Japanese
November 26, 2021
 Financial Services Agency
 (English version: published December 15, 2021)
 

  Administrative Actions against Mizuho Bank, Ltd. and Mizuho Financial Group, Inc.

 
 The Financial Services Agency issued business improvement orders as follows to Mizuho Bank, Ltd. (the "Bank"; 6010001008845) and Mizuho Financial Group, Inc. (the "Company"; 9010001081419) today.
   

I. Content of the business improvement orders

[Mizuho Bank] (Article 26, paragraph (1) of the Banking Act)

1.  Promptly implement the measures the Bank has formulated to prevent recurrence of system failures.

(1)   Measures for preventing recurrence of system failures that incorporate necessary measures ascertained through reexamination and review of the current measures

(2)   Specific initiatives for developing a governance framework necessary for ensuring stable system operation

(3)   Specific initiatives for improving business, addressing the root causes of the system failures as described in II.9. below.

3.  Report about the clarification of management responsibilities based on the causes of the system failures.

4.  Submit the business improvement plan mentioned in 2. above and the report mentioned in 3. above, together with a report on the implementation status of the recurrence prevention measures mentioned in 1. above as of the end of December 2021 by Monday, January 17, 2022.

5.  Compile the implementation status of the business improvement plan mentioned in 2. above (including the results of the reexamination and review of the plan) as of the end of March 2022 as the first report, and for every three months thereafter, and submit the report thus compiled by the 15th of the following month.

[Mizuho Financial Group] (Article 52-33, paragraph (1) of the Banking Act)

1.  Promptly implement the measures the Company has formulated to prevent recurrence of system failures.

2.  Formulate a business improvement plan regarding the following matters as a bank holding company (including examination and necessary review of the business improvement plan formulated by the Bank) and promptly implement the plan. Additionally, reexamine and review the plan on an ongoing basis.

(1)   Measures for preventing recurrence of system failures that incorporate necessary measures ascertained through reexamination and review of the current measures

(2)   Specific initiatives for developing a governance framework necessary for ensuring stable system operation

(3)   Specific initiatives for improving business, addressing the root causes of the system failures as described in II.9. below.

3.  Report about the clarification of management responsibilities at the Company based on the causes of the system failures.

4.  Submit the business improvement plan mentioned in 2. above and the report mentioned in 3. above, together with a report on the implementation status of the recurrence prevention measures mentioned in 1. above as of the end of December 2021 by Monday, January 17, 2022.

5.  Compile the implementation status of the business improvement plan mentioned in 2. above (including the results of the reexamination and review of the plan) as of the end of March 2022 as the first report, and for every three months thereafter, and submit the report thus compiled by the 15th of the following month.

II. Reasons for the Administrative Actions

  Based on the FSA's inspection and the reports submitted under Article 24, paragraph (1) and Article 52-31, paragraph (1) of the Banking Act, it is found that the Bank and the Company need to respectively deliberate, formulate and promptly implement business improvement plans based on these administrative actions and to clarify management responsibilities, as described in the reasons below, in order to ensure sound and appropriate operation of banking business.

1.  The Bank caused system failures affecting its customers eight times in total from February to September 2021. Regarding the system failure on February 28, it was found that the Bank conducted data migration without sufficiently considering the risk of conducting such operation at the end of the month, when the system generally becomes overloaded, and resulted in causing suspension of services at a number of ATMs. Cash cards and passbooks were swallowed by ATMs and a number of customers were forced to keep waiting. At the time of the system failure on August 20, over-the-counter services were suspended at all branches for a certain period of time.
 Furthermore, in the restoration process after the system failure on September 30, a problem was found in relation to the Bank's compliance with laws and regulations on asset freezing and other economic sanctions, as well as the Guidelines for Anti-Money Laundering and Combating the Financing of Terrorism.

2.  The Bank and the Company, which is its parent company, thus caused multiple system failures in a short period and exerted a significant impact on their individual and corporate customers. They not only failed to sufficiently fulfil their roles as financial institutions, which are supposed to serve as a part of social infrastructure, but also undermined  trust in Japan's payment systems. The responsibilities of the management of the Bank and the Company are serious.

3.  Direct causes of the series of the recent system failures are found as follows.

・The Bank has failed to conduct verification sufficiently for ensuring quality in system development and responses to failures.

・The Bank has not developed a maintenance and operation structure to ensure stable operation of its new core system (hereinafter "MINORI"), such as failing to correct problems in system maintenance and operation and to govern outsourcees sufficiently.

・The Bank has failed to verify its preparedness for emergencies sufficiently through drills and training.

