TL;DR: Japan’s revised rules for used-goods sales and related electronic verification tighten identity checks for online transactions, while expanding where eKYC can be used and what records must support it, according to Cybertrust Japan. The pressure is shifting from whether verification exists to whether identity evidence, auditability, and operational fit can withstand abuse.
NHIMG editorial — based on content published by Cybertrust Japan: a 2025 analysis of Japan’s tightened identity verification rules for second-hand goods transactions
By the numbers:
- NHI identities outnumber human identities by 25x to 50x in modern enterprises.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should organisations choose the right eKYC method for a transaction?
A: Start with the transaction risk, then choose the lowest-friction method that still produces enough assurance and evidence for audit.
Q: Why do remote identity checks fail even when the process is followed?
A: They fail when the method creates weak evidence, not necessarily when staff make mistakes.
Q: What do security and compliance teams get wrong about eKYC recordkeeping?
A: They often treat logs as operational clutter instead of governed evidence.
Practitioner guidance
- Map transaction risk to verification strength Define which transactions can use image-based checks, which require IC chip reading, and which need stronger evidence before approval.
- Preserve verification evidence with lifecycle controls Retain the records needed to show what was verified, when it was verified, and which method was used.
- Separate convenience from assurance in onboarding flows Review remote identity journeys to ensure low-friction steps do not silently reduce assurance below the transaction’s regulatory threshold.
What's in the full article
Cybertrust Japan's full blog post covers the regulatory detail this post intentionally leaves for the source:
- Exact changes to Japan's identity verification rules for second-hand goods transactions and related documentation.
- The eKYC methods explicitly recognised under the revised framework, including document, chip, and signature-based approaches.
- Practical examples of how the amended rules affect purchase workflows, evidence handling, and cost expectations.
- The article's own summary of which verification methods are likely to be easiest to adapt operationally.
👉 Read Cybertrust Japan’s analysis of Japan’s tightened identity verification rules →
eKYC regulation is tightening in Japan, but are controls ready?
Explore further
Identity proofing is becoming a governance control, not just a user-facing step. The article shows that regulated transactions now depend on evidence quality, not just on whether a customer completed a form or upload. That shifts the burden onto assurance design, retention, and auditability, which aligns with NIST SP 800-63C and broader identity governance practice. The practitioner conclusion is that verification methods must be selected and governed by risk, not convenience.
A few things that frame the scale:
- NHI identities outnumber human identities by 25x to 50x in modern enterprises, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
A question worth separating out:
Q: Who is accountable when identity proofing is too weak for a regulated sale?
A: Accountability usually sits with the organisation operating the transaction, because it selected the method, set the workflow, and decided what evidence to retain. If the control design does not match the risk or the legal requirement, the failure is governance-related, not just technical.
👉 Read our full editorial: Japan’s identity verification reforms raise the bar for eKYC