Legal and regulatory framework

Legal role

What legal role does corporate risk and compliance management play in your jurisdiction?

Japan seems to have a particular problem with corporate scandals, such as false accounting (false statements on annual securities reports, etc) and insider trading. These scandals can impair corporate values, harm the social credibility of the affected company and, in some cases, jeopardise its survival. Scandals in the securities market, such as false statements submitted by listed companies, may not only ruin the credibility of the relevant company, but also bring the market into disrepute. Risk and compliance management are of the utmost importance to all companies in order to avoid scandals and achieve sustainable growth.

Although the importance of compliance has been increasing in light of scandals and poor governance, no extensive body of law or practice on the subject exists. Compliance is not a discrete field of law or regulation, and there is no legally binding general definition of the concept in Japan. ‘Compliance’ is only loosely defined and is not readily distinguished from ‘corporate governance’, ‘internal control’, or ‘corporate social responsibility’. That said, some provisions of Japanese law are related to loosely defined compliance matters, so it could be said that there is a general concept of compliance under Japanese law. Outside of regulated and finance-related sectors, such as banking, insurance and financial services, compliance in Japan is more of a reactive function than a proactive one.

Laws and regulations

Which laws and regulations specifically address corporate risk and compliance management?

As mentioned in question 1, there are no laws that directly impose obligations of risk and compliance management and it is therefore not possible to make a general statement about the fields of law that businesses must cover with their compliance management activities, and management remains responsible for adhering to all laws. That said, the areas of law that companies primarily focus on for specific compliance risks (as opposed to general obligations to manage a company properly) are antitrust, anti-corruption, money laundering, data protection and employment. Antitrust, anti-corruption and money laundering are of particular importance given the potential for significant penalties and reputational damage from non-compliance.

Types of undertaking

Which are the primary types of undertakings targeted by the rules related to risk and compliance management?

All companies, regardless of the nature of their business, are subject to the Companies Act and other laws of general application that impose compliance obligations directly or by implication. All directors of companies are subject to duties of care (see question 10). Listed companies and companies in regulated industries are subject to specific compliance management requirements.

It cannot be said that specific types of undertakings are targeted regarding their imposition of compliance management obligations.

Regulatory and enforcement bodies

Identify the principal regulatory and enforcement bodies with responsibility for corporate compliance. What are their main powers?

There are no regulatory or enforcement bodies with responsibility for corporate compliance. It is for directors of companies to determine how best to comply with their and the company’s compliance obligations.

Definitions

Are ‘risk management’ and ‘compliance management’ defined by laws and regulations?

As noted in question 1, there are no specific laws and regulations that define ‘risk management’ and ‘compliance management’.

Processes

Are risk and compliance management processes set out in laws and regulations?

No. It is for directors of companies to determine how best to comply with their and the company’s compliance obligations.

Standards and guidelines

Give details of the main standards and guidelines regarding risk and compliance management processes.

There are none. It is for directors of companies to determine how best to comply with their and the company’s obligations.

Obligations

Are undertakings domiciled or operating in your jurisdiction subject to risk and compliance governance obligations?

Companies incorporated in Japan under the Companies Act are, as a basic rule, subject to the Companies Act and other general legislation governing their activities (eg, antitrust laws and banking regulation). Foreign companies listed on a stock exchange in Japan are subject to the rules of the exchange and related requirements of the Financial Instruments and Exchange Act (FIEA). Japanese corporate and administrative law, and the Criminal Code generally only apply to acts that are carried out in Japan.

What are the key risk and compliance management obligations of undertakings?

The Companies Act requires that directors or the board of directors of a large company, or a company with committees, establish systems that ensure that directors and executive officers comply with laws, regulations, the company’s articles of incorporation and other applicable requirements during the execution of their duties. Although these provisions are generally not understood as imposing a corporate (as opposed to an individual’s) duty to develop such a system, court precedents have implied a corporate duty to develop an internal control system that is closely related to the risk and compliance management obligation arising from a director’s duty of care of a prudent manager owed to the company (see question 10).

The FIEA requires that listed companies file an ‘internal control report’. This report evaluates the management structures and procedures the company has in place to ensure the appropriateness of its financial statements, accounting and other information concerning the company and the corporate group to which it belongs. Listed companies are also required to submit a letter with their annual and quarterly securities reports, confirming that the statements contained in those reports are appropriate under the FIEA and related regulations. The internal control report requires an audit certification by a certified public accountant or audit firm in order to assure that it is fair and proper.

