I have spent a significant amount of time in Japan over the past decade, meeting with compliance leaders at different stages of programme maturity, and hearing their pain points as they try to adapt to the ever-changing regulatory landscape. My recent trip was no different, and the conversation that keeps coming back is some version of the same question: are we actually ahead of this, or are we just busy?
It’s a good question. And the honest answer, for most organisations, is the latter.
LRN’s 2026 Programme Effectiveness Report for Japan is clear about where things stand. Only 59% of Japanese organisations report year-over-year improvement in their ethics and compliance programmes, against 74% globally. Ethical culture resilience sits at 66% compared to 82% globally. Programme effectiveness perception is 69% versus 84% globally. Thirteen percent use analytics to actively evaluate programme performance. Not 13% using advanced analytics. Thirteen percent using analytics at all.
These are not minor variations from a global norm. They are a pattern. Programmes that have invested in infrastructure without investing equally in behavior, measurement, and accountability are not ready for what 2026 is asking of them. And what 2026 is asking of them is significant.
The whistleblower law has changed. Most programmes have not.
The 2025 amendment to Japan’s Whistleblower Protection Act was enacted in June 2025 and comes into force no later than the end of 2026. This is the first substantive revision in five years, and it moves Japan from a framework that required reporting channels to exist, to one that requires organisations to prove those channels work.
The headline change is the retaliation presumption. Any dismissal or disciplinary action taken against an employee within one year of a whistleblowing report is now presumed to be connected to that report. The burden of proof falls on the employer to demonstrate otherwise. Criminal penalties now apply to individuals who retaliate. Companies that do so face fines of up to JPY 30 million.
Two things follow from this that compliance officers need to think about carefully. First, HR and compliance can no longer operate in separate lanes. In most organisations I encounter, information about a whistleblowing report sits with compliance or legal, and decisions about performance reviews, transfers, and disciplinary actions sit with HR, with little structured coordination between them.
The one-year presumption makes that separation a legal liability. Every HR action taken within the window of a report now needs a documented compliance check. That is a process redesign, not a policy update.
Second, the law now covers freelancers under current contracts and those whose contracts ended in the previous 12 months. For organisations with extended third-party workforces, the perimeter of your whistleblower obligations just expanded considerably.
The Consumer Affairs Agency also has real teeth now. It can issue binding orders, conduct on-site inspections, and impose penalties on organisations that fail to appoint a designated whistleblowing response officer.
Companies with more than 300 employees were already required to do this. The 2025 amendment means the regulator can now enforce it. Regardless of who you are, if you employ someone in Japan, and you fire them after they’ve made a complaint…take caution.
Here is the part I keep coming back to when I talk to compliance teams. All of the above assumes someone actually uses the reporting channel. In our Tokyo Q&A published late last year, we noted that only 49% of Japanese employees report using their code of conduct as a practical resource, compared to 70% globally. I did hear some companies rejoice in the news that most of their employees know about the code of conduct, but when I pressed further it seems they knew about it in the same way I know my car has a user manual in the glove box. One I have never used. Not once.
The same gap almost certainly applies to speak-up channels. A hotline that 51% of employees would not think to use is not a compliance control. It is a liability artifact with a logo on it.
The era of setting up a channel and hoping for the best is over. Regulators are expecting proof that it works, that employees know about it, trust it, and believe that using it will not cost them. That kind of trust is built through visible follow-through, not policy language. Manager training matters here more than anywhere else. The biggest gap in most compliance programmes is that the values leadership articulates at the top never make it through middle management to the people who actually need to hear them. That failure is acutely dangerous in a speak-up context.
Export controls, sanctions, and AML: an underestimated exposure in Japanese industry
There is a category of compliance risk that does not get enough attention in Japan, particularly in heavy manufacturing and industrial sectors.
Export controls, sanctions, and anti-money laundering obligations are often treated as procedural matters handled by trade compliance or legal teams, surfacing only at the point of shipment or transaction clearance. That model is increasingly inadequate, and in some sectors, it is already dangerous.
Consider the position of a Japanese manufacturer of large industrial machinery, cranes, precision engineering equipment, construction or mining hardware. The physical product may be straightforwardly classified, shipped, and documented.
But modern industrial machinery rarely ships as a standalone mechanical asset. It ships with embedded software, remote diagnostics capability, firmware update infrastructure, and ongoing connectivity to manufacturer systems. That software layer changes the compliance calculus entirely.
If software updates are initiated from a jurisdiction subject to US, EU, or UK sanctions, if the beneficial ownership of the end user entity sits in a restricted territory, or if a third-party component or system within the machine falls under export control classifications from another country, the manufacturer can face enforcement exposure across multiple jurisdictions simultaneously, even if the original shipment was entirely compliant. The US Department of Commerce, OFAC, and their UK and EU counterparts do not limit their interest to the point of sale. They are increasingly focused on ongoing relationships, software maintenance agreements, and the digital thread that connects manufacturers to their installed base around the world.