4.  As the background, it is found that the leadership of the Bank and the Company incorrectly considered that MINORI had been operating stably, without ascertaining and understanding the actual situation of the IT section sufficiently, and was overconfident in the property of MINORI that it would limit the impact only locally even in the event of a system failure. Accordingly, the leadership did not sort out the requirements for ensuring stable operation of MINORI (including measures necessary for minimizing damage in an emergency) but just forwarded the shift from the development phase to the maintenance and operation phase. Furthermore, the leadership promoted structural reform, including the reshuffling of the personnel required for the maintenance and operation of MINORI and the reduction of maintenance and operation expenses.
 Additionally, it is found that the operating officer of the Bank incorrectly considered that MINORI had been operating stably, and continued reshuffling the personnel and succeeded to the operations from the vendor, without ascertaining the actual status of system risk management.
 As a result, the leadership of the Bank and the Company is found to have weakened the operation environment of MINORI, etc.

5.  These actions and inactions were considered to be one of the causes that have weakened the IT section's capability, such as its ability to manage failure signs and to conduct work for recovery from a failure, which was revealed in the series of the system failures that occurred from February to September of this year.

6.  The Bank's board of directors has not developed a system risk management environment that would fulfill check functions effectively, such as having the Bank continuously report the status of failure analysis and failure sign management, the status of failure-related training, and appropriate allocation of IT personnel. Therefore, it has failed to ascertain the vulnerability in the operation and management of complicated MINORI, etc. and is unable to give appropriate instructions to the operating officer of the Bank.

7.  The Company, which is a bank holding company, should have managed and controlled the Bank appropriately, but the following governance-related problems are found in the Company itself.

・ The management in charge of the execution of business promoted the structural reform without fully disseminating its purpose of aiming for appropriate allocation of resources among staff of the Company and the Bank. As a result, emphasis was placed on cost optimization, and the personnel required for ensuring the stable operation of MINORI were reshuffled and the required maintenance and operation expenses were reduced, without sufficiently listening to opinions of the IT section.

・ The board of directors did not fully discuss the personnel reduction plan and status of workload in relation to system risks accompanying the structural reform.

・ The operating officer has not formulated clear ideal types of personnel that serves as the guidelines for appointing or training candidate of CIOs, who is required to have a high degree of expertise, including that for risk management based on past system failures. The board of directors has not sufficiently discussed the ideal types of candidates for a group CEO and major managerial personnel.

・ Despite the fact that the Risk Committee had selected large-scale system failures upon the introduction of top risk management methods and had proposed that it would be important to formulate actions against selected top risks, the Company's leadership did not take measures sufficiently, nor has the Risk Committee conducted follow-up checks.

・Despite the fact that the Audit Committee had cited IT-related governance framework as one of the priority themes of auditing, it only received a report from the Company's internal audit group that there was nothing for which improvement would be recommended, and did not give any specific instructions, such as requesting a further investigation and report concerning the appropriateness of the allocation of management resources.

8.  In response to the system failures in February and March 2021, the Bank and the Company expressed their commitment to making organization-wide efforts for fundamentally preventing recurrence and published recurrence prevention measures on June 15. However, considering the fact that system failures occurred four times in August and September and  that some of the causes of these four system failures were not included in the scope of checking in the recurrence prevention measures, it should be said that the recurrence prevention measures were only limited.

9.  FSA considers that the root causes of these problems in terms of systems and governance are as follows.

(1)   Disregard for system-related risks and expertise

(2)   Disregard for the actual situation of the IT section

(3)   Lack of sensitivity to the impact on customers and disregard for the actual situation of the sales section

(4)   Attitude to refrain from saying what needs to be said and to only do what was instructed

  Many of these root causes also apply to the Bank's system failures that occurred in 2002 and 2011. In light of this, it should be said that even if the Bank and the Company have taken measures for each of the past system failure, some of those measures based on past lessons have not been continued, or the Bank and the Company have failed to make appropriate responses to environmental changes. From these perspectives, the self-cleansing mechanisms cannot be found to have worked sufficiently.

10.  Accordingly, the Bank and the Company need to formulate business improvement plans regarding the following (for the Company, including the examination and the necessary review of the business improvement plan formulated by the Bank) and promptly implement the plans, and reexamine and review the plans on an ongoing basis.

(1)   Measures for preventing recurrence of system failures (including the development of a system risk management environment necessary for ensuring stable operation of MINORI, etc. and measures for minimizing the impact on customers in the event of a system failure, and for the Company, including improvement measures pertaining to appropriate allocation of resources)

(2)   Specific initiatives for developing a governance framework necessary for ensuring stable system operation

(3)   Specific initiatives for strengthening organizational acting capability and changing behavior, by transforming such corporate culture as disregarding system-related risks and expertise, disregarding the actual situation of the IT section, lacking sensitivity to the impact on customers and disregarding the actual situation of the sales section, and refraining from saying what needs to be said and only doing what was instructed, as cited as the root causes of the series of the system failures, and by making each officer and employee more sensitive to the impact on customers

Contact

Banking Business Division Ⅰ, Supervision Bureau Financial Services Agency

Tel +81-(0)3-3506-6000(ext. 3444, 3328)

Site Map

top of page