Given the worldwide tectonic shifts as seen in Covid-19, the demand for combating money laundering and other financial crimes has globally been on the rise. In April 2022, the Financial Services Agency (FSA) published a report on the current status and challenges regarding anti-money laundering, counter financing of terrorism, and counter proliferation financing in Japan, which summarizes the status of measures implemented by businesses under FSA jurisdiction as well as the FSA’s initiatives as of the end of March 2022. We interviewed three members on the front lines of PayPay’s security system, which safeguards the company from various financial crimes, about PayPay’s unique anti-money laundering and anti-fraud measures.
Hidetoshi Suzuki
Government Relations Department & Anti-Financial Crime Office, Legal & Risk Management Division, Corporate Group
He has restructured internal control systems and compliance operations at domestic and foreign securities firms, banks, and fintech companies. He also has approximately 12 years of experience in liaison with regulatory agencies. He joined PayPay in November 2021. He has been in his current position since 2022 in the second line of defense, focusing on the sophistication of the company’s AML/CFT framework and communicating with authorities.
Masaki Misu
Service Operations Division, Business Operations Group
He joined SoftBank Corp. in 1996 after a stint in his original startup e-commerce distribution business. He experienced sales, sales management, service planning, and the formulation of business operations in the start-up phase of broadband and mobile businesses. Since his transfer to PayPay in 2019, he has been in charge of all business operations in a first-line position.
Motohiro Hidaka
Anti-Financial Crime Office, Legal & Risk Management Division, Corporate Group
He joined Yahoo Japan Corporation in 2007, where he was engaged in marketing and business development of membership services. After working as a service manager, he switched to managing the safety department of C2C services and promoted various anti-fraud and risk prevention measures. Since 2019, he has been manager of the second-line department in charge of anti-fraud and AML management at PayPay.
INDEX
PayPay’s History of Combating Financial Crime and Its Speedy Risk Management Structure
Risk-sensitive president that leads in the front
Hidaka:
I believe that PayPay’s journey to strengthen security began with the rapid increase in credit card fraud and consequent financial loss to our users during our large-scale campaign in December 2018. I was at Yahoo! JAPAN at the time but still clearly remember it.
Back then, the person in charge of security implemented fraud countermeasures, such as 3D Secure and setting credit card spending limits, through trial and error, which did have a positive effect and reduced the number of fraud incidents. This situation continues to this day, and we feel that the foundation of anti-fraud measures established at that time still underpins to a great part PayPay’s business today.
What first comes to mind especially is the ground-level management style, under the leadership of our president, Nakayama-san.
Immediately after joining PayPay in April 2019, I was appointed as the Senior Manager of the Security Measures Office, which had a strict protocol of reporting any irregularities as soon as they occur and formulating both immediate and permanent countermeasures within 24 hours. I was also impressed by the way Nakayama-san himself gave direct instructions to ground-level employees, involving both the Product and Infrastructure Teams.
I noticed then that PayPay already had the mentality of implementing measures against fraud not only through “human wave attacks,” but also through taking effective countermeasures by involving system-related departments.
Suzuki:
In the finance industry, when a problem occurs and it is necessary to employ technology to solve it, it is unfortunately often the case that people only think of getting rid of the issue at hand without using technology. I think it is amazing that PayPay already established the mentality of using technology to solve matters since the early days of its existence.
Misu:
Another major difference is the speed of decision-making and on-site responses, thanks to the corporate culture. You can work quickly because you can communicate directly with management without having to worry about communicating via your supervisor when reporting accidents.
Suzuki:
It is common for delays to happen when communicating to decision-makers because there are too many people in between, which aggravates the situation or distorts the content of the report.
Misu:
At PayPay, both decision-makers and members on the ground take ownership and try to have a firm grasp of the situation, which facilitates smoother communication at meetings.
Hidaka:
We also have a system which allows us to respond immediately in the event of an accident, even in the middle of the night.
Suzuki:
I think “ownership” is an important keyword. This is slightly off topic, but during an emergency, if somebody provides a report to Nakayama-san without understanding the situation themselves, Nakayama-san will ask incisive questions and scrutinize the situation. There is a pressure where all members must properly understand and explain what is happening in their own words before reporting. I have never seen someone at the top of a company deal with problems this earnestly. It is great.