This is not a theoretical scenario. The convergence of physical product and software-defined functionality in industrial equipment means that trade compliance training built around shipping documentation and commodity classifications is no longer sufficient. This was a real example I shared with a compliance leader last week.
Employees in engineering, software development, after-sales service, and customer success functions now sit inside the compliance perimeter for export controls and sanctions in ways that most training programmes have not caught up with.
AML exposure compounds this further.
Large machinery transactions frequently involve complex financing structures, intermediary distributors, and agents operating across multiple jurisdictions.
The beneficial ownership question, who ultimately controls the entity receiving the equipment, who is financing the transaction, who benefits from the arrangement, is as relevant in heavy industry as it is in financial services.
Japan’s financial intelligence frameworks have strengthened considerably over recent years, but the training infrastructure within manufacturing and industrial companies has not kept pace.
The practical recommendation for compliance officers in these sectors is to expand the population who receive substantive training on export controls, sanctions, and AML beyond the trade and legal functions.
Engineers who manage software update pipelines, account managers who handle installed-base relationships in sensitive markets, and commercial teams who structure financing arrangements all need scenario-based training that reflects the actual decisions they are making.
Classroom-first delivery remains the preference in Japan: our 2026 report shows 45% of Japanese organisations favor live training against 27% globally, and that cultural preference can be an asset here. Scenario-led workshops built around real product and customer situations will land better than e-learning modules written for a generic financial services audience.
Supply chain and third-party training: the gap that keeps widening
Our 2026 Japan report shows only 14% of Japanese organisations expend significant effort on third-party due diligence, against 27% globally. Ongoing third-party monitoring sits at 19% compared to 32% globally. These figures sit alongside Japan’s analytics adoption rate of 27%, well below the 42% global figure, and a digital tool adoption rate that has barely moved year over year.
Put those numbers together and the picture is clear. Japanese organisations are conducting less third-party scrutiny than their global peers, with fewer tools to do it, and less data to evaluate whether it is working. That combination is a structural risk in a market where supply chain complexity is high and where global counterparties, European customers in particular, are increasingly expecting documented evidence of third-party controls rather than contractual assurances.
The training dimension of this problem tends to be overlooked. Most third-party risk management programmes focus on initial due diligence at the point of onboarding. Fewer extend meaningful training access to suppliers themselves, and fewer still build in mechanisms to monitor whether supplier behavior is actually aligned with the expectations set at contract stage.
Our 2025 Code of Conduct Report showed that third-party management now appears in over 80% of leading codes globally. The gap between having a policy expectation and building an operational training relationship with suppliers is where most Japanese organisations are currently sitting.
The low technology adoption rate makes this worse. If only 16% of Japanese organisations have increased the amount and type of data they obtain from their E&C programmes in the past year, the monitoring infrastructure required to verify supplier behavior simply does not exist in most cases. Supplier training programmes that are tracked, measured, and reported, that connect back to a compliance dashboard that a compliance officer can show a board or a regulator, remain the exception rather than the rule.
The argument I keep making to compliance leaders in Japan (which I’m sure they are getting tired of hearing) is that third-party training is not a generosity extended to suppliers. It is a risk management investment in your own programme.
A supplier who does not understand your anti-bribery expectations, your sanctions screening requirements, or your data handling standards is an exposure you have failed to manage, regardless of what your contract says.
AI governance and policy: the window for treating this as optional is closing
Japan’s AI Promotion Act, enacted in May 2025 and largely in force from June 2025, does not impose fines. It does not create a licensing regime. Its primary obligation on private businesses is a best-efforts duty to cooperate with government measures, a common formulation in Japanese legislation and intentionally non-prescriptive.
That is worth stating clearly because I have seen it mischaracterized in some compliance briefings. Japan is not doing what Brussels did. The national posture is explicitly promotion-first. The government wants Japan to be the world’s most AI-friendly country, and the legislation reflects that orientation.
But the absence of fines does not mean the absence of risk.
The government has authority to investigate rights infringement and publicly disclose non-compliance. In January 2026, it used that power for the first time, launching a formal investigation into sexual deepfakes. That is the first signal of how this framework operates in practice: reputationally before financially, but operationally real.
The METI and MIC AI Guidelines for Business, updated in March 2025, call explicitly for executive-level responsibility, framing ethical AI governance the way we frame cybersecurity: embedded into organisational structures, reviewed regularly, reported upward.
Our 2026 Japan report shows 31% of Japanese organisations currently using AI in compliance training, with only 28% planning to expand data-based tools programme-wide. That adoption gap matters, but it is not the most urgent problem.
The more urgent problem, in my opinion, is governance.
