Inside Japan’s Crypto Framework: A Conversation with JFSA's Ryosuke Ushida

Ari Redbord (00:02):

I am Ari Redbord and this is TRM Talks. I'm Global Head of Policy at TRM Labs. At TRM we provide blockchain intelligence software to support law enforcement investigations and to help financial institutions and cryptocurrency businesses mitigate financial crime risk within the emerging digital asset economy. Prior to joining TRM spent 15 years in the US federal government, first as a prosecutor at the Department of Justice, and then as a Treasury Department official where I worked to safeguard the financial system against terrorist financiers, weapons of mass destruction, proliferators, drug kingpins, and other rogue actors. On TRM Talks, I sit down with business leaders, policymakers, investigators, and friends from across the crypto ecosystem who are working to build a safer financial system. Today on TRM Talks, I sit down with Ryosuke Ushida of the Japanese Financial Services Agency, but first inside the lab where I share data-driven insights from our blockchain intelligence team.

(01:06):

According to a TRM Labs report, North Korea was behind the largest cryptocurrency hack in history, the theft of $1.5 billion from the Bybit exchange in early 2025. This single event eclipses all of DPRK's previous exploits and marks a stunning escalation in their cyber operations. North Korea cyber actors moved quickly within hours. They bridged the stolen funds from Ethereum to Bitcoin and began layering transactions through mixers, OTC brokers and crosschain swaps accelerating the pace of laundering. This was not just another hack, it was a clear evolution, faster stealth, and increasingly decentralized. Why does it matter? First, from a national security perspective, North Korea is not just a rogue cyber actor, it is a nation state funding weapons programs with digital assets. When DPRK steals crypto, those funds are used for ballistic missile tests, nuclear development, and other destabilizing activity. Second, it undermines trust in the broader crypto ecosystem.

(02:06):

The faster North Korea moves, the harder it becomes for exchanges, compliance teams, and even law enforcement to react in real time. The Bybit hack is a reminder that sophisticated state actors are targeting the infrastructure of crypto itself. The response to this event matters. Crypto builders must prioritize cybersecurity as core infrastructure. Law enforcement must work closely with blockchain intelligence firms like TRM to collaborate in real time to trace funds, identify laundering patterns and freeze assets before they leave the blockchain. For more on the Bybit hack, listen to TRM Talks with Nick Carlson and Jean Lee and go to our website at trmlabs.com/resources to read our reports on the Bybit hack and the North Korea threat.

(02:56):

Now I sit down with the JFSA's,Ryosuke Ushida. Ryosuke, we have known each other a long time. I'm really, really looking forward to this conversation today. You have been really working as a regulator in the cryptocurrency digital assets blockchain space for a long time. I say that in the very early days when I got to TRM, I looked around the world at sort of who were the really key regulators and who were the people at those regulators that were really experts on this. And you were very early. One of those people that I identified and have really looked to you for sort of how JFSA and sort of APAC and broader globally regulators are working on these crypto issues. How did you find yourself in this position as sort of one of the most important regulators in the world? Was it a specific interest in FinTech? Tell me about your journey.

Ryosuke Ushida (03:48):

So I joined FSA back in 2010 just after graduating university. And my background was engineering. I used to be a traditional regulators and I'm doing traditional supervision and then kind of planning for the banks and then incumbent players. But it was in 2019 when my boss asked me to do blockchain because FSA needs someone who knows a lot about blockchain technologies and then who can develop future policies to regulate crypto asset and in something like stablecoin in a safe and secure manner. So that's why I decided to move to Washington DC to Georgetown University as a blockchain researcher. And then I spent two years and my first academic paper, it's about Defi and then DAO and then the point is the exist centralized aspect of so-called defi and then that could be potentially point of regulation. So that's some academic work I have been doing until 2021. Then I came back to Tokyo and since then I have been in charge of FinTech and the innovation portion at FSA and blockchain. And then my boss asked me, you can do blockchain, so why not doing ai? So now I'm doing not only blockchain but AI.

Ari Redbord (05:09):

Fantastic. Yeah, let's dig in a little bit to that. I think that sounds terrific. Someone's going to call me out on this from a different jurisdiction, but I believe Japan is the first country in the world with crypto asset specific regulation. First of all, is that correct? And second of all, talk me through those early days of it.

