider obtain consents from individual users while paying attention to the following points according to the nature and methods of the business? (A) When obtaining a consent from an individual user for the provision of his/her information to a third party in a non-face-to-face manner such as via PC or smartphone, etc., has the Funds Transfer Service Provider designed the relevant webpage so that individual customers can easily understand the content and purpose of use of information provided to such third party by making it more customer-friendly in terms of the text of consent, letter size, screen specifications, manner of giving consent, etc. in accordance with Article 3 of the Financial Sector Personal Information Protection Guidelines? (B) Even in the case where the Funds Transfer Service Provider has obtained a consent for the provision of personal information to a third party from an individual user in the past, if the third party to which the information is provided or the content of information to be provided is different from the past case or if the scope of provision of such information exceeds the necessary extent to achieve a utilization purpose specified before, does the Funds Transfer Service Provider obtain a consent from such individual user again? (C) In cases where personal information of individual users is provided to multiple third

30 party contractors or where the purpose of use of personal information varies at each third party contractor, does the Funds Transfer Service Provider consider the scope of the third parties for which a consent of the user must be obtained, and how and when to obtain such consent in a proper manner so that the individual users are able to understand the fact that their information will be provided to multiple third parties, as well as the purpose of use at each third party contractor? (D) In obtaining a consent for the provision of personal information to third parties, is the Funds Transfer Service Provider mindful not to cause any risk of abuse of superior position or conflict on interests between it and the individual user? For example, is an individual user forced to give a consent beyond the reasonable scope of provision in terms of the third parties to which the personal information is provided, the purpose of use, or the content of information to be provided? II-2-2-3-2 Supervisory Methods and Measures With regard to issues and challenges, etc. concerning control environment for management of user information of a Funds Transfer Service Provider, which have been identified through the follow-up to the matters indicated in the inspection and the daily supervisory administration such as the notification of misconduct, etc., the supervisory authorities shall monitor the status of voluntary business improvement made by such Funds Transfer Service Provider by holding an in-depth interview regarding the cause of the issue, improvement measures, etc. and, when necessary, collecting a report based on Article 54 of the Act, based on the viewpoints mentioned above. Furthermore, if it is found that the Funds Transfer Service Provider has a serious problem from the viewpoint of ensuring sound and appropriate operations of the Funds Transfer Services, including the viewpoint of protecting the interests of users, the supervisory authorities shall issue to the Funds Transfer Service Provider an order to improve business operations based on Article 55 of the Act. If a serious and/or malicious violation of laws and regulations is found, the supervisory authorities shall consider issuing an order to suspend business, etc. based on Article 56 of the Act (See VIII-3 for matters to be taken into consideration when conducting administrative dispositions). Note: With regard to the handling of personal information, note that there are some cases in which necessary measures should be taken according to the delegation of authority to the competent minister for the relevant business under the Act on the Protection of Personal Information as needed. II-2-2-4 Dealing with Complaints, etc.(including Financial ADR System) In terms of user protection, one of important activities for Funds Transfer Service Providers is to sincerely respond to consultations, complaints, and disputes, etc. (hereinafter referred to as “complaints, etc.”) from users so as to get their understanding that such effort has the meaning of supplementing their accountability to users ex post facto. In recent years, the importance of dealing with complaints, etc. ex post facto has been further increasing from the viewpoint of protecting users and ensuring the reliability of the Funds Transfer Service Business (which refers to the business of Funds Transfer Services conducted by Funds Transfer Service Providers; the same shall apply hereinafter). Based on these perspectives, a financial ADR system has been introduced as a framework for simply and expeditiously processing complaints and resolving disputes (refer to Note for description of ADR), and Funds Transfer Service Providers are required to appropriately handle complaints, etc. taking into account this financial ADR system.

31 Note: ADR (Alternative Dispute Resolution) An alternative method to litigation for resolving disputes which is based on agreement by the parties, such as mediation or arbitration. ADR is expected to result in prompt, simple, and flexible dispute resolution in a manner suited to the nature of the case, the circumstances of the parties, and so on. In addition to consultations, there may be various forms of allegations regarding Funds Transfer Service Business, including representation of dissatisfaction, such as so-called complaints and disputes, from customers. It is important for Funds Transfer Service Providers to appropriately deal with these various forms of allegations, and they are required to develop an appropriate internal control environment to enable such responses. In addition, Funds Transfer Service Providers are also required to develop appropriate control environments respectively for complaints and disputes in the financial ADR system. However, it must be added that the distinction between these complaints and disputes is relative and they are connected with each other. In particular, in light of the requirement in the financial ADR system for designated ADR bodies (Note) to ensure links between complaint processing procedures and dispute resolution procedures, rather than dealing with individual cases by formally dividing allegations made by users into “complaints” and “disputes,” it is important that Funds Transfer Service Providers deal with complaints and dispute appropriately while taking into consideration their relativity and connections. Note: Designated ADR bodies refer to Designated Dispute Resolution Organizations for Funds Transfer Service Business (“Designated Dispute Resolution Organizations” as defined in Article 2(13) of the Act, for which the category of Dispute Resolution Services is Funds Transfer Service Business). II-2-2-4-1 Major Supervisory Viewpoints concerning Establishment of Internal Control Environment for Handling Complaints, etc. The supervisors shall examine the respective internal control environments of Funds Transfer Service Providers to grasp how they deal with complaints, etc. by paying attention to the following points, for example. (i) Establishment of an internal control environment by the management team Does the management team exercise its functions properly with regard to the establishment of the company-wide internal control environment for the function of dealing with complaints, etc.? (ii) Development, dissemination, and thorough implementation of internal rules, etc. (A) Has the Funds Transfer Service Provider specified the divisions in charge of complaint, etc., their responsibilities and authorities, as well as the procedures for dealing with complaints, etc. in its internal rules, etc. so that such complaints, etc. can be responded to and dealt with in a prompt, fair, and appropriate manner? In addition, has the Provider established procedures concerning business improvement so that the views of users are reflected in the conduct of business operations? (B) Has the Funds Transfer Service Provider developed a control environment to disseminate internal rules, etc. to its officers and employees and thoroughly implemented them by means of training and other measures (including the distribution of manuals and so forth) so that business operations for dealing with complaint, etc. can be conducted based on those internal rules, etc.? Particularly in cases where complaints, etc. are being made frequently by users, does the

32 Funds Transfer Service Provider first confirm how internal rules, etc. (not only those for dealing with complaint, etc.) are publicized and enforced at business offices? And then does the Funds Transfer Service Provider examine the causes and problem areas in terms of control environments? (iii) Control environment for dealing with complaints, etc. (A) Has the Funds Transfer Service Provider appropriately appointed staff in charge of dealing with complaints, etc.? (B) Has the Funds Transfer Service Provider developed a control environment wherein relevant divisions cooperate and promptly deal with complaints, etc. from users? In particular, has the Funds Transfer Service Provider developed a control environment wherein the responsible division or person in charge of dealing with complaints, etc. strives to fully understand complaints, etc. faced by individual employees, and reports promptly to the relevant divisions? (C) Has the Funds Transfer Service Provider developed a control environment wherein it promptly settles any outstanding cases and prevents the occurrence of any long-term outstanding cases by conducting progress management aimed at the resolution of such complaints, etc.? (D) Has the Funds Transfer Service Provider developed a control environment wherein it improves the response provided at contact points according to the occurrence of complaints, etc., and wherein it can receive complaints, etc. extensively, such as by setting access hours and means of access (for example, multiple channels such as e-mail, telephone, and facsimile) that are considerate of user convenience? Also, has the Funds Transfer Service Provider developed a control environment wherein it extensively publicizes these contact points and ways of making allegations, and wherein it makes them well known to users in an easy-to-understand manner taking into account their diversity? (E) In dealing with complaints, etc., has the Funds Transfer Service Provider developed a control environment for ensuring the proper handling of personal information in accordance with the Act on the Protection of Personal Information and other applicable laws and regulations, the Financial Sector Personal Information Protection Guidelines, etc.? (See “II-2-2-3 Control Environments for Management of User Information.”) (F) With regard to complaints, etc. concerning outsourced business operations conducted by an outsourced contractor, has the Funds Transfer Service Provider developed a control environment for handling complaints, etc. promptly and appropriately, such as by establishing a system of direct communication to the Provider itself (see “II-2-3-3 Outsourcing”)? (G) Has the Funds Transfer Service Provider developed a control environment wherein it can communicate quickly with relevant divisions and cooperate with the police and other relevant organizations where necessary, in order to distinguish any pressure by anti-social forces disguised as complaints, etc. from ordinary complaints, etc. and to take a resolute stance against them? (iv) Responses to users (A) Does the Funds Transfer Service Provider go beyond perceiving the dealing with complaints, etc. as a simple problem of processing procedures, and instead regard it as a question of a control environment for providing ex post facto explanations? And has it established a control environment to sincerely respond to and resolve complaints, etc.

33 with the understanding and agreement of each user wherever possible while suitably interviewing the respective users on the circumstances according to the nature of complaints, etc.? (B) Has the Funds Transfer Service Provider developed a control environment wherein it provides users who have made complaints, etc. with appropriate explanations, as necessary, according to the progress of the procedures for dealing with complaints, etc. while also being considerate of the specific characteristics of the respective users, from the time complaints, etc. are made to after the settlement (for example, an explanation of the procedures for dealing with complaints, etc., notification to the effect that the allegation has been received, an explanation on the progress, an explanation of the results, etc.)? (C) Has the Funds Transfer Service Provider developed a control environment wherein it not only deals with such complaints, etc. on its own but also refers the relevant users to appropriate external organizations (including the external organization that the Funds Transfer Service Provider uses under the financial ADR system), according to details of complaints, etc. and user requests, etc.? In addition, has the Provider developed a control environment wherein it provides information, such as the outline of its standard procedures? In cases where there is more than one means of processing a complaint or resolving a dispute (including the financial ADR system), users should be able to choose freely, and so in referring users to external organizations, care should be taken so that each user’s choice is not unduly restricted. (D) Has the Funds Transfer Service Provider developed a control environment wherein, even during a period when proceedings for dealing with one of complaints, etc. are pending at an external organization(including the external organization that the Funds Transfer Service Provider uses under the financial ADR system), the Provider takes appropriate action where necessary with respect to the user who is the other party to said proceedings (such as ordinarily providing the user with general materials or explanations)? (v) Information sharing, business improvements, etc. (A) Has the Funds Transfer Service Provider developed a control environment wherein the complaints, etc. categorized into typical patterns and their respective results, etc. are reported to the Internal Control Department and the Sales Division, and wherein information necessary for the particular case is shared between those concerned, such as promptly reporting cases that are recognized as important to the Audit Department and the management team? (B) Does the Funds Transfer Service Provider properly and accurately record and store information on the contents of complaints, etc., and the results of dealing with them, including both complaints, etc. it deals with on its own, and those dealt with through the mediation of an external organization? Also, has the Funds Transfer Service Provider developed a control environment wherein it analyzes the contents of complaints, etc., and the result of dealing with them, taking into consideration information, etc., provided by a designated ADR body, and applies this on an ongoing basis to the improvement of control environments for dealing with users and conducting administrative processes and to the formulation of measures for preventing any occurrence or recurrence of complaints, etc.? (C) Has the Funds Transfer Service Provider developed a control environment wherein the internal checks and balances functions, such as those of inspection and audit, can

34 function properly to ensure the effectiveness of how complaints, etc. are dealt with? (D) In reflecting the results of dealing with complaints, etc. in the conduct of business operations, has the Funds Transfer Service Provider developed a control environment wherein the management team supervises over any decisions to implement measures for business improvement or recurrence prevention, as well as any examination and ongoing review of how the control environment for dealing with complaints, etc. should be? (vi) Relationship with external organizations (including the external organization that the Funds Transfer Service Provider uses under the financial ADR system) (A) Has the Funds Transfer Service Provider developed a control environment wherein it cooperates appropriately with external organizations in working toward the prompt resolution of complaints, etc.? (B) In filing a petition for dispute resolution procedures for itself, has the Funds Transfer Service Provider developed a control environment wherein it first responds sufficiently to the allegation of complaints, etc. from the user and goes through an appropriate internal deliberation on the need for the petition, rather than simply filing a petition without fully exhausting its own procedures? II-2-2-4-2 Responses to the Financial ADR System II-2-2-4-2-1 Major Supervisory Viewpoints in Cases Where a Designated Dispute Resolution Organization for Funds Transfer Service Business (Designated ADR Body) exists In order to enhance user protection and improve user confidence in the Funds Transfer Services, it is important to ensure substantial equality between Funds Transfer Service Providers and users, and to resolve users’ complaints, etc. in a neutral, fair, and effective manner. Therefore, in the financial ADR system, complaint processing and dispute resolution from a third-person perspective are conducted by designated ADR bodies with the participation of experts and others. Under the financial ADR system, responses to complaint processing and dispute resolution are primarily regulated according to a basic contract for execution of procedures (Article 99(1)(viii) of the Act) concluded between Funds Transfer Service Providers and designated ADR bodies. Funds Transfer Service Providers are required to appropriately address their obligations, etc. set forth in their basic contracts for execution of procedures, while bearing in mind the objective of processing complaints or resolving disputes at designated ADR bodies. The supervisors shall examine how Funds Transfer Service Providers respond to the financial ADR system, by paying attention to the following points, for example. (i) Basic contract for execution of procedures (A) Has the Funds Transfer Service Provider promptly concluded a basic contract for execution of procedures with a designated ADR Body with regard to the Funds Transfer Service Business it conducts? For example, even if there are changes such as a designated ADR body having its designation rescinded or a new ADR body being designated, does the Funds Transfer Service Provider select the best measure from the perspective of user convenience and promptly implement any necessary measures (such as implementing new complaint processing measures or dispute resolution measures, or concluding a basic contract for execution of procedures)? Also, does the Funds Transfer Service Provider take appropriate action, such as making it known to all users?

35 (B) Has the Funds Transfer Service Provider developed a control environment to faithfully perform the basic contract for execution of procedures concluded with a designated ADR body? (ii) Publication, dissemination, and response to users (A) Has the Funds Transfer Service Provider properly publicized the name or trade name and the contact address of a designated ADR body with which it has concluded a basic contract for execution of procedures? With regard to methods of publication, Funds Transfer Service Providers are required to take measures suitable to the size and specific characteristics of their business operations, for example, presenting information on their websites, putting up posters at their branches, producing and distributing pamphlets, and conducting publicity activities through the mass media. Even supposing that a Funds Transfer Service Provider has posted information on its website, if it is assumed that there are users who cannot view this information, the Funds Transfer Service Provider is required to give consideration to these kinds of users. In publicizing such information, does the Funds Transfer Service Provider present it in a manner that is easy for users to understand? (For example, in the case of publicizing information on a website, the page should be so designed that users can easily access the page that provides information on the use of the financial ADR system.) (B) Has the Funds Transfer Service Provider developed a control environment wherein it disseminates any necessary information to users, such as the flow of standard procedures by the designated ADR body and the effects of using a designated ADR body (such as the effect of interruption of prescription), in light of the basic contract for execution of procedures? (iii) Complaint processing procedures and dispute resolution procedures (A) Has the Funds Transfer Service Provider developed a control environment wherein, in cases where it receives a request from a designated ADR body for compliance with procedures, submission of materials, or the like, it responds to the request promptly, unless there is a justifiable reason not to do so? (B) Has the Funds Transfer Service Provider developed a control environment wherein, in cases where it refuses a request from a designated ADR body to comply with procedures, submit materials, or the like, the Funds Transfer Service Provider conducts a proper examination as an organization with respect to such decision of refusal, rather than the division that caused the complaint or dispute simply deciding by itself to refuse the request? Also, has it developed a control environment wherein, wherever possible, it explains the reasons (justifiable reasons) for that decision? (C) Has the Funds Transfer Service Provider developed a control environment wherein, in cases where it is presented with a recommendation to accept a reconciliation plan or with a special conciliation proposal from a dispute resolution committee member, it makes prompt decisions on whether or not to accept it? (D) Has the Funds Transfer Service Provider developed a control environment wherein, in cases where it has accepted a reconciliation plan or a special conciliation proposal, the division in charge takes prompt action, and the Inspection/Audit Department(s) conduct(s) a follow-up examination on matters, including the progress of its fulfillment? (E) Has the Funds Transfer Service Provider developed a control environment wherein, in cases where it rejects acceptance of a reconciliation plan or a special conciliation proposal, it promptly explains its reasoning and takes necessary action, such as

36 instituting legal proceedings, in light of the operational rules (which refer to the “operational rules” as defined in Article 52-67(1) of the Banking Act, which will be applied mutatis mutandis pursuant to Article 101 of the Act)? II-2-2-4-2-2 Major Supervisory Viewpoints in Cases without Designated Dispute Resolution Organization for Funds Transfer Service Business (Designated ADR Body) In the financial ADR system, even in cases where there is no designated ADR body, there is a legal requirement for Funds Transfer Service Providers to instead implement complaint processing measures and dispute resolution measures. Funds Transfer Service Providers are required to ensure complete user protection and to strive to improve user confidence by implementing these measures properly and by resolving any complaints or disputes regarding Funds Transfer Service Business in a simple and expeditious manner. The supervisors shall examine cases where Funds Transfer Service Providers implement complaint processing measures and dispute resolution measures by paying attention to the following points, for example. (i) Selection of complaint processing measures and dispute resolution measures Does the Funds Transfer Service Provider, in view of the nature of its Funds Transfer Service Business, the occurrence of complaints, etc., its trading area, and other factors, appropriately select one or more of the following measures prescribed by laws and regulations as its complaint processing measures or dispute resolution measures? In such cases, it is desirable that the Funds Transfer Service Provider, in doing so, should have measures in place that enhance convenience for the user in making complaints or disputes, such as providing an environment that makes it easier for the user to access relevant services in terms of geography. (A) Complaint processing measures a) Have consumer counselors or the like with certain experience provide advice and guidance to employees engaged in complaint processing; b) Establish and publicize its own business management system and internal rules; c) Use a Certified Association for Payment Service Provider; d) Use the National Consumer Affairs Center of Japan or a local consumer affairs center; e) Use a designated ADR body for another business category; and f) Use a corporation capable of fairly and appropriately executing complaint processing services. (B) Dispute resolution measures a) Use the certified dispute resolution procedures set forth in the Act on Promotion of Use of Alternative Dispute Resolution; b) Use a bar association; c) Use the National Consumer Affairs Center of Japan or a local consumer affairs center; d) Use a designated ADR body for another business category; and e) Use a corporation capable of fairly and appropriately executing dispute resolution services. (C) Has the Funds Transfer Service Provider developed a control environment wherein it continuously monitors the processing status of complaints and disputes, and where necessary, reviews and revises its complaint processing measures and dispute resolution measures? (D) In cases where the Funds Transfer Service Provider utilizes a corporation that can

37 conduct complaint processing services or dispute resolution services in a fair and appropriate manner ((A)f or (B)e above), does the Funds Transfer Service Provider assess whether said corporation is a corporation who has a financial basis and personnel structure that are sufficient to fairly and appropriately carry out operations pertaining to the complaint processing and dispute resolution (Article 32-4(1)(v) and (2)(iv) of the Cabinet Office Order), in a reasonable manner based on considerable materials and other factors? (E) In cases where the Funds Transfer Service Provider utilizes an external organization, although it is not a requirement for the Funds Transfer Service Provider to necessarily enter an outsourcing contract with said external organization, it is desirable to make arrangements in advance regarding matters such as the flow of standard procedures and terms and conditions regarding the burden of expenses. (F) With regard to cases where expenses arise when the procedures of an external organization are used, has the Funds Transfer Service Provider taken measures to prevent the expenses from becoming an impediment to the filing of a petition for complaint processing or dispute resolution, such as taking measures likely to prevent the user’s share of expenses from becoming excessive? (ii) Operation The supervisory authorities shall examine whether the Funds Transfer Service Provider has made inappropriate use of the complaint processing measures and dispute resolution measures, such as limiting the scope of application excessively. It should also be kept in mind whether the Funds Transfer Service Provider has maintained appropriate coordination between complaint processing measures and dispute resolution measures. (iii) Points to note regarding complaint processing measures (in cases where Funds Transfer Service Providers develop their own control environments) (A) Cases where a control environment is developed wherein consumer counselors or the like give guidance and advice to employees a) Has the Funds Transfer Service Provider developed a control environment wherein it improves the skills of its employees engaged in processing complaints, such as periodically conducting training run by consumer counselors or the like? b) Has the Funds Transfer Service Provider developed a control environment wherein it utilizes the specialized knowledge and experience of consumer counselors and the like, where necessary, for processing individual cases, such as building a network with consumer counselors and the like? (B) Cases where a Funds Transfer Service Provider develops its own operational system and internal rules a) Has the Funds Transfer Service Provider properly developed an operational system and internal rules according to the status of occurrence of complaints? And has it developed a control environment wherein it processes complaints in a fair and appropriate manner based on said system and rules? b) Has the Funds Transfer Service Provider made users aware of the contact point for making complaints in an appropriate manner? And has it properly published the operational system and internal rules pertaining to complaint processing? In terms of the content of the dissemination and publications, although publishing the full text of the internal rules is not necessarily needed, in order for users to confirm for themselves whether complaints are being processed in accordance with appropriate

38 procedures, it is important that the contact for inquiry about the complaint processing and the flow of standard operations be clearly indicated. In light of this, the supervisors should check whether the Funds Transfer Service Provider has published the information covering these matters. For the methods of publicity and publication, refer to II-2-2-4-2-1(ii). (iv) Points to note regarding complaint processing measures (when using external organizations) and dispute resolution measures (A) In cases where a Funds Transfer Service Provider is using an external organization, from the perspective of user protection, it is desirable that the Funds Transfer Service Provider disseminate and publish information on the external organization, including, for example, the fact that users are eligible to use the external organization for making complaints or disputes, the name of the external organization, its contact information, instructions on how to use it, and so forth, in a manner that is easy for users to understand. (B) If the petition for complaint processing or dispute resolution is outside the scope handled by the external organization to which the user was first referred by the Funds Transfer Service Provider because of geographical reasons, the nature of the complaint or dispute, or for any other reason, or if the petition is suitable for handling by another external organization, etc. (not limited to external organizations used by the Funds Transfer Service Provider as complaint processing measures or dispute resolution measures), has the Funds Transfer Service Provider developed a control environment for referring users to other external organizations? (C) Has the Funds Transfer Service Provider developed a control environment wherein, in cases where it receives a request from an external organization for compliance with complaint processing or dispute resolution procedures, a request for an investigation of the facts, a request for the submission of relevant materials or the like, it responds to the request promptly in light of the rules, etc. of the external organization? (D) Has the Funds Transfer Service Provider developed a control environment wherein, in cases where it refuses a request for compliance with complaint processing or dispute resolution procedures, a request for an investigation of the facts, a request for the provision of relevant materials or the like, the Funds Transfer Service Provider conducts a proper examination as an organization with respect to such decision of refusal, in light of the details of the complaint or dispute, the nature of the facts or materials, and the rules, etc. of external organizations, rather than the division that caused the complaint or dispute simply deciding by itself to refuse the request? Also, has the Funds Transfer Service Provider developed a control environment wherein it explains the reasons for the refusal wherever possible in light of the rules, etc. of the external organization? (E) Has the Funds Transfer Service Provider developed a control environment wherein, in cases where it is presented with a proposed solution such as a reconciliation plan or mediation plan from an external organization that has commenced dispute resolution procedures (hereinafter referred to as a “proposed solution”), it makes prompt decisions on whether or not to accept the proposed solution, in light of the rules, etc. of the external organization? (F) Has the Funds Transfer Service Provider developed a control environment wherein, in cases where it has accepted a proposed solution, the division in charge takes prompt action, and the Inspection/Audit Department(s) conduct(s) a follow-up examination on matters, including the progress of its fulfillment?

