Risk Management

MUFG has identif­ied the risks associated with various environmental and social issues, and recognizes that they exert signif­icant influence on the Group's corporate management for sustainable growth. As a f­inancial institution that aims to be a trusted global f­inancial group chosen by the world, the Group also grasps the risks caused by its business activities and endeavors to control and reduce them. MUFG manages these sustainability-related risks within the MUFG Environmental and Social Policy Framework, which is based on the MUFG Environmental Policy Statement and the MUFG Human Rights Policy Statement. The Framework is managed by the Sustainability Committee under the Executive Committee, and it is formed to be consistent with the framework for controlling reputational risks that could damage the Group's corporate value.

In addition, the status of policies and initiatives to the environmental and social risks are discussed and reported by the Credit & Investment Management Committee, the Credit Committee and the Risk Management Committee depending on the theme. Conclusions reached by the above committees are reported to the Executive Committee, and reported to and discussed by the Board of Directors, and the Board of Directors oversees risks related to environmental and social issues.

Standard due diligence is conducted by departments that have direct contact with customers to identify and assess the environmental and social risks of business that is to be ­financed by MUFG. If it is determined that the business needs to be examined more carefully, MUFG conducts enhanced due diligence and decides whether or not to f­inance the business.

As for business that would have signi­ficant environmental and social risks and could potentially damage MUFG's corporate value or develop into a reputational risk, MUFG holds discussions on how to handle it within a framework participated by senior management. In addition, the Bank adopted the Equator Principles, a framework for identifying, assessing and controlling the environmental and social risks of large-scale projects, and conducts risk assessments in accordance with its Guidelines.

MUFG has established cyber security standards that refer to international guidelines and is engaged in the development of relevant strategies and organizational structures as well as the planning and implementation of initiatives aimed at enhancing its cyber security measures.

MUFG enacted the Cyber Security Management Declaration with the intention of strengthening the security management structure under the direct supervision of top management as a response to cyber-attacks and crimes that are becoming more advanced and sophisticated year by year. Moreover, in 2022, MUFG separated the Cyber Security Office from the Information Systems Planning Division as an independent division operating under the leadership of the Group Chief Information Security Officer (CISO). MUFG has a governance structure supporting business judgement according to changes in the surrounding environment through timely and proper reporting to the Board of Directors and the Executive Committee. Taking advantage of the structure, MUFG puts effort into the effective and efficient promotion of cyber security strategies while continuously working to defend MUFG against day to day cyber-attacks.

MUFG has set up a dedicated team focused on threat intelligence to centralize such related activities as impact analysis for newly found vulnerabilities or past experiences, and remediation for those impacts on a groupwide and global basis. Additionally, the team monitors systems for external stakeholders daily to prevent any flaws in security updates or configuration settings.

In step with the widespread popularization of electronic payment via such internet services as Internet banking, cybercrimes that target online services have become a social issue. MUFG is implementing a variety of initiatives to deliver safe and secure services to customers, such as ensuring robust online verification, thoroughgoing vulnerability countermeasures, threat intelligence, anomaly detection and suspicious-transaction monitoring.

In May 2022, MUFG was chosen by the Financials ISAC Japan^(note) to receive its fiscal 2021 annual award in recognition of the Company’s leadership in the sharing of insights and know-how regarding countermeasures against unlawful remittance and the promotion of other collaborative initiatives among financial institutions.

MUFG actively utilizes such new technologies as cloud services, AI, Robotics and Open APIs for business.

The Cyber Security Division participates in projects related to new technologies from the early stages, such as the planning and design phases. This activity contributes to the development of multilayered security measures and the realization of coexistence between safety and technology-driven transformation through proactive actions, including procedure development for the safe utilization of new technology, risk evaluation and the monitoring of configuration settings.

Cyber security measures cover a wide range of areas, including governance, threat intelligence, risk management, engineering, monitoring operation and incident response. MUFG has secured an in-house team capable of managing and carrying out the above functions.

To ensure the robust implementation of each security measure, MUFG has systematically categorized the talents and skill sets expected of security members to provide them with optimally designed human resource development programs, which combine in-house and external lectures and exercises while giving due consideration to the competencies of each member, the nature of tasks to be assigned to them and possible opportunities for their future career advancement. Furthermore, MUFG has boldly pursued the improvement of security measures in order to keep up with constant changes in technology, the utilization environment and cyber-attacks, and to nurture them in its professional capacity.

