April 25, 2006
Financial Services Agency
Government of Japan
Administrative Actions on Mizuho Bank
Mizuho Bank Ltd. submitted a notice on misconduct and other matters under Article 53 (1) of the Banking Law and Article 35 of the Enforcement Regulations of the Banking Law and an accident report on the leakage of personal information under Article 22 of the Guidelines for Protection of Personal Information in the Financial Sector. The Financial Services Agency (FSA) received a report that the Bank had discovered the leakage of customer information outside its branch upon the notification from the police.
In response to the report on the present case, the FSA ordered the Bank to report on the facts concerning the leakage of customer information, the current state of internal control framework, etc. under Article 24 of the Banking Law and Article 32 of the Personal Information Protection Law.
According to the said report, the following matters have been confirmed: (1) Mizuho Bank recognized that its employee was involved in leaking its customer information outside upon the notification of the leakage by the police; (2) customer information leaked outside relates to 628 individual customers (name, address, phone number, date of birth, account number, etc.) and 623 corporate customers (company name, address, phone number, date of establishment, etc.) of the Bank's Shinjuku Nishiguchi branch; and (3) the customer information was taken out illicitly by a person in the position of section chief at the branch.
As a result of examining the said report, the FSA identified serious problems in the Bank's internal control system for customer information, attributable to its inadequate management stance towards compliance. These include inadequate oversight of employees, in addition to the failure to detect the leakage of customer information because, among other things, appropriate rules for preventing such leakage were not in place.
Furthermore, the FSA determined that it is necessary to protect the rights and interests of individuals, as such a situation breaches the duty to take security control measures set forth in Article 20 of the Personal Information Protection Law and the duty to oversee employees set forth in Article 21 of the said Law.
For the reasons mentioned above, the FSA issued a Business Improvement Order pursuant to Article 26 (1) of the Banking Law and made recommendations under Article 34 (1) of the Personal Information Protection Law with respect to the Bank today as follows.
Business Improvement Order based on Article 26 (1) of the Banking Law
(1) In order to establish a compliance system and ensure fair and proper operations, the internal control system for customer information must be improved and enhanced at the branch with due emphasis on the following points, in consideration of the nature of the incident in that the deed was done by a person with specific authority at the branch:
(i) An unequivocal statement of commitment by the management regarding compliance (including establishment of a clear system of responsibility);
(ii) Establishment of an effective customer information control system aimed at preventing the leakage of customer information.
(2) A plan to improve business operations pertaining to (1) described above must be submitted by May 25, 2006 and implemented promptly. (The improvement plan must encompass the development and establishment of a governance and internal control system to ensure the implementation of the plan, as well as a clear assignment of responsibilities to ensure the effectiveness of the plan.)
(3) Subsequent to the implementation of (2) described above, and until the plan to improve such operations is fully carried out, a summary outlining the progress and implementation of the plan, etc. must be prepared every three months, starting at the end of June 2006, and is to be submitted by the 15th day of the following month.
Recommendations under Article 34 (1) of the Personal Information Protection Law
(1) Measures required to protect the rights and interests of individuals should be taken with respect to the following, in consideration of the nature of the incident in that the deed was done by a person with specific authority at the branch:
(i) Ensure effective security control measures for personal data.
(ii) Strictly oversee employees to ensure the security control of personal data.
(2) Measures taken pertaining to (1) described above should be reported by May 25, 2006.
Financial Services Agency, Government of Japan
Tel: +81-3-3506-6000 (main)
Banks Division I, Supervisory Bureau (ext. 3321)