39 (G) Has the Funds Transfer Service Provider developed a control environment wherein, in cases where it rejects acceptance of a proposed solution, it promptly explains its reasoning and takes necessary action, in light of the rules, etc. of the external organization? II-2-2-4-3 Provision of Information to Users Under laws and regulations, Funds Transfer Service Providers are required to clearly indicate how they respond to the financial ADR system as information to users. When providing such information, in cases where there is no designated ADR body, Funds Transfer Service Providers are required to explain the details of their complaint processing measures and dispute resolution measures. In addition to this, it should be kept in mind that Funds Transfer Service Providers need to explain relevant information in the context of their actual situation such as, if, for example, a Funds Transfer Service Provider utilizes an external organization, the name and point of contact thereof, etc. (in cases where part of the services pertaining to the complaint processing or dispute resolution are entrusted to another organization, then including such other organization). II-2-2-4-4 Supervisory Methods and Measures With regard to issues and challenges, etc. concerning control environment of a Funds Transfer Service Provider for dealing with complaints, etc. including the Financial ADR System, which have been identified through the follow-up to the matters indicated in the inspection and the daily supervisory administration such as the notification of misconduct, etc., the supervisory authorities shall monitor the status of voluntary business improvement made by such Funds Transfer Service Provider by holding an in-depth interview regarding the cause of the issue, improvement measures, etc. and, when necessary, collecting a report based on Article 54 of the Act, based on the viewpoints mentioned above. Furthermore, if it is found that the Funds Transfer Service Provider has a serious problem from the viewpoint of ensuring sound and appropriate operations of the Funds Transfer Services, including the viewpoint of protecting the interests of users, the supervisory authorities shall issue to the Funds Transfer Service Provider an order to improve business operations based on Article 55 of the Act. If a serious and/or malicious violation of laws and regulations is found, the supervisory authorities shall consider issuing an order to suspend business, etc. based on Article 56 of the Act (See VIII-3 for matters to be taken into consideration when conducting administrative dispositions). In cases where there is a designated ADR body, even if a Funds Transfer Service Provider is found to be in breach or negligence of the obligation to comply with procedures, this is the Funds Transfer Service Provider’s nonfulfillment pertaining to the basic contract for execution of procedures with the ADR body and does not immediately result in administrative disposition. Being mindful of this, the supervisory authorities should make a relevant judgment by overseeing the Funds Transfer Service Provider’s responses comprehensively and continuously. It should also be kept in mind that an individual dispute that arises between a user and a Funds Transfer Service Provider is, in general, a problem pertaining to a private-law contract, and as such, is basically a matter to be resolved between the parties via ADR or other judicial or legal proceedings. II-2-3 Administrative Operations

40 II-2-3-1 IT System Risk Management Information technology (IT) system risk refers to the risk of loss incurred by a user or a Funds Transfer Service Provider due to a computer system failure, malfunction, or other inadequacies, and/or the risk that a user or a Funds Transfer Service Provider incurs a loss due to the unauthorized use of a computer systems. Due to the nature of their business, Funds Transfer Service Providers often have sophisticated and complex information systems that are linked to various services and systems (including those provided by outside operators). In addition, the risk of unauthorized access to and leakage of important information has increased along with the spread of computer networking. The safe and stable system operation is a major prerequisite for ensuring the reliability of the payment service system and Funds Transfer Service Providers. It is extremely important to enhance and strengthen the control environment for managing IT system risk. In addition, IT strategies of Funds Transfer Service Providers are critical issues that influence their business model in light of recent changes in the financial environment, and there is an increasing need for Funds Transfer Service Providers to consider management strategies and IT strategies in an integrated manner. From these viewpoints, it is extremely important for the management team of a Funds Transfer Service Provider to show leadership, link information technologies to management strategies according to the scale and characteristics of the Funds Transfer Service Provider, and thereby have “IT governance,” which is a mechanism to create corporate value through such initiatives, work properly and well. In this regard, however, even if a Funds Transfer Service Provider fails to respond literally as described in each of the following supervisory viewpoints, it shall not be regarded as inappropriate if it is deemed that there are no particular problems from the viewpoint of user protection in light of the size of the Funds Transfer Service Provider, the role of the computer system in its Funds Transfer Service Business, and other characteristics. Reference: Summary of Issues and Practices for Dialogue on IT Governance of Financial Institutions (June 2019) II-2-3-1-1 Major Supervisory Viewpoints (1) Recognition of IT system risk (i) Have officers and employees, including the representative director, fully recognized the importance of IT system risk, reviewed it regularly, and formulated a basic policy for the company-wide management of IT system risk? (ii) Has the representative director recognized that prevention of an IT system failure and cybersecurity incident (hereinafter referred to as “IT system failures, etc.”) and efforts for speedy recovery on the occurrence of such IT system failures, etc. is an important issue for the management of the Funds Transfer Service Provider, and developed an appropriate control environment? Note: “Cybersecurity incidents” refer to instances of cybersecurity being threatened by so-called “cyberattacks”, including unauthorized intrusion, theft, modification, and destruction of data, failure or malfunction of information systems, and execution of illegal computer programs and DDoS attacks, committed via the Internet through malicious use of information communication networks and information systems. (iii) Does the Board of Directors appoint an officer who oversees and manages IT system, fully recognizing the importance of IT system risk? It is desirable that the officer in charge of IT systems should be a person who has sufficient knowledge and experience in IT systems to

41 properly pursue the relevant operations. (vi) Have the representative director and directors (or directors and executive officers in case where the Funds Transfer Service Provider is a company with nominating committee, etc.) determined their specific responsibility to assume and response to take in case of crisis where an IT system failure, etc. occurs? Also, do they conduct drills giving directions by themselves and ensure the effectiveness thereof? (2) Control environment for managing IT system risk (i) Has the Board of Directors established the risk management environment while fully understanding that, due to a highly networked computer system, if risk becomes apparent, the impact would cause chain reaction, spread widely and seriously, and adversely affect the management of the Funds Transfer Service Provider? In addition, in cases where the Funds Transfer Service Provider conducts the Funds Transfer Service Business as part of multiple integrated services, has the Funds Transfer Service Provider developed a risk management system covering the overall system of these multiple services? (ii) Has the Funds Transfer Service Provider established the basic policy for managing the IT system risk? Does the basic policy for managing the IT system risk contain the security policy (a basic policy for proper protection of information assets of an organization) and the policy on outsourced contractors? (iii) Is the Funds Transfer Service Provider basing the details of its control environment for managing the IT system risk on criteria that allow it to judge objective levels of its details? Also, does the Funds Transfer Service Provider revise, on a continual basis, its control environment for managing the IT system risk according to identification and analysis of system failures, etc., results of implementation of risk management, progress of technology, etc.? (3) Assessment of the IT system risk (i) Does the division in charge of managing the IT system risk recognize and assess risks periodically and in a timely manner by recognizing that risks are becoming diversified due to changes in the external environment, such as seen in the examples of IT system failures, etc. induced by large-scale transactions as a result of increased customer channels and efforts to enhance information networks that bring more diverse and broad-based impact? Also, does it take sufficient measures to address the risks that have been identified? If the Funds Transfer Service Provider has sophisticated and complex information systems that are linked to various services and systems (including those provided by outside operators), are the following included in the IT system risk? • Risks arising from the use of diverse services and systems; and • Risks associated with linking with a variety of services and systems, including responding to a surge in transactions. In cases where transactions are expected to increase sharply, does the Funds Transfer Service Provider take necessary measures by coordinating in advance the number of expected transactions with other companies that use the linked IT systems? (ii) Does the division in charge of managing the IT system risk identify and manage the upper limit of the transactions through the computer system, such as the number of transactions possible per day, for example? And does it consider system and administrative measures for

42 cases where the transactions exceed the upper limit? (iii) Do the departments in charge of users cooperate with the division in charge of managing the IT system risk at the time of introduction of the services and/or at the time of any change in the contents and methods thereof? And does the department in charge of managing the IT system risk evaluate a relevant IT system regardless of whether the system is newly developed or not? (4) Management of information security (i) Has the Funds Transfer Service Provider developed a policy, prepared organizational readiness, introduced internal rules, and developed an internal control environment in order to appropriately manage information assets? Also, is it making continuous efforts to improve its information security control environment through the PDCA cycle, taking notice of illegal incidents or lapses at other companies? (ii) Does the Funds Transfer Service Provider manage information security by designating individuals responsible for it and clarifying their roles/responsibilities in efforts to maintain the confidentiality, integrity, and availability of information? Also, are the individuals responsible for information security tasked to handle the security of IT system, data, and network management? (iii) Does the Funds Transfer Service Provider take measures to prevent unauthorized use of computer systems, unauthorized access, and intrusion by malicious computer programs such as computer viruses? (iv) Does the Funds Transfer Service Provider comprehensively identify, grasp and manage important information on users for which it should be responsible? Does the scope of important information to be identified by the Funds Transfer Service Provider cover information and data used in the course of business operations or stored in IT systems and kept by outsourced contractors and include data, for example, as listed below? • Data stored in the areas within the IT system that are not used in ordinary operations; • Data output from the IT system for analyzing system failures; and • Data, etc. transferred to outsourced contractors and partners (v) Does the Funds Transfer Service Provider assess importance and risks regarding important user information that has been identified? Also, has it developed rules to manage information, such as those listed below, in accordance with the importance and risks of each type of information? • Rules to encrypt or mask information; • Rules for utilizing information; and • Rules on handling data storage media, etc. (vi) Has the Funds Transfer Service Provider introduced measures to discourage or prevent unauthorized access, unauthorized retrieval, data leakage, etc. such as those listed below, for important user information? • Provision of access rights limited to the extent necessary according to the respective roles of the divisions and sites (including overseas ones) • Provision of access rights limited to the extent necessary according to the authority of employees • Storage and monitoring of access logs • Introduction of mutual checking functions such as by separating the individuals in charge

43 of development and those responsible for operations, or system administrators and system users, etc. (vii) Has the Funds Transfer Service Provider introduced rules for controlling confidential information, such as encryption and masking? Also, has it introduced rules regarding the management of encryption programs, encryption keys, and design specifications for encryption programs, etc.? Note that “confidential information” refers to any information that may cause damage or loss to customers if it is disclosed or stolen, such as PINs, passwords, credit card information, etc. (viii) Does the Funds Transfer Service Provider give due consideration to the necessity of holding/disposing of, restricting access to, and taking outside, confidential information, and treat such information in a stricter manner? (ix) Does the Funds Transfer Service Provider periodically monitor its information assets to see whether they are managed properly according to management rules, etc. and review the control environment on an ongoing basis? (x) Does the Funds Transfer Service Provider conduct security education (including securities education at outsourced contractors) to all officers and employees in order to raise awareness of information security? (xi) Has the Funds Transfer Service Provider taken measures in case of data loss, such as taking backup of data on a regular basis? (5) Cyber security management (i) Has the Board of Directors, etc. introduced the necessary control environment upon recognizing the importance of cybersecurity amid increasingly sophisticated and cunning cyberattacks? (ii) Has the Funds Transfer Service Provider introduced systems to maintain cybersecurity, such as those listed below, in addition to making the organization more secure and formulating internal rules? • Monitoring systems against cyberattacks; • Systems to report cyberattacks and public-relation system when attacks occur; • Emergency measures by an in-house Computer Security Incident Response Team (CSIRT) and systems for early warning; and • Systems of information collection and sharing through information-sharing organizations, etc. (iii) Has the Funds Transfer Service Provider introduced a multi-layered defense system against cyberattacks that combines security measures respectively for inbound perimeter control, internal network security control, and outbound perimeter control? • Security measures for inbound perimeter control (e.g. installation of a firewall, web application firewall, anti-virus software, unauthorized intrusion detection system, unauthorized intrusion prevention system, etc.); • Internal measures (e.g. proper management of privileged IDs and passwords, deletion of unnecessary IDs, monitoring of execution of specific commands, securing of production systems (between servers) (packet filtering and encryption of communications), separation of networks in development environments (including test-phase environments) and use-phase environments, separation of network segments according to usage purposes, etc.)

44 • Security measures for outbound perimeter control (e.g. retrieval and analysis of communication/event logs, detecting/blocking inappropriate communication, etc.) (iv) Has the Funds Transfer Service Provider taken measures such as those listed below to prevent damage from expanding when cyberattacks occur? • Identifying IP addresses of attackers, and blocking off attacks; • Functions to automatically decentralize accesses against DDoS attacks; and • Temporary suspension, etc. of the entire system or part thereof (v) Are necessary measures introduced for vulnerabilities in the IT system, such as updating of the operating system and application of security patches, in a timely manner? (vi) Does the Funds Transfer Service Provider, as part of cybersecurity measures, assess its security levels periodically by using network intrusion tests or relevant vulnerability scanning, etc. and make efforts to improve security? (vii) When conducting non-face-to-face transactions using the Internet and other means of communication, has the Funds Transfer Service Provider introduced an appropriate authentication method that matches the risks of transactions, such as the following? Also, in light of changes in the domestic and overseas environment and the occurrence of accidents and incidents, does the Funds Transfer Service Provider recognize and evaluate risks periodically and in a timely manner and review the certification methods as needed? • Authentication methods that do not rely solely on fixed IDs and passwords, such as multi-factor authentication that combines effective elements such as variable passwords, biometrics, and electronic certificates; • Transaction authentication through multiple channels by using, for example, a device that is different from a PC or smart device used for transactions; • Adoption of a trading password that is different from the login password (Note that the same password cannot be set.); and • Terminal authentication function that allows only specific terminals to be used, etc. Note: It should be kept in mind that it is necessary to introduce a robust authentication method for registering and changing information used for authentication, such as telephone numbers, email addresses, and passwords. (viii) When conducting non-face-to-face transactions using the Internet and other means of communication, has the Funds Transfer Service Provider taken following anti-fraud measures, for example, corresponding to the business? • Interrupting communications from invalid IP addresses; • Taking measures to encourage users to introduce and update security software that allows them to detect and remove viruses, etc.; • Introduction of a system to detect unauthorized log-ins, abnormal transactions, etc. and promptly notify such anomalies to users; • Stopping the use of IDs that have been confirmed to be used for unauthorized purposes; • Displaying the last login (logoff) date and time on the screen; and • Notifying users at the time of transaction, etc. (ix) Has the Funds Transfer Service Provider developed contingency plans against potential cyberattacks? And does it conduct exercises and review such plans? Also, does it participate in industry-wide exercises as necessary? (x) Has the Funds Transfer Service Provider formulated plans to train and develop personnel responsible for cybersecurity and implemented them?

45 (6) IT system planning/development/management (i) Does the Funds Transfer Service Provider make continuous efforts to identify risks inherent in the current IT system and make investment in maintaining such efforts and eliminating risks in a planned manner? When planning and developing IT system, it is desirable to clarify the IT system strategy policy as a part of the management strategy and to formulate a medium to long-term development plan approved by the Board of Directors. (ii) Are rules to authorize plans, development, and transitions of IT system development projects clearly established? (iii) Does the Funds Transfer Service Provider appoint and assign a responsible person to each IT system development project and manage the project according to the development plan? (iv) When conducting non-face-to-face transactions using the Internet and other means of communication, are the following security requirements included in the rules related to the system design/development stage? • Clarifying specific security requirements; • Taking measures to prevent any vulnerability in the system, such as secure coding; and • When linking with other companies' systems, the system should have a security design considering not only the linked part but also the entire service, etc. (v) When linking with other companies’ systems, or when a large number of users are expected to use the funds transfer system, has the Funds Transfer Service Provider formulated rules and policies, etc., including the following viewpoints, and implemented them appropriately in order to ensure the quality of the entire system? • Establishing test implementation policies to ensure quality; • Formulating a plan for performance capacity management of the IT system with a threshold value corresponding to surging transaction based on examples of other companies (including cases where the number of temporary transactions is expected to increase, such as large-scale sales promotion activities); • Setting monitoring items, monitoring of load conditions, and implementing necessary control, taking into consideration the limits of performance and capacity of various resources; and • Grasping system limits during the IT system development, etc. (vi) In developing IT systems, does the Funds Transfer Service Provider work out a test plan and conduct a test in an appropriate and sufficient manner, such as by involving departments in charge of users in it? (vii) Has the Funds Transfer Service Provider secured personnel who are familiar with the mechanisms of the current IT system and have expertise in system planning, development, and operation management? It is desirable to formulate and implement a specific plan for the succession of the current IT system and development technology, as well as for the development of human resources with expertise. (7) IT system audit (i) Does the Internal Audit Department, which is independent from the IT Systems Department, conduct periodic IT system audits by personnel familiar with IT system matters? Note: External audits may be used instead of internal audits if it is considered more effective to introduce IT system audits by external auditors.

46 (ii) Does the audit cover all business operations involving the IT system risk? (iii) Are the results of the IT system audit reported to the Board of Directors in a proper manner? (8) Outsourcing management (i) Does the Funds Transfer Service Provider, in selecting outsourced contractors (including IT system-related subsidiaries), assess them based on selection criteria and give careful consideration? (ii) When using external services such as cloud services, does the Funds Transfer Service Provider examine risks associated with the services used and take necessary measures? For example, does it implement the following measures? • Grasping sites that process and store critical data; • Reflecting the authority to audit and monitor, etc. in the contract • Confirming and evaluating assurance reports, third-party certifications, etc.; and • Understanding cloud-specific risks, etc. (iii) Does the Funds Transfer Service Provider, in entering an outsourcing contract with an outsourced contractor, set out the division of roles and responsibilities with the contractor, supervising authority to audit outsourced work, subcontracting procedures, level of services provided, etc. in the contract? Also, does the Funds Transfer Service Provider present to the outsourced contractor rules that its officers and employees are required to adhere to and security requirements, as well as define them in the contract, etc.? (iv) Is risk management carried out properly in outsourced IT system work (including multi-tiered outsourcing)? In particular, in cases where the Funds Transfer Service Provider outsources its IT system work to two or more contractors, related administrative work becomes complicated and higher risk management is required. In this context, has the Funds Transfer Service Provider developed a control environment upon fully understanding such fact? In cases where IT system-related administrative work is outsourced to contractors, too, does the Funds Transfer Service Provider properly manage the risk thereof in the same manner as outsourcing of IT system work? (v) Does the Funds Transfer Service Provider, as an outsourcer, regularly check and monitor to confirm that outsourced work (including multi-tiered outsourcing) is carried out appropriately? Also, does the Funds Transfer Service Provider take necessary measures not to leave everything to contractors by, for example, placing its staff at a contractor site to monitor the outsourced work, etc.? In addition, does the Funds Transfer Service Provider put in place a control environment that allows the Provider, as an entrustor, to monitor and track the status of user data being processed at outsourced contractors? (vi) Does the Funds Transfer Service Provider audit its important outsourced contractors by its Internal Audit Department, IT system auditors, etc.? (9) Contingency plan (i) Has the Funds Transfer Service Provider formulated a contingency plan and established arrangements and procedures for dealing with emergencies? In cases where IT system-related operations are outsourced, has the Funds Transfer Service Provider established an emergency system (including communication systems with service

47 providers and system partners) including important outsourced contractors? (ii) Is the Funds Transfer Service Provider basing the details of its contingency plan on guides that allow it to judge objective levels of its details (such as “Manual for the Development of Contingency Plans in Financial Institutions (Plans for Measures in the Event of Emergencies)” compiled by the Center for Financial Industry Information Systems)? (iii) When formulating a contingency plan, does the Funds Transfer Service Provider assume not only contingencies due to natural disasters but also system failures, etc. due to internal or external factors? Also, does the plan include sufficient risk scenarios assuming the following risks? • Cyberattack • Disaster and pandemic • IT System failure • Information leakage, etc. (iv) Does the Funds Transfer Service Provider review assumed scenarios in its contingency plan in a timely and appropriate manner by, for example, taking into consideration case studies of IT system failures, etc. at other Funds Transfer Service Providers and results of deliberations at the Central Disaster Management Council, etc.? (v) Does the Funds Transfer Service Provider regularly conduct a drill based on its contingency plan? Is the drill based on the contingency plan conducted at the organization-wide level of the Funds Transfer Service Provider? And is it periodically conducted jointly with outsourced contractors and IT system partners according to the degree of importance and risks? Is the contingency plan reviewed as needed based on training results? (vi) Has the Funds Transfer Service Provider introduced off-site backup IT systems, etc. in advance for important IT systems whose failure could seriously affect business operations? And has it developed a control environment to address disasters or IT system failures, etc. so that normal business operations can be speedily brought back? (10)Response to IT system failures (i) Has the Funds Transfer Service Provider taken appropriate measures to avoid causing unnecessary confusion among users in the event of IT system failures, etc.? Also, has it developed a control environment, upon assuming a worst-case scenario in preparation for IT system failures, etc. to take necessary measures accordingly? (ii) Has the Funds Transfer Service Provider clarified reporting procedures and the framework of command and supervision covering outsourced contractors in preparation for IT system failures, etc.? (iii) Upon occurrence of an IT system failure, etc. that may significantly affect its business operations, is the Funds Transfer Service Provider prepared to promptly notify the representative director and other directors and report the greatest potential risk it poses under the worst-case scenario (for example, if there is a possibility that the failure could gravely affect users, the reporting persons should not underestimate the risk but immediately report the highest risk scenario)? In addition, is it prepared to launch a task force, have the representative director, etc. issue appropriate instructions and orders, and seek resolution of the issue in a swift manner? (iv) Has the Funds Transfer Service Provider clearly established the support framework for IT system failures, etc. to promptly gather experts having relevant know-how and experience

48 from the IT Systems Department, other departments, or outsourced contractors, for example, through prior registration of these experts? (v) When an IT system failure, etc. occurs, does the Funds Transfer Service Provider disclose the details of the failure, the cause of the failure, and expected recovery time (Note)? And does it promptly take measures, such as establishing call centers and consultation desks as necessary, and asking the Certified Association for Payment Service Providers for help in responding, if it is a member of the association, in order to properly respond to inquiries from customers, etc.? Also, does the Funds Transfer Service Provider clarify arrangements and procedures as to how to provide relevant business departments with necessary information in preparation for IT system failures, etc.? Note: In addition to posting an announcement on its website, the Funds Transfer Service Provider should directly notify users, etc. through smart devices if possible. (vi) Has the Funds Transfer Service Provider conducted analysis of causes of IT system failures, etc., investigation about impact until recovery, corrective action, and preventive measures for recurrence in a proper manner? Also, does it periodically analyze tendencies of factors that have led to IT system failures, etc. and take measures according to them? (vii) Has the Funds Transfer Service Provider established a systematic framework to minimize impacts of IT system failures, etc. such as a system to bypass the affected part? Reference: As reference materials relating to the IT system risk, there are, for example, “FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions” (The Center for Financial Industry Information Systems). II-2-3-1-2 Supervisory Methods and Measures (1) When a problem is found With regard to issues and challenges, etc. concerning control environment for IT system risk of a Funds Transfer Service Provider, which have been identified through the follow-up to the matters indicated in the inspection and the daily supervisory administration such as the notification of misconduct, etc., the supervisory authorities shall monitor the status of voluntary business improvement made by such Funds Transfer Service Provider by holding an in-depth interview regarding the cause of the issue, improvement measures, etc. and, when necessary, collecting a report based on Article 54 of the Act, based on the viewpoints mentioned above. Furthermore, if it is found that the Funds Transfer Service Provider has a serious problem from the viewpoint of ensuring sound and appropriate operations of the Funds Transfer Services, including the viewpoint of protecting the interests of users, the supervisory authorities shall issue to the Funds Transfer Service Provider an order to improve business operations based on Article 55 of the Act. If a serious and/or malicious violation of laws and regulations is found, the supervisory authorities shall consider issuing an order to suspend business, etc. based on Article 56 of the Act (See VIII-3 for matters to be taken into consideration when conducting administrative dispositions). (2) When a system failure has occurred (i) The supervisors shall require a Funds Transfer Service Provider, upon finding occurrence of an IT system failure or cybersecurity incident, to immediately notify the relevant authorities

49 of the fact and then to make a report to the authorities in a form of the “Report on Occurrence of IT System Failure, etc.” (Appended Form 1). In addition, the Funds Transfer Service Provider is also required to submit a report on recovery of the system and causes of the system failure when they are identified. Provided, that in cases where the causes are not identified, the Funds Transfer Service Provider must report the actual situation within one month from the occurrence of the IT system failure. Upon receipt of a report from the Funds Transfer Service Provider, Local Finance Bureaus shall immediately contact the relevant division of the Financial Services Agency. Note: IT system failures, etc. that must be reported Failure or trouble that occurred in IT systems and devices (both hardware and software) currently used by a Funds Transfer Service Provider for whatever reason and; (A) that delays or suspends, or may delay or suspend business operations pertaining to the Funds Transfer Services; or (B) that may otherwise be deemed similar to above in the course of business. However, this reporting requirement does not apply in cases where, even when a part of an IT system or device is failed or troubled, there is no substantial impact or damage because the affected part is able to be promptly replaced by another system or device (e.g. cases where even when funds payment or receipt service is not available at some stores due to an IT system failure, users can use the service at other or nearby stores.) Even though a failure or trouble does not actually occur, a Funds Transfer Service Provider is required to make a report when the users or business operations are affected or are highly likely to be affected because it receives an advance notice of cyberattack or it has found a cyberattack in its IT system. (ii) The supervisory authorities shall require the Funds Transfer Service Provider to submit an additional report pursuant to Article 54 of the Act, as needed, and if it is found that the Funds Transfer Service Provider has a serious problem, the supervisory authorities shall issue an order to improve business operations pursuant to Article 55 of the Act. (iii) In particular, when a major IT system failure has occurred, or when it takes considerable time for the Funds Transfer Service Provider to solve the causes of the failure, the supervisory authorities, while watching the Funds Transfer Service Provider activate its contingency plan including general announcement of the details of the failure to the public and responses to users at stores, etc., requires the Funds Transfer Service Provider to promptly identify the causes and asks for prompt recovery, and requires a prompt report pursuant to Article 54 of the Act. (3) Responses at the time of IT system update and integration, etc. When a Funds Transfer Service Provider updates or integrates important IT systems, the supervisors require the Funds Transfer Service Provider to submit a report based on Article 54 of the Act as needed, and confirm plans and progress, as well as the appropriateness and effectiveness of project management, and then take actions such as issuing an order for business improvement based on Article 55 of the Act if significant problems are found. (4) Response to outsourced contractors When it deems necessary, for example, in cases where there is concern that outsourced contractors fail to properly operate IT systems work that has been outsourced, the FSA takes actions under III-2-3-3-2 hereof.

50 II-2-3-2 Administrative Risk Management Administrative risk refers to the risk that a Funds Transfer Service Provider incurs a loss due to its officers and/or employees failing to perform accurate administrative work or due to their problematic conducts or wrongful acts. Funds Transfer Service Providers need to strive to ensure their reliability and creditworthiness by properly developing an internal control environment regarding administrative risk and maintaining the soundness and appropriateness of their business operations. The following points, for example, shall be taken into consideration. II-2-3-2-1 Major Supervisory Viewpoints (1) Control environment for managing administrative risk (i) Has the Funds Transfer Service Provider developed an appropriate control environment for managing administrative risk based on the understanding that such risk is involved in all business operations? (ii) Has the Funds Transfer Service Provider implemented specific measures to reduce administrative risk based on the recognition of the importance of reducing such risk? (iii) Has the Funds Transfer Service Provider developed a control environment wherein the division in charge of administrative work is able to perform the internal check-and-balance function sufficiently? Also, has the Funds Transfer Service Provider established rules and regulations regarding administrative work and processes? (iv) Does the Funds Transfer Service Provider treat important legal compliance issues relating to identity verification and submission of a notification of “suspicious transactions” as a legal compliance issue to deal with on a company-wide basis, rather than processing them as a mere administrative problem? (2) Administrative risk management by internal audit function Does the Internal Audit Department properly conduct internal audits in order to examine the control environment for managing administrative risk? (3) Control environment for managing administrative risk in business offices Has the division in charge of managing administrative risk at headquarters taken measures for checking business offices’ control environments for managing administrative risk? II-2-3-2-2 Supervisory Methods and Measures When problems are found with regards to the internal control environment for administrative risk management of a Funds Transfer Service Provider, the business operations of its outsourced contractors, and the appropriateness of their operations, which have been identified through the follow-up to the matters indicated in the inspection and the daily supervisory administration such as the notification of misconduct, etc., the supervisory authorities shall monitor the status of voluntary business improvement made by such Funds Transfer Service Provider by holding an in-depth interview with the Funds Transfer Service Provider and its outsourced contractors and, when necessary, collecting a report based on Article 54 of the Act. Furthermore, if it is found that the Funds Transfer Service Provider has a serious problem from the viewpoint of ensuring sound and appropriate operations of the Funds Transfer Services, including the viewpoint of protecting the interests of users, the supervisory authorities shall issue to the Funds Transfer Service Provider an order to improve business operations based on Article 55 of the Act. If a serious and/or malicious violation of laws and regulations is found, the supervisory authorities

51 shall consider issuing an order to suspend business, etc. based on Article 56 of the Act (See VIII-3 for matters to be taken into consideration when conducting administrative dispositions). II-2-3-3 Outsourcing Even when a Funds Transfer Service Provider outsources part of its business to a third party (including multi-tiered outsourcing), the Provider is not exempted from the final responsibility pertaining to such outsourced work. Therefore, in order to ensure the protection of users and the proper and secure conduct of the business, it is necessary to pay attention to the following points, for example, depending on the nature of the business of the Funds Transfer Service Provider. It should be noted that the following points are only general points of view, and additional verification may be required, depending on the content of the outsourced work. II-2-3-3-1 Major Supervisory Viewpoints (i) Has the Funds Transfer Service Provider established internal rules, etc. specifying criteria for selecting contractors or measures to be taken when outsourcing risk appears, and disseminated them company-wide such rules, etc. through internal training, etc. so that its officers and employees properly handle cases in accordance with such internal rules, etc.? (ii) Has the Funds Transfer Service Provider taken appropriate measures regarding the development of a legal compliance system at the outsourced contractor, such as issuing necessary instructions? In addition, has the Funds Transfer Service Provider taken measures to ensure that outsourcing does not hinder the performance of obligations to supervisory authorities regarding inspections, reporting orders, submission of records, etc.? (iii) Has the Funds Transfer Service Provider made it clear that the outsourcing of business operations does not cause any change in the contractual rights and obligations involving it and its users and that the users continue to have the same rights as if the business operations were conducted by the Funds Transfer Service Provider itself? Note:Outsourcing includes cases where a Funds Transfer Service Provider is deemed to substantially outsource its business to an external contractor even if a formal contract is not concluded, or where the outsourced work is performed overseas. (iv) In the case of outsourcing the operation relating to cash payment and receipt with users, when the outsourced contractor receives and pays cash from or to users, has the Funds Transfer Service Provider taken measures to promptly identify increases and decreases in the outstanding obligations pertaining to the receipt and payment of cash? (v) Has the Funds Transfer Service Provider developed a control environment that prevents users from suffering inconveniences if the Funds Transfer Service Provider cannot be provided with the services agreed under the outsourcing contract with its outsourced contractor? (vi) When outsourcing the handling of information of individual users to an outsourced contractor, has the Funds Transfer Service Provider taken the following measures to supervise the outsourced contractor as necessary and appropriate measures to prevent such information from being leaked, lost, or damaged based on Article 10 of the Financial Sector Personal Information Protection Guidelines and III of the Practice Guidelines? (vii) With regard to the management of outsourced contractors, does the Funds Transfer Service Provider clarify the responsible division and confirm that outsourced contractors are properly managing information related to users, such as by monitoring on a periodic or as-needed basis how business operations are being conducted at outsourced contractors?