Ryosuke Ushida (05:26):

So Japan is one of the first country to introduce crypto regulation and then we have a reason for that. So more than 10 years ago that crypto exchange named the Mt. Gox. So at that time was 70% of global bitcoin transaction was taking place in exchange located in Tokyo. And then of course regulators didn't know about that at all. And then in 2014 the Mt. Gox went bankrupt suddenly and then 500 million is directly variant of Bitcoin was lost. So obviously there's no regulation for those services. So it has huge investor protection and the FT implications. So it was a wake up call for FSA, so we decided to develop a regulatory framework for crypto service providers and then we made that in 2016 and then that's at the start of our journey. But even after that we had another incident like Coin Check. So again, a lot of crypto asset was lost and then some nation actors like North Korean related have cuts were involved in this kind of incident. So we decided to tighten regulation for the safe custody of customers assets. So we have been updating our regulatory framework. So it's kind of unfortunate that Japans already adapt of blockchain, bitcoin regulation, but we have a good experience thanks to that.

Ari Redbord (07:00):

It's interesting. Japan was very much in the early days of major incidents within the crypto ecosystem, but it seems to have prepared Japan for later events like FTX, that it seems like you've weathered better than other jurisdictions. What sort of protections did you put in place in the wake of Mount Gox coin checks, other incidents?

Ryosuke Ushida (07:23):

So when it comes to the FTX incidents, so FTX Japan's customers was one of the most protected customers compared to other countries and investors because FTX and Japan was registered in Japan and then they are subject to the strong custody requirement. So for example, they need to segregate customers asset from other asset and then that should be put in the cold wallet in the offline environment. So if the wallet was kind of isolated from global custody wallet of FTX global, so the customers and Japan's customers asset was put into that wallet. So therefore even under the bankruptcy and Japanese and FTX customers got their fund back much earlier than other investors in different countries. So that's one of the examples that our regulatory framework works relatively and it seems some other jurisdictions are implementing similar regulation for the investor protection. So that's something we can share with international colleagues.

Ari Redbord (08:32):

Talk me through a little bit about Japan's regulatory framework today from a high level how you see FSA's framework in place today.

Ryosuke Ushida (08:38):

So we already have comprehensive framework for crypto asset and the stablecoins and then as a tokenization like digital tokenized securities. So unlike some other countries, we have specific regulation for crypto stablecoin and the organization. So we needed to amend our regulation like every year to adjust the technological learning business development and therefore crisp, as I mentioned, we have very good regulatory framework from investor protection and the ML safety perspectives. And then we regulated crypto service providers and the payment services act because we believed 10 years ago that something like Bitcoin could be used as a means of payment, but in other countries security regulation often apply to the crypto services. So that's the kind of future consideration for FSA. Actually, we are now discussing how we can consider crypto asset as a means of investment not only for the means of payments, which means we might need more regulatory requirement for market protection.

(09:47):

So market regulation like insider trading prevention, the comment, it's not in place for now. So that's something for future consideration. And then for stablecoin, again, obviously it's a means of payments. So stablecoin is also regulated under Payment Services Act, but we assume both stablecoin insurance and intermediaries and then for issue banks and payment service providers and then trust company can be issuer and then slightly different regulatory framework apply to each entity. And then basically stablecoin immediately it's regulation, it's similar to that of crypto asset service providers. So again, they need to subject to the strong investor protection and then shift requirement. So that's a basic framework. And the tokenization, it's tokenized corporate bond, tokenized real estate, it's a security so is now regulated and security act named the Financial Instrument and the Exchange Act. So different regulation is applying to tokens depending on the economic characteristics of them.

Ari Redbord (10:55):

Fantastic. You mentioned AML, CFT. This is TRM Talks, so everyone knows those terms, but anti-money laundering, countering terrorist financing, others are hot topics. On this show you have been the co-chair of the virtual asset contact group, which is the crypto working group within the FATF, the financial action taskforce. Everyone knows FATF on this show, but it's essentially the UN of anti-money laundering. It's 37 member states that come together to try to stop illicit finance globally. That's one of the reasons I think we know each other well is we've done a lot of briefings and we've spent a lot of time together in the context of FATF. Would you talk a little bit about your role personally but then also sort of JFSA's role on the FATF over the last six years plus as sort of co-chairs there?

Ryosuke Ushida (11:41):

Sure. So I have been co-chairing financial action task force virtual asset contact group since 2023. But even before that my was taking that role since the inception of the group and Japan has been doing co-chairing task in collaboration with another co-chair from US Treasury. And then I think the big mandate of this group is to accelerate and global implementation of part of recommendation related to a robust and virtual asset, which is Recommendation 15 and then have to say that still the implementation, it's not well advanced in many jurisdictions, especially follow low capacity jurisdiction. It's not easy to implement ML safety requirement like Travel Rule because it's technically difficult in a sense. And that's why one of our priority as part of is to help those jurisdictions to implement our recommendations. So we have been conducting a number of technical assistance and the workshop and then of course we are working with international organization like IMF and the World Bank. So that's some effort we have been doing. And then of course private and the public sector partnership is indispensable in this fast changing environment. So that's why we invite expert direct TM levels frequently to our meeting and then to develop a policy and then to accelerate implementation.