Misu:
As a team in charge of first-line operations, we also bear that in mind.
One of Nakayama-san’s words that left a deep impression on me was when he was asked the question, “Which is more important: preventing risks or making profits?” and replied “Preventing risk” without delay. While communications outside the company inevitably highlight business achievements, the president constantly emphasizes to the employees the importance of risk countermeasures, which is quite motivating.
Suzuki:
There is also a culture in which both key people and junior members think for themselves regarding the whys and hows of doing something. I have worked in various companies and financial institutions, and I feel that this is the main difference between PayPay and other banks and companies. “Because it is the law” is never the correct answer. Rather, people here take ownership and consider what the purpose of a measure is and what impact it will have. Each day we read and cross-reference laws and guidelines at work, and I doubt any other company does as much as we do.
We believe that our manner of work is recognized by the FSA and other ministries and agencies. I think it is because of our sincere efforts that people understand that at PayPay we take anti-money laundering and anti-fraud measures seriously. When I talk with the FSA, I see in the back of my mind the faces of everyone including Nakayama-san, Hidaka-san, and Misu-san. I can answer any question with confidence, even though I sometimes get asked extremely tough questions. Since we all work together as one team and take our tasks seriously, I am able to explain things clearly in my own words, which is important.
First line or second line does not matter – together we prevent money laundering and fraud
Suzuki:
As the second line of defense, the difficult part in combating money laundering and other financial crimes is gaining understanding from our employees. Usually, you would hit a roadblock when trying to explain the project to first-line departments, the president, and management. That does not happen at PayPay. Rather, Nakayama-san says, “We should do that anti-fraud measure,” and the discussion ends as simple as that. It was a shock for me.
Misu:
Nakayama-san himself has been communicating to everyone in the lines of defense that anti-money laundering and anti-fraud measures are important for the future of fintech, and this thinking has now become more widespread, including among the first line employees. I would say this is a major difference between PayPay and other banks or companies.
Suzuki:
Generally speaking, the second line tends to have the biggest say, but PayPay is the opposite. In a second-line meeting with Hidaka-san, he would occasionally say, “From the perspective of the first line, we should do this measure for the users. Considering the risks, it is understandable that we should stop the project, but we can implement it by taking a different approach,” or other things from the first-line perspective. This is rare.
In addition, in meetings with first-line members, when we, the second-line employees, bring up a proposal that we are worried about and suggest, “Maybe we should allow this,” the first-line staff often responds, “We probably shouldn’t do that.” In a good way, the first and second lines overlap to some extent. Both are highly law-abiding and have a strong sense of “there is no question of disobeying the law.” This culture was created by the firm policy of our management, and we will continue to maintain it at all costs.
Misu:
It is a valuable culture. Even in a first-line position, I always feel that I must think about the first line with a second-line perspective.
Speaking of culture, I was previously involved in a campaign for a non-PayPay business where I unintentionally violated the Act against Unjustifiable Premiums and Misleading Representations, and I got rebuked by Son-san (Representative Director, Corporate Officer, Chairman & CEO, SoftBank Group Corp.). When I reported to Son-san, together with the senior manager of marketing at the time and a member from the legal team, that we violated the law, he told me, “It is not your role to report whether or not we are violating the law. We are running this campaign to make people happy, so we should think about how we can implement it without breaking the law.” He was absolutely right. There is no progress if we only implement measures that we know beforehand play it safe from a legal perspective. We should seek new measures on the premise that they do not violate the law, but at the same time ask ourselves if it will satisfy users and serve as an adequate defense mechanism against financial crimes. To this end, I believe that culture is also about the first and second lines cooperating and exploring how we can help each other overcome risks on a daily basis.
Suzuki:
I often talk with Hidaka-san about the issue of boundaries between the first and second lines, and recently I have been thinking that boundaries should not be defined unnecessarily simply for the sake of creating one. Of course, I do not object to the three-line system that a financial institution should have, but the main purpose of clearly separating the first and second lines is that there should be someone in a position to check the first line if they are moving too fast. In the case of PayPay, there are areas where the first line functions are related to the second line, but the second line is also constantly thinking about the first line when performing tasks, so there is a part where they coalesce. Since this is working so well, I am beginning to think that we do not necessarily need clear boundaries in everything, as long as we have a system of checks and balances with a strong second line in place. This is PayPay’s style.
