Japan Stablecoin Regulation 2026: What CAESP and EPIESP Custody Rules Actually Require

Japan's stablecoin framework has moved past the licensing question. The 2026 rules already answer "can we launch." What's still unresolved for most teams building here is narrower: how does custody actually work, wallet by wallet, key by key.
If you're new to Japan's regulatory framework, see Part 1: Japan Stablecoin Regulation Explained for an overview of Electronic Payment Instruments (EPIs), Crypto Asset Exchange Service Providers (CAESPs), Electronic Payment Instrument Exchange Service Providers (EPIESPs), and the Financial Services Agency (FSA)'s equivalence framework for foreign stablecoins. This article focuses on how the custody rules work in practice.
Key takeaways
- CAESP requires at least 95% cold storage. The remaining hot wallet balance must be matched 1:1 by a Redemption Guarantee Crypto Asset.
- EPIESP operators must segregate client assets under the PSA, even though the 95/5 ratio isn't codified identically for this license.
- EPIESPs distributing a foreign EPI like USDC must hold a domestic reserve equal to the value of customer holdings in their custody.
- Trust-type EPI issuers can now hold up to 50% of reserves in short-term JGBs or cancellable time deposits, as of June 13, 2026.
- Japan has no data localization requirement. Custody architecture can be shared across markets instead of rebuilt for Japan alone.
Japan stablecoin vs CBDC: two different regulators
It's easy to lump Japan's yen stablecoins in with the Bank of Japan's digital yen project. They get mentioned in the same breath a lot. They are not the same thing, and treating them as one will point your compliance program at the wrong regulator.
The digital yen is a central bank digital currency. The Bank of Japan itself would issue and run it, and as of now it's still in the research and pilot stage, not a live product anyone can hold or transact with.
JPYC and JPYSC are private stablecoins. Ordinary companies issue them, not the central bank. Shinsei Trust & Banking issues JPYSC. JPYC Co. issues JPYC. Both are regulated under the Payment Services Act, the same law that governs how USDC gets distributed in Japan.
Different issuer, different regulator, different legal basis. If your compliance program treats "Bank of Japan digital yen policy" as the source of truth for a JPYC or JPYSC integration, you're reading the wrong rulebook.
Japan stablecoin custody rules by license type
Three license types, three different build requirements.
CAESP (Crypto Asset Exchange Service Provider). At least 95% of user crypto assets must sit in offline cold wallets. Whatever remains in hot wallets, up to 5%, has to be matched by the operator's own assets in a separate cold wallet, called a Redemption Guarantee Crypto Asset. If the hot wallet gets compromised, the operator absorbs the loss, not the user. A certified public accountant or auditing firm must run an annual segregation audit.
If you're building custody for a CAESP license, this requirement effectively pushes you toward MPC-based architecture. Manual cold storage operations don't scale once you're rebalancing a matched reserve wallet on a rolling basis.
EPIESP (Electronic Payment Instrument Exchange Service Provider). This is the license SBI VC Trade holds to distribute USDC and JPYSC. Client asset segregation is mandatory under the same PSA umbrella. The 95/5 ratio isn't codified identically here, but in practice most operators benchmark to it anyway. Although the 95/5 split is not explicitly codified for EPIESPs, many operators adopt a similar custody model to align with supervisory expectations and demonstrate robust asset segregation.
Trust-type EPI issuers. The JPYSC model. Until the 2025 PSA Amendment Act, trust-type EPI issuers had to hold 100% of reserves in demand deposits. Full stop. Since June 13, 2026, issuers can hold up to 50% in short-term JGBs (three-month maturity or less) or early-cancellable time deposits. The catch: if the value of those instruments drops, the entrustor has to top up the difference. Reserve management here isn't buy-safe-assets-and-relax. It's an ongoing obligation to hold par value, monitored and enforceable.
| Dimension | CAESP | EPIESP | Trust-type EPI issuer |
| Governs | Custody of any listed crypto asset held for users | Distribution and intermediation of EPIs, domestic or foreign | Issuance of the stablecoin, backed by trust assets |
| Cold / hot split | Codified: min. 95% cold, remainder matched 1:1 in a separate cold wallet | Segregation mandatory; ratio not codified, CAESP standard used as benchmark | Not the primary framework; issuer manages fiat reserve composition instead |
| Reserve composition | Not applicable | Domestic reserve required, equal to foreign EPI holdings in custody | Since June 13, 2026: up to 50% short-term JGBs or cancellable deposits, rest in demand deposits |
| Audit | Annual CPA or auditing firm segregation audit, explicitly required | Segregation audit expected; cadence less precisely specified | Regular independent verification per FSA guidance |
| Example | Domestic exchanges custodying BTC, ETH, and other listed assets | SBI VC Trade distributing USDC and JPYSC | SBI Shinsei Trust & Banking issuing JPYSC |
Why trust banks, not banks, issue yen stablecoins
JPYSC comes from Shinsei Trust & Banking, not a conventional deposit-taking bank. That's not a branding choice.
