The TSE imposed a fine of JPY 3 million on Monex, Inc. (hereafter "Monex" or "the company") as the company's management of the electronic information processing system relating to financial instruments business was deemed insufficient. The TSE also requested Monex to submit a business improvement report regarding the following actions:
- (i) Clarify the locus of responsibility (including the management level), in addition to reviewing the management control system and the internal control system by verifying the reason why the past business improvement report submitted to the FSA and the TSE was not implemented properly;
- (ii?Review the past business improvement report and implement the improvement properly;
- (iii) Verify the effectiveness of system management by conducting external system audit covering the whole system, as a part of the implementation mentioned in (ii), and prepare for adjustments in light of the verification results;
- (iv) Establish systems necessary to properly monitor the state of improvement, as a part of the implementation mentioned in (ii); and
- (v) Remind officers and employees about the importance of system management, and implement necessary system reviews and training, etc. to secure an appropriate business execution system.
Outline of Violation
On June 7, 2006, Monex was ordered by the FSA to improve business execution due to insufficient management of the electronic information processing system relating to securities business. Monex submitted a business improvement report ("improvement report") to the FSA, on July 7, 2006 and reported a request to outsourcees for improvement of operations and continuous checks on the state of implementation of the improvement plan, as well as the improvement plan for Monex itself.
However, the management of Monex only reported the implementation of the improvement plan from the Technology Department, which was mainly in charge of the improvement plan regarding the electronic information processing system, without deciding (i) the department responsible for overall supervision of the state of implementation of the improvement measures in each department; (ii) concrete policy for improvement activities; and (iii) evaluation standard for improvement activities. As a result, the implementation of the business improvement measures was deemed insufficient.
The above is acknowledged to be a 'situation deemed to be an insufficient management of the electronic information processing system relating to financial instruments business, etc.' as defined in Article 123, Item 14 of the Cabinet Office Ordinance on the Financial Instruments Business based upon Article 40, Item 2 of the Financial Instruments and Exchange Act.
An overview of the improvement plan, etc. and deficiencies in implementation are as follows:
- Implementation of improvement plan at outsourcees
The company failed to grasp how operations were improved. As a result some improvements were not made. - Implementation of improvement plan at the company
The state of improvement of the below-mentioned improvement measures was deemed insufficient. In addition, the Business Improvement Support Office designated to supervise the state of improvement was deemed to have not performed verification of the effectiveness of each improvement measure.- Enhancement of ASP management system (Application Service Provider, i.e. outsourcees)
ASPs conducted self-evaluation, and the company failed to seek supplementary documentation concerning the evaluation results or conduct objective evaluation. - Countermeasures for system malfunction due to insufficient capacity
No concrete threshold value is specified in the contracts with outsourcees. From the period of April to October 2008, there were 9 occurrences of system malfunction due to insufficient capacity. The improvement report stated that the company would verify the appropriateness of capacity management standards of each ASP. - Countermeasures for system glitches due to errors in test design or omissions
System malfunction occurred due to failure to clarify the locus of responsibility and procedures. - Countermeasures for system glitches due to operational errors
System glitches occurred with wider effect due to failure to perform confirmation of the range of influence, etc. - Securing the effectiveness of measures to prevent recurrence
Checks on the implementation of measures to prevent recurrence were deemed ineffective. - Enhancement of verification system
While the company held meetings on measures to prevent recurrences, etc. the Business Improvement Support Office failed to perform verification of the discussion and resolution of such meetings. - External system audit
No external system audit was performed from the date of submission of the improvement report to the date of examination.
- Enhancement of ASP management system (Application Service Provider, i.e. outsourcees)
A major internet securities company such as Monex is expected to have a system in place to appropriately address issues such as development and operation of durable systems and measures in response to technical glitches. However, the company had not properly implemented the improvement plan despite receiving administrative punishment from the FSA. As such, a review of the reasons behind how this had occurred, and the actual implementation of the improvement plan is deemed necessary.