Ari Redbord (13:16):

Terrific I know everyone again is tracking the Travel Rule, but it's essentially the rule that says that any VASP virtual asset service provider cryptocurrency exchange essentially must send identifying information along with the transaction. And we have many, many VASPs globally that are doing that today. We have some that are not, it becomes bigger issue sort of more of a hot issue when it comes to self-hosted wallets or defi where it's much more difficult to do that. That's obviously been a huge focus for the financial action task force for a long time. What do you see as some of the other priorities for FATF right now?

Ryosuke Ushida (13:52):

So one of the big topic is stablecoin. So we have a variety types of stablecoin and then some stablecoins has been used for ilicit purposes. So stablecoin is easy to use as a means of payments, so it's stable, so it can be used to purchase something without exchange it into fiat currency. So sometimes they may not need VASPs anymore because they can use stablecoin to buy something. So it's good in a sense, but of course bad guys also can use stablecoin for illicit purposes. So we are going to develop short paper on stablecoin and then P2P transaction could be covered from that perspectives and then we will make analysis on the kind of typologies and then how stablecoin is going to be used and what are the risks out there and how we can mitigate the risks. Then of course, stablecoin issues can implement some measures to mitigate the risks like freezing function if the stablecoin was transferred to the let's say sanctioned wallet. So that kind of mitigation measures it's quite important. So that's exactly where we need a more discussion with private sectors. And then we have to be careful about emerging risks like Defi and then again P2B transactions. So we will monitor market development and then take necessary actions as needed.

Ari Redbord (15:26):

No, I think that's been really smart. I think for folks who don't follow FATF really should in terms of that guidance around anti-money laundering. And there's been times where FATF has talked about defi has talked about NFTs, but I really think it's mostly backed away from those issues to watch how the market plays out a bit. And I really sort of admire that approach. I think that's the right approach, see how things sort of develop but focus on the centralized exchanges where you've really been focused the last few years. stablecoins is a really interesting one, right? Because the promise of it is this idea of cross-border value transfer for payments, but at the same time, as you said, bad actors like to move funds faster across border also in a sort of stable way. And that's why we've seen stablecoins used for lawful activity at scale now and also illicit activity at scale. Now whether it's with your FATF hat on or your FSA hat on you choose, what are some of the other sort of big risks that you see within the crypto ecosystem?

Ryosuke Ushida (16:19):

I would say cybersecurity and hacking risks are quite important. So as all of us know, we had a high profile incident at Bybit and in Japan we had another incident to the exchange named the DMM. So a lot of crypto asset was stolen and then still investigation is going, but some niche actors might involve in that incident. So there's an obvious threat not only for Japan and then for international society. So that's something part of an FSA should work together to prevent, not to make that happen again. So that's why it's not only FSA, but as a Japanese government for department and the Ministry of Justice and the Ministry of Finance and then about ministries working together to develop some kind of action plan to prevent those terrorist financing and then for efficient financing and then we send warning letter to our financial institutions and the crypto service providers to be careful about those risks. And then some IT North Korean related IT workers might get involved in your businesses. So we kind of cautioned and industry again and again about those risks. And I think it's a kind the buying story. So we have to monitor market development and then we have to take whatever actions which is to prevent those risks.

Ari Redbord (17:52):

This is something you and I have spent time on before. I think you'll remember this. I know you were there. We were together, it was about two years ago and it was the virtual asset contact group meeting for the FATF in Tokyo. And I got up the first morning of the meeting and the newspaper headline was that there was a missile launched by North Korea and it really hit home just how close you are and immediately Takahide your predecessor opened up the meeting by talking about this as an existential threat and it really hit home how close, how very real it is in Japan, the threat of North Korea. And when you see them steal 1.5 billion from the crypto ecosystem a couple of weeks ago, it becomes even more real. And I couldn't agree with you more. I think it's a real existential threat. It's so important. I do think that we've seen vasts really come together over the last few weeks to try to stop and freeze funds. We've seen stablecoin issuers, freeze funds, so I think I have seen this ecosystem come together in a way I hadn't necessarily seen before over the last few weeks. Is that something that you're seeing on your end as well?