52 (viii) Has the Funds Transfer Service Provider confirmed that outsourced contractors have systems in place to take appropriate actions and to promptly report to the Funds Transfer Service Provider in the event that information is leaked, lost, or damaged at outsourced contractors? (ix) Does the Funds Transfer Service Provider restrict the access right by outsourced contractors to the information related to users possessed by the Funds Transfer Service Provider to the extent necessary according to the nature of the outsourced business? On that basis, does the Funds Transfer Service Provider check whether the officers and employees at outsourced contractors to whom access rights are given have been defined, along with the scope of their access rights? Furthermore, does the Funds Transfer Service Provider confirm that the access rights are being managed thoroughly at outsourced contractors on a periodic or as-needed basis, such as by checking how the access rights are used (including crosschecking authorized persons with actual users) in order to prevent the access rights assigned to certain people from being used by others? (x) In cases of multi-tiered outsourcing, does the Funds Transfer Service Provider check whether the outsourced contractor is adequately supervising its subcontractors and other business operators? In addition, does the Funds Transfer Service Provider directly supervise such subcontractors and other business operators as needed? (xi) With regard to complaints, etc. pertaining to the outsourced service, has the Funds Transfer Service Provider developed an appropriate complaint consultation system, such as a system to accept direct communication from users to the Funds Transfer Service Provider who outsourced such service? II-2-3-3-2 Supervisory Methods and Measures When problems are found with regards to the internal control environment for outsourcing of the Funds Transfer Services of a Funds Transfer Service Provider, the business operations of its outsourced contractors, and the appropriateness of such operations, which have been identified through the follow-up to the matters indicated in the inspection and the daily supervisory administration such as the notification of misconduct, etc., the supervisory authorities shall monitor the status of voluntary business improvement made by such Funds Transfer Service Provider, by holding an in-depth interview with the Funds Transfer Service Provider and its outsourced contractors and, when necessary, collecting a report based on Article 54 of the Act. Furthermore, if it is found that the Funds Transfer Service Provider has a serious problem from the viewpoint of ensuring sound and appropriate operations of the Funds Transfer Services, including the viewpoint of protecting the interests of users, the supervisory authorities shall issue to the Funds Transfer Service Provider an order to improve business operations based on Article 55 of the Act. If a serious and/or malicious violation of laws and regulations is found, the supervisory authorities shall consider issuing an order to suspend business, etc. based on Article 56 of the Act (See VIII-3 for matters to be taken into consideration when conducting administrative dispositions). Note: Interviews shall basically be conducted with a Funds Transfer Service Provider who outsourced services in order to understand the facts of a case, etc. However, in the light of the urgency and seriousness of the case, the supervisors shall consider having an interview with outsourced contractors in parallel as needed. When having an interview with an outsourced contractor, the supervisors shall ask the Funds Transfer Service Provider, who has outsourced its service to the outsourced contractor, to attend

53 the interview as needed. II-2-4 Responses to Persons with Disabilities The Act for Eliminating Discrimination against Persons with Disabilities (Act No. 65 of 2013; hereinafter referred to as the “Disability Discrimination Act”) prohibits a company from engaging in unfair discriminatory treatment for persons with disabilities and requires it to make efforts to improve reasonable accommodation to implement elimination of social barriers. In addition, the “Guidelines concerning Promotion of Elimination of Discrimination on the Basis of Disability in Business Fields under the FSA’s Jurisdiction” (Public Notice No. 3 of 2016; hereinafter referred to as the “Guidelines for Eliminating Discrimination against Persons with Disabilities”) has specified how Funds Transfer Service Providers should respond to those with disabilities. When supervising the response to persons with disabilities, the following points shall be taken into consideration in light of the abovementioned intent. II-2-4-1 Major Supervisory Viewpoints Has the Funds Transfer Service Provider developed an internal control environment for responding to persons with disabilities, such as by taking appropriate actions in accordance with the Disability Discrimination Act and the Guidelines for Eliminating Discrimination against Persons with Disabilities, including in terms of user protection and user convenience, and by grasping and verifying the response status and reviewing response methods? II-2-4-2 Supervisory Methods and Measures With regard to issues and challenges, etc. concerning the response to persons with disabilities by a Funds Transfer Service Provider, which have been identified through the follow-up to the matters indicated in the inspection and the daily supervisory administration such as the notification of misconduct, etc., the supervisory authorities shall monitor the development of the relevant internal control environment by holding an in-depth interview regarding the cause of the issue, improvement measures, etc. based on the viewpoints mentioned above. Also, when any doubt arises regarding the development of the internal control environments by the Funds Transfer Service Provider, the supervisors shall inspect it, as needed, by requiring the Funds Transfer Service Provider to submit a report (including those under Article 54 of the Act). If any problem is found in such development, the supervisors shall encourage the Funds Transfer Service Provider to improve. II-2-5 Linkage with Services Provided by Other Service Providers such as Account Transfer Service Some Funds Transfer Services are offering services collaborated with services provided by other business operators such as account transfer services provided by banks, etc. (hereinafter referred to as “collaborative service”). While such collaborative service may become highly convenient for users of the Funds Transfer Services, there is a possibility of introducing risks different from those inherent in the services provided by a Funds Transfer Service Provider alone, for example, a risk that a malicious third party impersonates a depositor of a savings account linked to the Funds Transfer Services (hereinafter referred to as the “linked account”) and makes improper transaction through the Funds Transfer Services. In addition, with the progress of innovation of technologies, collaboration and linkage between business operators will increase in the future, and the risk associated with these kinds of collaboration may also increase. Based on the above, from the viewpoint of ensuring sound and appropriate operation of the Funds

54 Transfer Services including the protection of the interests of users of the Funds Transfer Services and users of services provided by business partners (hereinafter referred to as “users, etc.” in II-2-5 and II-2-6), it is important for a Funds Transfer Service Provider who provides collaborative services to establish a control environment suited to the risks in cooperation with the business partners. When supervising a Funds Transfer Service Provider who provides collaborative services, the supervisors shall pay attention to the following points, for example. In addition, the following viewpoints are given, mainly assuming the cases of linking with the account transfer service. Similarly, when providing other collaborative services that may cause economic loss to users, etc. due to vulnerability in security, etc., it is important for Funds Transfer Service Providers to take necessary measures according to the risk, taking the following points into consideration. II-2-5-1 Major Supervisory Viewpoints (1) Development of internal control environment (i) Does the management team have the Internal Control Department identify inherent risks, including problems pertaining to the protection of the interests of users, etc., with regard to the entire collaborative services at the time of introduction of the services or at the time of any change in the contents and methods thereof, and develop a system to reduce risks in a timely manner based on these? (ii) Does the Internal Control Department collect and analyze information on the occurrence of relevant crimes and methods thereof based on the types of crimes that are expected to occur in collaborative services? And does it improve the system for the operation of collaborative services (including fraud prevention measures), taking into account possible future crime methods? Also, does it report the content thereof to the management team on a regular and timely basis? (iii) Does the Internal Audit Department audit the control environment (including fraud prevention measures) for the operation of collaborative services on a regular and timely basis? Also, does it report the audit result to the management team? (iv) Does the management team create an environment in which the so-called PDCA cycle, which consists of risk analysis, the formulation and implementation of risk mitigation measures, and the evaluation and review thereof, functions as described above? (2) Security (i) From the viewpoint of preventing improper transactions, does the Funds Transfer Service Provider assess possible risk of the entire collaborative service in cooperation with its business partners at the time of introduction of the services or at the time of any change in the contents and methods thereof? Also, does it cooperate with the business partners in assessing the risk? (ii) Has the Funds Transfer Service Provider clarified the division of roles and responsibilities with the business partners? (iii) Based on the risk assessment, does the Funds Transfer Service Provider crosscheck information on users in cooperation with the business partners, and take appropriate and effective measures commensurate with risks to prevent fraud? For example, when linking with the account transfer service, does the Funds Transfer Service Provider take appropriate and effective measures to prevent fraud, such as verifying the identity of users of the Funds Transfer Services and depositors by carrying out effective

55 verification at the time of transactions by means of public personal authentication and other methods, and by collating information of the users confirmed by identity verification documents, etc. with information held by business partners? Note: In collating information with business partners, it is desirable to include addresses and telephone numbers in addition to the names and dates of birth of users, except when using official personal authentication. In addition, has the Funds Transfer Service Provider confirmed that partner banks, etc. that offer the account transfer service have introduced multi-factor authentication and other authentication methods that combine effective elements, such as, for example, the use of variable passwords using hardware tokens and software tokens, and the use of electronic certificates such as public personal authentication, in addition to the use of fixed ID and passwords for personal authentication? Note: It should be noted that fraud prevention measures taken by a Funds Transfer Service Provider do not overlap with those taken by the partner banks, etc. In addition, it should be kept in mind that the partner banks, etc. must adopt a robust authentication method for registering and changing information used for authentication, such as telephone numbers. (iv) Does the Funds Transfer Service Provider regularly and in a timely manner check and re-evaluate risks in light of changes in the environment, including the sophistication of crime methods, and the occurrence of incidents at the Provider itself or other business operators, and improve measures to prevent fraud, including the introduction of public personal authentication? (v) If, as a result of risk assessment, it is found that there is a problem from the viewpoint of ensuring the sound and appropriate operation of the Funds Transfer Services, including the protection of the interests of users, etc., does the Funds Transfer Service Provider temporarily suspend all or part of its services, including collaborative services, or take other appropriate measures until the problem is resolved? (3) Outsourcing management, etc. When a Funds Transfer Service Provider who provides collaborative services intends to carry out a verification at the time of transaction by the method prescribed in Article 13(1)(i) of the Ordinance for Enforcement of the Anti-Criminal Proceeds Act with regard to a user of the Funds Transfer Services, said Funds Transfer Service Provider shall be required to confirm that another specified business operator has carried out a verification at the time of transaction with regard to said user and has preserved a record of the verification at the time of transaction (hereinafter referred to as “confirmation about verified status at the time of transaction”). Note: It should be noted that the confirmation about verified status at the time of transaction includes the confirmation of the identity of the users of the Funds Transfer Services and the depositors, etc. of the transfer account (linked account). When entrusting the business related to the verification at the time of transaction including the confirmation about verified status at the time of transaction to a business partner or when conducting such business in cooperation with a business partner, attention should be paid to the following points, for example. (i) Has the Funds Transfer Service Provider formulated standards of requirements partner companies should abide by, including an effective method of the confirmation of verified status at the time of transaction, and evaluated and examined such standards prior to

56 entering into a contract? (ii) Has the Funds Transfer Service Provider specified in the contract the content of the business related to the verification at the time of transaction, the division of roles and responsibilities with the partner, and matters necessary to implement (iii) below? (iii) Does the Funds Transfer Service Provider conduct necessary and appropriate supervision, etc. of the business partner, such as verifying whether the business partner is performing the business appropriately and reliably, and having the business partner make improvements as necessary, by confirming the status of implementation of the business related to the verification at the time of transaction on a regular basis or as necessary? (iv) From the viewpoint of ensuring effective confirmation of verified status at the time of transactions and enhancing continuous customer management by the Funds Transfer Service Provider, does the Funds Transfer Service Provider verify the accuracy of the identifying matters (name, address, and date of birth) reported by users of the Funds Transfer Services by, for example, collating them with the corresponding information owned by its business partners? In cases where it is difficult to confirm the accuracy of addresses at that point, has the Funds Transfer Service Provider formulated a plan to enable such confirmation? (v) Has the Funds Transfer Service Provider taken necessary measures, such as changing or canceling contracts, if necessary from the viewpoint of the proper and secure performance of its business, including protection of the interests of users, etc.? (4) Notification to users, etc. When engaging in the linked account transfer service, etc., with business partners, does the Funds Transfer Service Provider take measures to enable users, etc. to confirm that such service is a collaborative service and the content of such service in a timely manner by cooperating with the partner to notify users, etc. at their contact information such as the telephone number and e-mail address (including SMS (short message service) to telephone numbers) registered with the partner in advance, so that users, etc. can be aware of fraud or other damage, if any, at an early stage? Note: When the Funds Transfer Service Provider implements the above measures by notifying users, etc. via their contact information registered with the business partner, it should be kept in mind that the Funds Transfer Service Provider needs to confirm that the partner has introduced a robust authentication method for registering and changing contacts such as phone numbers and e-mail addresses. (5) Detection of improper transactions (Monitoring) With regard to the collaborative services, from the viewpoint of preventing improper transactions, has the Funds Transfer Service Provider developed a control environment for appropriately implementing the following matters, for example, in cooperation with business partners? • To promptly detect transactions suspected of being fraudulent by setting appropriate scenario or thresholds based on changes in the environment, including the sophistication of criminal methods, and the occurrence of incidents in it or other business entities • To share information on suspicious transactions detected based on the above with business partners in a timely manner, to take necessary measures including suspension of the services, and to investigate such suspicious transactions • To promptly notify persons who may be a victim of fraud of the incident

57 • To suspend the use of IDs that are confirmed to be used for improper transactions (6) Response to inquiries from users, etc. (i) Has the Funds Transfer Service Provider developed a control environment for accumulating and analyzing cases of inquiries and consultations from users, etc. concerning collaborative services (hereinafter referred to as “inquiries, etc.”) and utilizing them for early detection of risks, and for improvement of fraud prevention measures and responses to consultations from users, etc.? (ii) Has the Funds Transfer Service Provider developed a control environment for honestly and sincerely responding to users, including inquiries, etc. on business partners? Also, has it clarified how to cooperate and share the responsibilities with business partners in specific manners? (iii) Does the Funds Transfer Service Provider crosscheck with a business partner whether each of them has taken any inappropriate actions in responding inquiries, etc. from users, etc., such as inducing users, etc. who made an inquiry to either party to contact the other party? And if any inappropriate responses are found, does the Funds Transfer Service Provider, together with the partner, properly investigate the cause thereof, and take corrective measures and measures to prevent recurrence, etc.? II-2-5-2 Supervisory Methods and Measures With regard to issues and challenges, etc. concerning the provision of collaborative services of a Funds Transfer Service Provider, which have been identified through the follow-up to the matters indicated in the inspection and the daily supervisory administration such as the notification of misconduct, etc., the supervisory authorities shall monitor the status of voluntary business improvement made by such Funds Transfer Service Provider by holding an in-depth interview regarding the cause of the issue, improvement measures, etc. and, when necessary, collecting a report based on Article 54 of the Act, based on the viewpoints mentioned above. Furthermore, if it is found that the Funds Transfer Service Provider has a serious problem from the viewpoint of ensuring sound and appropriate operations of the Funds Transfer Services, including the viewpoint of protecting the interests of users, etc., the supervisory authorities shall issue to the Funds Transfer Service Provider an order to improve business operations based on Article 55 of the Act. If a serious and/or malicious violation of laws and regulations is found, the supervisory authorities shall consider issuing an order to suspend business, etc. based on Article 56 of the Act (See VIII-3 for matters to be taken into consideration when conducting administrative dispositions). II-2-6 Compensation for Damage due to Improper Transactions Users, etc. may be damaged by improper transactions in connection with the Funds Transfer Services. When such damage occurs, it is important for a Funds Transfer Service Provider to take appropriate and prompt measures for the victim (including measures in cooperation with business partners when providing collaborative services) from the viewpoint of ensuring sound and appropriate operation of the funds transfer service business including the protection of the interests of users, etc. When supervising Funds Transfer Service Providers in terms of response to improper transactions, the following points, for example, shall be taken into consideration.

58 II-2-6-1 Major Supervisory Viewpoints (i) Based on Article 29-2(v) and Article 31(iv) of the Cabinet Office Order, has the Funds Transfer Service Provider formulated a policy concerning compensation for damage arising from improper transactions made in connection with the Funds Transfer Services and other measures (hereinafter referred to as “Compensation Policy”)? And has it provided users of the Funds Transfer Services with necessary information and made it available also to persons other than the users of the Funds Transfer Services who are likely to incur losses in the event of the occurrence of improper transactions? Note 1: The “damage arising from improper transactions made in connection with the Funds Transfer Services” includes not only any loss and damage incurred by users of the Funds Transfer Services arising from instructions given by unauthorized persons against the will of said users, but also any loss and damage incurred by users of a collaborative service provided by the business partner in connection with the provision of the collaborative service, such as loss or damage of an depositor of an account whose account is used for improper account transfer by users of the Funds Transfer Services who pretend to be such depositors, against the will of said depositors. Note 2: The “cases where it is deemed necessary in light of the content and method of the business regarding exchange transactions” prescribed in Article 31(iv) of the Cabinet Office Order means cases where, in light of the content and method of the Funds Transfer Services provided by the Funds Transfer Service Provider, damage is likely to be incurred by persons other than users of the Funds Transfer Services, such as cases where the Funds transfer Services are offered in a form of collaborative service linked with an account transfer service provided by banks, etc. (ii) Does the Compensation Policy include at least the following items? (A) Depending on the contents of the Funds Transfer Services, whether or not compensation for damage is to be provided to victims for each specific situation in which damage is likely to occur, and the content of and requirements for compensation, if any; (B). Content of the compensation procedure; (C) In cases of collaborative services, particulars concerning the sharing of compensation between the Funds Transfer Service Provider and the business partner (including those who provide compensation to victims); (D) Inquiry and contact for compensation; and (E) Standards for disclosure of improper transactions Note: With regard to the matters specified in (C) above, it is not necessary to notify users of all the contents of the agreement with the business partner with regard to such matters, based on Article 29-2(v) and Article 31(iv) of the Cabinet Office Order, but it should be kept in mind that it is necessary to provide users with at least information on those who provide compensation for the victims. (iii) Has the Funds Transfer Service Provider developed a control environment for appropriately and promptly providing compensation in accordance with the established Compensation Policy (in the case of collaborative services, including a system for cooperation with business partners)? (iv) Does the Funds Transfer Service Provider share necessary information with business partners (if any) and a Certified Association for Payment Service Providers (if it is a member thereof), etc. concerning risks of improper transactions and actual cases thereof,

59 such as inquiries, etc. from users, etc. concerning improper transactions? II-2-6-2 Supervisory Methods and Measures (1) When a problem is found With regard to issues and challenges, etc. concerning the response to improper transactions of a Funds Transfer Service Provider, which have been identified through the follow-up to the matters indicated in the inspection and the daily supervisory administration such as the notification of misconduct, etc., the supervisory authorities shall monitor the status of voluntary business improvement made by the Funds Transfer Service Provider by holding an in-depth interview regarding the cause of the issue, improvement measures, etc. and, when necessary, collecting a report based on Article 54 of the Act, based on the viewpoints mentioned above. Furthermore, if it is found that the Funds Transfer Service Provider has a serious problem from the viewpoint of ensuring sound and appropriate operation of its business including the interests of users, the FSA shall issue to said Funds Transfer Service Provider an order to improve business operations pursuant to Article 55 of the Act. If a serious and/or malicious violation of laws and regulations is found, the supervisory authorities shall consider issuing an order to suspend business, etc. based on Article 56 of the Act (See VIII-3 for matters to be taken into consideration when conducting administrative dispositions). (2) When an improper transaction occurs Upon detecting any improper transaction, the Funds Transfer Service Provider is required to make a report to the relevant authority in the form of “Report on Improper Transaction”. III. Items to Assess in Supervising Type I Funds Transfer Service Providers Type I Funds Transfer Service Providers may engage in high value exchange transactions of an amount exceeding 1 million yen per transaction. High value exchange transactions are likely to have significant social and economic impacts if they are not surely implemented, which may result in difficulties of beneficiaries in raising funds, etc. Accordingly, the importance of countermeasures against terrorist financing and money laundering will also be relatively increased. Therefore, Type I Funds Transfer Service Providers are required, in addition to establishing a system to properly and reliably conduct Type I Funds Transfer Services, to establish a system that is more robust than other types of Funds Transfer Service Providers, taking into account the risks associated with conducting high value exchange transactions in particular with respect to IT system risk management, security measures, terrorist financing and money laundering measures, etc. Note: As measures considering the risks associated with high value exchange transactions, a Funds Transfer Service Provider who is intending to engage in Type I Funds Transfer Services must formulate a business implementation plan and obtain approval of the Commissioner of the Financial Services Agency. When supervising a Type I Funds Transfer Service Provider, the supervisors should pay attention to the following points in addition to checking whether the Provider has properly taken measures as described in each supervisory viewpoint under Section II. III-1 Business Implementation Plan Type I Funds Transfer Service Providers must perform its services properly and reliably in accordance with the approved business implementation plan.

60 III-1-1 Strict Restriction on Retention of Funds As Type I Funds Transfer Service Providers engage in high value exchange transactions, they are required to minimize the impact on users and the social and economic impact even in cases where they went bankrupt, etc. In addition, Type I Funds Transfer Service Providers are subject to strict restriction on retention of funds from users; for example, they must immediately start handling processes for the transfer of funds and ensure that the funds do not stay longer than the operationally and technologically required period. They need to comply with such restriction. It should be noted that a Funds Transfer Service Provider, who intends to implement exchange transactions as Type I Funds Transfer Service Provider, is subject to such restriction even when receiving instructions from users for exchange transactions of 1 million yen or less per transaction. III-1-1-1 Major Supervisory Viewpoints (1) Strict restriction on retention of funds Has the Funds Transfer Service Provider taken the following measures as a control environment in which the methods to implement and monitor the prohibition of retention of user funds have been established and function effectively? (i) Has the Funds Transfer Service Provider taken measures not to accept funds from users that are not accompanied by a specific instruction for exchange transactions? Note 1: A “specific instruction for exchange transactions” refers to the instruction that the remitter clearly specifies to the Type I Funds Transfer Service Provider (i) the amount to funds to be transferred, (ii) the date when the funds are to be transferred, and (iii) the party to whom the funds are to be transferred, and it should be noted that an instruction that does not satisfy all of the above requirements cannot be regarded as a specific instruction for exchange transactions. Note 2: The date when funds are to be transferred in (ii) of Note 1 above shall mean the scheduled date on which the funds transfer is complete (hereinafter referred to as “scheduled completion date”) in the course of handling processes for the transfer of funds when receiving a request for exchange transactions. In the case where the remitter does not designate the scheduled completion date in advance, the Funds Transfer Service Provider shall present the scheduled completion date to the remitter and obtain an approval from the remitter. In this case, the Funds Transfer Service Provider shall notify the remitter of the scheduled receipt date of funds that is calculated retroactively from the scheduled completion date, and must not accept the funds until the scheduled receipt date. (ii) Has the Funds Transfer Service Provider developed a system to ensure that the exchange transactions are completed within the period necessary for handling processes for the transfer of funds from the time when outstanding obligations are incurred? Note 3: The term “the period necessary for handling processes for the transfer of funds” refers to the operationally and technologically required period for transfer of the funds, and is reasonably calculated taking into consideration the minimum period necessary for handling processes for individual exchange transactions, such as confirmation and verification for countermeasures against terrorist financing and money laundering, communication to overseas bases and banks, etc., and money transfer to bank accounts. In cases where an event that is not attributable to the Funds Transfer Service Provider occurs as described in (iv) below, the period of time until the event is resolved shall be

61 included in such period, too. Note 4: In a cases where a Type I Funds Transfer Service Provider provides a service enabling a user of a Type I Funds Transfer Service Provider to withdraw funds deposited in advance by using a card issued by the Type I Funds Transfer Service Provider through an ATM, or a service under which funds are paid to the Type I Funds Transfer Service Provider, a remitter who has received an issued certificate (money order) equivalent to the amount of the funds sends it to the beneficiary and then the beneficiary receives cash in exchange for the certificate, it should be kept in mind that this may violate Article 51-2(2) of the Act because the Type I Funds Transfer Service Provider are deemed to bear obligations relating to exchange transactions beyond the period necessary for handling processes for the transfer of funds, even with specific instruction for exchange transactions. (iii) When the beneficiary receives funds, does the Funds Transfer Service Provider take measures to prevent unnecessary retention of the beneficiary's funds toward the completion of exchange transactions, such as depositing the funds directly into the beneficiary's bank account registered in advance? (iv) With regard to retention of funds, has the Funds Transfer Service Provider formulated a handling policy upon occurrence of an event that is assumed to be the “event where the funds cannot be transferred for reasons not attributable to Type I Funds Transfer Service Provider”? Note 5: “Events where the funds cannot be transferred for reasons not attributable to a Type I Funds Transfer Service Provider” are limited to truly unavoidable cases where the Funds Transfer Service Provider cannot avoid the retention of funds with its efforts alone, such as cases where there is an error in the information on the designated destination of funds transfer, or cases where the financial institution, etc. designated as the destination of funds transfer is closed for a holiday. (v) In cases where the Type I Funds Transfer Service Provider bears obligations in excess of “the period necessary for handling processes for the transfer of funds” (not including the period under the proviso of Note 3), does the Funds Transfer Service Provider verify the cause thereof by each exchange transaction and develop a control environment for preventing recurrence if the cause is attributable to the Type I Funds Transfer Service Provider? (vi) Has the Funds Transfer Service Provider established internal rules, etc. on how to implement and monitor the prohibition of retention of user’s funds and disseminated them company-wide through internal training, etc. so that its officers and employees properly handle cases in accordance with such internal rules, etc.? (2) Reliable preservation of the Required Amount as Security for Providing Funds Transfer Services In light of the risk in implementing high value exchange transactions, does the Funds Transfer Service Provider take the following points into consideration in order to minimize the impact on users in the event of bankruptcy, etc.? In light of the expected change in the Required Amount as Security for Providing Funds Transfer Services (meaning the Required Amount as Security for Providing Funds Transfer Services as prescribed in Article 43(2) of the Act) on each business day and from the viewpoint of ensuring user protection, does the Funds Transfer Service Provider properly manage the total

62 amount of security deposits, etc. for providing Type I Funds Transfer Services (meaning the total amount of security deposits, etc. for providing Funds Transfer Services defined in Article 17(1)(i) of the Order for Enforcement of the Payment Services Act (Cabinet Order No. 19 of 2010, and hereinafter referred to as “Order”))? Type I Funds Transfer Service Providers who have made a lump sum deposit under Article 58-2(5)(iv) of the Act (limited to those whose Funds Transfer Services subject to special provisions prescribed in paragraph 1 of the same article includes Type I Funds Transfer Service) are required to similarly manage the Required Amount as Security for Providing said Funds Transfer Services subject to special provisions and the Total Amount of security deposits for providing Funds Transfer Services subject to special provisions. III-1-1-2 Supervisory Methods and Measures (1) When a problem is found With regard to issues and challenges, etc. concerning the strict restriction of retention of funds of a Funds Transfer Service Provider, which have been identified through the follow-up to the matters indicated in the inspection and the daily supervisory administration such as the notification of misconduct, etc., the supervisory authorities shall monitor the status of voluntary business improvement made by said Funds Transfer Service Provider by holding an in-depth interview regarding the cause of the issue, improvement measures, etc. and, when necessary, collecting a report based on Article 54 of the Act, based on the viewpoints mentioned above. Furthermore, if it is found that the Funds Transfer Service Provider has a serious problem from the viewpoint of ensuring sound and appropriate operation of the Type I Funds Transfer Services, including the viewpoint of protecting the interests of users thereof, the supervisory authorities shall issue to the Funds Transfer Service Provider an order to improve business operations based on Article 55 of the Act. If a serious and/or malicious violation of laws and regulations is found, the supervisory authorities shall consider issuing an order to suspend business, etc. based on Article 56 of the Act (See VIII-3 for matters to be taken into consideration when conducting administrative dispositions). (2) When exceeding the period necessary for handling processes for the transfer of funds If a Type I Funds Transfer Service Provider has incurred obligations beyond the “period necessary for handling processes for the transfer of funds,” the supervisory authorities shall request it to periodically make a report to the supervisory authorities on the results of verification of the causes under III-1-1-1(1)(v). In addition, if said cause is “an event where the funds cannot be transferred for reasons not attributable to a Type I Funds Transfer Service Provider,” the Funds Transfer Service Provider shall also be requested to report the measures to prevent the recurrence of such an event. III-1-2 Method of Providing Services Type I Funds Transfer Service Providers must be fully aware of the risks involved in implementing high value exchange transactions, comply with strict restriction on retention of funds, and conduct proper and reliable business operations. III-1-2-1 Major Supervisory Viewpoints Are the services provided problematic from the viewpoint of compliance with strict restriction on retention of funds? Also, are there any problems in terms of IT system risk management, and

63 countermeasures against terrorist financing and money laundering? For example, the following points should be verified. • Method of crediting funds pertaining to exchange transactions; • Method of receiving funds pertaining to exchange transactions; • How to contact users in an emergency; • Countries and regions where the transfer of funds through exchange transactions occurs; and • Securing of remittance funds (including funds at the correspondent party) necessary for the smooth disbursement of funds to beneficiaries in the event of a concentration of exchange transaction orders. III-1-2-2 Supervisory Methods and Measures With regard to issues and challenges, etc. concerning the method of providing the Funds Transfer Services of a Funds Transfer Service Provider, which have been identified through the follow-up to the matters indicated in the inspection and the daily supervisory administration such as the notification of misconduct, etc., the supervisory authorities shall monitor the status of voluntary business improvement made by said Funds Transfer Service Provider by holding an in-depth interview regarding the cause of the issue, improvement measures, etc. and, when necessary, collecting a report based on Article 54 of the Act, based on the viewpoints mentioned above. Furthermore, if it is found that the Funds Transfer Service Provider has a serious problem from the viewpoint of ensuring sound and appropriate operation of the Type I Funds Transfer Services, including the viewpoint of protecting the interests of users thereof, the supervisory authorities shall issue to the Funds Transfer Service Provider an order to improve business operations based on Article 55 of the Act. If a serious and/or malicious violation of laws and regulations is found, the supervisory authorities shall consider issuing an order to suspend business, etc. based on Article 56 of the Act (See VIII-3 for matters to be taken into consideration when conducting administrative dispositions). III-1-3 IT System Risk Management Type I Funds Transfer Service Providers are likely to be targets of attackers because they engage in high value exchange transactions. Therefore, they are required to develop a more robust control environment and security measures for IT system risk management. In addition, it is expected that the impact on users will increase when services are stopped due to unforeseen circumstances such as an IT system failure. Therefore, it is necessary to take measures for the stable operation of the system. In such a case, in addition to the points described in II-2-3-1-1, the following points, for example, should be verified. III-1-3-1 Major Supervisory Viewpoints (1) Control environment for managing IT system risk Since Type I Funds Transfer Service Providers are able to engage in high exchange transactions, it is expected that the impact on users will be greater if the service is suspended due to unforeseen circumstances such as security incidents or IT system failures. Therefore, it is necessary to develop a more robust IT system risk management system. In addition, since risks are diversifying, such as having sophisticated and complex information systems linked to various services and systems, including those provided by external business operators, Type I Funds Transfer Service Providers are required to identify and assess risk concerning IT system risk management system in a timely manner in response to changes in the external environment.