The listing regulations of the Tokyo Stock Exchange (TSE) require all domestic companies listed on the exchange to develop a system necessary to ensure the appropriateness of their business, and to put in place management structures and procedures as required under the Companies Act (as mentioned above), and operate them appropriately. TSE listing regulations also require listed companies to respect the TSE’s Principles of Corporate Governance for Listed Companies, as well as to make efforts to enhance their corporate governance.

Ministries may, from time to time, issue guidance, among other things, on the establishment of internal control and risk management systems for the industries and bodies they regulate. While these do not have the force of law, the affected entities do habitually comply with them (and it would be imprudent for them not to do so).

In addition to legal and regulatory compliance requirements, there are also ‘soft compliance’ requirements. For example, the Keidanren, a federation of companies, industrial associations and regional economic organisations, publishes a non-binding Charter of Corporate Behaviour, which states that companies should maintain high ethical standards and go above and beyond mere compliance with laws and regulations regarding their social responsibilities. Various trade associations have similar principles.

Liability

Liability of undertakings

What are the risk and compliance management obligations of members of governing bodies and senior management of undertakings?

The Companies Act imposes an obligation on directors to exercise the duty of care of a prudent manager (also known as a ‘fiduciary duty’) in the management of their company, which requires that directors act with the level of care that is normally expected to be taken by a person in the same position and, if relevant, with the same expertise as the director - the duty is owed to the company. The duty of care could be interpreted to include a (compliance) duty to organise the managed business (including its controlled subsidiaries) in such a way so as to ensure adherence to all applicable laws so far as is reasonably possible. In order to comply with these duties, directors should familiarise themselves with background information, such as the company’s size and business type, and the occurrence of previous scandals, etc, and the occurrence of misconduct or violations by other companies in the same business.

The relationship between a company and its managers (persons other than directors exercising management functions and with authority to bind the company) is one of entrustment and employment, the managers therefore owing a duty of care to the company. The liability of officers is almost the same as that of directors (see above), though managers are usually appointed as the head of an office or branch office, and their powers and liability are limited to such office.

If a director, officer or manager suspects that an employee has engaged in an unlawful activity, he or she must take action to prevent the offence, and to prevent similar cases of non-compliance from occurring in the future by testing the effectiveness of the existing compliance programme, and adopt adequate improvement measures and controls if required. It is the responsibility of management to determine what constitutes an adequate and effective compliance programme. It was noted in a judgment that ‘what should be included in the development of a risk management system is a matter of business judgment, and it should be noted that directors are given broad discretion thereover for their expertise in company management.’ The board of directors must continuously review whether or not an existing internal control system is still appropriate and operating properly, and any deficiencies must be corrected in a timely manner. Establishment of an internal audit department, on-site audits and a whistle-blower system, and monitoring of reporting of unfair acts are some of the means to determine whether or not an internal control system is functioning properly.

Senior employees are also obligated to monitor internal control systems, but are not liable for any failure to develop appropriate internal control systems.

Although the Companies Act does not clearly specify the duties owed by directors of parent companies with respect to management of subsidiaries, there are provisions in the Banking Act based on the assumption that bank holding companies are authorised and obligated to manage and control their subsidiary banks.

Do undertakings face civil liability for risk and compliance management deficiencies?

An undertaking would only face civil liability for a risk or compliance management deficiency if the deficiency gave rise to a claim under another head, for example, tort.

A company may be liable under civil law for compliance violations resulting from torts committed by its employees or persons acting in its name. Essentially, a company is liable for the acts of its employees and directors while they are acting in the course of their employment or performance of their duties. A company is also liable for the acts of its agents when they are acting within the scope of their authority unless the company or its directors exercised reasonable care in appointing the agent or in supervising the business, or if the damages could not have been avoided even if the company or its directors had exercised such reasonable care.

Do undertakings face administrative or regulatory consequences for risk and compliance management deficiencies?

Although Japan does not have a separate body of administrative law as is found in some civil law European jurisdictions, administrative actions may be taken pursuant to the specific law to which the breached compliance obligation relates.

Where an activity of a company is subject to regulatory oversight, and the applicable law provides regulators with enforcement powers, the relevant authority is often entitled to impose sanctions, including fines.

Where a company listed on the TSE has made false statements in securities reports or other sources, or where auditors, etc, of the company express, for example, an adverse opinion in audit reports and the TSE deems that ‘improvement of the internal management system, etc, of such listed company is highly necessary’, then the TSE may designate the listed stock as a security on alert. If the internal management system is not improved within the prescribed period, or the TSE deems that improvement is not expected (ie, no steps are taken for fact-finding, no policies considering preventative steps are disclosed, or the proposed policies lack practicability), then the company will be delisted.

