By NHI Mgmt Group Editorial TeamDomain: Governance & RiskSource: Cybertrust JapanPublished September 8, 2025

TL;DR: Japan’s revised rules for used-goods sales and related electronic verification tighten identity checks for online transactions, while expanding where eKYC can be used and what records must support it, according to Cybertrust Japan. The pressure is shifting from whether verification exists to whether identity evidence, auditability, and operational fit can withstand abuse.


At a glance

What this is: Japan is tightening identity verification expectations for certain second-hand goods transactions, with eKYC and recordkeeping now central to compliance and fraud prevention.

Why it matters: IAM teams responsible for customer identity, onboarding, and audit trails need to reassess assurance levels, document retention, and control design wherever regulated transactions rely on remote verification.

By the numbers:

👉 Read Cybertrust Japan’s analysis of Japan’s tightened identity verification rules


Context

Japan’s identity verification rules are being tightened in response to theft-linked crime patterns, and that has direct implications for how organisations prove who is on the other end of a transaction. In practice, the issue is not simply whether verification happens, but whether the method, evidence, and records are strong enough to stand up to fraud pressure and compliance review.

The article also points to a broader shift in how electronic identity proofing is being treated. Remote verification is no longer a lightweight convenience layer, and organisations using it for regulated transactions will need stronger operational discipline around recordkeeping, control selection, and the limits of each verification method.


Key questions

Q: How should organisations choose the right eKYC method for a transaction?

A: Start with the transaction risk, then choose the lowest-friction method that still produces enough assurance and evidence for audit. For high-risk or regulated flows, image-only checks are often too weak on their own. Where available, chip-based validation and cryptographically signed evidence provide stronger proof than visual inspection alone.

Q: Why do remote identity checks fail even when the process is followed?

A: They fail when the method creates weak evidence, not necessarily when staff make mistakes. A process can be completed correctly and still be easy to forge, hard to audit, or impossible to prove later. The core question is whether the verification artefact can survive fraud pressure and regulatory review.

Q: What do security and compliance teams get wrong about eKYC recordkeeping?

A: They often treat logs as operational clutter instead of governed evidence. If the organisation cannot show the verification method, the time of the check, and the supporting artefacts, the control is weak in practice even if the transaction completed successfully. Evidence retention is part of identity assurance.

Q: Who is accountable when identity proofing is too weak for a regulated sale?

A: Accountability usually sits with the organisation operating the transaction, because it selected the method, set the workflow, and decided what evidence to retain. If the control design does not match the risk or the legal requirement, the failure is governance-related, not just technical.


Technical breakdown

eKYC methods and assurance levels in regulated transactions

eKYC is not one control but a set of remote identity proofing methods with different assurance characteristics. The article describes document checks, facial image capture, IC chip reading, and electronic signatures as part of the regulatory toolbox, with some methods supporting stronger verification than others. The key technical issue is evidence quality: a system may be online and convenient while still producing weak assurance if the underlying document, chip, or signature validation is not robust enough for the transaction risk.

Practical implication: Practitioners should map each transaction type to an acceptable assurance method rather than treating all eKYC flows as equivalent.

IC chip reading, digital signatures, and anti-tamper validation

The strongest part of the article is its focus on chip-based verification. IC chip data can be signed by a government-controlled secret key, which makes tampering easier to detect than image-only checks. That matters because attackers can forge photographs or alter document images, but they cannot easily reproduce valid cryptographic signatures without access to the issuing authority’s private material. In this model, the chip becomes a higher-trust evidence source than the visible document surface.

Practical implication: Organisations should prefer chip-verified methods where the regulatory context allows it and preserve the verification evidence for audit.

Recordkeeping as part of identity assurance

The revised rules do more than specify how identity should be checked. They also tie verification to records, which makes auditability part of the control itself. If an organisation cannot show what was verified, when it was verified, and which method was used, then the transaction may be operationally complete but governance-incomplete. For IAM and compliance teams, that pushes identity proofing closer to lifecycle management and evidence retention rather than treating it as a front-end onboarding step.

Practical implication: Treat verification logs and supporting evidence as controlled identity assets, not disposable operational data.


Threat narrative

Attacker objective: The attacker seeks to complete regulated transactions under a false or stolen identity while avoiding detection and accountability.

  1. Entry occurs when a malicious buyer or seller exploits a weak identity proofing method that can be imitated or manipulated more easily than chip-based verification.
  2. Escalation follows when the attacker passes onboarding or purchase controls and gains the ability to transact under a falsely trusted identity.
  3. Impact comes through stolen goods, fraudulent transfers, or delayed detection, especially where records cannot prove which verification method was used.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity proofing is becoming a governance control, not just a user-facing step. The article shows that regulated transactions now depend on evidence quality, not just on whether a customer completed a form or upload. That shifts the burden onto assurance design, retention, and auditability, which aligns with NIST SP 800-63C and broader identity governance practice. The practitioner conclusion is that verification methods must be selected and governed by risk, not convenience.