64 (i) Is the officer in charge of IT systems a person who has sufficient knowledge and experience in IT systems to properly pursue the relevant operations including responses to emergencies? (ii) Does the Funds Transfer Service Provider conduct audits or assessments that incorporate knowledge from third parties with expertise (external organizations), etc., with regard to the IT system risk management system? (2) Security measures Because of the high probability of being a target of an attacker and the rapid evolution of attack methods, Type I Funds Transfer Service Providers are required to receive an appropriate assessment of cybersecurity by experts. In addition, since the risk of unauthorized access, unauthorized use, information leakage, etc. due to insufficient user authentication has become apparent, it is necessary to implement stronger countermeasures in the case of high value remittances, etc., in accordance with the risk of the amount remitted. (i) Does the Funds Transfer Service Provider, as part of cybersecurity measures, receive an objective assessment on its security levels by a third party with expertise (external organizations), etc. who conducts network intrusion tests or relevant vulnerability scanning, etc.? Also, does it take measures to address issues derived from assessment results? (ii) Does the Funds Transfer Service Provider implement functions equivalent to or stronger than the following, to minimize damage from unauthorized access or unauthorized use? • Function to enable the user to set the upper limit of the amount of exchange transactions per day and per transaction; • Function to enable the user to limit the remittance destinations; and • Function to notify the user when setting or changing the above information. Note: The “function to enable the user to limit the remittance destinations” may include, for example, a function in which the user registers the remittance destinations in advance, and when a remittance is made to an unregistered destination, the user is required to perform additional authentication. (iii) Has the Funds Transfer Service Provider taken robust security measures in accordance with the upper limit of exchange transactions, such as conducting risk assessment by a third party with expertise (external organization) at the time when a collaborative service is introduced or when the contents and methods thereof are changed? (3) Stable operation of IT system Type I Funds Transfer Service Providers are required to provide services to users in a stable manner. When an unforeseen event such as an IT system failure occurs, it is necessary to continue or promptly restore the service as much as possible and as soon as possible in order not to expand the impact of the service outage. In addition, they need to develop a system to safely and reliably recover important data in the course of restoring the service. (i) Has the Funds Transfer Service Provider established an effective backup system, etc. as an IT system mechanism for minimizing the effects of IT system failures, etc.? (ii) Has the Funds Transfer Service Provider established a mechanism to obtain backup data in order to avoid damaging the alignment and integrity of important data? Also, has the Type I Funds Transfer Service Provider prepared a manual to enable prompt restoration of data necessary for business continuity, and periodically conducted restoration tests to confirm the effectiveness of the manual?

65 III-1-3-2 Supervisory Methods and Measures With regard to issues and challenges, etc. concerning IT system risk management of a Funds Transfer Service Provider, which have been identified through the follow-up to the matters indicated in the inspection and the daily supervisory administration such as the notification of misconduct, etc., the supervisory authorities shall monitor the status of voluntary business improvement made by such Funds Transfer Service Provider by holding an in-depth interview regarding the cause of the issue, improvement measures, etc. and, when necessary, collecting a report based on Article 54 of the Act, based on the viewpoints mentioned above. Furthermore, if it is found that the Funds Transfer Service Provider has a serious problem from the viewpoint of ensuring sound and appropriate operation of the Type I Funds Transfer Services, including the viewpoint of protecting the interests of users thereof, the supervisory authorities shall issue to the Funds Transfer Service Provider an order to improve business operations based on Article 55 of the Act. If a serious and/or malicious violation of laws and regulations is found, the supervisory authorities shall consider issuing an order to suspend business, etc. based on Article 56 of the Act (See VIII-3 for matters to be taken into consideration when conducting administrative dispositions). III-1-4 Countermeasures against Terrorist Financing and Money Laundering As Type I Funds Transfer Service Providers engage in high value exchange transactions, the importance of their countermeasures against terrorist financing and money laundering is relatively higher. Therefore, they are required to establish and maintain a robust control environment for managing terrorist financing and money laundering risk compared with other types of Funds Transfer Service Providers. As the international community faces threats such as terrorism, attention to countermeasures against terrorist financing and money laundering is rapidly becoming severe, as evidenced by the cases in which large amounts of monetary penalties are imposed by foreign authorities as a result of inadequate countermeasures against terrorist financing and money laundering, and the cases in which a Japanese financial institution is required to terminate a correspondent agreement by its counterparty, an overseas financial institution. In particular, financial institutions engaged in the business of overseas remittance, etc., are required to fully take into account not only trends in terrorist financing and money laundering in Japan but also trends in international terrorist financing and money laundering measures, including supervision by foreign authorities. It should be noted that the establishment and maintenance of a control environment for countermeasures against terrorist financing and money laundering based on a risk-based approach is not only a critical item in the FATF Recommendations, etc. from an international perspective, but also a matter that should be implemented by financial institutions, etc. (minimum standard), as this has already been a matter of course in major developed countries. III-1-4-1 Major Supervisory Viewpoints Does the Funds Transfer Service Provider, as a Type I Funds Transfer Service Provider, properly and surely implement the Guidelines on Anti-Money Laundering/Terrorist Financing Measures and matters under II-2-1-2? In particular, does the Funds Transfer Service Provider take the following measures in order to develop a more robust control environment for managing terrorist financing and money laundering risk compared with other types of Funds Transfer Service Providers? Note: In preparing countermeasures against terrorist financing and money laundering, it should be

66 noted that it is necessary to develop a risk management framework based on a risk-based approach. (i) Does the Funds Transfer Service Provider comprehensively and concretely identify and evaluate risks based on the target customer base (individual/corporation, occupation/business content, type of country of residence, etc.) and the target transaction types (handling amount, domestic remittance or overseas remittance, etc.) in the risk assessment report by a specified business operator, etc., and consider risk mitigation measures based on this? (ii) When conducting the verification at the time of transaction, does the Funds Transfer Service Provider appropriately screen the customers, such as by checking sanction lists from relevant countries including Japan, in addition to fulfilling the relevant obligations under the Anti-Criminal Proceeds Act? Also does it conduct rescreening at the time of updating various relevant lists? (iii) Does the Funds Transfer Service Provider conduct risk assessments appropriately for all customers based on products and services, transaction forms, countries and regions, and customer attributes? In addition, does it implement continuous customer management measures appropriately in accordance with risks? (iv) In transaction monitoring, are threshold values set appropriately based on the risk assessment of each customer? Also, are scenarios for detecting suspicious transactions appropriately set based on the business model? Has the Funds Transfer Service Provider analyzed suspicious cases, regardless of whether reported or not, and periodically reviewed scenarios and threshold values as to whether investigations leading to such reporting are appropriate? (v) In agency management, has the Funds Transfer Service Provider established a control environment enabling it to verify and evaluate that each agent, who is required to do so, implements continuous customer management measures according to risk? In addition, does the Funds Transfer Service Provider assess the risks of each agent and monitor its control environment in accordance with such risks? (vi) With regard to countermeasures against terrorist financing and money laundering, has the Funds Transfer Service Provider developed a control environment for maintaining and improving expertise and suitability, etc. by conducting appropriate and continuous training, etc., while securing and training personnel with expertise and suitability, etc. in accordance with their roles as necessary? III-1-4-2 Supervisory Methods and Measures With regard to issues and challenges, etc. concerning the countermeasures against terrorist financing and money laundering of a Funds Transfer Service Provider, which have been identified through the follow-up to the matters indicated in the inspection and the daily supervisory administration such as the notification of misconduct, etc., the supervisory authorities shall monitor the status of voluntary business improvement made by such Funds Transfer Service Provider by holding an in-depth interview regarding the cause of the issue, improvement measures, etc. and, when necessary, collecting a report based on Article 54 of the Act, based on the viewpoints mentioned above. Furthermore, if it is found that the Funds Transfer Service Provider has a serious problem from the viewpoint of ensuring sound and appropriate operation of the Type I Funds Transfer Services, including the viewpoint of protecting the interests of users thereof, the supervisory authorities shall issue to the Funds Transfer Service Provider an order to improve business operations based on

67 Article 55 of the Act. If a serious and/or malicious violation of laws and regulations is found, the supervisory authorities shall consider issuing an order to suspend business, etc. based on Article 56 of the Act (See VIII-3 for matters to be taken into consideration when conducting administrative dispositions). III-1-5 Upper Limit of Exchange Transactions Type I Funds Transfer Service Providers are required to improve the risk management system in accordance with the upper limit of exchange transactions. III-1-5-1 Major Supervisory Viewpoints (i) Has the Funds Transfer Service Provider developed a control environment for risk management based on risk assessments conducted in accordance with the upper limit of exchange transactions? In addition, does it review risk assessment? (ii) Has the Funds Transfer Service Provider taken measures to ascertain, using systems, etc., that each amount of remittance by a user is within the upper limit of exchange transactions? III-1-5-2 Supervisory Methods and Measures With regard to issues and challenges, etc. concerning the upper limit of exchange transactions of a Funds Transfer Service Provider, which have been identified through the follow-up to the matters indicated in the inspection and the daily supervisory administration such as the notification of misconduct, etc., the supervisory authorities shall monitor the status of voluntary business improvement made by such Funds Transfer Service Provider by holding an in-depth interview regarding the cause of the issue, improvement measures, etc. and, when necessary, collecting a report based on Article 54 of the Act, based on the viewpoints mentioned above. Furthermore, if it is found that the Funds Transfer Service Provider has a serious problem from the viewpoint of ensuring sound and appropriate operation of the Type I Funds Transfer Services, including the viewpoint of protecting the interests of users thereof, the supervisory authorities shall issue to the Funds Transfer Service Provider an order to improve business operations based on Article 55 of the Act. If a serious and/or malicious violation of laws and regulations is found, the supervisory authorities shall consider issuing an order to suspend business, etc. based on Article 56 of the Act (See VIII-3 for matters to be taken into consideration when conducting administrative dispositions). III-1-6 Response Policy to Incidents Related to Exchange Transactions High value exchange transactions conducted by Type I Funds Transfer Service Providers may cause significant social and economic impacts in cases where the implementation thereof is not secured, as well as in cases where the transactions are wrongly performed based on instruction from an unauthorized person against the will of the users (see II-2-6), which may result in difficulties of users in raising funds. Therefore, it is important for Type I Funds Transfer Service Providers to appropriately and immediately respond to incidents related to exchange transactions from the viewpoint of ensuring sound and appropriate operation of the Type I Funds Transfer Services, including the interests of users thereof. Therefore, when supervising Type I Funds Transfer Service Providers, the following points, for example, shall be taken into consideration. Note: “Incidents related to exchange transactions” refer to cases where a remittance is not made due to occurrence of IT system failures, etc., shortage of funds required for remittance to be

68 transferred to a bank account of a beneficiary, etc., and cases where erroneous exchange transactions (such as wrong destination of remittance and double remittance) occur. III-1-6-1 Major Supervisory Viewpoints (i) Has the Funds Transfer Service Provider formulated a policy on compensation and other measures for each incident related to exchange transactions that may occur, in accordance with the contents of the Funds Transfer Services provided by it? (ii) Has the Funds Transfer Service Provider developed a control environment for immediately compensating and taking other measures when an incident related to exchange transactions occurs? III-1-6-2 Supervisory Methods and Measures With regard to issues and challenges, etc. concerning the response policy to incidents related to exchange transactions of a Funds Transfer Service Provider, which have been identified through the follow-up to the matters indicated in the inspection and the daily supervisory administration such as the notification of misconduct, etc., the supervisory authorities shall monitor the status of voluntary business improvement made by such Funds Transfer Service Provider, by holding an in-depth interview regarding the cause of the issue, improvement measures, etc. and, when necessary, collecting a report based on Article 54 of the Act, based on the viewpoints mentioned above. Furthermore, if it is found that the Funds Transfer Service Provider has a serious problem from the viewpoint of ensuring sound and appropriate operation of the Type I Funds Transfer Services, including the viewpoint of protecting the interests of users thereof, the supervisory authorities shall issue to the Funds Transfer Service Provider an order to improve business operations based on Article 55 of the Act. If a serious and/or malicious violation of laws and regulations is found, the supervisory authorities shall consider issuing an order to suspend business, etc. based on Article 56 of the Act (See VIII-3 for matters to be taken into consideration when conducting administrative dispositions). III-2 Provision of Information to Users With regard to Type I Funds Transfer Service Providers, the following points shall be taken into consideration in addition to II-2-2-1-1(3). III-2-1 Major Supervisory Viewpoints (i) In light of the purposes of Article 51 of the Act and Article 29 of the Cabinet Office Order, as the matters set forth in Article 29(1)(i) of the Cabinet Office Order, does the Funds Transfer Service Provider explain, as necessary, matters that will serve as references when a user decides whether or not to conclude a contract related to the exchange transaction? Note: Matters to be explained in accordance with Article 29(1)(i) of the Cabinet Office Order can include the following, for example. • Upper limit of exchange transactions; • Method of receiving funds pertaining to exchange transactions; • Inability to accept funds without specific instructions for exchange transactions; and • The period necessary for handling processes for the transfer of funds. (ii) As the matters set forth in Article29(1)(ii)(e) of the Cabinet Office Order, does the Funds Transfer Service Provider explain, as necessary, matters that serve as references when a user decides whether or not to conclude an account opening contract, etc.?

69 Note: Matters to be explained in accordance with Article 29(1)(ii)(e) of the Cabinet Office Order can include the items listed in (i) above, for example. III-2-2 Supervisory Methods and Measures With regard to issues and challenges, etc. concerning the provision of information to users of a Funds Transfer Service Provider, which have been identified through the follow-up to the matters indicated in the inspection and the daily supervisory administration such as the notification of misconduct, etc., the supervisory authorities shall monitor the status of voluntary business improvement made by such Funds Transfer Service Provider, by holding an in-depth interview regarding the cause of the issue, improvement measures, etc. and, when necessary, collecting a report based on Article 54 of the Act, based on the viewpoints mentioned above. Furthermore, if it is found that the Funds Transfer Service Provider has a serious problem from the viewpoint of ensuring sound and appropriate operation of the Type I Funds Transfer Services, including the viewpoint of protecting the interests of users thereof, the supervisory authorities shall issue to the Funds Transfer Service Provider an order to improve business operations based on Article 55 of the Act. If a serious and/or malicious violation of laws and regulations is found, the supervisory authorities shall consider issuing an order to suspend business, etc. based on Article 56 of the Act (See VIII-3 for matters to be taken into consideration when conducting administrative dispositions). IV. Items to Assess in Supervising Type II Funds Transfer Service Providers IV-1 Restriction on Retention of Funds When a Funds Transfer Service Provider retains users’ funds whose use for exchange transactions is doubtful, the following problems may occur: (i) if the Funds Transfer Service Provider goes bankrupt while retaining users’ funds, it will take considerable time for the users to recover such funds, which will adversely affect user protection; (ii) the Funds Transfer Service Provider bears the costs of securing users’ funds that are originally unnecessary, which will impair their efficient business operation; (iii) such retention may infringe the prohibition on the receipt of the deposits under Article 2 of the Act Regulating the Receipt of Contributions, the Receipt of Deposits, and Interest Rates (Investment Act); and (iv) the increase in funds that are not used for economic activities, unlike bank deposits, may have an adverse economic effect. Type II Funds Transfer Service Providers have no quantitative restrictions on the acceptance of users’ funds and, as compared to Type I or Type III Funds Transfer Service Providers, are more likely to hold users’ funds that are not used for exchange transactions. Therefore, it is necessary to take measures to prevent them from holding such users’ funds. IV-1-1 Major Supervisory Viewpoints Measures to prevent the holding of users’ funds that are considered not to be used for exchange transactions Has the Funds Transfer Service Provider put in place a control environment in which, if the receipt amount per user exceeds 1 million yen, it checks whether such amount is used for exchange transactions, and when it is judged that such amount has a low probability of being used for exchange transactions, the Funds Transfer Service Provider requires the user to withdraw it, and if the user refuses to do so, the Funds Transfer Service Provider takes measures to prevent the holding of such amount by, for example, returning it to the user?

70 In judging whether users’ funds relate to exchange transactions, does the Funds Transfer Service Provider comprehensively consider (i) the receipt amount, (ii) the receipt period , (iii) money transfer records, and (iv) the purpose of use of the funds on a user basis? Note 1: Such measures may include the following: if the Funds Transfer Service Provider finds a user’s account in which the receipt amount exceeds 1 million yen, the Funds Transfer Service Provider checks whether the user has a plan for exchange transactions or whether such account retains a larger amount of funds for a longer period when compared to the past transaction records, etc. of such user, and as a result, if the Funds Transfer Service Provider judges that the user has a low possibility of using such amount for exchange transactions, the Funds Transfer Service Provider will transmit such amount to the bank account previously designated by the user. Note 2: With regard to measures to prevent the holding of users’ funds that are considered not to be used for exchange transactions, attention should be paid to whether an environment has been developed in which the Funds Transfer Service Provider can check whether or not such funds are used for exchange transactions, in a timely and proper manner. It should also be kept in mind that even if the receipt amount of a user’s fund is not more than 1 million yen, if it is considered not to be used for exchange transactions as a result of such checks (under Article 30-2(1) of the Cabinet Office Order), the Funds Transfer Service Provider needs to return such amount to the user or take other measures so as not to retain such amount. In relation to the above, has the Funds Transfer Service Provider established internal rules, etc. providing specific check methods, judgment criteria, and how to respond to cases, and disseminated them company-wide through internal training, etc. so that its officers and employees properly handle cases in accordance with such internal rules, etc.? Also, has the Funds Transfer Service Provider developed the necessary control environment, including system support? IV-1-2 Supervisory Methods and Measures With regard to issues and challenges, etc. concerning the restriction of retention of funds of a Type II Funds Transfer Service Provider, which have been identified through the follow-up to the matters indicated in the inspection and the daily supervisory administration such as the notification of misconduct, etc., the supervisory authorities shall monitor the status of voluntary business improvement made by such Funds Transfer Service Provider, by holding an in-depth interview regarding the cause of the issue, improvement measures, etc. and, when necessary, collecting a report based on Article 54 of the Act, based on the viewpoints mentioned above. Furthermore, if it is found that the Funds Transfer Service Provider has a serious problem from the viewpoint of ensuring sound and appropriate operation of the Type II Funds Transfer Services, including the viewpoint of protecting the interests of users thereof, the supervisory authorities shall issue to the Funds Transfer Service Provider an order to improve business operations based on Article 55 of the Act. If a serious and/or malicious violation of laws and regulations is found, the supervisory authorities shall consider issuing an order to suspend business, etc. based on Article 56 of the Act (See VIII-3 for matters to be taken into consideration when conducting administrative dispositions). V. Items to Assess in Supervising Type III Funds Transfer Service Providers Type III Funds Transfer Service Providers are able to carry out only exchange transactions at amounts not exceeding the amount specified by Cabinet Order as a particularly small amount. The maximum amount of money transferred per transaction and accepted per user is 50,000 yen

71 (hereinafter referred to as the “amount equivalent to 50,000 yen”). Note: When providing Funds Transfer Services in foreign currencies, a Funds Transfer Service Provider needs to ensure that the obligations relating to exchange transactions do not exceed the amount equivalent to 50,000 yen in consideration of fluctuations in exchange rates. Therefore, since the economic impact in the event of bankruptcy is relatively small compared to other types of Funds Transfer Service Providers, Type III Funds Transfer Service Providers are permitted to manage user’s funds by means of managing deposits and savings separated from their own assets (hereinafter referred to as the “method of management by bank deposits or savings.”) In managing user’s funds by the method of management by bank deposits or savings, Type III Funds Transfer Service Providers are required to ensure to implement said method properly and to provide sufficient information to users, from the viewpoint of protecting the interests of users. When supervising a Type III Funds Transfer Service Provider, the supervisors should pay attention to the following points in addition to each supervisory viewpoint under Section II. V-1 Restriction on Retention of Funds (Upper Limit for Exchange Transactions) As the upper amount for exchange transactions of Type III Funds Transfer Service Providers is the amount equivalent to 50,000 yen both per person and per transaction, Type III Funds Transfer Service Providers need to take measures to prevent them from conducting business related to exchange transactions that exceed the capped amount. For example, the following points shall be taken into consideration. V-1-1 Major Supervisory Viewpoints (i) Does the Funds Transfer Service Provider have a system in place to prevent it from accepting an order for exchange transactions exceeding the amount equivalent of 50,000 yen from each user? (ii) Does the Funds Transfer Service Provider have a system in place under which the obligations relating to exchange transactions owed to each user do not exceed an amount equivalent to 50,000 yen? For example, has the Funds Transfer Service Provider established necessary measures to prevent the amount received(obligation relating to exchange transaction) by a user (beneficiary) from exceeding the amount equivalent to 50,000 yen as a result of receiving funds from another user? Note: For example, in a case where a user transfers 30,000 yen to another user (beneficiary) whose account balance is 40,000 yen, if the beneficiary receives the entire amount by the remittance to his or her account, his/her account balance will be 70,000 yen and exceed the upper limit of 50,000 yen. Therefore, measures to prevent this will be necessary. Such measures may include, for example, introduction into a relevant contract of a clause that any remittance that may result in the balance of the beneficiary’s account or the planned remittance amount of the remitter exceeding 50,000 yen will not be permitted, or a clause that the amount exceeding the upper limit (20,000 yen in this case) will be automatically withdrawn to a bank account. (iii) Has the Funds Transfer Service Provider established internal rules, etc. setting forth the abovementioned measures and disseminated them company-wide through internal training, etc. so that its officers and employees properly handle cases in accordance with such internal rules, etc.? Also, has the Funds Transfer Service Provider taken necessary IT system measures?

72 V-1-2 Supervisory Methods and Measures With regard to issues and challenges, etc. concerning the restriction on retention of funds (upper limit for exchange transactions) of a Funds Transfer Service Provider, which have been identified through the follow-up to the matters indicated in the inspection and the daily supervisory administration such as the notification of misconduct, etc., the supervisory authorities shall monitor the status of voluntary business improvement made by such Funds Transfer Service Provider by holding an in-depth interview regarding the cause of the issue, improvement measures, etc. and, when necessary, collecting a report based on Article 54 of the Act, based on the viewpoints mentioned above. Furthermore, if it is found that the Funds Transfer Service Provider has a serious problem from the viewpoint of ensuring sound and appropriate operation of the Type III Funds Transfer Services, including the viewpoint of protecting the interests of users thereof, the supervisory authorities shall issue to the Funds Transfer Service Provider an order to improve business operations based on Article 55 of the Act. If a serious and/or malicious violation of laws and regulations is found, the supervisory authorities shall consider issuing an order to suspend business, etc. based on Article 56 of the Act (See VIII-3 for matters to be taken into consideration when conducting administrative dispositions). V-2 Control Environment, etc. for Management Using the Method of Management by Bank Deposits or Savings When implementing the method of management by bank deposits or savings, Type III Funds Transfer Service Providers need to ensure proper handling of the management by bank deposits or savings based on Article 45-2 of the Act and Articles 21-3 to 21-5 of the Cabinet Office Order. In supervising Type III Funds Transfer Service Providers who manage user’s funds through the method of management by bank deposits or savings, the following points, for example, need to be taken into consideration in order to confirm the appropriateness of the management by bank deposits or savings, because the bankruptcy remoteness does not work for such a method, unlike the conventional method of making security deposits. V-2-1 Major Supervisory Viewpoints (1) Recognition and involvement of the management team When implementing the method of management by bank deposits or savings, does the management team recognize the importance of ensuring user protection and verify whether the management by said method is properly and surely performed? Also, does the management team receive a report on the status of the management by bank deposits or savings on a regular or as-needed basis and use it in developing a system to properly implement the management by bank deposits or savings (including the establishment of an internal checking function)? (2) Method of management by bank deposits or savings (i) Is the method of management by bank deposits or savings specified in the internal rules concerning the management by bank deposits or savings and reflected in contracts with users? (ii) Does the Funds Transfer Service Provider clearly separate money, which is its own assets, from user’s funds based on the above method? And can the balance of each user’s funds be ascertained immediately? Also does the Funds Transfer Service Provider properly verify its compliance status?