Hidaka:
This culture has been around since the start of the service. The reality is that at PayPay, a defensive culture is at the center, from which various functions are controlled. The first line does not overstep their mark because there are controls in place, and everyone is aware of the need to safeguard what needs to be protected.
Suzuki:
Nakayama-san also once said, “If you don’t take measures to combat fraud, you can’t provide services. So that is our priority.” The basic premise is that we do not implement anti-fraud measures because we have a service, but without prevention measures there should be no service in the first place.
Misu:
Our department is in charge of operations, so we are constantly thinking about how we can reduce the cost and time required for KYC screening, and we are trying to find a balance between new measures to achieve this and fraud prevention. You might ask, “Which is more important?” but “Do both while maintaining a good balance!” is what our management would say (laughs).
Hidaka:
That part should eventually be solved with technology. If we can achieve that balance in a way our competitors cannot, with technology that they cannot replicate, it will be a major advantage for us, and that is what I am looking forward to.
Preventing Financial Crime by Constantly Asking Why?
PayPay’s commitment to anti-money laundering
Suzuki:
Money laundering is difficult to interpret in terms of laws and regulations, as well as connecting that to actual operations, so many companies are likely to deal with it by exploring a safe line. However, at PayPay, both the first and second lines meet daily to discuss legal requirements in depth, how they affect our practice, and what specific measures will yield results. We believe that measures should not follow some prepared template, but be “organic,” which is why we combine actual cases with our own ideas to formulate measures in light of PayPay’s inherent risks.
Hidaka:
PayPay is also a pioneer in this field. It is not enough just to know the laws and regulations. After correctly understanding the background and purpose of the laws and regulations, it is necessary to consider what should be done in PayPay, determine the requirements, and explain them to others. This requires a great deal of imagination. I feel that creating something from nothing is a daily struggle not only in business, but also in the area of compliance.
Challenges and solutions with the introduction of KYC
Misu:
At the end of September 2019, we obtained a license for conducting fund transfer businesses and started eKYC at the same time. We had a very tight schedule, starting with assessments in June and releasing by the end of September, but we were able to start from scratch and launch in a short period of time.
Now, we were able to release the product itself, but the initial number of screenings grew to more than four times the expected number, so we had to keep users waiting until the screenings were completed. That experience got me thinking about usability. Therefore, in addition to the conventional method of taking photos, we released JPKI-based IC chip authentication. By doing so, we were able to produce the screening result in just a few seconds. However, at that time, the penetration of My Number Cards was only at about 30%, so we released a screening method in May 2022 that reads the IC of driver’s licenses, which many people already have. Screening with a driver’s license IC is the first of its kind in the cashless industry.
Also, as the business expands, the screening volume will increase, so the cost of screening will also be a major issue. The cost of screening has been reduced by half compared to the time when the project started, thanks to the introduction of reading ICs mentioned earlier and improvements in screening operations.
Having said that, we are not yet satisfied, and I am talking with members about how we can reduce costs by half in the next fiscal year. In order to take on such a major challenge, it is necessary to devise new measures and consider whether the risks involved are acceptable. We are discussing things with everyone in the second line as we proceed.
Suzuki:
The screening costs are decreasing dramatically.
Misu:
The gross merchandise value of PayPay payments and the number of users are increasing exponentially, so we, as an operations team, think that we should set high goals for cost reduction. The first line members do not get motivated if we set the bar too low (laughs), so it may be very difficult for some, but achieving our goals will give them confidence, and the culture of PayPay is to keep thinking, “How can we do it?”
Suzuki:
This culture is at the root of the development of PayPay’s anti-money laundering and anti-fraud measures.
Misu:
We don’t just do as we’re told. We also look at feedback from users, and ask ourselves “Could this be interpreted this way as well?”
Suzuki:
Shocking, isn’t it! First line people casually bringing up public comments. I was dumbfounded (laughs).
Misu:
If the first line does not plan and consult with other teams with a certain degree of awareness of laws and regulations, there will inevitably be a lot of back and forth. Understanding and consulting with relevant departments will help reduce the amount of work and time required for the release.