Chip-based verification creates a higher-trust evidence chain than image-only checks. A photographed identity document can be copied or altered, but chip-signed data introduces a cryptographic validation layer that is much harder to forge. That does not eliminate fraud, but it narrows the attacker’s room for document manipulation. The practitioner conclusion is that organisations should distinguish visual confirmation from cryptographic proof when building eKYC controls.

Recordkeeping is the part of eKYC that often fails first. Even where the verification step itself is strong, weak logs and poor retention make it impossible to prove compliance or investigate abuse later. This is the same governance problem that appears across NHI and IAM programmes: if evidence disappears, control effectiveness cannot be demonstrated. The practitioner conclusion is that identity proofing evidence needs the same lifecycle discipline as access records.

Japan’s move is a reminder that identity controls are converging across customer, employee, and machine contexts. Once regulators demand stronger proof and better records in one domain, the operating model tends to spread into others. That matters for IAM teams because the same governance concepts, assurance levels, and evidence retention patterns increasingly apply across human identity, NHI lifecycle, and delegated access. The practitioner conclusion is to design identity governance as a shared control plane, not a single-channel process.

From our research:

  • NHI identities outnumber human identities by 25x to 50x in modern enterprises, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
  • For a broader control baseline, see Top 10 NHI Issues for the governance patterns that break when identity evidence is incomplete.

What this signals

The direction of travel is clear: identity assurance is moving deeper into transaction governance, and that will shape how teams think about evidence retention, fraud resistance, and control selection. The organisations that do well will stop treating eKYC as a front-end form step and start treating it as a governed identity proofing lifecycle.

Proofing evidence debt: when verification artefacts cannot be retained, searched, and defended, the control loses value after the transaction closes. That same pattern already appears in machine identity programmes, where 96% of organisations store secrets outside secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.


For practitioners

  • Map transaction risk to verification strength Define which transactions can use image-based checks, which require IC chip reading, and which need stronger evidence before approval. Avoid one-size-fits-all eKYC design.
  • Preserve verification evidence with lifecycle controls Retain the records needed to show what was verified, when it was verified, and which method was used. Make those logs searchable for audit and fraud investigation.
  • Separate convenience from assurance in onboarding flows Review remote identity journeys to ensure low-friction steps do not silently reduce assurance below the transaction’s regulatory threshold.
  • Extend identity governance into customer proofing Treat customer verification evidence as part of the same governance model used for access records, approval trails, and recertification evidence.

Key takeaways

  • Japan’s revised rules show that identity proofing is now a governance problem, not just a customer experience problem.
  • Chip-validated evidence is materially stronger than image-only checks when fraud pressure and auditability matter.
  • Teams that cannot retain proof of what was verified will struggle to defend both compliance and trust decisions.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63 and NIST CSF 2.0 set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST SP 800-63SP 800-63CThe article focuses on identity proofing and federated evidence handling.
NIST CSF 2.0PR.AC-1Identity assurance and access decisions depend on validated credentials and proofing.
GDPRIf identity evidence includes personal data, retention and minimisation become relevant.

Use SP 800-63C concepts to align evidence, assurance, and accountability for remote verification.


Key terms

  • Embedded KYC: Embedded KYC is the practice of placing customer identity verification directly inside the onboarding workflow instead of managing it as a separate process. In regulated environments, it creates a single control path for identity proofing, sanctions screening, and audit evidence, which can improve consistency if governance is clear.
  • Identity Proofing: Identity proofing is the process of establishing that a person is who they claim to be before access, registration, or a transaction is approved. For practitioners, the important distinction is between convenience and assurance, because weak proofing can satisfy a workflow while still failing fraud or compliance scrutiny.
  • Cryptographic verification: A verification method that confirms identity by checking a valid digital signature against a known public key. It is deterministic rather than probabilistic, so it does not depend on recognising a voice, face, or behavioural pattern. For high-trust workflows, it provides a binary pass or fail that synthetic media cannot imitate without the private key.
  • Evidence retention: Evidence retention is the disciplined keeping of approvals, logs, attestations, and supporting records for the period required by audit or policy. It matters because a control that cannot be reconstructed later is often treated as weaker than one that can be demonstrated with complete records.

What's in the full article

Cybertrust Japan's full blog post covers the regulatory detail this post intentionally leaves for the source:

  • Exact changes to Japan's identity verification rules for second-hand goods transactions and related documentation.
  • The eKYC methods explicitly recognised under the revised framework, including document, chip, and signature-based approaches.
  • Practical examples of how the amended rules affect purchase workflows, evidence handling, and cost expectations.
  • The article's own summary of which verification methods are likely to be easiest to adapt operationally.

👉 Cybertrust Japan's full post covers the amended rule details, eKYC methods, and operational implications for sellers.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org