73 (iii) When implementing the management by bank deposits or savings, does the Funds Transfer Service Provider take the following measures, for example, as measures to prevent bank account balances, etc. from falling short of the amount that must be managed? • Is a division in charge of the affairs concerning the management by bank deposits or savings established? Is a person in charge of handling the procedures for receiving and paying user’s funds prohibited to concurrently serve as a person in charge of checking the balance of user’s funds? • Does the Funds Transfer Service Provider relocate and shift the persons in charge on a regular basis from the perspectives of preventing problematic conducts and wrongful acts? (iv) When managing the user’s funds by the method prescribed in Article 21-3(i) of the Cabinet Office Order, does the Funds Transfer Service Provider calculate the amount obtained by multiplying the amount of outstanding obligations pertaining to Type III Funds Transfer Services as of each business day by the rate of the amount that is managed by the method of management by bank deposits or savings (hereinafter referred to as the “rate of management by bank deposits or savings”) and confirm on each business day whether the account balance of a bank, etc., in which the user's funds are separately managed, is equal to or greater than said calculated amount? In addition, if, as a result of confirmation, the account balance of a bank, etc. is less than the amount that must be kept by the management by bank deposits or savings, does the Funds Transfer Service Provider analyze the cause thereof immediately after resolving the shortfall? (v) When managing the user’s funds by the method prescribed in Article 21-3(ii) of the Cabinet Office Order, does the Funds Transfer Service Provider calculate the amount obtained by multiplying the amount of outstanding obligations pertaining to Type III Funds Transfer Services as of each business day by the rate of management by bank deposits or savings and confirm on each business day whether the appraised principal value of the trust property at a financial institution, in which the user's funds are separately managed, is equal to or greater than said calculated amount? In addition, if, as a result of confirmation, the appraised principle value of the trust property is less than the amount that must be kept by the management by bank deposits or savings, does the Funds Transfer Service Provider immediately add the money equivalent to the shortfall to the trust property and analyze the cause thereof? (3) Audit of the management by bank deposits or savings (i) Has the Funds Transfer Service Provider developed an internal control environment necessary to respond to the audit of the management by bank deposits or savings (such as the formulation of internal rules and manuals)? (ii) When conducting the audit of the management by bank deposits or savings, does the management team select an appropriate certified public accountant or auditing firm according to the size and characteristics of the business? (iii) Are important matters identified and pointed out in the audit of the management by bank deposits or savings reported to the management team without delay? And are matters pointed out in the audit of the management by bank deposits or savings improved promptly? V-2-2 Supervisory Methods and Measures With regard to issues and challenges, etc. concerning control environment for the management via the method of management by bank deposits or savings of a Funds Transfer Service Provider, which

74 have been identified through the follow-up to the matters indicated in the inspection and the daily supervisory administration such as the notification of misconduct, etc., the supervisory authorities shall monitor the status of voluntary business improvement made by such Funds Transfer Service Provider, by holding an in-depth interview regarding the cause of the issue, improvement measures, etc. and, when necessary, collecting a report based on Article 54 of the Act, based on the viewpoints mentioned above. Furthermore, if it is found that the Funds Transfer Service Provider has a serious problem from the viewpoint of ensuring sound and appropriate operation of the Type III Funds Transfer Services, including the viewpoint of protecting the interests of users thereof, the supervisory authorities shall issue to the Funds Transfer Service Provider an order to improve business operations based on Article 55 of the Act. If a serious and/or malicious violation of laws and regulations is found, the supervisory authorities shall consider issuing an order to suspend business, etc. based on Article 56 of the Act (See VIII-3 for matters to be taken into consideration when conducting administrative dispositions). V-3 User Protection Measures Pertaining to Type III Funds Transfer Services A Type III Funds Transfer Service Provider who has submitted a written notification concerning the management by bank deposits or savings for the purpose of protection of the users' funds is able to conduct the management by bank deposits or savings within the scope of the notification. However, as the management by bank deposits or savings is not necessarily covered by the bankruptcy remoteness, unlike the conventional method of making security deposits, there is a risk that users will not recover funds sufficiently upon the bankruptcy of a Type III Funds Transfer Service Provider. For this reason, Type III Funds Transfer Service Providers who conduct the management by bank deposits and savings need to enhance the provision of information on risks in the event of bankruptcy. V-3-1 Major Supervisory Viewpoints (1) Prevention of misidentification with exchange transactions conducted by banks In the case where Article 45-2(1) of the Act applies, when providing explanations to prevent misunderstandings with exchange transactions conducted by banks, etc., are the following points explained as matters prescribed in Article 28(2)(iv) of the Cabinet Office Order, in addition to the matters prescribed in II-2-1-1(2)? When the rate of management by bank deposits or savings is 100%, the explanation of II-2-2-1-1(2)(ii) is not required. • A statement to the effect that the Funds Transfer Service Provider may not make all or part of the security deposits for providing Funds Transfer Services because of the application of Article 45-2(1) of the Act and to the effect that, instead, the Funds Transfer Service Provider implements the method of management by bank deposits or savings; and • Content of the right as prescribed in the proviso to Article 59(1) of the Act. (2) Provision of information to users (i) Does the Funds Transfer Service Provider provide users with sufficient information on the matters specified in each item of Article 29(1) or (2), or in each item of Article 29-2 of the Cabinet Office Order, such as by delivering documents (including electronic or magnetic means) and then providing explanations? (ii) Does the Funds Transfer Service Provider explain to users the following points as the

75 content of the right set forth in the proviso of Article 59(1) of the Act as prescribed in Article 29-2(iv) of the Cabinet Office Order? • If the rate of management by bank deposits or savings is 100%, a statement to the effect that a creditor of obligations borne by the Funds Transfer Service Provider in relation to the exchange transactions does not have the right to receive, in preference over other creditors, payments for the return of the security deposits for providing Funds Transfer Services because there is no security deposit for providing Funds Transfer Services prescribed in said clause at the time of bankruptcy • In the case where the Funds Transfer Service Provider implements the management by bank deposits or savings, the rate of which, however, is not 100%, a statement to the effect that a creditor of obligations borne by the Funds Transfer Service Provider relating the Type III Funds Transfer Services has the right to claim for the security deposits for providing Funds Transfer Services to the extent of the amount that remains after deducting the amount obtained by multiplying the amount of outstanding obligations by the rate of management by bank deposits or savings and to the effect that the creditor is entitled to receive a refund within the scope of the security deposits made by the Type III Funds Transfer Service Provider V-3-2 Supervisory Methods and Measures With regard to issues and challenges, etc. concerning the User Protection Measures of the Type III Funds Transfer Services, which have been identified through the follow-up to the matters indicated in the inspection and the daily supervisory administration such as the notification of misconduct, etc., the supervisory authorities shall monitor the status of voluntary business improvement made by the Type III Funds Transfer Service Provider by holding an in-depth interview regarding the cause of the issue, improvement measures, etc. and, when necessary, collecting a report based on Article 54 of the Act, based on the viewpoints mentioned above. Furthermore, if it is found that the Funds Transfer Service Provider has a serious problem from the viewpoint of ensuring sound and appropriate operation of the Type III Funds Transfer Services, including the viewpoint of protecting the interests of users thereof, the supervisory authorities shall issue to the Funds Transfer Service Provider an order to improve business operations based on Article 55 of the Act. If a serious and/or malicious violation of laws and regulations is found, the supervisory authorities shall consider issuing an order to suspend business, etc. based on Article 56 of the Act (See VIII-3 for matters to be taken into consideration when conducting administrative dispositions). VI. Items to Assess in Supervising Funds Transfer Service Provider Operating Multiple Types of Funds Transfer Services VI-1 Prevention of Adverse Effects in Cases Where a Funds Transfer Service Provider Operates Multiple Types of Funds Transfer Services It is permitted that a Funds Transfer Service Provider operates multiple types of Funds Transfer Services from the perspective of ensuring the convenience of users. On the other hand, however, it is necessary to prevent the adverse effects of the joint operation. VI-1-1 Major Supervisory Viewpoints (1) Measures necessary in the case where a Funds Transfer Service Provider operates multiple types

76 of Funds Transfer Services (i) Has the Funds Transfer Service Provider who operates multiple types of Funds Transfer Services taken measures so that the status of use of funds received by each user, such as the balance of funds and the actual amount of remittances, can be easily understood for each type of Funds Transfer Service it operates? (ii) In view that a Funds Transfer Service Provider must make security deposits for providing Funds Transfer Services for each category of Funds Transfer Services pursuant to Article 43(1) of the Act and that it is required to report the financial status of each category of Funds Transfer Services in the report prescribed in Article 53(1) of the Act, does the Funds Transfer Service Provider set accounts for each category of Funds Transfer Services it operates and provide separate accounting? (2) Necessary measures for operating Type I Funds Transfer Services and Type II Funds Transfer Services Has the Funds Transfer Service Provider who operates both Type I Funds Transfer Services and Type II Funds Transfer Services taken measures to prevent the transfer of funds received from users of Type II Funds Transfer Services to funds for exchange transactions for Type I Funds Transfer Services, in order to avoid the escape from the strict restriction on retentions of funds imposed on Type I Funds Transfer Service Providers? In addition, does it explain these measures to users in an easy-to-understand manner? VI-1-2 Supervisory Methods and Measures With regard to issues and challenges, etc. concerning the prevention of adverse effects in a case where a Funds Transfer Service Provider operates multiple types of Funds Transfer Services, which have been identified through the follow-up to the matters indicated in the inspection and the daily supervisory administration such as the notification of misconduct, etc., the supervisory authorities shall monitor the status of voluntary business improvement made by such Funds Transfer Service Provider by holding an in-depth hearing regarding the cause of the issue, improvement measures, etc. and, when necessary, collecting a report based on Article 54 of the Act, based on the viewpoints mentioned above. Furthermore, if it is found that the Funds Transfer Service Provider has a serious problem from the viewpoint of ensuring sound and appropriate operations of the Funds Transfer Services, including the viewpoint of protecting the interests of users, the supervisory authorities shall issue to the Funds Transfer Service Provider an order to improve business operations based on Article 55 of the Act. If a serious and/or malicious violation of laws and regulations is found, the supervisory authorities shall consider issuing an order to suspend business, etc. based on Article 56 of the Act (See VIII-3 for matters to be taken into consideration when conducting administrative dispositions). VII. Basic Views on Foreign Funds Transfer Service Providers VII-1 Prohibition of Solicitation by Foreign Funds Transfer Service Providers Foreign Funds Transfer Service Providers (excluding those registered under the Act; the same shall apply hereinafter in VII-2) must not solicit any person in Japan for exchange transactions, unless otherwise provided for by laws and regulations.

77 VII-2 Cross-Border Transactions by Foreign Funds Transfer Service Providers Using the Internet, etc. An act of posting an advertisement, etc. concerning exchange transactions on a website, etc. by a foreign Funds Transfer Service Provider generally falls under the act of “soliciting/solicitation.” Provided, however, that the foregoing shall not apply to “soliciting/solicitation” directed to a person in Japan as long as reasonable measures, including the measures set forth below, are taken so as not to result in any exchange transactions with a person in Japan. (1) Disclaimer Clearly state that persons in Japan are not covered by the service. The following points should be taken into consideration when determining whether the above measures have been taken sufficiently. (i) No particular operation of computer or device other than viewing the advertisement is required for reading and understanding the disclaimer. (ii) The disclaimer must be indicated in language reasonably deemed to be readable and understandable for those in Japan who are accessing the website. (2) Measures to prevent transactions Measures must be taken to prevent exchange transactions with a person in Japan. The following points should be taken into consideration when determining whether the above measures have been taken sufficiently. (i) At the time of a transaction, the business operator has gone through the procedure to confirm the residence of the user by having the user present his/her address, mailing address, e-mail address, payment method, and other information. (ii) In cases where there are reasonable grounds to believe that it is clearly an exchange transaction by a person in Japan, the business operator should take care not to accept the order from the person in Japan. (iii) The business operator has been attentive in order not to conduct any act of inducing persons in Japan to engage in exchange transactions, including establishing a call center for users in Japan or linking websites targeted at persons in Japan. In addition, the measures listed above are merely examples, and if equivalent or superior measures are taken, posting of advertisements, etc. shall not be deemed to be an act of “soliciting/solicitation” for persons in Japan. (3) In cases where reasonable measures described above are not taken, since the posting of advertisement, etc. is highly likely to be deemed as the act of “soliciting/solicitation” of exchange transactions for persons in Japan, the foreign Funds Transfer Service Provider should prove that it has not conducted any exchange transactions with persons in Japan, including any solicitation thereof. VIII. Points to Note regarding Administrative Processes for Inspection and Supervision of Funds Transfer Service Providers VIII-1 Basic Views and General Administrative Processes, etc. VIII-1-1 Basic Views on Inspection and Supervision The purpose of inspecting and supervising a Funds Transfer Service Provider is to enforce registration and provide other necessary measures with respect to exchange transactions, etc.

78 conducted by those other than banks in order to ensure the appropriate provision of payment services, and protection of the users, etc. thereof, and to promote the provision of those services, thereby contributing to the improvement of the safety, efficiency, and convenience of the payment and settlement system (see Article 1 of the Act). To accomplish the purpose of such inspection and supervision, the supervisory authorities need to make continuous responses commensurate with the scale and characteristics of each Funds Transfer Service Provider. For this, in conducting the inspection and supervisory affairs of Funds Transfer Service Providers, it is essential to first understand the policies of how each Funds Transfer Service Provider intends to address issues and challenges in developing business models and establishing compliance management and risk management systems, and then to accurately understand how these policies are implemented, what governance systems are operated for such implementation, what potential risks or problems lurk, and how Funds Transfer Service Providers recognize and respond to their respective risks and problems. In order to respond to important issues from the perspective of overall management, to ensure the soundness and appropriateness of the business of a Funds Transfer Service Provider and the protection of users, etc., and to contribute to the stability of the fund settlement system, etc., each Funds Transfer Service Provider itself needs to transform its management structure so that it can work on continuous improvement toward the best practices on its own without being pointed out by the supervisory authorities. The supervisory authorities will encourage each Funds Transfer Service Provider to pursue its efforts in seeking better practices through continuous monitoring through fact-finding and dialogue. If, in the course of such monitoring activities, the supervisors find any issue that is considered serious in terms of the soundness and appropriateness of the Funds Transfer Service Provider’s business or find that the Funds Transfer Service Provider is unable to improve its business by its self-initiated efforts only, the supervisors shall consider whether to issue an order to improve business operations or to impose other administrative disposition pursuant to Article 55 of the Act (as explained in VIII-3). (1) Ensuring sufficient communication with Funds Transfer Service Providers In inspecting and supervising a Funds Transfer Service Provider, it is important to adequately gather and analyze information about the business operations of the Funds Transfer Service Provide and to make timely and to respond appropriately and in a timely manner. For this reason, the supervisory authorities should, in addition to obtaining reports from Funds Transfer Service Providers, endeavor to closely communicate with them and collect information on a day-to-day basis under sound and constructive tension with Funds Transfer Service Providers. More specifically, it is necessary to ensure daily communication with Funds Transfer Service Providers through regular and timely interviews and exchanges of opinions with various officers and employees thereof, including the management team, outside directors, and persons in charge of internal audits, and to endeavor to grasp not only financial information but also various information on management. (2) Respect for voluntary efforts of Funds Transfer Service Providers While each of Funds Transfer Service Providers, as a private company, makes management decisions at its own risk and responsibility, the role of the supervisory authorities is to review such decisions based on relevant laws and regulations and to encourage each of them to resolve

79 problems by its own efforts and resources. With this role firmly in mind, the supervisors must pay due regard to the initiatives of Funds Transfer Service Providers in their business operations throughout supervisory processes. (3) Ensuring efficient and effective inspection and supervisory From the viewpoint of making effective use of limited resources of the supervisory authorities and Funds Transfer Service Providers, it is necessary to conduct inspection and supervisory activities efficiently and effectively while taking into consideration the scale and characteristics of Funds Transfer Service Providers. Therefore, when the supervisors ask a Funds Transfer Service Provider to submit reports or other documents, the scope of such documents must be limited to the extent truly necessary for the relevant supervisory processes. More importantly, the supervisors must continue efforts to enhance efficiency and effectiveness of supervisory services; the necessity of the supervisory processes currently adopted and their methodologies should be constantly reviewed and supervisory processes should be redesigned whenever necessary. The content of the reports previously obtained from Funds Transfer Service Providers and the procedures for requesting submission of reports or documents are reviewed once every year to streamline such procedures and reduce paperwork burdens of Funds Transfer Service Providers. On such occasions, the supervisors should seek opinions of Funds Transfer Service Providers about submission requirements. When requesting a small-scale Funds Transfer Service Provider, etc. to submit reports or other documents, the supervisors shall give sufficient consideration of their characteristics so as not to hinder smooth operation of their business. (4) Active information gathering about Funds Transfer Service Providers In the inspection and supervision of Funds Transfer Service Providers, it is important for the supervisors to accurately understand and analyze information on the management of Funds Transfer Service Providers, including complaints, etc. from users, etc., and to take appropriate and timely measures for inspection and supervision as necessary. For this reason, it is necessary to pay attention not only to reports from Funds Transfer Service Providers but also to complaints from users, etc., and to actively collect information through daily and sufficient communication with Certified Associations for Payment Service Providers and Funds Transfer Service Providers. VIII-1-2 General Supervisory Affairs (1) Offsite monitoring Local Finance Bureaus shall endeavor to understand the actual situation of the following matters by examining submitted materials, etc., in cooperation with the relevant divisions of the FSA, as necessary. When conducting offsite monitoring, the FSA’s divisions in charge shall present priority matters for such supervision to the Local Finance Bureaus at the beginning of every fiscal year, and the monitoring shall be conducted based on this. (i) Basic management (governance) policies, etc. (ii) Status of internal management (iii) Status of compliance with laws and regulations (iv) Status of business operations

80 (v) Status of internal audits (2) On-site inspection pursuant to Article 54 of the Act The supervisors shall conduct on-site inspection pursuant to the Act when it determines that detailed examination is required for verifying the soundness and appropriateness of the current business of a Funds Transfer Service Provider, or when it is found necessary on other grounds. In doing so, the supervisors shall always keep in mind what are the most important management issues and what are the underlying causes of these issues, and by holding discussions with the executives, the supervisors shall endeavor not to reach an easy conclusion but to engage in fundamental discussions on important management and financial administration issues of the Funds Transfer Service Provider. In this regard, see the Basic Procedures for On-Site Inspection, as shown in Exhibit 1. If the supervisors issue a notice of inspection results to an inspected Funds Transfer Service Provider, the supervisors shall, within one week after the notice in principle, ask the Issuer of Prepaid Payment Instruments to report its fact-checking of the problems pointed out in the notice, its own analyses of the causes of those problems, planned measures for improvement or remediation, and other comments within one month pursuant to Article 54 of the Act. (3) Dialogue Dialogue with a Funds Transfer Service Provider is intended to clarify whether any problem that could affect the financial stability and compliance of the Funds Transfer Service Provider has occurred or is likely to occur, to review the initiatives of the Funds Transfer Service Provider for enhancing business management, or to discuss other issues that are important under the present circumstances or in light of the nature of ongoing problems, as well as the scale and characteristics of the Funds Transfer Service Provider. When holding a dialogue, the supervisors shall avoid imposing their beliefs or hypotheses and endeavor to make the Funds Transfer Service Provider feel free to express its views. After hearing its story and grasping its mindset and policies, the supervisors carry out fact-based discussions. Furthermore, on each occasion of such dialogue session, the supervisors shall make efforts to ensure the continuity of the dialogue, taking into full consideration the communications made so far between the supervisory authorities and each Funds Transfer Service Provider. (A) If the supervisors determine, based on the facts ascertained, that the Funds Transfer Service Provider is highly likely to face a serious problem on compliance, etc., the Funds Transfer Service Provider shall, first of all, verify its challenges, the root causes, and the adequacy of remediation measures by itself. Then, in-depth discussions between the supervisors and the Funds Transfer Service Provider to implement remediation measures shall follow. If, however, a serious problem has already arisen or high urgency in any other form is observed, the supervisors may go further and pinpoint the issues which the supervisors consider necessary to be rectified and then check the policies of each Funds Transfer Service Provider for rectification. (B) If a Funds Transfer Service Provider is determined to be unlikely to cause the abovementioned serious problems, the Provider is expected to exercise diverse initiatives to innovate itself in ways fitting its circumstances and to continue efforts to refine business models and risk management practices. The supervisory authorities shall try to deepen the understanding of the business conditions and challenges of Funds Transfer

81 Service Providers and their policies and strategies through day-to-day monitoring and profiling activities. Then, the supervisory authorities shall conduct in-depth dialogue with Funds Transfer Service Providers to discuss their business models, risk management practices, human resources development, and other issues, without a presumption on specific answers, for the purpose of promoting their improved awareness and understanding (and share model cases of other Funds Transfer Service Providers for best practices where appropriate). (4) Dealing with complaints, etc. (i) Basic response The Counseling Office for Financial Services Users of the FSA and the relevant division in charge at each Local Finance Bureau shall be the primary contact for receiving consultations and/or complaints, etc. concerning Funds Transfer Service Providers. These authorities shall explain to those who made such consultations and complaints, etc. that they are not in a position to conduct mediation, etc. concerning individual transactions and, if necessary, introduce a Designated ADR Body or the Certified Association for Payment Service Providers to them as an institution to respond to such consultations, complaints, etc. pursuant to the law. If the person who made consultation or complaint, etc. has given consent to the provision of his/her information to the relevant Funds Transfer Service Provider, the supervisory departments shall, in principle, provide relevant information to the Funds Transfer Service Provider. (ii) Accumulation of information Each Local Finance Bureau shall record the content of any consultations, complaints, etc. concerning Funds Transfer Service Providers that are deemed to be helpful for supervising Funds Transfer Service Providers (Appended Form 2) and, if the information is deemed particularly influential, it shall promptly report it to the relevant division in charge at the FSA. (iii) Cooperation with the Counseling Office for Financial Services Users To properly reflect feedback from consultation or complaints, etc. received at the Counseling Office for Financial Services Users, the supervisory departments shall take the following measures. (A) Analysis of details of the consultations and complaints, etc. circulated from the Counseling Office (B) Exchange of information with the Counseling Office VIII-1-3 Coordination among Supervisory Authorities (1) Cooperation between the FSA and Local Finance Bureaus The Financial Services Agency and the Local Finance Bureaus need to share awareness of issues deemed necessary for the supervision of Funds Transfer Service Providers by appropriately exchanging relevant information. For this reason, the FSA and the Local Finance Bureaus shall make efforts to strengthen their mutual cooperation, such as by providing information in a timely and appropriate manner and actively exchanging opinions, etc., with regard to information, etc. other than the coordination, etc. pertaining to internal delegated

82 affairs listed in VIII-1-5, as well. In addition, the Local Finance Bureaus shall endeavor to strengthen cooperation between themselves by, when they become aware of any undisclosed issues regarding Funds Transfer Service Providers supervised by another Local Finance Bureau, providing information to the relevant Local Finance Bureaus or the FSA as appropriate. (2) Liaison and coordination with the Director-General of the Local Finance Bureau of competent jurisdiction In the case where an administrative disposition under Article 57 of the Act is made to a Funds Transfer Service Provider, the details of such disposition shall be promptly notified to the Director-General of another Local Finance Bureau having jurisdiction over the location of the Funds Transfer Service Provider’s business office. (3) Authority of the Commissioner of the Financial Services Agency other than matters delegated to the Directors-General of Local Finance Bureaus When receiving the following application, etc. pertaining to the authority other than those delegated to the Director-General of a Local Finance Bureau within the authority of the Commissioner of the Financial Services Agency based on the provisions of Article 30 of the Order, the Local Finance Bureau shall explain to the applicant, etc. that such application is subject to the authority of the Commissioner of the Financial Services Agency, and introduce the division in charge in the FSA to the applicant, etc. Also, when the FSA processes the following applications, the FSA shall endeavor to closely cooperate with Local Finance Bureaus by, for example, providing relevant information to them. • Application for an approval of the business implementation plan and change thereof pursuant to Article 40-2(1) of the Act • Notification of change of the business implementation plan pursuant to Article 40-2(2) of the Act VIII-1-4 Cooperation, etc. with Certified Associations for Payment Service Providers Certified Associations for Payment Service Providers (hereinafter collectively referred to as “the Association”) have an important role to play in ensuring the proper operation of the business of Funds Transfer Service Providers, thereby promoting the sound development of Funds Transfer Service Providers and protection of the interests of users, and contributing to the improvement of the safety, efficiency, and convenience of the payment system, including the establishment of self-regulation rules, the investigation and guidance of the status of legal compliance, etc. to members, and the resolution of complaints from users. When supervising Funds Transfer Service Providers, the supervisors shall pay attention to the following points, given the necessity to ensure appropriate coordination with the Association. (1) From the viewpoint of conducting efficient and effective supervision of Funds Transfer Service Providers who are members of Certified Associations for Payment Service Providers, the supervisors shall hold an interview as needed with regard to the investigations, audits, guidance for improvement, etc. conducted by the Associations for its members.

