
Risk Management

Details on MUFG's Integrated Risk Management are available on Risk Management.

Managing Environmental and Social Risks in Financing

Principles of Risk Management

MUFG has identified the risks associated with various environmental and social issues, such as response to climate change & environmental protection, as a priority issue, and recognizes that they exert significant influence on the Group's corporate management for sustainable growth. As a financial institution that aims to be a trusted global financial group chosen by the world, the Group also grasps the risks caused by its business activities and endeavors to control and reduce them. MUFG manages these sustainability-related risks within the MUFG Environmental and Social Policy Framework, which is based on the MUFG Environmental Policy Statement and the MUFG Human Rights Policy Statement. The Framework is managed by the Sustainability Committee under the Executive Committee, and it is formed to be consistent with the framework for controlling reputational risks that could damage the Group's corporate value.

In addition, the status of policies and initiatives addressing environmental and social risks is discussed and reported by the Credit & Investment Management Committee, the Credit Committee and the Risk Management Committee, depending on the theme. Conclusions reached by these committees are reported to the Executive Committee, and then reported to and discussed by the Board of Directors, which oversees risks related to environmental and social issues.

Risk Assessment Process

Standard due diligence is conducted by departments that have direct contact with customers to identify and assess the environmental and social risks of business that is to be financed by MUFG. If it is determined that the business needs to be examined more carefully, MUFG conducts enhanced due diligence and decides whether or not to finance the business.

As for business that would have significant environmental and social risks and could potentially damage MUFG's corporate value or develop into a reputational risk, MUFG holds discussions on how to handle it within a framework in which senior management participates. In addition, the Bank has adopted the Equator Principles, a framework for identifying, assessing and controlling the environmental and social risks of large-scale projects, and conducts risk assessments in accordance with its Guidelines.

The process of identifying and assessing the environmental and social risks or impacts of a business to be financed

Major Risks and Responses

MUFG has designated businesses with significant environmental and social risks as "Prohibited Transactions" if they are illegal businesses or businesses with illegal purposes and the like, and as "Transactions of High Caution" if they have a negative impact on indigenous communities and the like. It has been tightening its policy on business that has a significant impact on climate change, including coal-fired power generation. By periodically reviewing and refining the MUFG Environmental and Social Policy Framework, the Sustainability Committee will continue to address risks that may emerge as a result of changes in business activities and the business environment.

Prohibited Transactions

  • Illegal transactions and transactions for illegal purposes
  • Transactions which violate public order and good morals
  • Transactions that negatively impact wetlands designated under the Ramsar Convention
  • Transactions that negatively impact UNESCO designated World Heritage Sites
  • Transactions violating the Convention on International Trade in Endangered Species of Wild Fauna and Flora (Washington Convention)
  • Transactions involving the use of child labor or forced labor
  • Cluster Munitions and Inhumane Weapons Manufacturing

Transactions of High Caution

[Cross-sector guidelines]

  • Impact on Indigenous Peoples Communities
  • Land expropriation leading to involuntary resettlement
  • Impact on High Conservation Value areas

[Sector specific guidelines]

  • Coal Fired Power Generation, Mining (Coal), Oil and Gas, Large Hydropower, Forestry and Palm Oil Sector

Cyber Security

Basic Policy

MUFG is well aware of its social responsibility to secure the assets entrusted to it by customers and its obligation to provide secure and stable financial services. MUFG has positioned the risks and threats posed by cyber-attacks and other relevant events as one of its Top Risks and is promoting cyber security measures under management leadership.

Cyber Security Management Structure

Governance Structure

MUFG has cyber security standards that reference international guidelines and is engaged in the development of relevant strategies and organizational structures as well as the planning and implementation of initiatives aimed at enhancing its cyber security measures.