Ryosuke Ushida (18:53):

Yeah, I think it's a quite good positive progress. And even in Japan we had a good progress. So one example, its Japan Crypto ISAC was established just this month. So it's information sharing mechanism among vast about incident information. So cooperation between VASPs are quite important. So it's quite encouraging that industry are working together to develop policies to tackle these challenges. And then of course FSA are supporting these initiatives and supervisoryaction, it's needed. Of course we'll do that. That's fantastic. You

Ari Redbord (19:31):

Mentioned ai, so I'll ask sort of how do you think of AI? I think of basically sort of in two major buckets for us at TRM, it has really supercharged our ability to trace and track transactions. We've leveraged it in our tool, we've leveraged it in our workflows. It's really become a huge part of what we do and how we support regulators, law enforcement, compliance teams globally now. But we're also always thinking about are how our illicit actors leveraging AI in order to commit ransomware attacks and scams and supercharge illicit activity by also leveraging this sort of transformative technology. How do you think of it as FSA and what's next? How are your regulated entities thinking about it?

Ryosuke Ushida (20:15):

I think you are right. So AI is double-edged sword. So it can be used for good purpose and bad purposes. And then our basic approach is we strongly encourage Japanese financial institutions to use AI for the good use cases. Actually, Japanese people are very conservative in using AI. So we and the government of Japan took survey to nearly 20 countries about how comfortable are you in using AI under existing regulation. And then Indian says 80% is okay, and then in Chinese, 70% it's okay. And in Singapore it's around 50%. And in Germany, 39% I think, and the United States around 30%.

Ari Redbord (21:04):

And that's a percentage of people who are using the technology today?

Ryosuke Ushida (21:08):

It's a percentage of people who feel comfortable in using AI under existing regulation. Where's Japan on that list? Japan, it's at 13%. So it's a lowest among 20 countries. I dunno why, but Japan is very, very conservative about adapting emerging technology like generative AI. So that's the reason if we say, try to encourage very conservative financial institutions to actively consider positive use case of AI. So of course there are the risks of AI such as halucination and lack of explainability and bias, and of course they have to take care of that, but we believe the opportunities and the potential benefit of using AI would be higher than those downside. So that's why our message is let's use AI together and then FSA, we'll do whatever you need for regulatory clarification and then taking necessary actions for that.

Ari Redbord (22:09):

How do you communicate that to regulated financial institutions? How are you able to communicate that FSA wants to encourage the use of these types of tools?

Ryosuke Ushida (22:17):

So we published AI discussion paper and then we had a multiple roundtable discussion and I was there and then people from banks and insurance companies and then very small financial institutions was there. And then we tried to convince them that FSA is fine if you make minor mistake about using AI, of course we need a discussion, but we believe the biggest risks of the risks of not taking action. So we encourage them to consider those risks of doing nothing. And then we are very much looking forward to develop new financial services out of those emerging technologies.

Ari Redbord (23:02):

Going sort of back to digital assets, how do you see the future? Japan has done this for so long, it's really been a leader in this space, but it's still a nascent technology. I mean, whether it's AI or crypto, we're still early.

Ryosuke Ushida (23:12):

So 10 years ago when Mt. Gox went bankrupt, we could have decided, oh, this is very dangerous, so let's ban it. But we decided at a time to nurture innovation out of these blockchain technologies. And I thought the decision was quite right. Even now we have a lot of problems and the challenges and some risks are there for sure, but ai, we believe that blockchain could bring more benefit to our society in the future. So our best stance is to strike a balance between innovation and their risk mitigations. It's easy to say, but it's quite different to actually implement.

Ari Redbord (23:52):

It's a huge challenge. We talk about this as in every jurisdiction. This is the same point. So how do you think about it as a regulator? How do you think about doing it? Because such an interesting question. How do we allow lawful users to have full access to emerging technology and allow for innovation and yet stop market abuse, stop elicit finance? How do you think about that balance?

Ryosuke Ushida (24:14):

So one of the initiatives that Japan is taking, it's to work with self regulatory organization. So as you mentioned, technology is changing quite fast and the business is quite changing fast. It's quite difficult for regulators to catch up with those change. And then it's not easy to amend our law every year. On the contrary, self regulatory organization have self-regulation. So all Japanese VASPs are a member of SRO because it was decided by our load. So some people say SRO doesn't work because it's a private organization, but in Japan, FSA and the SRO are working very closely and in Japanese VASPs are in compliant with regulation. So we see the emerging use case like staking and then stablecoin and then many others and potentially regulated defi in the future. So if we think about this change in the future, the input from private sector but is indispensable, and then if we needed to take legal action, of course we will do that. But market development is quite important. And then effort by private sector expert should be respected. So that's something we are taking. But again, so we cannot afford the kind of very high risks like North Korean risks. So in that case, the government of Japan is taking necessary action. So it's basically a risk-based approach. And then we will take necessary major steps depending on the risks and we encourage all private sector industry and the solution providers, like TRM Labs to come to us and then to have a good discussion for the future policy.