For MUFG to maintain the stable operation of its financial infrastructure, it is essential to foster the corporate culture in which each employee understands the importance of cyber security and considers what should be done as a company while acting in collaboration with other financial institutions or government authorities.

MUFG provides educational programs to not only employees directly involved in cyber security but also other employees within our group, including temporary and part-time staff, who are engaged in the planning and promotion of our services so that the whole employees are well-versed in necessary countermeasures against cyber-attacks. Furthermore, MUFG provides employees at main Group companies with e-learning, phishing mail exercises and newsletters for alerting readers of cyber-attacks and familiarizing them with proper responses. It also hosts seminars for a wide scope of Group companies. In addition, MUFG is engaged in various activities with external organizations, such as various training programs and drills hosted by the NISC (National center of Incident readiness and Strategy for Cybersecurity), the Financial Services Agency, and the Tokyo Metropolitan Police Department.

In July 2022, MUFG signed a partnership agreement involving industry-academia-government collaboration aimed at nurturing cyber security specialists. Based on this agreement, MUFG will expand the scope of interactions with partners from different sectors and universities to enhance its own cyber security measures. At the same time, we convey MUFG’s insights to society, with the aim of contributing to the enhancement of cyber security measures for society as a whole.

We are striving to provide services that our customers can feel secured by implementing a wide range of countermeasures against financial crimes as well as providing assistance for victims of such financial crime.

To prevent customers from bank transfer frauds at ATM which has been frequently occurring in Japan, we provide necessary alerts to customers by using posters or guiding them on ATM displays etc. In addition, we prohibit phone calls at ATM since mobile phones are often used for bank transfer frauds. Also, to prevent customers from damages caused by those frauds, we have some restrictions to specified customers on transactions by ATM which may cause a fraud case. When receiving requests to withdraw large amount of cash or send money at the counter of our premises, our staff would give attention to customers and ask about the purpose of the transaction, as well as cooperate with police to prevent crimes when the transaction seems suspicious.

Furthermore, for those who open a new bank account, we would check and verify customers identification and confirm the purpose of opening the account. In addition, to prevent customers’ bank account from being abused for financial crimes, we make continued efforts to give attention to customers about those crimes of selling, buying, or handing over a bank account by using leaflets and our website.

A variety of effectual security measures have been established to prevent unauthorized third-party access and fake transactions through phishing and computer viruses.

MUFG Bank (the Bank) and Mitsubishi UFJ Trust and Banking (the Trust Bank) have introduced an electronic certification system, which displays a warning message if an email from the Bank or the Trust Bank has been tampered with. This system also allows customers to confirm on their computers that the server they access during Internet transactions is authentic.

In addition, in order to authenticate online transactions for individual customers, the companies provide the “One-Time Password Card,” giving the user a password that is valid only once per transaction. (the Bank and the Trust Bank also provides this service through a smartphone application.) This service greatly reduces the risk of fraudulent transactions by third parties.

Security measures for corporate customers include the Internet services “BizSTATION” (the Bank) and “the Bank Business Direct” (the Trust Bank) and the provision of the “One-Time Password Card” (the Bank) and the “Transaction Authentication Token” (the Trust Bank).

Furthermore, MUFG has been implementing various security measures such as suggesting customers to use “Rapport”, a free anti-virus dedicated software to prevent customers' PCs from infecting malware while using our Online Banking.

Mitsubishi UFJ NICOS is committed to complying with the Payment Card Industry Data Security Standard (PCIDSS), an international security standard for the credit card industry, developed to ensure the safe handling of credit card membership data. We have obtained compliance certification for systems involving the credit card business and are striving to maintain and improve security.

To prevent customers from becoming involved in malicious credit card crimes, we have introduced a fraud detection system that uses AI and other technologies to monitor customers’ credit cards 24 hours a day, 365 days a year,  for unauthorized use by third parties.

So that customers can use their credit cards with peace of mind, we may temporarily place suspicious transactions on hold and send email messages requesting confirmation, or confirm use by the cardholder through contact by telephone or Short Message Service (SMS) following the transaction. When use by a party other than the cardholder has been determined, to prevent damage from unauthorized use we carry out procedures to suspend use of the card in question and replace it with a new card bearing a different card number.