Japan's Bank Holding Rule effectively blocks standard banks from issuing EPIs directly. The FSA has flagged concerns about banks touching permissionless blockchain infrastructure, and the money laundering exposure that comes with it. Trust banks sit in a different regulatory lane. They can hold crypto assets as trustees and provide trust custody services without triggering the same restriction.
That's why the market pattern looks the way it does. SBI routes issuance through a trust banking subsidiary. The MUFG, SMBC, and Mizuho consortium is structuring its Progmat-based stablecoin the same way. Not a preference. A structural workaround baked into the law.
Japan's stablecoin Travel Rule: what EPIESPs actually have to do
Both CAESP and EPIESP operators fall under the Act on Prevention of Transfer of Criminal Proceeds, Japan's Travel Rule vehicle. The obligation itself is simple to state: collect and retain originator and beneficiary information on transfers, and transmit it to the counterparty VASP when that jurisdiction has an equivalent Travel Rule regime in force.
Two details operators consistently miss:
- Japan's Travel Rule obligations generally apply to transfers between regulated service providers (VASPs). Transfers involving unhosted wallets are treated differently and are not subject to the same information transmission requirements. If your compliance stack is trying to force Travel Rule data collection on self-custody withdrawals, that's solving a problem the law doesn't ask you to solve.
- EPIESPs distributing a foreign EPI like USDC carry an added twist: the domestic intermediary must set aside a reserve inside Japan equal to the value of customer holdings in its custody. Real balance sheet impact, not paperwork.
We go deeper on how pre-signing screening and Travel Rule data plumbing actually get wired into a signing flow in AML Monitoring and Pre-Signing KYT Screening for Fintechs.
No data localization: what that means for your compliance framework
Nothing in the PSA or its Cabinet Office Ordinances requires servers or private keys to sit physically inside Japan. The FSA cares about how assets are managed and segregated, not where the infrastructure lives.
Many teams assume Japan requires domestic key storage. It doesn't. The regulation focuses on segregation, auditability, and reserve management, not physical server location.
That distinction matters more than it looks. It means one compliant custody architecture can be reused across APAC markets instead of standing up a Japan-specific HSM cluster. Compare that to Vietnam, where Decree 53 does require key material and transaction logs to sit on infrastructure physically located in-country. Japan and Vietnam sit at opposite ends of the same spectrum, and a custody stack built assuming the stricter model will always satisfy the looser one, not the other way around.
A practical checklist for Japan stablecoin compliance
Pulling the above into what actually needs to exist in your stack:
- Cold/hot split enforced at the protocol level, not policy on paper. Use the 95/5 ratio as your working assumption even under EPIESP.
- A provably matched Redemption Guarantee Crypto Asset wallet, separate from operating hot wallets, rebalanced as hot wallet exposure changes.
- Segregation that survives a CPA audit: per-customer or per-license-type wallet separation with a clean, exportable trail. An internal ledger entry claiming segregation isn't the same thing as demonstrable segregation.
- Reserve accounting for foreign EPIs, sized to match customer holdings, held domestically, if you're intermediating USDC or similar.
- Travel Rule data plumbing scoped correctly: VASP-to-VASP transfers with equivalent jurisdictions, unhosted wallet flows explicitly excluded.
- Multi-currency key management that doesn't assume Japan-only infrastructure. There's no data localization rule forcing that assumption.
Managed custody or self-hosted: two paths teams take
Everything above changes shape depending on two decisions most teams make early and rarely revisit.
| Decision | Option A | Option B |
| Issue new vs. integrate existing stablecoin | Issue new: needs a bank, trust company, or registered funds transfer service provider license. You own reserve backing and par redemption end to end. | Integrate existing (USDC-style): goes through a licensed EPIESP. If you're that EPIESP, you carry the domestic reserve obligation matching customer holdings. |
| Self-hosted vs. third-party custody | Self-hosted (MPC): your system owns the 95/5 logic directly. Your own segregation trail is what the annual CPA audit examines. | Third-party custodian: the provider owns the 95/5 split. You present their certifications (SOC 2 Type II, ISO 27001) as part of your own audit evidence. |
Neither axis has a universally right answer. Issuing your own EPI makes sense with the balance sheet for full reserve backing and the intent to own the settlement rail outright. Integrating an existing stablecoin gets to market faster, at the cost of a real reserve obligation the moment you're the distributor.
Managed custody shortens the path to an audit-ready answer. Self-hosted custody keeps the segregation logic, the thing regulators and auditors scrutinize directly, inside your own infrastructure. For a closer look at that trade-off outside the Japan context specifically, see Fystack vs Fireblocks: Self-Hosted vs SaaS and MPC vs. Multisig Wallets.
If you're evaluating self-hosted infrastructure for a Japan build, here's how Fystack approaches it: self-hosted custody designed for exactly this kind of scrutiny, not a general-purpose wallet SDK retrofitted for compliance.
This is Part 2 of our Japan stablecoin regulation series. Part 1 covers the legal categories and the 2026 rules for USDC, USDT, and yen stablecoins in full.
Share what you are building: contact Fystack here

