Legal and regulatory framework

Legal role

What legal role does corporate risk and compliance management play in your jurisdiction?

Japan seems to have a particular problem with corporate scandals, such as false accounting (false statements on annual securities reports, etc) and insider trading. These scandals can impair corporate values, harm the social credibility of the affected company and, in some cases, jeopardise its survival. Scandals in the securities market, such as false statements submitted by listed companies, may not only ruin the credibility of the relevant company, but also bring the market into disrepute. Risk and compliance management are of the utmost importance to all companies in order to avoid scandals and achieve sustainable growth.

Although the importance of compliance has been increasing in light of scandals and poor governance, no extensive body of law or practice on the subject exists. Compliance is not a discrete field of law or regulation, and there is no legally binding general definition of the concept in Japan. ‘Compliance’ is only loosely defined and is not readily distinguished from ‘corporate governance’, ‘internal control’, or ‘corporate social responsibility’. That said, some provisions of Japanese law are related to loosely defined compliance matters, so it could be said that there is a general concept of compliance under Japanese law. Outside of regulated and finance-related sectors, such as banking, insurance and financial services, compliance in Japan is more of a reactive function than a proactive one.

Laws and regulations

Which laws and regulations specifically address corporate risk and compliance management?

As mentioned in question 1, no laws directly impose risk and compliance management obligations. It is therefore not possible to make a general statement about the fields of law that businesses must cover with their compliance management activities, and management remains responsible for adhering to all laws. That said, the areas of law that companies primarily focus on for specific compliance risks (as opposed to general obligations to manage a company properly) are antitrust, anti-corruption, money laundering, data protection and employment. Antitrust, anti-corruption and money laundering are of particular importance given the potential for significant penalties and reputational damage from non-compliance.

Standards and guidelines

Give details of the main standards and guidelines regarding risk and compliance management processes.

There are none. It is for directors of companies to determine how best to comply with their and the company’s obligations.


Are undertakings domiciled or operating in your jurisdiction subject to risk and compliance governance obligations?

Companies incorporated in Japan under the Companies Act are, as a basic rule, subject to the Companies Act and other general legislation governing their activities (eg, antitrust laws and banking regulation). Foreign companies listed on a stock exchange in Japan are subject to the rules of the exchange and related requirements of the Financial Instruments and Exchange Act (FIEA). Japanese corporate and administrative law, and the Criminal Code generally only apply to acts that are carried out in Japan.

What are the key risk and compliance management obligations of undertakings?

The Companies Act requires that directors or the board of directors of a large company, or a company with committees, establish systems that ensure that directors and executive officers comply with laws, regulations, the company’s articles of incorporation and other applicable requirements during the execution of their duties. Although these provisions are generally not understood as imposing a corporate (as opposed to an individual’s) duty to develop such a system, court precedents have implied a corporate duty to develop an internal control system that is closely related to the risk and compliance management obligation arising from a director’s duty of care of a prudent manager owed to the company (see question 10).

The FIEA requires that listed companies file an ‘internal control report’. This report evaluates the management structures and procedures the company has in place to ensure the appropriateness of its financial statements, accounting and other information concerning the company and the corporate group to which it belongs. Listed companies are also required to submit a letter with their annual and quarterly securities reports, confirming that the statements contained in those reports are appropriate under the FIEA and related regulations. The internal control report requires an audit certification by a certified public accountant or audit firm in order to assure that it is fair and proper.

The listing regulations of the Tokyo Stock Exchange (TSE) require all domestic companies listed on the exchange to develop a system necessary to ensure the appropriateness of their business, and to put in place management structures and procedures as required under the Companies Act (as mentioned above), and operate them appropriately. TSE listing regulations also require listed companies to respect the TSE’s Principles of Corporate Governance for Listed Companies, as well as to make efforts to enhance their corporate governance.

Ministries may, from time to time, issue guidance, among other things, on the establishment of internal control and risk management systems for the industries and bodies they regulate. While these do not have the force of law, the affected entities do habitually comply with them (and it would be imprudent for them not to do so).

In addition to legal and regulatory compliance requirements, there are also ‘soft compliance’ requirements. For example, the Keidanren, a federation of companies, industrial associations and regional economic organisations, publishes a non-binding Charter of Corporate Behaviour, which states that companies should maintain high ethical standards and go above and beyond mere compliance with laws and regulations regarding their social responsibilities. Various trade associations have similar principles.