Do undertakings face criminal liability for risk and compliance management deficiencies?

Corporate criminal law does not exist in the Japanese legal system, as only natural persons may be subject to criminal prosecution under the Penal Code. A company can, however, be subject to criminal fines under a number of other statutes, for example, the Anti-monopoly Act, the Companies Act and the Labor Law.

Liability of governing bodies and senior management

Do members of governing bodies and senior management face civil liability for breach of risk and compliance management obligations?

The Companies Act stipulates that if a director, accounting advisor, company auditor, executive officer or accounting auditor of a company neglects their duties (such as their implied duty to develop and monitor internal compliance systems), they shall be liable to the company (but not its shareholders) for any resulting damages. And if a director knowingly breaches their duties, or is grossly negligent in performing them, they shall be liable to any third party (including shareholders in the company) suffering loss as a result. A director (but not the other officeholders mentioned above) may be released, in whole or in part, from their liability to the company (but not to third parties) for breach of duty on a case-by-case basis, the basis of this release depending on whether the director acted with wilful misconduct or was grossly negligent. If the director acted with wilful misconduct or was grossly negligent, shareholders’ unanimous approval is needed for such a release; otherwise, a partial limitation of liability may be available under the company’s articles and the Companies Act, though there is a minimum liability in some cases.

Do members of governing bodies and senior management face administrative or regulatory consequences for breach of risk and compliance management obligations?

No specific or ‘catch all’ administrative liability exists for directors, officers or managers of a company that fail to supervise a subordinate, or to put adequate supervisory processes in place. However, such failures may violate specific legislation, depending on the nature of the business and the act or failure in question, and could give rise to third-party claims.

Do members of governing bodies and senior management face criminal liability for breach of risk and compliance management obligations?

Persons are criminally liable if they commit criminal offences themselves or if the criminal offence arises from their actions, for example, when they instruct others to commit a criminal act or otherwise contribute to it. A director’s breach of the duty of care owed to their company (see question 10) does not, in itself, give rise to any criminal liability. As there is no catch-all risk and compliance management obligation at law, there is no related criminal liability.

Specific legislation may impose criminal sanctions for certain acts that are compliance-related; for example, the Anti-monopoly Act imposes criminal fines on representatives of companies who have failed to take necessary measures to prevent certain acts (such as not complying with regulatory orders), despite their knowledge of an intention to commit such acts, or who have failed to take necessary measures to rectify such acts despite their knowledge of them.

Corporate compliance

Corporate compliance defence

Is there a corporate compliance defence? What are the requirements?

No, but in practice taking appropriate measures, such as implementing effective internal compliance management, may mitigate penalties for breach of statutory or regulatory obligations, or claims by third parties. For example, in a judgment in 2009 relating to the liability of a representative director for the acts of an employee in falsifying sales amounts, the Supreme Court held that the representative director had not violated their duty to develop an internal control system, on grounds that, among other things, the representative director had developed a management system that was sufficient to prevent unfair acts that could normally be expected (such as the false entries).

Recent cases

Discuss the most recent leading cases regarding corporate risk and compliance management failures?

The most recently publicised case of corporate management failure is the ¥220 billion false accounting by Toshiba Corporation, one of the leading electronics manufacturers in Japan. According to a third-party committee’s report on the case, the underlying cause of this false accounting was the company’s top management’s extreme pressure to pad the company’s profits, and that the actions were not revealed by the company’s internal controls. There have been many other cases of accounting fraud by listed companies in recent years, triggering claims for damages by shareholders, including institutional investors, or significant administrative monetary penalties. What underlies these accounting frauds is, in many cases, the failure of compliance management.

Government obligations

Are there risk and compliance management obligations for government, government agencies and state-owned enterprises?

There are no legally binding risk and compliance management obligations for government, government agencies and state-owned enterprises, though any such entity that is a company would have to comply with the general management obligations and other obligations that a director of a private company would be subject to.

Digital transformation

Framework covering digital transformation

What are the key statutory and regulatory differences between public sector and private sector risk and compliance management obligations?

Risk management in the public sector is not a statutory obligation at this point in time, and it has been acknowledged that local governments have not made enough efforts to develop their internal control systems. Internal controls requirements of incorporated administrative agencies differ from those of private companies due to their businesses being stipulated by individual laws, the involvement of the government, etc, in the evaluation of performance and review of operations, and their budget being under strict management due to the institutional constraint that they are financially supported by the government. It has been suggested that these differences should be thoroughly examined to determine to what extent they are still appropriate.