Ari Redbord (26:03):

Fantastic. And I've loved those conversations and look forward to more of them. What do you do for fun? What do you do when you're not working, when you're not thinking about what's the next in FinTech and AI and crypto, what do you do to relax?

Ryosuke Ushida (26:15):

I love cooking. I'm not good at running like Ari, but yeah, when I was in Washington DC sometimes it was difficult to find a good Japanese food. Of course it was there, but it's a bit little bit expensive. And it was during a pandemic, so I couldn't go outside. My apartment. So yeah, I started cooking and then now I have that. So I don't like washing, so my wife is taking care of that.

Ari Redbord (26:46):

Well, she's very lucky that you cook for her. So what do you like to make?

Ryosuke Ushida (26:49):

I like curry, Japanese, curry rice, and then Italian food, like pasta and lasagna.

Ari Redbord (26:56):

That's fantastic. I love it. That's amazing. That is actually so interesting that you were in DC living in Georgetown during the pandemic. What an interesting experience to be overseas away from home for that specific time in the world. How was that experience?

Ryosuke Ushida (27:12):

So it was quite difficult compared to when I was working in Tokyo. So when I was in Washington DC I talked to Bitcoin engineers and some academias who do not like the government options like myself. So in Japan, I often talk to regulated banks and the insurance companies, they know how to talk to regulators, but Bitcoin developers has totally different philosophy and the way of thinking, and of course language barrier exists. So it's not easy for me to develop mutual understanding with those guys. So I kind of hide it that I was a regulator, I am just university researcher and I tried to develop a valid relationship, but I realized we have something in common. Even no one would like North Korea to use crypto or stablecoin for illicit profits. So that's something we can share. So that's my take. And then now I very much enjoy talking to people coming from different industry and who have different mindsets. So it's in a multi-stakeholder discussion. And maybe innovation could come out of those kind of dialogues.

Ari Redbord (28:29):

Absolutely. And in fact, I give you so much credit you're at every conference we've been to these dinners where you'll sit next to Defi on the one side and a large regulated financial institution on the other side, and you'll have the conversations with everyone. And I think that's really important and one of the major reasons I wanted to have you on TRM Talks because I feel like we can reach a lot of people and they can understand better about the work that Japan has been doing for a really long time in this space.Ryosuke, thank you so much for joining me. As I said, I've wanted to do this forever. This was a fabulous conversation.

Ryosuke Ushida (28:58):

My pleasure. Thank you very much.

Ari Redbord (29:04):

Ryosuke is someone that I've really known for a while in this space. And for me, when I got to TRM, I looked around the world and I said, alright, who are the important regulators? What are we seeing happening in Dubai? What are we seeing from the Monetary Authority of Singapore? Is anything happening in the US? And the answer was usually no at that time. And I looked at Japan and obviously said, Hey, this is a country with the financial services regulator that has been doing this for a really long time. Reached out to folks there, met Takahide, Ryosuke predecessor, met Ryosuke, and really start to engage in great conversations and really learned a lot about the early days of crypto regulation and where it was potentially headed. And this conversation was very much that, right? It was grounded in, alright, this is what we were doing early days, but this is how we've really seen space develop with the licensing regime and stablecoins and custody.

(29:52):

We're talking about tokenization, we talked about defi. It's amazing actually, as I'm saying all of this, to think about the topics that we covered in a relatively short time today that's very much like that just speaks to his knowledge and expertise. And then you put all of that aside. And this is someone who has been the co-chair of the virtual asset contact group of the Financial Action Task Force for the last three or four years. And before him, again, Takahide, his predecessor. So Japan has been in all the important conversations that we've had on anti-money laundering, on crypto licensing, on regulatory regimes over the last decade essentially. And really, really cool to have this conversation sort of at that level today. On the next TRM Talks, I sit down with CJ Rinaldi, Chief Compliance Officer of Kraken. If you love the show, leave a review wherever you're listening to it and follow us on LinkedIn to get the latest news on crypto regulation, compliance, and investigations.

TRM Talks (30:49):

TRM Talks is brought to you by TRM Labs, the leading provider of blockchain intelligence and anti-money laundering software. This episode was produced in partnership with Voltage Productions. The music for this show was provided by Ikoliks.

Ari Redbord (31:07):

Now let's get back to building.