MUFG enacted the Cyber Security Management Declaration with the intention of strengthening the security management structure under the direct supervision of top management as a response to cyber-attacks and crimes that are becoming more advanced and sophisticated year by year. Moreover, at the beginning of fiscal year 2022, MUFG separated the Cyber Security Office from the Information Systems Planning Division as an independent division and enhanced the leadership of the Group Chief Information Security Officer (CISO). MUFG has a governance structure that supports business judgement in response to changes in the surrounding environment through timely and proper reporting to the Board of Directors and the Executive Committee. Taking advantage of this structure, MUFG works to promote its cyber security strategies effectively and efficiently while defending MUFG against cyber-attacks daily.

Management Structure

The MUFG Cyber Security Fusion Center (MUFG CSFC), which was launched as a security center to provide threat analysis and security measures, plays key roles in around-the-clock monitoring and incident response on a groupwide and global basis.

Furthermore, MUFG has set up MUFG-CERT as an umbrella organization that cooperates with the Computer Security Incident Response Teams (CSIRTs) of Group companies in the event of a cyber security incident. MUFG conducts periodic exercises and drills to ensure that it can promptly and reliably carry out activities such as information sharing, decision making, external public relations, and technical countermeasures. In addition, MUFG has stepped up collaborative activities with government agencies, other companies in the financial industry, and security communities including the Nippon CSIRT Association.

Cyber Security Governance Structure (MUFG)

Main Initiatives to Counter Cyber Security Threats

Security Measures to Counter Growing Threats

Given the current international situation and the global threat of ransomware, the risk of cyber-attacks has been increasing. MUFG has set up a dedicated team focused on threat intelligence to centralize related activities, such as impact analysis for newly found vulnerabilities or past experiences and remediation of those impacts, on a groupwide and global basis. Additionally, the team monitors systems for external stakeholders daily to prevent any flaws in security updates or configuration settings.

In step with the widespread popularization of electronic payments on the internet, such as Internet banking, cybercrimes that target online services have also become a social issue. MUFG is implementing a variety of initiatives to deliver safe and secure services to customers, such as robust online verification, thorough vulnerability countermeasures, threat intelligence, anomaly detection, and suspicious-transaction monitoring.

Our Response to Digital Transformation (DX)

MUFG actively utilizes new technologies such as cloud services, AI, Robotics, and Open APIs for business.

The Cyber Security Division participates in projects related to these new technologies from the early stages, such as the planning and design phases. This involvement contributes to the development of multilayered security measures and to the coexistence of safety and technology-driven transformation through proactive actions, including procedure development for safe utilization of the new technology, risk evaluation, and monitoring of configuration settings.

Nurturing Security Specialists

Cyber security measures span a wide range of areas, including governance, threat intelligence, risk management, engineering, monitoring operation, and incident response. MUFG has secured an in-house team capable of managing and carrying out the above functions.

To ensure the robust implementation of each security measure, MUFG has systematically categorized the talents and skill sets expected of security members in order to provide them with optimally designed human resource development programs. These programs combine in-house and external lectures and exercises while giving due consideration to the competencies of each member, the nature of the tasks to be assigned to them, and possible opportunities for their future career advancement. Furthermore, MUFG has boldly pursued improvement of security measures in order to keep up with constant changes in technology, utilization environment and cyber-attacks, and to develop its members as professionals through these opportunities.

Providing Cyber Security Education to Foster a Proper Culture

For MUFG to maintain the stable operation of its financial infrastructure, it is essential to foster a corporate culture in which each employee understands the importance of cyber security and considers what should be done as a company while acting in collaboration with other financial institutions or government authorities.

MUFG provides educational programs not only to employees directly involved in cyber security but also to those engaged in the planning and promotion of business services, so that every employee is well-versed in necessary countermeasures against cyber-attacks. Furthermore, MUFG provides all employees at main Group companies with e-learning, phishing mail exercises, and newsletters that alert them to cyber-attacks and familiarize them with proper responses, and hosts seminars for a wide range of Group companies. MUFG is also engaged in various activities with external organizations, such as collaboration with Financials ISAC Japan, the IT security association of financial institutions, and participation in various training programs and drills hosted by the NISC (National center of Incident readiness and Strategy for Cybersecurity), the Financial Services Agency, and the Tokyo Metropolitan Police Department.