Close information sharing and collaboration among product teams and other departments
Misu:
In promoting anti-money laundering and anti-fraud measures, we have very solid cooperation not only within the three lines of defense but also with the product teams that develop the products.
I appreciate that the PMs join in from the planning stage and give us advice from the development perspective even when writing the RFP. The PMs explain the background of the project to the actual development team so that they can develop the project in a very short period of time and without rework.
Hidaka:
I also feel that a system is in place to improve PayPay’s functionality with the strong backup of the product team in various scenes of defense sophistication.
We work closely with the product teams and other specialized members of various other teams to share information, then cross-functionally pool all our knowledge and ideas on what methods can be considered to prevent money laundering and fraud.
Suzuki:
I am sure that the lack of strange sectionalism is a good thing. PayPay is a service that is at the forefront of cashless services, and we are trying to work out solutions for matters that have no precedent, so a system that allows us to share information in real time is extremely important. Usually, you keep plowing through without having a full grasp on the situation, and then after some time, you realize, “We were wrong!” But here, once we realize something is amiss, we are able to immediately change course. This is a considerable advantage. In fact, there was a time when we were informed of our mistake on the following day and we were able to swiftly remedy the situation. This is not something you can do in any ordinary company.
Close information sharing and collaboration with each team enables prompt analysis and implementation of new countermeasures in cooperation with the engineering team, as well as enhanced security of the SMS authentication feature, login management, raising awareness about phishing sites, and other security enhancements.
Protect Users from Sophisticated Financial Crimes and Provide Reassurance
Suzuki:
We are taking advanced measures to combat money laundering and fraud, and I believe that we are achieving some results. This is true not only for payment businesses like ours, but also for other financial businesses.
It is important to carefully consider whether certain anti-money laundering measures are appropriate for our business, or in terms of user convenience, how far we can go with these measures or what measures are necessary. It is easy to say, “We provide services that can be used with peace of mind,” but we are now entering a phase where we need to think hard about specific methods to realize that statement. I would like to see the public and private sectors work together with the FSA with the determination to protect users through initiatives they devise, rather than doing it because they were told to do so. We would be happy if the FSA could gain a better understanding of both our business and the behavior of users of cashless services, and then work with us to formulate future standards for laws, regulations, and guidelines for cashless services.
Misu:
As PayPay, we believe it is important to provide convenient and enjoyable services for users in this cashless era. On the other hand, comprehensive risk measures are also important. It does not mean one is prioritized over the other; we need both.
With that as a prerequisite, PayPay will be constantly releasing new services. In new areas, the legal aspects are not quite fully in place.
We were reminded of our station the other day when the FSA contacted us and told us that they were looking forward to having us set a precedent. This is not a world of “just follow the current guidelines.” Our services are moving further and further ahead, and we must create risk countermeasures in parallel. Criminals thoroughly consider how to get through countermeasures, so we need to work hard to outperform them. I would like to consider it a personal task–in a good way–to think of countermeasures every day and at the same time enjoy this situation.
Hidaka:
PayPay is just an app, but as the number of services and features grow, I feel that the weight of responsibility increases alongside. Sometimes I wonder if we can really say, “Cashlessness is safer than having cash.” It seems to me that the more services and features are provided, while many people may find it convenient, the more people become concerned. Going back to what Misu-san mentioned, realizing a “convenient and secure society” by utilizing PayPay’s technology while meeting various needs will be a challenge for the future.
How to achieve enhanced services and functions as well as user safety through the sophistication of money laundering and fraud risk scoring technology, AI technology, and identity verification technology, and under what kind of system, will be our biggest challenge in the future.
Suzuki:
Lately, many people do not consider wallets to be something that they must take with them when going out. However, they would also say that smartphones are a must. These are the times we live in.
Hidaka:
It would be a little scary if criminals started thinking that stealing a smartphone is better than stealing a wallet.
Suzuki:
We need to make solid progress in anti-money laundering and anti-fraud measures along with advances in technology to counter those issues as well. That’s all there is to it.
Thanks to: Hidetoshi Suzuki, Masaki Misu, Motohiro Hidaka / Author & Editor: Essie (PayPay Inside-Out Editorial Team) / Photographer: Tak & Keizo / Translator: Justin / Translation Editor: Jeanette
*All employee affiliations are as of the time of this interview.