83 (2) For minor matters that are not necessarily in violation of laws and regulations and for which it is deemed appropriate and effective for the Association to provide improvement guidance, etc., the supervisors may, in close cooperation with the Association, request the Association to give improvement guidance, etc. and to pay attention to such matters in its investigation, while taking into consideration the supervisory right of the authorities. (3) With regard to complaints, etc. received by the Association and the status of processing complaints and the trend of the complaints, the supervisors shall regularly hold an interview and exchange opinions with the Association. (4) From the perspective of supervising Funds Transfer Service Providers including non-members appropriately and efficiently, the supervisory authorities shall closely cooperate with the Association with regard to the establishment, amendment, and status of operation of the self-regulatory rules. VIII-1-5 Internal Delegation (1) Coordination with the Commissioner of the Financial Services Agency The Director-General of the Local Finance Bureau shall, in processing the matters to be delegated to him/her regarding supervisory affairs of Funds Transfer Service Providers, coordinate in advance with the Commissioner of the FSA with regard to the following matters (which does not preclude coordination with the Commissioner of the FSA with regard to other matters on an as-needed basis). It should be noted that, at the time of coordination, the Director-General of a Local Finance Bureau shall report the results of the deliberations made at his/her bureau (including deliberations made pursuant to III-3(3) hereof) and express the opinions thereof. (i) Order to improve business operations under Article 55 of the Act (ii) Revocation of registration or business suspension under Article 56(1) of the Act (2) Sub-delegation to the Head of Local Finance Office, etc. In cases where the location of the headquarters (referring to the “headquarters” stipulated in Article 43 of the Act; the same shall apply hereinafter) of an applicant for registration and a Funds Transfer Service Provider is within the jurisdictional district of a Local Finance Office, the Otaru Sub-office of Hokkaido Local Finance Bureau, or the Kitami Sub-office of Hokkaido Local Finance Bureau, the authorities delegated to the Director-General of a Local Finance Bureau pertaining to the acceptance of written notification, applications, and reports submitted by the applicant for registration or the Funds Transfer Service Provider may be delegated to the Head of said Local Finance Office or Sub-Office. The written notifications, etc. concerning these matters shall be submitted to the attention of the Director-General of the Local Finance Bureau having jurisdiction over the location of the headquarters of an applicant for registration or a Funds Transfer Service Provider. Exhibit 1: Basic Procedures for On-Site Inspection Exhibit 1-2: List of Important Matters VII-2 Various Administrative Procedures

84 VIII-2-1 Application for Registration and Acceptance of Notification Administrative processes pertaining to applications for the Funds Transfer Services registration and changes thereof, as well as public inspection of such registers, shall be handled as follows. (1) Acceptance of application for registration and notification (i) When accepting an application for registration and/or notification of change thereof, the supervisors shall pay attention to the following matters and, if finding them inappropriate, request the Funds Transfer Service Provider who submitted the application and/or notification to make a correction. (A) The applicant must not use any trade name or name that is likely to mislead users to think that it is a public institution or a financial institution or that it has a special relationship therewith, or to impair the fairness of transactions. (B) The applicant must not make two or more applications for registration using two or more trade names. (C) The entrustment agreement with entrustees must cover the following matters. a) The entrustee’s obligation to comply with the Payment Services Act; b)Matters concerning the scope of entrusted operations; c) Matters concerning how to determine and how to pay the commission to entrustees; d)Sharing of expenses necessary for handling the entrusted operations; and e) Entities to install business facilities and equipment (ii) The “place where the principal activities of the Funds Transfer Service are carried out” as prescribed in Note 1 on the 3rd page of Appended Form 1 of the Cabinet Office Order means the place where important activities for exchange transactions with users are carried out, such as receipt and payment of cash. (2) Examination of applications for registration (i) When examining the registration, the supervisors shall examine, in particular, the cases that are considered to have a high risk of causing money laundering and terrorist funding and those involving sophisticated and complex business models and systems in cooperation with the FSA as necessary. (ii) The supervisors need to keep in mind to conduct the examination efficiently. Note: For example, the examiner should pay attention not to take a long time to verify the merely formal part of the registration or not to overlap the verification items of the Local Finance Office and the Local Finance Bureau. (iii) The supervisors should be careful to make an integrated examination for an applicant who intends to apply for the registration of issuing the Prepaid Payment Instruments for Third-Party Business and for the Funds Transfer Service at the same time, for providing integrated services of both businesses. (iv) In examining the sufficient financial foundation set forth in Article 40(1)(iii) of the Act, the examiner shall verify it through interviews and on-site inspections, etc. based on the application for registration and the attached documents, and take the following points into consideration in particular. (A) Does the applicant has a sufficient financial foundation to fulfill the obligation to make security deposits for providing Funds Transfer Services under the Act? Note: When assessing the abovementioned matters, the supervisors shall conduct interviews about the expected Required Amount as Security for Providing Funds

85 Transfer Services as defined in Article 43(2) of the Act and the expected method to preserve the assets, based on the details of “Content and Method of the Funds Transfer Services” included in the written application for registration, the latest balance sheet, etc. as prescribed in Article 6(1)(vii) of the Cabinet Office Order, the “document stating the expected income and expenditures pertaining to the Funds Transfer Services for the first three business years after the commencement of the business” as prescribed in Article 6(1)(ix) of the Cabinet Office Order, and the details of the “internal rules, etc. concerning the Funds Transfer Services” as prescribed in Article 6(1)(xiii) of the Cabinet Office Order. (B) Does the Funds Transfer Service Provider have a control environment sufficient to facilitate the payment and receipt of funds to and from users? Note: For example, in the case of cash receipts and payments, is it possible for the Funds Transfer Service Provider to prepare the expected amount of payments to users at stores or ATMs? Also, does it have the ability to raise cash in cases where payments to users are concentrated? (C) Regarding the prospective income and expenditures, has the Funds Transfer Service Provider established plans and measures to cope with deterioration of the business environment such as the entry of any competitor or the system obsolescence, and does the plan anticipate a certain level of earnings even under such a scenario? In addition, if there are special circumstances that are considered to affect the continuity of the Funds Transfer Services, such as a case where any loss incurred in the Funds Transfer Services can be offset by earnings from other businesses operated by the applicant, the supervisors shall consider such circumstances. (v) In examining whether the applicant falls under the category of a “corporation which has not established a system to ensure the proper and secure conduct of the Funds Transfer Services” as prescribed in Article 40(1)(iv) of the Act and the category of a “corporation which has not established a system that is necessary for ensuring compliance with the provisions of this Chapter” as prescribed in Article 40(1)(v) of the Act, the examiner shall verify it through hearings and on-site inspections, etc. based on the application for registration and the attached documents, and take the following points into consideration in particular. (A) With regard to the internal rules and the major supervisory viewpoints listed in II-1 (Business Management, etc.) and II-2-1 (Compliance with Laws and Regulations) through II-2-3 (Administrative Operations) of these Guidelines, has the Funds Transfer Service Provider developed a control environment to appropriately respond to them; for example, whether or not it handles international remittance or receipt and payment of cash, in light of the scale and characteristics of said Funds Transfer Service Provider? In particular, when confirming the organizational structure, has the applicant secured sufficient personnel commensurate with the structure of the Internal Control Department (or the Internal Audit Department depending on type of its business) in which the mutual check function effectively works, including the structure for legal compliance? (B) Do the articles of incorporation or articles of contribution include the operation of the Funds Transfer Services as a corporate purpose? (C) In particular, with regard to an applicant who plans to handle international remittances, has it developed a control environment based on relevant laws and regulations concerning international remittances, such as the Foreign Exchange and Foreign Trade

86 Act and the Act on Submission of Statement of Overseas Wire Transfers for Purpose of Securing Proper Domestic Taxation? (D) In cases where international remittance is included in the businesses conducted by the applicant, are the time and method of calculation of outstanding obligations in the process of funds transfer described in the application for registration consistent with the statement in the terms and conditions used by the applicant (statement related to transfer of the right of the funds for international remittance)? (E) In cases where business entrustment to or business collaboration with a third party located in a foreign state is included in the businesses conducted by the applicant, the supervisors shall confirm with the applicant about the personal information protection system in the foreign state and the measures taken by the third party for the protection of personal information, and then check that the applicant has developed a system to appropriately manage personal information in relation to business entrustment or business alliance. (3) Processing of applications for registration (i) A written notice of completion of registration under Article 7 of the Cabinet Office Order shall be treated as follows. (A) The registration number shall be assigned serially from 00001 in the order of completion of approvals by the Directors-General of Local Finance Bureaus. (B) When a registration is no longer valid, its registration number shall be retired and no replacement shall be made. (C) With regard to a notification for change of the location of the headquarters, which is beyond the jurisdictional district of the local finance bureau, its registration number shall be newly given by the Director-General of the Local Finance Bureau who effected the new registration in serial in accordance with (A) above. (ii) If a registration is refused, a written notice of refusal of registration, stating the reasons for refusal, etc., based on Article 9(2) of the Cabinet Office Order shall be delivered to the applicant for registration (See VIII-4). (iii) When refusing the registration, the Director-General of the Local Finance Bureau shall notify the Director-General of the Supervisory Bureau of the FSA to that effect by sending a written notice of refusal of registration of the Funds Transfer Service Provider using Appended Form 3 together with a copy of the written application for registration. (4) Interview, etc. after registration During the period from the registration to commencement of business, the supervisors shall conduct interviews and on-site inspections, etc. to confirm whether the applicant can start the business of the Funds Transfer Services normally. In addition, if as a result of the above interviews the supervisors do not receive a reasonable explanation from a Funds Transfer Service Provider who had registered but has not yet launched the business for a long period of time, the supervisors shall grasp the actual status of the business of said Provider, as necessary, by considering the issuance of an order to collect reports on its future operation. (5) Processing of the notification of change (i) If it becomes clear that a person newly appointed as an officer of the notifier falls under any of Article 40(1)(x)(a) through (e) of the Act, the supervisory authorities shall take measures

87 such as revocation of registration prescribed in Article 56 of the Act with respect to the notifier. (ii) In cases where the change so notified is a change of the location of the headquarters beyond the jurisdictional district of the Local Finance Bureau, such change shall be treated as follows. (A) The Director-General of the Local Finance Bureau who receives the notification of change of registered matters shall retain the attached documents under Article 10(2)(ix) of the Cabinet Office Order (the written notice of completion of registration). (B) The Director-General of the Local Finance Bureau who has received the relevant notification of change, etc. under (A) above shall notify the Director-General of the Local Finance Bureau who will newly have the authority of registration pursuant to Article 10(3) of the Cabinet Office Order with the written notification of change prepared using Appended Form 4, together with a copy of the relevant notification of change, the part of the register of Funds Transfer Service Providers relating to the notifier, the written opinion of the Local Finance Bureau prepared using Appended Form 5, the previous notification and documents to be attached thereto, and a copy of the report on the inspection conducted immediately prior to the submission of the relevant notification of change. (C) The Director-General of the Local Finance Bureau to whom the written notification described in (B) above has been sent shall, without delay, register the relevant information in the register of Funds Transfer Service Providers and notify the Director-General of the Local Finance Bureau who previously registered the information through the written notice of completion of registration of change prepared using Appended Form 6. (6) Issuance of certificates of registration If a registered Funds Transfer Service Provider or a person who was a Funds Transfer Service Provider files an application for the registration certificate for the reason that it is necessary to submit it to a public institution, the supervisors shall issue a certificate of registration for the Funds Transfer Service Provider pursuant to Appended Form 7. Provided, however, that this shall not apply to cases where the registration application documents have already been disposed of after the expiration of the retention period. (7) Preparation of the register of Funds Transfer Service Providers Based on the written application for registration prescribed in Article 4 of the Cabinet Office Order (pages 2 to 12 of Appended Form 1 of the Cabinet Office Order, (in the case of a foreign Funds Transfer Service Provider, pages 2 to 13 of Appended Form 2 of the Cabinet Office Order)), the registry pertaining to the registered Funds Transfer Service Providers shall be organized by the Funds Transfer Service Provider and kept in the register. (8) Public inspection of the register of Funds Transfer Service Providers Public inspection of the register of Funds Transfer Service Providers under Article 8 of the Cabinet Office Order shall be treated as follows. (i) A person who made a request for public inspection shall be required to fill in the prescribed items on the application for public inspection of the register of Funds Transfer Service Providers pursuant to Appended Form 8. It should be noted that a person who has changed his/her surname may also enter his/her former surname (meaning the former surname

88 prescribed in Article 30-13 of the Order for Enforcement of the Residential Basic Book Act (Cabinet Order No. 292 of 1967, the same shall apply in II-2-5)) and name between parentheses in the column of “Applicant's name.” (ii) The date and time of inspection of the register shall be as follows. (A) The date of public inspection shall be days other than Saturdays, Sundays, holidays prescribed in Article 3 of the Act on National Holidays, January 2 and 3, and from December 29 to 31. (B) The public inspection time shall be within the time specified by the Director-General of the Local Finance Bureau. (C) When it is necessary to organize the register, etc. or for any other reason, the public inspection date or time may be changed. (iii) The register, etc. may not be taken out of the place of the public inspection designated by the Director-General of the Local Finance Bureau. (iv) The following persons may be suspended or refused for public inspection: (A) Any person who fails to follow (i) through (iii) above or the instructions of the staff (B) Any person who has damaged or is deemed likely to damage the register, etc. (C) Any person who has caused or is deemed likely to cause trouble to others. VIII-2-2 Application for Registration and Acceptance of Notification Administrative processes pertaining to applications for approval and change of the business implementation plan shall be handled as follows. (1) Acceptance of applications for approval and notifications When accepting an application for approval and/or notification of change thereof, the supervisors shall pay attention to the following matters and, if finding it inappropriate, request the Funds Transfer Service Provider who submitted the application and/or notification to make a correction. • In the case where an applicant makes the application for registration of a Funds Transfer Services (including the registration of change) and the application for approval of the business implementation plan pertaining to Type I Funds Transfer Services at the same time, the examiner shall confirm with the applicant that there are no discrepancies, etc. between the contents of the application for registration and the contents of the business implementation plan. (2) Examination of applications for approval When receiving an application for approval of a business implementation plan, the examiner shall examine it according to the upper limit of exchange transactions planned by the applicant and the contents of the business. Note: In examining the application, the examiner shall hold sufficient interviews of the applicant regarding the content of the application and, when necessary, ask the applicant for submission of additional materials such as data supporting the content of the explanation. (i) Upper limit of exchange transactions Does the applicant, in order to operate Type I Funds Transfer Services appropriately and reliably, conduct risk assessments for each type of risk according to the upper limit of exchange transactions, including IT system risk, and terrorist financing and money laundering risk? In addition, has it developed a risk management control environment based on such risk

89 assessments? For example, the following points shall be taken into consideration. • In conducting high value exchange transactions, does the applicant have means of raising funds that enables it to appropriately and reliably fulfill obligations, such as making security deposits for providing Funds Transfer Services as required by laws and regulations? • Does the applicant have a financial foundation commensurate with the upper limit of exchange transactions? (ii) Strict restriction on retention of funds (A) In examining the “period necessary for handling processes for the transfer of funds,” the examiner shall require the applicant to submit supporting materials and pay attention to the following points in particular. • Has the applicant set a reasonable period for each necessary administrative process (confirmation and verification for countermeasures against terrorist financing and money laundering, communication with overseas bases and banks, and remittance to bank accounts, etc.)? • Has the applicant set it for each country and region where the transfer of funds through exchange transactions occurs? (B) If the application includes any assumption of “event where the funds cannot be transferred for reasons not attributable to a Type I Funds Transfer Service Provider,” is the cause thereof truly not attributable to the Funds Transfer Service Provider? (3) Conditions for approval It should be noted that the supervisors may add or change conditions for approval to the extent necessary. (4) Notification to the applicant Upon approving the business implementation plan, the supervisory authorities shall issue a notification for approval to the applicant. When refusing the application, the supervisors shall deliver to the applicant a notification of refusal stating the reasons for refusal, the fact that the applicant may file a request for review with the Commissioner of the Financial Services Agency, the fact that the applicant may file an action for revocation of the disposition against the State, etc. (see VIII-4). (5) Response after approval Following the approval of the business implementation plan, the following points shall be taken into consideration in the supervisory response. (i) During the period from the approval of registration to commencement of business, the supervisors shall conduct interviews and on-site inspections, etc. to confirm whether the applicant can start the business of the Funds Transfer Services normally. However, the supervisors shall consider the reduction of the burden on the Funds Transfer Service Provider, such as by doing it at the same time as VIII-2-1(4). (ii) If additional conditions are imposed on the applicant for approval, the supervisors shall grasp the situation by collecting a report pursuant to Article 54 of the Act as necessary as to whether the conditions for approval are satisfied. (iii) With regard to the implementation status of measures concerning the approved business implementation plan, the supervisors shall grasp the situation by collecting a report as necessary pursuant to Article 54 of the Act.

90 (iv) In the case where the applicant has changed particulars in the business implementation plan and received the approval for such change, if such change relates to the registered matters, the supervisors shall request the applicant to submit a notification of change prescribed in Article 41(4) of the Act. For example, if the applicant changed the “upper limit of exchange transactions” in the business implementation plan and received an approval for such change, it must submit a notification of change concerning the “upper limit of the amount it handles” in the register, because such change is regarded as a change of the “contents and means of the Funds Transfer Service” set forth in Article 38(1)(viii) of the Act. (6) Examination of application for approval of change When an application for approval of change of the business implementation plan is filed, the supervisors shall examine it in the same manner as examining the application for approval. VIII-2-3 Written Reports under Article 53 of the Act (1) Written reports under Article 53(1) of the Act The following points shall be taken into consideration when processing a business report prescribed in Appended Form 19 (or Appended Form 20 in case of a foreign Funds Transfer Service Provider) of the Cabinet Office Order. (i) After reviewing the reporting contents with reference to the matters confirmed at the time of application for registration, such as the financial plan, if there is a significant discrepancy between the two, the supervisors shall confirm the actual business conditions through interviews with the Funds Transfer Service Provider. (ii) If, as a result of confirming the actual business conditions, it is suspected that the Funds Transfer Service Provider is found to “lack the sufficient financial foundation that is necessary for the proper and secure conduct of Funds Transfer Services” as prescribed in Article 40(1)(iii) of the Act, such as the possibility that the Funds Transfer Service Provider is not able to make security deposits for providing Funds Transfer Services in the future, the supervisors shall consider necessary measures, such as collecting a report based on Article 54 of the Act. (2) Written reports under Article 53(2) of the Act The following points shall be taken into consideration when processing a report on the amount of the outstanding obligations prescribed in Appended Form 21 of the Cabinet Office Order. (i) In the case where the amount of outstanding obligations has fluctuated significantly, the supervisors shall check the reasons for said fluctuation through interviews, etc. (ii) In the case where the amount of outstanding obligations has increased significantly, the supervisors shall check the forecast of future changes in outstanding obligations and the future possibility of securing the security deposits for providing Funds Transfer Services. (3) Submission, etc. to the FSA (i) As-needed basis reports on Funds Transfer Service Providers A duplicate copy of the report on the amount of the outstanding obligations, etc. and a copy of each reference document, as well as a written opinion from a Funds Transfer Service Provider with regard to (1) or (2) above, if any, shall be sent to the relevant department in charge at the FSA within one month after the deadline for submission. (ii) Periodic reports on Funds Transfer Service Providers (A) The Director-General of the Local Finance Bureau shall collect from each Funds

91 Transfer Service Provider its business report as of the end of March every year prepared using Appended Form 9, with the deadline being the end of May every year, pursuant to Article 54(1) of the Act. (B) A copy of the business report of each Funds Transfer Service Provider shall be sent to the relevant department in charge at the FSA by the end of June every year. VIII-2-4 Treatment of Discontinuation, etc. (1) In cases where a Funds Transfer Service Provider submits a notification of discontinuation, etc. of the Funds Transfer Services (hereinafter referred to as the “notification of discontinuation, etc.”) pursuant to Article 61(1) of the Act (excluding the cases where said business is succeeded due to transfer of business, merger or company split, or for other reasons), or in cases where the registration of a Funds Transfer Service Provider has been revoked pursuant to Article 56(1) of the Act, the supervisors shall request the Funds Transfer Service Provider to report, by using Appended Form 10, about the amount of obligations borne in relation to exchange transactions and relevant information based on Article 54 of the Act. Note 1: It should be kept in mind that if a notification of discontinuation, etc. of part of the Funds Transfer Services is submitted pursuant to Article 61(1) of the Act, only the Funds Transfer Services pertaining to said discontinued business will be subject to the execution of the obligations borne in relation to exchange transactions prescribed in Article 61(5) of the Act. Note 2: “When the Funds Transfer Service Provider has discontinued all or part of the Funds Transfer Service,” as prescribed in Article 61(1)(i) of the Act means that the system of said Funds Transfer Service is completely abolished and the users cease to receive any services through said system, and does not include cases where only part of said system is abolished. (2) In cases where a report set forth in (1) above has been submitted, the supervisors shall order, based on Article 54 of the Act, the Funds Transfer Service Provider to report without delay to the effect that it has completed the performance of obligations borne in relation to exchange transactions that it intended to discontinue as part of the Funds Transfer Services upon said completion, or to the effect it has changed its contact information or its trade name before the completion. (3) If an application for recovery of security deposits for providing Funds Transfer Services has been filed pursuant to Article 47(iii) of the Act, the supervisors shall require the Funds Transfer Service Provider to submit the following documents in order to confirm whether the conditions prescribed in Article 17(2) of the Order have been satisfied. • Form of written notification to Known persons (“Known persons” mean “creditors of obligations borne by a Funds Transfer Service Provider in relation to the exchange transactions for Funds Transfer Service that said Funds Transfer Service Provider intends to discontinue” as prescribed in Article 17(2) of the Order) • A document stating the method of individual notice (4) In cases where a Funds Transfer Service Provider has submitted the notification of discontinuation, etc. pursuant to Article 61(1)(i) of the Act (limited to cases where said business was succeeded through transfer of business, merger or company split, or for other reasons), the Director-General of a Local Finance Bureau who has received said written notification of

92 discontinuation, etc. shall send the notice of business transfer prepared by using Appended Form 11 together with said notification of discontinuation, etc., a copy of the portion of the register of Funds Transfer Service Providers pertaining to said notifier, and a copy of the report on the outstanding obligations as of the immediately preceding Base Date to the Director-General of a Local Finance Bureau who has accepted or registered the notification of the Funds Transfer Service Provider to which said business is transferred. (5) The Director-General of the Local Finance Bureau to which the written notice described in (4) above has been sent shall, without delay, confirm whether necessary measures, including the submission of a written notification of change pertaining to the business, have been taken with regard to the Funds Transfer Service Provider to which the relevant business has been transferred. VIII-2-5 Procedures for Security Deposits for Providing Funds Transfer Services (1) Matters concerning a written notification of making, etc. of security deposits for providing Funds Transfer Services (i) Replacement of security deposits for providing Funds Transfer Services Approval for replacement of security deposits for providing Funds Transfer Services pursuant to Article 4 of the Rules on Security Deposit for Providing Funds Transfer Services (Ordinance of the Cabinet Office and the Ministry of Justice No. 5 of 2010, hereinafter referred to as the “Security Deposits Rules”) may be granted if a security deposit for providing Funds Transfer Services in lieu of the bond certificates prescribed in Article 43(3) of the Act has been made in advance. (2) Matters concerning the recovery of security deposits for providing Funds Transfer Services “The immediately preceding Base Date” as prescribed in Article 47(i) of the Act and Article 17(1)(i) of the Order shall mean the Base Date immediately preceding the date of submission of the application for approval of recovery of security deposits for providing Funds Transfer Services pursuant to Article 1(1) of the Security Deposits Rules. (3) Procedures for security deposits for providing Funds Transfer Services (i) Cases where provisional distribution may be made In cases where, as a result of the preparation of a provisional distribution table pursuant to Article 7 of the Security Deposits Rules, it is expected that the entire amount of claims to be filed in the procedure for the execution of rights can be refunded, such as a case where the amount equivalent to 80% of the amount remaining after deducting the expenses necessary for the procedure for refund of security deposits for providing Funds Transfer Services as prescribed in Article 19(9) of the Order, exceeds the total amount of claims filed pursuant to Article 6 of the Security Deposits Rules, etc., the Director-General of the Local Finance Bureau may make provisional distribution pursuant to Article 19(10) of the Order and Article 17 of the Security Deposits Rules. (ii) When making provisional distribution, the Director-General of the Local Finance Bureau shall request presentation of a document certifying that the person has the right prescribed in Article 6 of the Security Deposits Rules or other document in lieu thereof. (iii) In the case where the security deposits for providing Funds Transfer Services contains a security deposit made by a person who has concluded a guarantee contract of security deposits for providing Funds Transfer Services or trust agreement of security deposits for

93 providing Funds Transfer Services with a Funds Transfer Service Provider based on the order prescribed in Article 46 of the Act, the provisional distribution shall be shall be made first from the security deposit for providing Funds Transfer Services made by said Funds Transfer Service Provider. VIII-2-6 Points of Attention regarding Statements in Reports Submitted by Funds Transfer Service Providers With regard to a name to be entered in Appended Forms, it should be noted that, in accordance with the procedures under the laws and regulations, a person who has submitted an application for registration or a notification of change by entering his/her former surname and name together may fill in their former surname and name together in parentheses or fill in their former surname and name instead of their current name. VIII-2-7 Points of Attention regarding Written and Face-to-Face Procedures An application and notification to be submitted by a Funds Transfer Service Provider, etc. to competent authorities and a disposition notice, etc. to be issued by the competent authorities to a Funds Transfer Service Provider, etc. may be made by using an electronic data processing system pursuant to Article 6(1) and Article 7(1) of the Act on Promotion of Administration by Use of Information and Communications Technology (hereinafter referred to as “Digital Procedure Act”), even if any other laws and regulations stipulate that such application, notification, etc. and disposition notice, etc. shall be made in writing, etc., or by other methods. In light of the purpose of the Digital Procedures Act, the provisions of these Guidelines related to procedures covered by the Digital Procedures Act may also be fulfilled by means of an electronic data processing system, regardless of the provisions requiring a written or face-to-face means. In addition, while digitization is rapidly advancing in all economic and social activities, the Government as a whole is reviewing Japan's systems and practices based on written, stamped, and face-to-face procedures, and is moving forward with efforts toward the realization of a remote society in which procedures can be carried out without actually having to travel. In order to steadily advance these efforts, the FSA has also promoted the computerization of administrative procedures by updating the FSA Electronic Application and Notification System, which enables online submission of all procedures for applications and notifications received from Funds Transfer Service Providers, and by revising Cabinet Office Orders and supervisory guidelines to abolish seals. Furthermore, with regard to procedures between private business operators, as well, the FSA established the “Panel for Reviewing Procedures Requiring Documents, Seals and Face-to-Face Contact in the Financial Industry” to encourage the industry as a whole to review conventional practice and has made efforts to promote digitalization of documents, to eliminate the seal procedures, and to review face-to-face requirements. In light of such efforts by the public and private sectors, written and/or face-to-face requirements in these Guidelines other than those related to procedures covered by the Digital Procedure Act may also be fulfilled by means of an electronic data processing system or other information and communications technology, except for cases where the submission of an original document is required in VIII-2-8 hereof. Considering the intent of the abovementioned handling, the supervisory authorities shall promote conduct of procedures based on the provisions of these Guidelines in a manner other than in writing or in person, whenever possible, taking into account the intentions of the parties to the procedures.

94 VIII-2-8 Points of Attention when Submitting Applications etc. Based on VIII-2-7 hereof, the supervisory authorities shall require, in principle, that applications and/or notifications by Funds Transfer Service Providers, etc. be submitted by the deadline specified by relevant laws and regulations using the FSA Electronic Application and Notification System. However, as for any of the attached documents (a copy of certificate of residence, an identification card, documents certifying payment of taxes/fees, etc.) issued by public institutions, the original thereof is required to be sent. VIII-3 Points of Attention in Enforcing Administrative Dispositions Major adverse dispositions (as defined in Article 2(iv) of the Administrative Procedure Act; the same applies hereinafter) enforced by the supervisory authorities include: (i) the issuance of an order to improve business operations under Article 55 of the Act, (ii) the issuance of an order to suspend business under Article 56, and (iii) the revocation of a registration under Article 56 of the Act. The basic workflow for rendering such administrative disposition is illustrated as follows. (1) Order to submit reports pursuant to Article 54 of the Act (i) If the on-site inspection or off-site monitoring (such as interviews or demanding submission of a misconduct notification) finds out any problem in compliance management systems, governance systems, or other business practices, the supervisors shall ask the Funds Transfer Service Provider to report its fact-checking of the problems, its own analyses of the causes of those problems, planned measures for improvement or remediation, and other necessary matters pursuant to Article 54(1) of the Act. (ii) If the supervisors determine, as a result of verifying the report submitted by the Funds Transfer Service Provider, that further scrutiny is needed, the supervisors shall ask it to submit an additional report pursuant to Article 54(1) of the Act. (2) Follow-up on measures for improvement or remediation reported under Article 54(1) of the Act (i) If the supervisors determine, as a result of verifying the reports submitted by a Funds Transfer Service Provider, that no serious issue is found in terms of the soundness and appropriateness of its business and that the Funds Transfer Service Provider is capable of promoting its self-initiated improvement efforts, the supervisors shall follow up on the progress of its measures for improvement reported in (1) above through non-compulsory interviews or other communication. (ii) If necessary, the supervisors may ask the Funds Transfer Service Provider to submit periodic follow-up reports pursuant to Article 54(1) of the Act. (3) Order to improve business operations, order to suspend business, or revocation of registration based on Article 55, or Article 56(1) of the Act If the supervisors determine, as a result of verifying the relevant reports (including the additional reporting) as its response to inspection results or off-site monitoring, etc., that a serious issue is found concerning the protection of the interests of users, etc., it will take into account the factors listed in (1) to (3) below, examine whether there are any other factors to be considered, and then consider the following issues, and ultimately determine the content of the final administrative disposition. • Whether it is appropriate to leave initiatives for improvement to voluntary efforts of the Funds Transfer Service Provider;

95 • Whether it needs considerable efforts for the improvement and whether the Funds Transfer Service Provider needs to focus on the business improvement for a certain period of time; and • Whether it is appropriate for the Funds Transfer Service Provider to continue the business (i) Severity and maliciousness of the misconduct (A) Degree of detriment to public interests Does the Funds Transfer Service Provider substantially infringe on the public interest by seriously impairing the credibility of Funds Transfer Services? (B) Degree of damage to users Do a large number of users in extensive areas suffer damage? How serious is each user’s damage? (C) Maliciousness of the improper conduct Did the Funds Transfer Service Provider commit a malicious act by, for example, making a false report on outstanding obligations in order to avoid making security deposits for providing Funds Transfer Services? (D) Duration of the improper conduct and its repetitions Has the conduct in question been continued over a long time or for a short period? Was it committed repeatedly or continuously? Or only once? Had the Funds Transfer Service Provider committed any similar violation in the past? (E) Intentionality Did the Funds Transfer Service Provider intentionally commit the conduct with an awareness of illegality or inappropriateness? Or was it mere negligence? (F) Institutional involvement Was the conduct in question at the sole discretion of a person in charge or based on directions from a high-level officer? Were the management team of the Funds Transfer Service Provider involved in the conduct? (G) Attempt to cover up the improper conduct After the Funds Transfer Service Provider or the persons in charge had recognized the problem, did they attempt to conceal its evidence? If so, was it an institutional attempt? (H) Involvement of anti-social forces Were any anti-social forces involved in the conduct in question? If so, to what extent were they involved? (ii) Appropriateness of governance systems and business operation systems leading to the causes of the improper conduct (A) Is the management team of the Funds Transfer Service Provider fully aware of the significance of compliance and eager to promote compliance-conscious management? (B) Is the Internal Audit Department of the Funds Transfer Service Provider well prepared? Does it exert its functions properly? (C) Are relevant staff of the Funds Transfer Service Provider fully aware of the significance of compliance? Are they adequately trained or educated? (iii) Mitigating factors In addition to (i) and (ii) above, are there any factors that can allow the supervisory authorities to mitigate administrative enforcement? For example, is the Funds Transfer Service Provider promoting self-initiated efforts for protecting users, etc. before receiving any administrative measure?