Combating Financial Crime

We strive to provide services that our customers can use with a sense of security by implementing a wide range of countermeasures against financial crimes as well as providing assistance for victims of such crimes.

Measures to Protect Customers from Bank Transfer Fraud

To protect customers from bank transfer fraud at ATMs, which has been occurring frequently in Japan, we alert customers through posters, guidance on ATM displays, and similar means. In addition, we prohibit phone calls at ATMs, since mobile phones are often used in bank transfer fraud. To prevent customers from suffering losses from such fraud, we also place restrictions for specified customers on ATM transactions that may lead to a fraud case. When customers request to withdraw a large amount of cash or send money at the counter of our premises, our staff alert them and ask about the purpose of the transaction, and cooperate with the police to prevent crimes when the transaction seems suspicious.

Furthermore, for those who open a new bank account, we check and verify the customer's identification and confirm the purpose of opening the account. In addition, to prevent customers' bank accounts from being abused for financial crimes, we make continued efforts to alert customers, through leaflets and our website, to the crimes of selling, buying, or handing over a bank account.

Measures to Prevent Loss from Counterfeit or Stolen ATM Cards

IC cards have been introduced to prevent harm due to cash card forgery and theft. To prevent others from peeping at the screen, rearview mirrors have been installed, and ATM screens have been equipped with polarized film and display reminders about password management.

Security Measures for Internet Banking Service

A variety of effective security measures have been established to prevent unauthorized third-party access and fraudulent transactions through phishing and computer viruses.

MUFG Bank (the Bank) and Mitsubishi UFJ Trust and Banking (the Trust Bank) have introduced an electronic certification system, which displays a warning message if an email from the Bank or the Trust Bank has been tampered with. This system also allows customers to confirm on their computers that the server they access during Internet transactions is authentic.

In addition, in order to authenticate online transactions for individual customers, the companies provide the “One-Time Password Card,” giving the user a password that is valid only once per transaction. (The Bank and the Trust Bank also provide this service through a smartphone application.) This service greatly reduces the risk of fraudulent transactions by third parties.

Security measures for corporate customers include the Internet services “BizSTATION” (the Bank) and “the Bank Business Direct” (the Trust Bank) and the provision of the “One-Time Password Card” (the Bank) and the “One-Time Password Token” (the Trust Bank).

Furthermore, MUFG has been implementing various security measures, such as recommending that customers use “Rapport,” free dedicated anti-virus software that protects customers' PCs from malware infection while they use our Online Banking.

Efforts to Detect Unauthorized Credit Card Use

Mitsubishi UFJ NICOS is committed to complying with the Payment Card Industry Data Security Standard (PCI DSS), an international security standard for the credit card industry developed to ensure the safe handling of credit card membership data. In September 2010, we acquired compliance certification for the EC Card Payment System, which provides credit card payments via the Internet. Since then, the scope of application has been gradually expanded, and in December 2014 we obtained compliance certification for major systems. We continue striving to maintain and improve security.

Also, in order to prevent customers from being involved in malicious credit card crimes, we have introduced a fraud detection system which monitors customers’ credit cards 24/7 for unauthorized use by third parties.

In order for customers to use their credit cards with peace of mind, we may temporarily suspend the use of the relevant credit cards and contact the card holders when suspicious transactions are detected on the credit card accounts. For customers whose card information may have been leaked to a third party, we are taking measures such as replacing the credit cards in question with new cards.

Acquisition of ISO/IEC 27001 Certification

The operational units for the NICOS card production systems at Mitsubishi UFJ NICOS have acquired the internationally recognized ISO/IEC 27001 certification for information security management systems as a part of their efforts to.

Acquired PrivacyMark (PMark) Licensed Operator Certification

NICOS and ACOM have obtained PrivacyMark (PMark) certification from the Japan Institute for Promotion of Digital Economy and Community (JIPDEC), which evaluates the level of protection of personal information. PrivacyMark (PMark) certifies that a business operator complies with the JIS standard for personal information (JIS Q 15001:2017) and has established a system to take appropriate protection measures for personal information. We are working to maintain and improve the level of protection of customers' personal information.

(As of October 2022)