About the Defending to Pioneer Series
The Legal & Risk Management Division defends PayPay, its users, and merchants from a variety of risks, such as cyberattacks and fraud. Although it is true that the division protects against threats directed at PayPay, this unit is in fact also a group of specialists who work together to enable the company and employees to assertively move into uncharted territory. In this series, we will ask the heads of respective teams to explain their thoughts on the all-encompassing defensive framework for combatting threats, which enables PayPay to remain the absolute no. 1 in the industry.
The first installment features Division Head Terada, the skipper of legal and risk management matters. We discuss PayPay’s defensive framework, the messages sent out to continue the company’s confident business while providing protection, and the people we are looking for.
Corporate officer, CCO (Chief Compliance Officer), CRO (Chief Risk Officer), and CDO (Chief Data Officer), Division Head of the Legal & Risk Management Division.
After serving as an assistant officer and clerk at court, he joined Yahoo! JAPAN in 2002. Following a stint as the Senior Manager of Legal Department 1 and Senior Manager of the Corporate Governance Department, he was appointed PayPay’s corporate officer, CCO, CRO, and Division Head of the Legal & Risk Management Division in April 2020. He likes to cycle and make plastic models in his spare time.
Defensive Measures to Run an Assertive Business
Please tell us about the overall legal and risk management protection framework.
PayPay is now fortifying its framework in the following areas.
- Legal matters and compliance with financial laws
- BCP activities to defend the company from various threats to business continuity
- Risk management to control overall risks that may occur in the company’s business
- Information security to protect against cybercrime
- Countermeasures against financial crime to combat fraudulent use of PayPay and money laundering
- Data governance to ensure that user and merchant data are used appropriately
- Internal control to check whether the entire company is managed according to these rules
It may not be so obvious from the word “defend,” but we also have a team that handles public policy, with the aim to enable PayPay to contribute more effectively to society, as well as a government relations team that lobbies the authorities regarding regulatory policies that affect us.
What are your “offense” tactics despite you being a defensive division?
When I look at each department, I see that some of them, such as the Legal & Compliance Department, are well maintained like a financial institution, while others, such as the Anti-Financial Crime Office, continue to evolve with the use of cutting-edge technology for sophisticated fraud detection and monitoring. We are improving our framework with the help of Paytm, an Indian two-dimensional code payment company that has invested in and provided technical support to PayPay. I think the fact that the team handling information security is not only implementing security measures for within Japan, but also considering global standards, is both an offensive and defensive approach.
When other teams ask for legal advice, given the possible risks, the protecting departments tend to respond that things cannot or should not be done. However, with assertive legal affairs and risk management, we should not halt activities but rather think together how we can go about it. Admittedly, there are certain things in each area that really need to be stopped. But by discussing with our advisees how to do things we want to do while considering the risks involved, we can advance together at the forefront of our business. I believe this is a way of being on the offensive and keeps us from becoming reactive.
In addition, it’s necessary to understand how our business is structured in order to do internal consultation properly. There’s no such thing as “I work in administration, so I don’t need to know anything about other fields.” If you understand the technical background of a product, you can have a more meaningful interaction than just giving conventional responses.
Also, in the field of data governance, we need to have a deep understanding of how PayPay technically processes personal data, how it flows through the system, and how it affects our business. Only then can we provide consultation.
Thankfully, the Senior Managers in the Legal & Risk Management Division are professionals in their respective fields, so there’s no need to worry about their knowledge and information gathering capabilities. Since I’m in charge of a very broad area, I’m always mindful of having a wide perspective, which is crucial for making the right decisions.
What areas do you want to strengthen in the future?
What we need to be most meticulous about is AML/CFT (anti-money laundering and counter financing of terrorism). This summer, there was news that FATF, an international evaluation body that examines the status of AML/CFT systems, issued a report stating that Japan’s AML/CFT measures are still rather insufficient. For this reason, the Financial Services Agency (FSA) is now urgently taking various measures to deal with AML/CFT as a national effort. As Japan’s leading funds transfer company, PayPay needs to maintain a high degree of sophistication that will lead the industry also in the AML/CFT area. Naturally, I believe that the FSA is expecting a lot from us. This is what I’ve been focusing on most recently.
As Division Head, what are some things you share with your team to be mindful of?
What I often tell them these days is “awareness as a financial institution and boldness as an IT startup.” When PayPay was first established, many of our employees were involved in IT services, so there was this strong perception of us being an IT company. That idea was also a part of our corporate culture. However, recently, we are being viewed from the outside as a financial institution. Being seen as a financial institution means that we need to meet high standards in various areas, such as security, risk management, and compliance. I would like everyone in the company to realize that they are a member of a financial institution. This is what I mean by “awareness as a financial institution.”
On the other hand, the number of employees has been increasing these days, and more people from the financial industry are joining PayPay. Companies in the financial industry can be slow to act due to various constraints, and it can be difficult to take on new challenges. So I would like our employees to be aware of our role as a financial institution, but also want them to have the sense of speed like an IT startup, be unafraid of change, and be willing to try out new things.
Another thing I say is “simple and logical.” Experts tend to talk about their respective fields in a complicated manner. Contracts can be elaborate since they are exchanges between experts, but when interacting with clients, it’s important for the departments in charge to communicate their thoughts in simple terms. It’s actually easy to say difficult things in a difficult way. Communicating difficult things in an intelligible way for everyone is a great skill, and one that we expect all our members to have.
Also, when having discussions with other departments in the company, it’s necessary to be logical when speaking as an expert. And you can’t speak simply without being logical. That’s why I tell my team members to be “simple and logical.”
The People PayPay Seeks for Its Defense and Offense
What sort of person would you like to see join PayPay?
The name of our service, PayPay, has become quite established. However, the company itself is still a startup. Unlike large corporations that have been around for some time, there are matters, flows, and systems that are not yet internally in place. We have to solve these issues and set up a new framework ourselves. So I would like to have people who can develop new things and enjoy that process, rather than those who only work within a fixed environment. It would also be great if they are willing to cross boundaries and do a wide range of work, not limiting their scope to just one area.
What skills are required in working with PayPay’s defensive framework?
Imagination. When being consulted, it’s important to be able to imagine things and ask, “What will you do if this happens?” or “How will you respond to this action?” It’s a skill that is required in any department dealing with protection. In other words, the question is whether one has the ability to properly assess risk.
When we hear “risk assessment” we tend to think of something elaborate, but the assessment skills needed in our departments are to evaluate the risk in front of us, imagine various scenarios, and take ownership in handling them.
Although this is not limited to our line of work and quite basic, communication skills are also necessary. Since the business that PayPay is promoting is a new service and a new system, it’s often difficult for people outside who are involved with the company to have an idea of what PayPay’s services are. But I believe that if we communicate carefully with our stakeholders, we can create a better outcome for everyone. We try to keep the business moving as much as possible, but as a defensive unit, we sometimes have to bring certain things to a halt. Even in those situations, though, we don’t just push the case aside and say, “It’s impossible,” but provide alternatives and explain, “You can make it happen if you do this.” Civil and polite communication is a must.
A message to those interested in joining PayPay.
Since the funds transfer business is quite regulated, it may not lead to business growth unless we, the defenders, do our best in dealing with the regulatory authorities. In that sense, PayPay’s defensive department is a valuable position where you can contribute to business growth and feel that you are pushing the business forward, while doing administrative work. Come join us and work at the forefront of our business!
Special Thanks: Yosuke Terada / Editor: Keiko (PayPay Inside-Out Editor)
* Employees’ affiliations are those of the time of the interview.