Most Japanese organisations that are using AI tools, in operations, in procurement, in customer service, in product development, are doing so without policies that define approved use cases, acceptable data inputs, human oversight requirements, or escalation protocols when something goes wrong. Across global programmes, only 33% of organisations reference AI ethics in their codes of conduct. In Japan, the figure is lower still.
For employees navigating a daily reality where AI tools are proliferating across their workflows, the absence of a clear organisational position is not neutral. It is an invitation for inconsistent, undocumented, and potentially harmful use.
I want to be direct about the timeline here. Twelve months ago, the absence of AI governance language in a code of conduct was a gap. Today it is starting to look like negligence. Not because Japan’s law demands it yet, but because the accumulation of AI-related risk events, reputational, legal, and operational, across global markets is moving faster than annual code review cycles.
Organisations that wait for a regulatory mandate before embedding AI governance into their policies are making the same error that organisations made with data privacy a decade ago: they will spend years catching up to a risk that was visible long before it became enforceable.
The practical asks here are not complex.
Define which AI tools are approved for use and under what conditions. Specify what data categories cannot be input into external models. Establish a human oversight requirement for any AI-influenced decision that affects an employee, a customer, or a third party.
Create a clear escalation path when an AI output is challenged or causes harm. Include AI ethics explicitly in your code of conduct, not as a standalone technology policy, but as a statement of organisational values about how automated systems should and should not be used.
Train managers on what that means in practice, because the decisions about whether to use an AI summary in a performance review, or whether to rely on an AI risk score in a supplier assessment, are being made at the middle management level right now, with no guidance.
Japan’s position in APAC on AI governance is already behind Singapore. Singapore launched the world’s first Model AI Governance Framework for Agentic AI at Davos in January 2026. The gap between Japan’s current average and that benchmark is not closing on its own.
The ESG picture: a phased obligation that has already started
The Sustainability Standards Board of Japan finalized its inaugural disclosure standards in March 2025, covering general sustainability and climate-related disclosures. The FSA is applying these initially to Prime Market companies above JPY 3 trillion in market capitalisation, beginning with fiscal years ending March 2026.
That is not a future deadline. For the largest Japanese companies, the first reporting period under these standards is already underway.
There is no mandatory human rights due diligence law in Japan, and none is currently proposed. But that framing does not capture the full exposure. The EU’s Corporate Sustainability Due Diligence Directive retains extraterritorial reach for Japanese companies that meet certain criteria, even after its 2025 scope revisions and delayed enforcement timeline.
Japanese organisations with European customers, investors, or supply chain counterparties cannot treat the CSDDD as someone else’s problem.
The supply chain data from our 2026 Japan report makes the readiness gap hard to ignore. Those figures, 14% on diligence effort, 19% on monitoring priority, are not trends moving in the right direction. They are structural underinvestment in a risk area where external scrutiny is only increasing. And for Japanese manufacturers with European clients or investors, the connection between supply chain integrity and market access is becoming direct.
The board reporting problem
This generated a lot of questions from the audience at our networking event at the Tokyo American Club. Our 2026 Japan report shows that only 26% of Japanese boards receive external benchmarks and comparisons in their E&C reporting, against 40% globally.
Planned enhancements to board reporting sit at 25% against 42% globally. Japan does conduct E&C board reviews more frequently than the global average, with 44% holding twice-yearly reviews versus 31% globally. But frequency is not the same as quality.
Boards receiving training completion rates, hotline volumes, and policy acknowledgment figures are receiving activity data. That is not governance.
Culture health indicators, leading risk signals, retaliation follow-up rates, time to closure on investigations, third-party anomalies, AI use case tracking: these are the inputs that allow a board to form a view about whether the programme is actually working. Most Japanese boards are not seeing them.
Compliance officers who can present that picture coherently, and connect the whistleblower amendments, AI governance expectations, export control exposures, and ESG obligations into a single intelligible account of organisational risk, are the ones who will be most effective when regulators and boards ask the questions that are coming.
The question Japan’s compliance officers need to answer
I opened the Singapore article I wrote a few weeks ago with the observation that the future of compliance is about the integration of culture and data, anchored in trust. The same is true in Japan, and the regulatory environment in 2026 is testing that integration in practical ways.
The question is not whether the policy exists. It is whether you can demonstrate that employees trust the reporting system enough to use it, that managers are equipped to handle disclosures without creating retaliation risk, that AI tools are governed with the same rigor as any other consequential process, that supply chain and third-party relationships include genuine monitoring rather than contractual formality, that trade compliance training has kept pace with the software-defined reality of modern industrial products, and that boards are seeing real intelligence rather than curated reassurance.
I wouldn’t say that Japan is not behind. I would say it’s at an inflection point.
High-impact programmes in Japan already outperform their peers by 1.2x in data utilisation. The structural advantage of being a high-impact programme is available to every organisation in this market. Most have simply not committed to the conditions that produce it.
The regulatory environment in 2026 is no longer patient with that gap.