Japan’s Financial Services Agency has done something other jurisdictions have only talked about. The Financial System Council’s Working Group on Crypto-asset Systems — whose English-language report was published on 16 February 2026 — recommends that every licensed crypto-asset service provider (CASP) be required to set aside a liability reserve sized by formula, on terms close enough to the existing securities-firm regime to be governed by the same primary statute. The bill goes to the 2026 ordinary Diet session, and the implementing detail is being finalised now.
The structural news here is not the reserve. It is the formula.
The FSA’s report is precise about what it is recommending and what it is not. Under the heading “Safeguarding of Users’ crypto-assets,” the working group states: “Liability reserves should be set aside to cover compensation for customers in the event of unauthorized outflows.” That sentence does two things at once. It moves CASP customer compensation out of the “ad hoc fund, case-by-case board decision” posture that has prevailed since the Coincheck incident, and into the same kind of size-as-you-go reserve calculation that has applied to Type I Financial Instruments Business operators — Japan’s licensed securities dealers — for years.
According to The Nikkei’s reporting on the working-group deliberations, the formula draws on each exchange’s trading volume and its prior incident record. Trade press has translated that into the headline that exchanges may be required to build reserves of ¥2 billion to ¥40 billion — roughly USD 12.7 million to USD 255 million — depending on size. That is the cell range securities firms already occupy. Approved insurance can substitute for part of the cash, reducing the balance-sheet drag for smaller licensees.
The shift matters for two reasons. First, it ends the era in which “we will compensate” was a CEO statement the morning after a hack. It becomes a balance-sheet obligation enforceable by supervisors before the event. Second, it puts a number on what was previously a qualitative supervisory expectation. Japanese exchanges already know how much capital their securities-firm peers must hold to do brokerage; under the proposed rule, they will have to do the same math.
The reserve does not arrive alone. The same FSA working-group report recommends that the governing law for crypto-assets migrate from the Payment Services Act (PSA) to the Financial Instruments and Exchange Act (FIEA), classifying crypto-assets as financial instruments distinct from securities. That move drags in the supporting compliance machinery without which a reserve sits in space.
Three pieces of that machinery matter:
Without those three, the reserve is a number floating in a regulatory vacuum. With them, it is the prudential layer of a securities-style supervisory stack.
Two events are doing most of the rationale work, even when the FSA’s English summary stays at the level of “recurring incidents of crypto-asset outflows caused by cyberattacks.”
In February 2014, Mt. Gox filed for bankruptcy after losing approximately 850,000 BTC, valued at roughly USD 473 million at the time. The collapse drove Japan to become one of the first jurisdictions to write a comprehensive registration regime for crypto exchanges under the PSA.
On 31 May 2024, DMM Bitcoin lost 4,502.9 BTC — about USD 305 million — in an incident later attributed by the FBI and Japan’s National Police Agency to a North Korea-affiliated actor compromising an employee at the wallet vendor Ginco. DMM Bitcoin guaranteed customer balances, then wound the platform down and transferred accounts to SBI VC Trade by March 2025. The compensation was funded out of group balance sheet — a luxury smaller licensees would not have.
DMM is the load-bearing precedent. It is exactly the case the new reserve is designed to make survivable without depending on parent-company solvency.
One detail the trade press has been loose about and which matters for compliance teams: the FSA’s text scopes the reserve to “unauthorized outflows.” That covers hacks and unauthorised withdrawals. It is not framed as a fund for operational errors, ordinary fraud, or general insolvency. Coverage of those events will sit in the broader FIEA-import package — segregation rules, custody audits, disclosure liability — rather than in the liability reserve itself.
For exchanges drafting capital plans, that distinction is real. The reserve is sized against a specific event class. Operational risk goes elsewhere.
The US, EU and UK are working through versions of the same problem. The US relies on a patchwork of state money-transmitter bonds and SEC custody requirements, with no exchange-side compensation fund. The EU’s MiCA Title III on crypto-asset service providers requires segregation and custody discipline but leaves compensation funds to member-state discretion. The UK’s FCA cryptoasset perimeter consultation has flagged consumer-redress gaps without proposing a quantitative reserve.
What Japan is doing — applying the same numerical formula trad-finance has used since the FIEA’s enactment to crypto exchanges, and bundling it with insider-trading enforcement and statutory custody — sets a reference point those regimes will be measured against. The headline is not that Japan has decided to protect crypto users. The headline is that Japan has decided it can do so with the same arithmetic it already runs on its securities dealers, and that the answer is between ¥2 billion and ¥40 billion of reserve per licensee, depending on how large the exchange is and how often it has been broken into.
The bill is due in 2026. The formula is the news.