96 (4) Standard period for processing a case subject to administrative disposition Supervisory dispositions pursuant to Article 55 or Article 56(1) of the Act, if any, shall be given within approximately one (1) month (or approximately two (2) months if coordination with the FSA is required), in principle, from the time of receipt of the report described in (1) above. Note 1: The following points should be taken into consideration in determining “the time of receipt of the report”. (A) If asking for submission of a report multiple times pursuant to Article 54(1) of the Act (limited to the case where each request for submission is made within the time frame specified above after receiving the immediately preceding report), the time for receiving the last report is regarded as the starting point of the time frame for administrative disposition. (B) If asking for correction of a report submitted or for submission of additional documents (excluding inconsequential correction or provision of trivial information), the time for receiving corrected or additional documents is regarded as the starting point of the time frame for administrative disposition. Note 2: The time spent for formal explanations or hearings is not included in the standard period for processing a case subject to administrative disposition. Note 3: The standard period for processing a case subject to administrative disposition will apply to each set of information to be examined as the basis for invoking administrative disposition. (5) Cancellation of the obligation to make progress reports based on the order to improve business operations issued under Article 55 of the Act After issuance of an order to improve business operations to a Funds Transfer Service Provider under Article 55 of the Act, the supervisors shall, in principle, ask the Funds Transfer Service Provider to report the progress of its business improvement plan so that the supervisors can follow up on the approach of the Funds Transfer Service Provider for business improvement based on such order and encourage its improvement efforts. For this, the following points shall be taken into consideration. (i) If the supervisors ask a Funds Transfer Service Provider to which it has issued an order to improve business operations pursuant to Article 55 of the Act to submit a report on the progress of the business improvement plan within a limited period, the Funds Transfer Service Provider will be relieved of the obligation to make a report after expiration of the specified period. (ii) If the supervisors ask a Funds Transfer Service Provider to which it has issued an order to improve business operations pursuant to Article 55 of the Act to make a report on the progress of the business improvement plan on an on-going basis without specifying a definite period, the supervisors shall cancel the obligation of the Funds Transfer Service Provider to make a report when the supervisors determine that adequate improvement measures have been completed in line with the business improvement plan to address the problem triggering the order to improve business operations. In this regard, the supervisors shall determine whether or not to cancel the obligation of the Funds Transfer Service Provider to submit a report, by evaluating its improvement efforts reported by the Funds Transfer Service Provider or confirmed through the supervisors’ inspections.

97 VIII-4 Relationship with the Administrative Procedure Act and Other Relevant Acts (1) Relationship with the Administrative Procedure Act When the supervisors intend to render any adverse disposition falling under any of the cases set forth in Article 13(1)(i) of the Administrative Procedure Act to a Funds Transfer Service Provider, the supervisors must conduct hearings with the Funds Transfer Service Provider. In case of any adverse disposition falling under the case set forth in item (ii) of the same paragraph, the supervisors must offer the opportunity for explanation to the Funds Transfer Service Provider. In either case, the supervisors must show the grounds for the adverse disposition pursuant to Article 14 of the same Act. (When such adverse disposition is rendered in writing, its grounds must also be indicated in writing.) If intending to refuse to grant the permission, license, or other approval requested under an application filed by a Funds Transfer Service Provider, the supervisors must show the grounds for the disposition of refusal pursuant to Article 8 of the same Act. (When such disposition is rendered in writing, its grounds must also be indicated in writing.) On this occasion, merely enumerating the provisions of relevant acts is not sufficient; instead, full accountability is required to clarify what facts underlie the decision to render the disposition and which acts and standards are relied on to justify the disposition. (2) Relationship with the Administrative Complaint Act If the supervisors intend to render any disposition against which a complaint may be filed, it should be kept in mind that the supervisors must explain in writing that the Funds Transfer Service Provider is entitled to file a complaint pursuant to Article 82 of the Administrative Complaint Act (Act No. 68 of 2014). (3) Relationship with the Administrative Case Litigation Act If the supervisors intend to render any disposition against which an action for revocation may be filed, it should be kept in mind that the supervisors must explain in writing that the Funds Transfer Service Provider is entitled to file a lawsuit pursuant to Article 46 of the Administrative Case Litigation Act (Act No. 139 of 1962). VIII-5 System for Exchange of Opinions Before rendering any adverse disposition to a Funds Transfer Service Provider, the supervisors are supposed to conduct hearings with the Funds Transfer Service Provider or give an opportunity for explanations to the Funds Transfer Service Provider in accordance with the Administrative Procedure Act. In addition to and apart from such hearings or explanations, there is a system to allow the Funds Transfer Service Provider to ask for multi-level exchange of opinions between the supervisory authorities and the Funds Transfer Service Provider. This system is meaningful to help the parties share the same recognition as to the facts underlying the disposition and their severity. In cases where, in the course of hearings, etc. in relation to the supervisory authorities’ request for reporting under Article 54(1) of the Act, a Funds Transfer Service Provider who was aware that an adverse disposition is likely to be rendered requested the supervisory authorities to have an opportunity of exchange of opinions between the supervisory authorities’ senior officials and the executives of the Funds Transfer Service Provider (Note) and when the supervisory authorities intend to render an adverse disposition which requires prior hearings or the grant of an opportunity for explanations, the supervisory authorities must provide an opportunity for exchanging opinions

98 as to the facts underlying the intended adverse disposition and their severity. Such opinion exchange session must be held before giving a notice of hearings or notice of granting an opportunity for explanations, except where such disposition needs to be urgently rendered. Note: Requests by a Funds Transfer Service Provider for an opportunity for exchange of opinions must be made during the period from the time when the supervisory authorities received a written report under Article 54(1) of the Act explaining the facts underlying the intended adverse disposition to the time when the supervisory authorities give a notice of hearing or of granting an opportunity for explanation. VIII-6 Ascertainment of Location of Business Office Where it is necessary to ascertain the location of the business office of a registered Funds Transfer Service Provider pursuant to Article 56(2) of the Act, the supervisory authorities may require said Funds Transfer Service Provider to submit a location report pertaining to the business office prepared using Appended Form 12, a document certifying the rights to the business office or a map of the business office, etc. pursuant to Article 54(1) of the Act. The supervisory authorities may order that such report be submitted to the Local Finance Bureau having jurisdiction over the location of such business office. VIII-7 Communication with Relevant Authorities in Japan and Overseas Regulators When the supervisory authorities intend to issue an order to submit reports, an order to improve business operations, or an order to suspend business, or to render an adverse disposition of rescinding the registration, it shall contact the relevant authorities in Japan and overseas supervisory authorities, etc. as necessary. VIII-8 Basic Stance for Public Disclosure of Adverse Dispositions (1) When making public notice of adverse disposition pursuant to Article 58 of the Act, the supervisory authorities shall disclose the following particulars in the public notice. (i) Trade name (ii) Name of the representative (iii) Location of the headquarters (iv) Registration No. (v) Date of registration (vi) Date of the disposition (vii) Details of the disposition (2) It should be noted that the handling of public notice other than (1) above is based on the approach specified in “I-5 Transparency” of the “Principles of Financial Supervision and Instructions for Supervisory Bureau Staff (Code of Conduct)”. That is, with regard to the adverse dispositions such as orders to improve business operations, etc., the facts underlying the invocation of those dispositions, the content of dispositions, and other information shall be made public from the viewpoint of enhancing the predictability for other Funds Transfer Service Providers and preventing recurrence of similar incidents or problems, except where the disclosure of relevant facts and information is likely to impede the business improvement efforts of the Funds Transfer Service Provider concerned.

99 VIII-9 Notification of Administrative Disposition (1) In the case of a refusal of registration (Article 40 of the Act) When refusing the registration, the Director-General of the Local Finance Bureau shall notify the Director-General of the Supervisory Bureau of the FSA to that effect by sending a written notification of refusal of registration of Funds Transfer Service Provider using Appended Form 3 together with a copy of the written application for registration. (2) In the case of an order to improve business operations (Article 55 of the Act) When issuing an order to improve business operations, the Director-General of the Local Finance Bureau shall send relevant materials to the department in charge at the FSA and the Directors-General of Local Finance Bureaus having jurisdiction over the location of the business office pertaining to the business operation of said Funds Transfer Service Provider. (3) In the case of a business suspension order (Article 56(1) of the Act) When issuing a business suspension order, the Director-General of the Local Finance Bureau shall send relevant materials to the department in charge at the FSA and the Directors-General of Local Finance Bureaus having jurisdiction over the location of the business office pertaining to the business operation of said Funds Transfer Service Provider. (4) In the case of a disposition to revoke registration (Article 56 of the Act) When revoking the registration of a Funds Transfer Service Provider, the Director-General of the Local Finance Bureau shall send relevant materials to the divisions in charge at the FSA and other Local Finance Bureaus. In addition to the above, the Director-General of the Local Finance Bureau shall also send materials concerning the names of the officers of the Funds Transfer Service Provider within 30 days prior to the rescission.

Note: Fill in "-" for "Not Applicable". Examiner: Date of Examination: YY/MM/DD Applicant name:

Checklist for Examination for Registration of Funds Transfer Service Provider (controls enabling proper and reliable operation of Funds Transfer Services and controls necessary to comply with the provisions of this Chapter) Points to check □ □ □ □ □ □ □ □ □ □ □ □ Has a specific implementation plan (compliance program) been established? Has a code of conduct (Code of Ethics and Compliance Manual) been established? Has training, etc. on compliance been conducted? Also, with regard to the results of internal audits, has the applicant established the rules to formulate and implement improvement measures? Does the Internal Audit Department have a system for conducting effective internal audits that are independent from the departments that are subject to audit? In cases where external audit is used, has the applicant established a control environment to give the external auditor clear instructions about the purpose of the audit and to utilize the audit results for business improvement? Basic Policy on Compliance, etc. (Guideline II-2-1-1-1) Is the division responsible for legal compliance specified? Has a basic policy on compliance been established? Internal Rules, etc. concerning the Funds Transfer Services (Article 6(xiii) of the Cabinet Office Order) Specific Policy on Internal Control Environment (Guideline II-1-1) Does the applicant regard matters related to the establishment and development of internal control environments as one of the most important management issues? Has the applicant established rules to conduct monitoring/verification and formulate improvement measures, which are designed to ensure appropriate business operations for divisions in which the Internal Control Department deals with users? Has the applicant appropriately set the objectives of internal audits? Has the applicant established an environment in which the Internal Audit Department can fully exercise its functions? Applicability Points to check □ □ □ □ □ (i) Does the applicant properly research and analyze the risks in which its own transactions are used for terrorist financing and money laundering, and prepare and regularly review documents, etc. describing the risk assessment report by a specified business operator, etc.? In particular, for a business operator who is engaged in overseas remittance, does it pay attention to evaluation and review of risks of each country or region involved in transactions, risks according to the period of stay of foreign customers who are involved in such remittance, risks of remittance through agents, or risks of non-face-to-face transactions, etc.? □ (ii) Does the applicant collect and analyze necessary information while considering the details of the risk assessment report by a specified business operator, etc., and continuously scrutinize the preserved verification records and transaction records, etc.? Also does the applicant periodically review the policy and methods it established? □ (iii) When engaging in high risk transactions, does the applicant ensure that its supervisory manager approves it, and that documents describing the results of collected and analyzed information are prepared and stored together with verification records or transaction records, etc.? Also, does the applicant verify the accuracy and appropriateness of verification records and transaction records in a timely manner? □ (iv) Does the applicant formulate and implement a policy for continuous customer management, such as the investigation of customer information at a frequency commensurate with the customer risk assessment based on the risk assessment report by a specified business operator, etc.? In addition, does the applicant review the customer risk assessment upon occurrence of an event that affects the customer risk assessment? □ □ □ □ □ □ □ □ □ □ □ □ (i) Framework to promptly stop the relevant exchange transaction that is suspected of having been used for a criminal act (ii) Framework to suspend the withdrawal of funds from a person who has concluded an account opening contract, etc. when the person is suspected of using the contract for a criminal act □ Applicability Has the applicant established an appropriate control environment for correspondent contracts in accordance with Articles 9 and 11 of the Anti-Criminal Proceeds Act and Articles 28 and 32 of the Ordinance for Enforcement of the Anti-Criminal Proceeds Act? In cases where there is a suspicion that a criminal act has been committed with respect to the Funds Transfer Services provided by a Funds Transfer Service Provider, in consideration of the information provided by investigative authorities, etc. to the effect that the transaction pertaining to the Funds Transfer Services has been used for fraud or any other criminal act as well as in light of other circumstances, has the applicant established the following control environment? If it has an overseas business location, has the applicant established a framework for appropriately implementing countermeasures against terrorist financing and money laundering at its overseas business locations? Does the applicant prepare a manual of the user management method including measures for verification at the time of transaction, etc., disseminate it to employees, and in addition, conduct proper and continuous training to employees? Has the applicant established an appropriate reporting framework for cases related to the abuse of financial services through organized crimes found by employees? Has the applicant established a control environment enabling a Funds Transfer Service Provider to verify and evaluate that each agent implements continuous customer management measures according to risk? In addition, does the Funds Transfer Service Provider assess the risks of each agent and monitor its control environment in accordance with such risks? When conducting transactions for which there is an especially strong necessity for conducting rigid customer management, does the applicant implement the (re-)verification at the time of transaction in a proper manner, by ensuring that a customer’s identification matters are confirmed not only in a normal way but also in a more rigid way in which customer identification documents or supplementary documents are additionally received? In addition, when confirmation of the conditions of assets and revenues is obligated, does the applicant conduct such confirmation in a proper manner? Does the applicant detect, monitor, and analyze suspicious users and transactions by using systems and manuals? In transaction monitoring, are threshold values set appropriately based on the risk assessment of each customer? Also, are scenarios for detecting suspicious transactions appropriately set? Has the applicant analyzed suspicious cases that have been reported, and periodically reviewed scenarios and threshold values in proper manner? Has the applicant selected and appointed an appropriate person as supervisory manager, as stipulated in Article 11(3) of the Anti-Criminal Proceeds Act, such as a person at a managerial level who is in charge of compliance on countermeasures against terrorist financing and money laundering? Has the applicant taken the following measures in order to research and analyze risks used for terrorist financing and money laundering, etc. and to take action based on the results? Does the applicant adopt the measures for verification at the time of transaction that is appropriate according to the risks, while taking into consideration the risk assessment report by a specified business operator, etc.? In addition, does the applicant recognize and evaluate risks regularly and in a timely manner to improve the verification at the time of transaction? Does the applicant appropriately screen the customers, such as by checking sanction lists from relevant countries including Japan? Also does the applicant conduct rescreening at the time of updating various relevant lists? Has the applicant established proper policies for recruitment of employees and acceptance of users? Does the applicant conducts necessary audit? Internal Rules, etc. concerning Measures for Verification at the Time of Transaction, etc. (Guideline II-2-1-2-1) Is the division responsible for measures for verification at the time of transaction, etc. specified? Has the applicant developed a centralized control environment for appropriately implementing the measures for verification at the time of transaction, etc. and the measures listed in the Guidelines on Anti-Money Laundering/Terrorist Financing Measures (particularly customer management)?

Points to check □ □ □ □ □ □ □ □ □ □ □ □ □ □ (i) The fact that the system of security deposits for providing Funds Transfer Services has been established as a user protection framework (ii) With regard to the procedure for execution of security deposits for providing Funds Transfer Services, the time when the right to receive a refund thereof is transferred from the remitter to the beneficiary □ □ □ □ □ □ (i) Do the internal rules specifically provide a method for managing funds received from users and funds to be used for loans in separate deposit accounts, and a method for reasonably confirming that funds received from users are not used for loans even when managing funds in one bank account? □ (ii) If funds received from users and funds to be used for loans are managed in separate deposit accounts, does the applicant verify that no contamination occurs between the accounts, in a timely and appropriate manner? □ (iii) Has the applicant taken measures such as not allowing persons in charge of managing funds received from users to serve as persons in charge of managing funds to be used for loans, from the viewpoint of preventing accidents and fraud? □ □ (i) Are links of the applicant’s website configured to prevent a user from misrecognizing a counterparty of transaction? □ (ii) Has the applicant taken proper anti-phishing measures? □ (iii) Does the applicant take measures to allow a user to easily confirm and correct the details of his/her instruction concerning an exchange transaction before sending it to the Funds Transfer Service Provider? □ With regard to the matters prescribed in each item of Article 31(iv) of the Cabinet Office Order, has the applicant developed a control environment for providing appropriate explanations and information to users in accordance with II-2-2-1-1(1)(i) hereof? Also, is the policy relating to compensation for losses and other response based on II-2-6 hereof? Does the applicant provide explanations on the matters prescribed in each item of Article 29(1) or (2) of the Cabinet Office Order? With regard to the matters prescribed in each item of Article 29-2 of the Cabinet Office Order, has the applicant developed a control environment for providing appropriate explanations and information to users in accordance with II-2-2-1-1(1)(i) hereof? Also, is the policy relating to compensation for losses of users and other response prescribed in Article 29-2(v) of the Cabinet Office Order based on II-2-6 hereof? When intending to receive the manifestation of intention of users to consent or withdraw by electromagnetic means in lieu of delivering a receipt, does the applicant record that the user has given consent, etc.? Has the Funds Transfer Service Provider established a method for returning to users funds of said users that are deemed not to be used for exchange transactions? In addition, has the Funds Transfer Service Provider developed a framework for obtaining necessary information from users in advance in order to make returns, etc. in accordance with specified methods? Does the applicant take measures to prevent funds received from users from being used as resources for loans, etc.? When conducting Internet transactions, does the applicant take the following measures? Internal Rules, etc. concerning Misconduct (Guideline II-2-1-4-1) Is the division responsible for dealing with misconduct cases specified? Has the applicant established measures to be taken when misconduct is found? Internal Rules, etc. concerning User Protection Measures (Guideline II-2-2-1-1) Is the division responsible for the user protection measures specified? Has the applicant developed procedures, etc. to appropriately provide information in light of the knowledge and experience of users? Has the applicant developed procedures to review its business framework for the Funds Transfer Services based on the examination of the effectiveness of User Protection Measures? Has the applicant clearly specified procedures for handling complaints and consultations in cases where administrative processing errors have occurred? When providing explanations to prevent misunderstandings with exchange transactions conducted by banks, etc., does the applicant explain the matters prescribed in Article 28 (2)(i) to(iii) of the Cabinet Office Order without omission? Also, does the applicant explain the following matters as the matters prescribed in (iv) of the same Article? Has the applicant established a division in charge of supervising responses to ban any relationship with anti-social forces so as to develop a centralized control environment for preventing infliction of damage by anti-social forces? Does the Funds Transfer Service Provider take measures to ban allowing anti-social forces to become a counterparty to a transaction, by conducting appropriate advance screening using information, etc. on such forces in order to prevent transactions with anti-social forces, and making sure provisions regarding the exclusion of organized crime group are introduced in all contracts and terms of transactions? Has the Funds Transfer Service Provider established a framework for conducting an appropriate follow-up review on existing contracts for the purpose of making sure that any relationships with anti-social forces are eliminated? Does the applicant, with the appropriate instructions and involvement of the management team, encourage termination of transactions with anti-social forces in close cooperation with external expert organizations such as the police, the Center for Removal of Criminal Organizations, and lawyers on an ongoing basis? In addition, does the applicant take care not to provide benefits to anti-social forces when canceling transactions? When anti-social forces make unreasonable demands, does the applicant cope with them with the appropriate instructions and involvement of the management team, and proactively consult with external expert organizations such as the police, the Center for Removal of Criminal Organizations, and lawyers? Does the applicant manage shareholder information properly, through means such as regularly checking the transaction status of its own shares and examining information regarding the attributes of its shareholders? Applicability Internal Rules, etc. concerning Prevention of Damage that may be Inflicted by AntiSocial Forces (Guideline II-2-1-3-1) Is the management team of the applicant properly involved in banning of relationships with antisocial forces? Is there a policy calling for firm-wide response? Points to check □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ Applicability Has the applicant developed a control environment wherein, in cases where it has accepted a reconciliation plan or a special conciliation proposal, the division in charge takes prompt action, and the Inspection/Audit Department(s) conduct(s) a follow-up examination on matters including the progress of its fulfillment? Has the applicant developed a control environment wherein, in cases where it rejects acceptance of a reconciliation plan or a special conciliation proposal, it promptly explains its reasoning and takes necessary action, such as instituting legal proceedings, in light of the operational rules (which refer to the “operational rules” as defined in Article 52-67(1) of the Banking Act, which will be applied mutatis mutandis pursuant to Article 101 of the Act)? Has the applicant developed a control environment to faithfully perform the basic contract for execution of procedures concluded with a designated ADR body? Has the applicant properly publicized the name or trade name and the contact address of a designated ADR body with which it has concluded a basic contract for execution of procedures? Has the applicant developed a control environment wherein it disseminates any necessary information to users, such as the flow of standard procedures by the designated ADR body and the effects of using a designated ADR body (such as the effect of interruption of prescription), in light of the basic contract for execution of procedures? Has the applicant developed a control environment wherein, in cases where it receives a request from a designated ADR body for compliance with procedures, submission of materials, or the like, it responds to the request promptly, unless there is a justifiable reason not to do so? Has the applicant developed a control environment wherein, in cases where it refuses a request from a designated ADR body to comply with procedures, submit materials, or the like, the applicant conducts a proper examination as an organization with respect to such decision of refusal, rather than the division that caused the complaint or dispute simply deciding by itself to refuse the request? Also, has it developed a control environment wherein, wherever possible, it explains the reasons (justifiable reasons) for that decision? Has the applicant developed a control environment wherein, in cases where it is presented with a recommendation to accept a reconciliation plan or with a special conciliation proposal from a dispute resolution committee member, it makes prompt decisions on whether or not to accept it? Has the applicant developed a control environment wherein it cooperates appropriately with external organizations in working toward the prompt resolution of complaints, etc.? In filing a petition for dispute resolution procedures for itself, has the applicant developed a control environment wherein it first responds sufficiently to the allegation of complaints, etc. from the user and goes through an appropriate internal deliberation on the need for the petition, rather than simply filing a petition without fully exhausting its own procedures? Internal Rules, etc. concerning Responses to the Financial ADR System (Guideline II-2-2-4-2) Cases with Designated Dispute Resolution Organization for Funds Transfer Service Business (Designated ADR Body) (Guideline II-2-2-4-2-1) Has the applicant promptly concluded a basic contract for execution of procedures with a designated ADR Body with regard to the Funds Transfer Service Business it conducts? Has the applicant developed a control environment wherein it refers the relevant users to appropriate external organizations according to details of complaints, etc. and user requests, etc.? In addition, has the applicant developed a control environment wherein it provides information, such as the outline of its standard procedures? Has the applicant developed a control environment wherein, even during a period when proceedings for dealing with complaints, etc. are pending at an external organization, it takes appropriate action where necessary with respect to the user who is the other party to said proceedings? Has the applicant developed a control environment wherein the complaints, etc. categorized into typical patterns and their respective results, etc. are reported to the Internal Control Department and the Sales Division, and wherein information necessary for the particular case is shared between those concerned, such as promptly reporting cases that are recognized as important to the Audit Department and the management team? Does the applicant properly and accurately record and store information on the contents of complaints, etc.? Also, has the applicant developed a control environment wherein it analyzes the complaints, etc. so recorded or stored, and applies this on an ongoing basis to the improvement of control environments for dealing with users and conducting administrative processes and to the formulation of measures for preventing any occurrence or recurrence of complaints, etc.? Has the applicant developed a control environment wherein the internal checks and balances functions, such as those of inspection and audit, can function properly to ensure the effectiveness of how complaints, etc. are dealt with? In reflecting the results of dealing with complaints, etc. in the conduct of business operations, has the applicant developed a control environment wherein the management team supervises over any decisions to implement measures for business improvement or recurrence prevention, as well as any examination and ongoing review of how the control environment for dealing with complaints, etc. should be? Is the division responsible for handling complaints specified? Has the applicant specified the divisions in charge of complaints, etc., their responsibilities and authorities, as well as the procedures for dealing with complaints, etc. so that such complaints, etc. can be responded to and dealt with in a prompt, fair, and appropriate manner? In addition, has the Provider established procedures concerning business improvement so that the views of users are reflected in the conduct of business operations? Has the applicant developed a control environment to disseminate internal rules, etc. to its officers and employees and thoroughly implement them by means of training and other measures (including the distribution of manuals and so forth) so that business operations for dealing with complaints, etc. can be conducted based on those internal rules, etc.? Particularly in cases where complaints, etc. are being made frequently by users, does the applicant first confirm how internal rules, etc. are publicized and enforced at business offices? And then does the applicant examine the causes and problem areas in terms of control environments? Has the applicant appropriately appointed staff in charge of handling complaints, etc.? Has the applicant developed a control environment wherein relevant divisions cooperate and promptly deal with complaints, etc. from users? Has the applicant developed a control environment wherein it promptly settles any outstanding cases and prevents the occurrence of any long-term outstanding cases by conducting progress management aimed at the resolution of such complaints, etc.? Has the applicant developed a control environment wherein it improves the response provided at contact points according to the occurrence of complaints, etc., and wherein it can receive complaints, etc. extensively, such as by setting access hours and means of access that are considerate of user convenience? Also, has the Funds Transfer Service Provider developed a control environment wherein it extensively publicizes these contact points and ways of making allegations, and wherein it makes them well known to users in an easy-to-understand manner taking into account their diversity? When dealing with complaints, etc., has the applicant established a control environment to sincerely respond to and resolve complaints, etc. with the understanding and agreement of each user wherever possible while suitably interviewing the respective users on the circumstances according to the nature of complaints, etc.? Has the applicant developed a control environment wherein it provides users who have made complaints, etc. with appropriate explanations, as necessary, according to the progress of the procedures for dealing with complaints, etc. while also being considerate of the specific characteristics of the respective users, from the time complaints, etc. are made until after the settlement? Internal Rules, etc. concerning Handling of Complaints, etc. (Guideline II-2-2-4-1)

Points to check □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ (Necessary and appropriate measures concerning safety management) (A) Measures based on Article 8 of the Financial Sector Personal Information 　　　 Protection Guidelines (B) Measures based on I, and Appendix 2 of the Practical Guidelines (Necessary and appropriate measures concerning supervision of employees) (C) Measures based on Article 9 of the Financial Sector Personal Information 　　　 Protection Guidelines (D) Measures based on II of the Practice Guidelines □ □ (A) Has the applicant set an appropriate period of time for keeping credit card information, etc., which takes into account the purpose of use and other circumstances, and does it limit the locations where such information is kept, and dispose of the information in a prompt and appropriate manner after the retention period has lapsed? (B) Has the applicant implemented appropriate measures when displaying credit card information, etc. on computer monitors, such as not displaying whole credit card numbers, unless needed for business operations? (C) Does the independent Internal Audit Department of the applicant conduct internal audit on a periodic or as-needed basis on whether the rules and systems for protecting credit card information, etc. are functioning effectively? □ Applicability Has the applicant implemented appropriate measures, such as training programs, in order to increase the specialization of the staff engaged in audits pertaining to the management of user information? With regard to information concerning individual users, has the applicant implemented the following measures pursuant to Article 25 of the Cabinet Office Order? Has the applicant implemented measures to ensure that sensitive information of individual users is not used except for the cases specified in each item under Article 5(1) of the Financial Sector Personal Information Protection Guidelines? For credit card information, etc., has the applicant implemented the following measures? When intending to entrust part of its business to a third party located in a foreign state or to engage in business alliance with such foreign third party, has the applicant established a control environment to confirm the personal information protection system in the foreign state and the measures taken by the third party for the protection of personal information? Has the applicant established a control environment that enables timely and appropriate verification of the status of management of user information? Has the applicant taken appropriate measures for preventing wrongful acts utilizing user information, such as the dispersal of authority concentrated upon specific personnel and the enhancement of controls and checks over personnel who have broad powers? Has the applicant established frameworks for appropriately reporting to responsible divisions when user information has been leaked, and notifying relevant users, reporting to the relevant authorities, and disclosing to the public in a prompt and appropriate manner to prevent secondary damage? Does the applicant analyze the causes of information leaks and implement measures designed to prevent recurrence? In light of incidents of information being leaked at other companies, does the applicant examine measures needed to prevent a similar incident from occurring in its organization? Does the applicant conduct audits covering the broad range of business operations handling user information by its independent Internal Audit Department on a periodic or as-needed basis? Has the applicant established a system for appropriately recognizing the outstanding obligations in accordance with its approach to the point of time at which such obligations are generated, transferred, and extinguished? Internal Rules, etc. concerning Management of User Information (Guideline II-2-2-3-1) Is the division responsible for managing user information specified? Does the management team endeavor to develop an internal control system, such as establishing an organizational system and formulating internal rules to ensure the appropriateness of the management of user information? Has the applicant formulated a specific standard for the handling of user information and communicated it to all officers and employees through the provision of training and other means? Internal Rules, etc. concerning Books and Documents (Guideline II-2-2-2-1) Is the division responsible for preparing books and documents specified? Has the applicant established internal rules, etc. concerning the preparation of accounting books and documents, and disseminated them thorough internal training, etc.? In the event that the books and documents are damaged, is there a system in place to promptly ascertain and restore the amount of outstanding obligations for each user? Has the applicant established a control environment in which departments other than the booksand-documents-preparation division verify the accuracy of the description of the books and documents? Points to check □ (A) Complaint processing measures a) Have consumer counselors or the like with certain experience provide advice and guidance to employees engaged in complaint processing; b) Establish and publicize its own business management system and internal rules; c) Use a Certified Association for Payment Service Provider; d) Use the National Consumer Affairs Center of Japan or a local consumer affairs center; e) Use a designated ADR body for another business category; and f) Use a corporation capable of fairly and appropriately executing complaint processing services. (B) Dispute resolution measures a) Use the certified dispute resolution procedures set forth in the Act on Promotion of Use of Alternative Dispute Resolution; b) Use a bar association; c) Use the National Consumer Affairs Center of Japan or a local consumer affairs center; d) Use a designated ADR body for another business category; and e) Use a corporation capable of fairly and appropriately executing dispute resolution services. (C) Has the applicant developed a control environment wherein it continuously monitors the processing status of complaints and disputes, and where necessary, reviews and revises its complaint processing measures and dispute resolution measures? (D) In cases where the applicant utilizes a corporation that can conduct complaint processing services or dispute resolution services in a fair and appropriate manner ((A)f or (B)e above), does the applicant assess whether said corporation is a corporation who has a financial basis and personnel structure that are sufficient to fairly and appropriately carry out operations pertaining to the complaint processing and dispute resolution (Article 32-3(1)(v) and (2)(iv) of the Cabinet Office Order), in a reasonable manner based on considerable materials and other factors? (E) In cases where the applicant utilizes an external organization, although it is not a requirement for the Funds Transfer Service Provider to necessarily enter an outsourcing contract with said external organization, has the applicant made arrangements in advance regarding matters such as the flow of standard procedures and terms and conditions regarding the burden of expenses? (F) With regard to cases where expenses arise when the procedures of an external organization are used, has the applicant taken measures to prevent the expenses from becoming an impediment to the filing of a petition for complaint processing or dispute resolution, such as taking measures likely to prevent the user’s share of expenses from becoming excessive? □ □ (A) Cases where a control environment is developed wherein consumer counselors or the like give guidance and advice to employees a) Has the Funds Transfer Service Provider developed a control environment wherein it improves the skills of its employees engaged in processing complaints, such as periodically conducting training run by consumer counselors or the like? b) Has the applicant developed a control environment wherein it utilizes the specialized knowledge and experience of consumer counselors and the like, where necessary, for processing individual cases, such as building a network with consumer counselors and the like? (B) Cases where a Funds Transfer Service Provider develops its own operational system and internal rules a) Has the applicant properly developed an operational system and internal rules according to the status of occurrence of complaints? And has it developed a control environment wherein it processes complaints in a fair and appropriate manner based on said system and rules? b) Has the applicant made users aware of the contact point for making complaints in an appropriate manner? And has it properly published the operational system and internal rules pertaining to complaint processing? In terms of the content of the dissemination and publications, although publishing the full text of the internal rules is not necessarily needed, in order for users to confirm for themselves whether complaints are being processed in accordance with appropriate procedures, it is important that the contact for inquiry about the complaint processing and the flow of standard operations be clearly indicated. Does the applicant pay attention to such importance and published the information covering these matters? □ (A) When using an external organization, does the applicant disseminate and publish information on the external organization, including, for example, the name and contact information of the external organization, etc., from the perspective of user protection? (B) If the petition for complaint processing or dispute resolution is outside the scope handled by the external organization to which the user was first referred by the applicant because of geographical reasons, the nature of the complaint or dispute, or for any other reason, or if the petition is suitable for handling by another external organization, etc., has the applicant developed a control environment for referring users to other external organizations? (C) Has the applicant developed a control environment wherein, in cases where it receives a request from an external organization for compliance with complaint processing or dispute resolution procedures, a request for an investigation of the facts, a request for the submission of relevant materials or the like, it responds to the request promptly in light of the rules, etc. of the external organization? (D) Has the applicant developed a control environment wherein, in cases where it refuses a request for compliance with complaint processing or dispute resolution procedures, a request for an investigation of the facts, or a request for the provision of relevant materials or the like, the applicant conducts a proper examination as an organization with respect to such decision of refusal, in light of the details of the complaint or dispute, the nature of the facts or materials, and the rules, etc. of external organizations, rather than the division that caused the complaint or dispute simply deciding by itself to refuse the request? Also, has the Funds Transfer Service Provider developed a control environment wherein it explains the reasons for the refusal wherever possible in light of the rules, etc. of the external organization? (E) Has the applicant developed a control environment wherein, in cases where it is presented with a proposed solution such as a reconciliation plan or mediation plan from an external organization that has commenced dispute resolution procedures (hereinafter referred to as a “proposed solution”), it makes prompt decisions on whether or not to accept the proposed solution, in light of the rules, etc. of the external organization? (F) Has the applicant developed a control environment wherein, in cases where it has accepted a proposed solution, the division in charge takes prompt action, and the Inspection/Audit Department(s) conduct(s) a follow-up examination on matters, including the progress of its fulfillment? (G) Has the applicant developed a control environment wherein, in cases where it rejects acceptance of a proposed solution, it promptly explains its reasoning and takes necessary action, in light of the rules, etc. of the external organization? Applicability Does the applicant respond to the following matters regarding complaint processing measures (in cases where a Funds Transfer Service Provider develops its own control environments by itself)? Points of attention regarding complaint processing measures (when using external organizations) and dispute resolution measures Cases without Designated Dispute Resolution Organization for Funds Transfer Service Business (Designated ADR Body) (Guideline II-2-2-4-2-2) Does the Funds Transfer Service Provider, in view of the nature of its Funds Transfer Service Business, the occurrence of complaints, etc., its trading area, and other factors, appropriately select one or more of the following measures prescribed by laws and regulations as its complaint processing measures or dispute resolution measures? The supervisory authorities shall examine whether the Funds Transfer Service Provider has made inappropriate use of the complaint processing measures and dispute resolution measures, such as limiting the scope of application excessively.

Points to check □ □ □ □ □ □ □ □ □ □ □ □ □ □ Applicability Has the applicant confirmed that outsourced contractors have systems in place to take appropriate actions and to promptly report to the applicant in the event that information is leaked, lost, or damaged at outsourced contractors? Does the applicant restrict the access right by outsourced contractors to user information possessed by the applicant to the extent necessary according to the nature of the outsourced business? In cases of multi-tiered outsourcing, does the applicant check whether the outsourced contractor is adequately supervising such subcontractors? And does it directly supervise the subcontractors and other business operators as needed? Internal Control Environment, etc. for Responses to Persons with Disabilities (Guideline II-2-4-1) Has the applicant developed an internal control environment for taking appropriate measures in accordance with the Disability Discrimination Act and the Guidelines for Eliminating Discrimination against Persons with Disabilities? Has the Funds Transfer Service Provider developed a control environment that prevents users from suffering inconveniences if it cannot be provided the services agreed under the outsourcing contract with its outsourced contractor? When outsourcing the handling of information of individual users to an outsourced contractor, has the applicant taken measures based on Article 10 of the Financial Sector Personal Information Protection Guidelines and III of the Practice Guidelines to supervise the outsourced contractor as necessary and appropriate measures to prevent such information from being leaked, lost, or damaged? Does the applicant clarify the division responsible for the management of outsourcing and monitor how business operations are being conducted at outsourced contractors, on a regular basis or as needed? With regard to complaints, etc. pertaining to the outsourced service, has the applicant developed an appropriate complaint consultation system, such as a system to accept direct communication from users to the Funds Transfer Service Provider who outsourced such service? Does the applicant confirm that outsourced contractors properly manage user information? Has the applicant taken measures to ensure that outsourcing does not hinder the performance of obligations to supervisory authorities regarding inspections, reporting orders, submission of records, etc.? Has the Funds Transfer Service Provider implemented measures to ensure that it makes clear that the outsourcing of business operations does not cause any change in the contractual rights and obligations involving it and its users and that the users continue to have the same rights as if the business operations were conducted by the Funds Transfer Service Provider itself? In the case of outsourcing the operation relating to cash payment and receipt with users, when the outsourced contractor receives and pays cash from or to users, has the applicant taken measures to promptly identify increases and decreases in the outstanding obligations pertaining to the receipt and payment of cash? Internal Rules, etc. concerning Outsourcing (Guideline II-2-3-3-1) Has the applicant established internal rules, etc. specifying criteria for selecting outsourced contractors, or measures to be taken when outsourcing risk appears, and disseminated such rules, etc. through internal training, etc.? Has the applicant established a control environment for taking appropriate measures, such as issuing necessary instructions regarding the development of a legal compliance system at the outsourced contractor? Points to check □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ Has the applicant established information management rules and introduced a mechanism to prevent information leakage, etc., according to each of the important information items of users that have been thoroughly identified, after conducting importance assessment and risk assessment? Applicability Does the applicant give due consideration to the necessity of confidential information for business purposes and treat such information in a stricter manner? Internal Rules, etc. concerning IT System Risk Management (Guideline II-2-3-1-1) Is the division responsible for managing IT system risk specified? Has the applicant developed a control environment for preventing IT system failures, etc. and for quick recovery measures in the event of such failures? Does the applicant regularly evaluate the level of cyber security and improve security measures? When conducting non-face-to-face transactions using communication means such as the Internet, has the applicant introduced an appropriate authentication method suited to transaction risks, such as multi-factor authentication that combines effective elements such as variable passwords, biometric authentication, and electronic certificates, or an authentication method that does not rely solely on fixed IDs and passwords, or a transaction authentication method that uses multiple routes? When conducting non-face-to-face transactions using the Internet and other means of communication, has the applicant taken anti-fraud measures corresponding to the business? Also, has the applicant established a system to detect illegal logins, abnormal transactions, etc., and to promptly notify such anomalies to the user, and to suspend the use of IDs confirmed as unauthorized? Has the applicant appointed an officer who oversees and manages IT systems? Has the applicant determined specific measures to take in case of crisis where an IT system failure, etc. occurs? Has the applicant established the basic policy for managing the IT system risk? Does the basic policy for managing the IT system risk contain the security policy (a basic policy for proper protection of information assets of an organization) and the policy on outsourced contractors? Does the division in charge of managing IT systems identify and manage the upper limit of the transactions through the computer system and consider system and administrative measures for cases where the transactions exceed the upper limit? Has the applicant developed an IT security management system for the appropriate management of information assets and has the applicant been making efforts for continuous improvement through the PDCA cycle? Does the applicant manage information by designating individuals responsible for information security and clarifying their roles/responsibilities? Does the applicant periodically monitor its information assets to see if they are managed properly according to management rules, etc., and review the control environment on an ongoing basis? Are measures taken in case of data loss? Has the applicant developed a necessary control environment, such as the establishment of an organizational structure and the formulation of internal rules, while recognizing the importance of cybersecurity? Has the applicant introduced a multi-layered defense system against cyberattacks that combines security measures respectively for inbound perimeter control, internal network security control, and outbound perimeter control? Has the applicant taken measures to prevent expansion of damage when cyberattacks occur? Are necessary measures introduced for vulnerabilities in the IT system, such as updating of the operating system and application of security patches, in a timely manner? Are rules to authorize plans, development, and transitions of IT system development projects clearly established? Does the Internal Audit Department, which is independent from the IT Systems Department, or external auditor conduct periodic audits of IT systems? Are the results of the IT system audit reported to the Board of Directors in a proper manner? Does the applicant, in entering an outsourcing contract with an outsourced contractor, set out division of roles and responsibilities between them, supervising authority to audit outsourced work, subcontracting procedures, rules and security requirements to be observed by the officers and employees of the outsourced contractor in the contract? Has the applicant established a control environment in which risk management is carried out properly in outsourced IT system work (including multi-tiered outsourcing)? In cases where IT system-related administrative work is outsourced, does the applicant properly manage the risk thereof in the same manner as outsourcing of IT system work? Does the applicant audit its important outsourced contractors by the Internal Audit Department, or IT system auditors, etc.? Has the applicant formulated a contingency plan and established arrangements and procedures for dealing with emergencies? In cases where IT system-related operations are outsourced, has the applicant established an emergency system including important outsourced contractors? Does the applicant regularly conduct a drill based on its contingency plan? Also, is the drill conducted jointly with outsourced contractors and IT system partners according to the degree of importance and risk? For important IT systems whose failure could seriously affect business operations, has the applicant developed a control environment to address disasters, IT system failures, etc. so that normal business operations can be speedily brought back? Has the applicant clarified reporting procedures and the framework of command and supervision covering outsourced contractors in preparation for IT system failures, etc.? Has the applicant established measures to respond to users in the event of IT system failures, etc.? Internal Rules, etc. concerning Administrative Risk Management (Guideline II-2-3-2-1) Is the division responsible for managing administrative risk specified? Also, has the applicant established rules and regulations regarding administrative work and processes? Does the Internal Audit Department properly conduct internal audits in order to examine the control environment for managing administrative risk? Has the division in charge of managing administrative risk at headquarters taken measures for checking business offices’ control environment for managing administrative risk?

Points to check □ □ □ □ □ □ □ □ □ □ □ (i) Has the applicant formulated standards of requirements partner companies should abide by including an effective method of the confirmation of verified status at the time of transaction, and evaluated and examined such standards prior to entering into a contract? (ii) Has the applicant specified in the contract the content of the business related to the verification at the time of transaction, the division of roles and responsibilities with the partner, and matters necessary to implement (iii) below? (iii) Does the applicant conduct necessary and appropriate supervision, etc. of the business partner, such as verifying whether the business partner is performing the business appropriately and reliably, and having the business partner make improvements as necessary, by confirming the status of implementation of the business related to the verification at the time of transaction on a regular basis or as necessary? (iv) From the viewpoint of ensuring effective confirmation of verified status at the time of transactions and enhancing continuous customer management by a Funds Transfer Service Provider, does the applicant verify the accuracy of the identifying matters (name, address, and date of birth) reported by users of the Funds Transfer Services by, for example, collating them with the corresponding information owned by its business partners? In cases where it is difficult to confirm the accuracy of addresses at that point, has the Funds Transfer Service Provider formulated a plan to enable such confirmation? (v) Has the Funds Transfer Service Provider taken necessary measures, such as changing or canceling contracts, if necessary from the viewpoint of the proper and secure performance of its business, including protection of the interests of users, etc.? □ □ • To promptly detect transactions suspected of being fraudulent by setting appropriate scenarios or thresholds based on changes in the environment, including the sophistication of criminal methods, and the occurrence of incidents in it or other business entities • To share information on suspicious transactions detected based on the above with partners in a timely manner, to take necessary measures including suspension of the services, and to investigate such suspicious transactions • To promptly notify persons who may be a victim of fraud of the incident • To suspend the use of IDs that have been confirmed to be used for improper transactions □ □ □ Applicability Has the applicant developed a control environment for honestly and sincerely responding to users, including inquiries, etc. on business partners? Also, has it clarified how to cooperate and share the responsibilities with business partners in specific manners? Does the applicant crosscheck with a business partner whether each of them has taken any inappropriate actions in responding inquiries, etc. form users, such as inducing users, etc. who made an inquiry to either party to contact the other party? And if any inappropriate actions are found, does the applicant, together with the partner, properly investigate the cause thereof, and take corrective measures and measures to prevent recurrence, etc.? Does the applicant regularly and in a timely manner check and re-evaluate risks in light of changes in the environment, including the sophistication of crime methods, and the occurrence of incidents at the applicant itself or other business operators, and improve measures to prevent fraud, including the introduction of public personal authentication? If, as a result of risk assessment, it is found that there is a problem, does the applicant temporarily suspend all or part of its services, including collaborative services, or take other appropriate measures until the problem is resolved? When entrusting the business related to the verification at the time of transaction including the confirmation about verified status at the time of transaction to a business partner or when conducting such business in cooperation with a business partner, does the applicant pay attention to the following points, for example? When engaging in the linked account transfer service, etc., with business partners, does the applicant take measures to enable users, etc. to confirm that such service is a collaborative service and the content of such service in a timely manner by cooperating with the partner to notify users, etc. at their contact information such as the telephone number and e-mail address (including SMS (short message service) to telephone numbers) registered with the partner in advance, so that users, etc. can be aware of fraud or other damage, if any, at an early stage? With regard to the collaborative services, from the viewpoint of preventing improper transactions, has the applicant developed a control environment for appropriately implementing the following matters, for example, in cooperation with business partners? Has the applicant developed a control environment for accumulating and analyzing cases of inquiries and consultations from users, etc. concerning collaborative services (hereinafter referred to as "inquiries, etc.") and utilizing them for early detection of risks, and for improvement of fraud prevention measures and responses to consultations from users, etc.? Does the Internal Audit Department audit the control environment (including fraud prevention measures) for the operation of collaborative services on a regular and timely basis? Also, does it report the audit result to the management team? Does the management team create an environment in which the so-called PDCA cycle, which consists of risk analysis, the formulation and implementation of risk mitigation measures, and the evaluation and review thereof, functions as described above? From the viewpoint of preventing improper transactions, does the applicant assess possible risk of the entire collaborative service in cooperation with its business partners at the time of introduction of the services or at the time of any change in the contents and methods thereof? Also, does it cooperate with the business partners in assessing the risk? Has the applicant clarified the division of roles and responsibilities with the business partners? Based on the risk assessment, does the applicant crosscheck information on users in cooperation with the business partners, and take appropriate and effective measures commensurate with risks to prevent fraud? For example, when linking with the account transfer service, does the applicant take appropriate and effective measures to prevent fraud by carrying out effective verification at the time of transactions for the users of the Funds Transfer Services? Has the applicant confirmed that partner banks, etc. that offer the account transfer services have introduced multi-factor authentication and other authentication methods that combine effective elements?

It should be noted that fraud prevention measures taken by a Funds Transfer Service Provider do not overlap with those taken by the partner banks, etc. Internal Control Environment, etc. for Linkage with Services Provided by Other Service Providers such as Account Transfer Service (Guideline II-2-5-1) Does the management have the Internal Control Department identify inherent risks with regard to the entire collaborative services at the time of introduction thereof or at the time of any change in the contents and methods thereof, and develop a system to reduce risks in a timely manner based on these? Does the Internal Control Department collect and analyze information on the occurrence of related crimes and methods thereof in collaborative services, and improve the system for the operation of collaborative services (including fraud prevention measures)? Also, does it report the content thereof to the management team on a regular and timely basis? Points to check □ □ (A) Depending on the contents of the Funds Transfer Services, whether or not compensation for damage is to be provided to victims for each specific situation in which damage is likely to occur, and the content of and requirements for compensation, if any; (B) Content of the compensation procedure (C) In cases of collaborative services, particulars concerning the sharing of compensation between the Funds Transfer Service Provider and the business partner (including those who provide compensation to victims) (D) Inquiry and contact for compensation (E) Standards for disclosure of improper transactions □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ □ Applicability Does the applicant take measures to prevent a situation in which there is a shortage of account balances at banks, etc.? Does the applicant confirm on each business day whether the account balance, etc. at a bank, etc. is equal to or greater than the amount that must be managed through the method of management by bank deposits or savings? If, as a result of checking, the amount is less than the amount required to be managed, does the applicant immediately eliminate the shortfall and analyze the cause? Has the applicant developed an internal control environment necessary for the audit of the management by bank deposits or savings? When conducting the audit of the management by bank deposits or savings, does the management team select an appropriate certified public accountant or auditing firm? Are important matters identified and pointed out in the audit of the management by bank deposits or savings reported to the management team without delay? Are matters pointed out in the audit of the management by bank deposits or savings improved promptly? Internal Rules concerning Restriction on Retention of Funds (Upper Limit for Exchange Transactions) (Guideline V-1-1) Does the applicant have a system in place to prevent it from accepting an order for exchange transactions exceeding the amount equivalent of 50,000 yen from each user? Does the applicant have a system in place under which the obligations relating to exchange transactions owed to each user do not exceed an amount equivalent to 50,000 yen? Internal Rules, etc. concerning Management Using the Method of Management by Bank Deposits or Savings (Guideline V-2-1) Is the division responsible for the management by bank deposits or savings specified? Does the management team of the applicant verify whether the management by bank deposits or savings conducted appropriately and reliably? Has the applicant established a system to appropriately conduct the management by bank deposits and savings? Has the applicant specified the method of the management by bank deposits and savings in its internal rules? Is it reflected in the contract with users? Does the applicant clearly separate its own money from user’s funds? Does the applicant is able to immediately identify the balance of funds of individual users? Is compliance status verified? Internal Rules, etc. concerning Type II Funds Transfer Services (Article 6(xiii) of the Cabinet Office Order) Internal Control Environment, etc. for Restriction on Retention of Funds (Guideline IV-1-1) Has the applicant put in place a control environment in which, if the receipt amount per user exceeds 1 million yen, the applicant checks whether such amount is used for exchange transactions and takes measures to prevent the retention of such amount by, for example, returning it to the user? In judging whether users’ funds relate to exchange transactions, does the applicant comprehensively consider (i) the receipt amount, (ii) the receipt period, (iii) money transfer records, and (iv) the purpose of use of the funds on a user basis? In relation to the above, has the applicant established internal rules, etc. providing specific check methods, judgment criteria, and how to respond to cases and disseminated them company-wide via internal training, etc.? Also, has the applicant developed the necessary control environment, including system support? Internal Rules, etc. concerning Type III Funds Transfer Services (Article 6(xiii) of the Cabinet Office Order) If the Internal Control Department includes the function in charge of handling user responses, what alternative measures are taken to ensure business operations? Does the Internal Audit Department have an independent control environment in which sufficient checks can be exercised against the audited departments? If internal audits cannot be conducted, are alternative measures with the same effect as internal audits taken? Internal Rules, etc. concerning Type I Funds Transfer Services (Article 6(xiii) of the Cabinet Office Order) Internal Rules, etc. concerning User Protection Measures (Guideline III-2-1) Does the applicant explain the matters prescribed in Article 29(1)(i)(f) or (ii)(e) of the Cabinet Office Order? Does the applicant share necessary information with business partners (if any) and the Certified Association for Payment Service Providers (if it is a member thereof), etc. concerning risks of improper transactions and actual cases thereof, such as inquiries, etc. from users, etc. concerning improper transactions? Organizational Chart concerning Funds Transfer Services (Article 6(xi) of the Cabinet Office Order) Organizational Chart concerning the Business of Funds Transfer Services that Describes Control Environment for Ensuring Compliance with Laws and Regulations Does the Funds Transfer Service Provider describe the Internal Control Department, the division in charge of the Internal Audit Department, the responsible persons thereof, and the operations under their respective jurisdiction? Does the Internal Control Department have an effective control environment, such as separating it from the division in charge of handling user response, in order to ensure business operations that comply with laws and regulations and the internal rules? Internal Control Environment, etc. for Compensation for Damage due to Improper Transactions (Guideline II-2-6-1) Based on Article 29-2(v) and Article 31(iv) of the Cabinet Office Order, has the applicant formulated a policy concerning compensation for damage arising from improper transactions made in connection with the Funds Transfer Services and other measures (hereinafter referred to as "Compensation Policy")? And has it provided users of the Funds Transfer Services with necessary information and made it available also to persons who are likely to incur losses in the event of the occurrence of improper transactions other than the users of the Funds Transfer Services? Does the Compensation Policy include at least the following items? Has the applicant developed a control environment for appropriately and promptly providing compensation in accordance with the established Compensation Policy (in the case of collaborative services, including a system for cooperation with business partners)?

Points to check (i) To the effect that the applicant may not make all or part of the security deposit for providing Funds Transfer Services because of the application of Article 45-2(1) of the Act (ii) To the effect that, instead, the applicant conduct the management by the method of management by bank deposits or savings (iii) Content of the right as prescribed in the proviso to Article 59(1) of the Act. □ □ □ □ □ Has the applicant established a control environment to prevent the transfer of funds received from users of Type II Funds Transfer Services to funds for exchange transactions for Type I Funds Transfer Services? □ When providing explanations to prevent misunderstandings with exchange transactions conducted by banks, etc., does the applicant explain the matters prescribed in Article 28 (2)(iv) of the Cabinet Office Order without omission? Does the applicant provide explanations on the matters prescribed in each item of Article 29(1) or (2), or each item of Article 29-2 of the Cabinet Office Order? Does the applicant provide sufficient information on the matters prescribed in Article 29-2(iv) of the Cabinet Office Order? Internal Rules, etc. concerning Cases Where a Funds Transfer Service Operates Multiple Types of Funds Transfer Services (Article 6(xiii) of the Cabinet Office Order) Internal Control Environment, etc. for Prevention of Adverse Effects in Cases Where a Funds Transfer Service Provider Operates Multiple Types of Funds Transfer Services (Guideline VI-1-1) Does the Funds Transfer Service Provider who operates multiple types of Funds Transfer Services ensure that the status of use of funds received by each user, such as the balance of funds and the actual amount of remittances, can be easily understood for each type of Funds Transfer Service it operates? Does the applicant set accounts for each category of Funds Transfer Services it operates and provide separate accounting? Internal Rules, etc. concerning User Protection Measures (Guideline V-3-1) Applicability