Japan Financial Services Agency publishes results of FinTech Demonstration Experiment Hub pilot on verifiable credentials for identity verification

The Japan Financial Services Agency published the completed results of FinTech Demonstration Experiment Hub Project No. 9, which tested whether verifiable credentials (VCs) can be used in practice for identity verification by financial institutions. The pilot confirmed that standards-based implementations can achieve technical interoperability across multiple issuers and verifiers, while also highlighting that governance arrangements, wallet security expectations, and legal positioning remain central constraints for real-world deployment. The experiment ran from December 6 to March 7 with Mitsubishi UFJ Trust and Banking Corporation as applicant and a broad set of participating financial institutions and technology providers. The test flow used a bank-issued VC recording customer due diligence results and an eKYC vendor-issued VC based on My Number Card verification, stored and presented via digital identity wallets (local and cloud types), with verifiers checking signatures and using prepared status and trusted lists. The stack used SD-JWT VC, OpenID for Verifiable Credential Issuance, OpenID for Verifiable Presentation, and the W3C Bitstring Status List, and validation covered 811 test cases across interoperability, identity verification and security, and user experience, including 22 issuer-verifier combinations. On security and identity assurance, the pilot found that My Number Card verification using an official personal authentication signature certificate can support capturing the latest basic four identity attributes at the point of verification, and that combining the holder’s signing key with PIN or biometric authentication can reduce impersonation risk. Outside the technical scope, the work flagged open questions on rules for issuers, wallets and verifiers, operation of trusted lists, and controls to reduce risks such as users presenting VCs to unintended parties via spoofed verifiers or collusive fraud. The legal analysis noted the approach did not meet the “IC chip” method under the Enforcement Regulations of the Act on the Prevention of Transfer of Criminal Proceeds because the IC chip is not scanned at each presentation, and it set out a potential pathway where a certified provider issues an X.509 certificate and delivers it in VC form, subject to appropriate risk assessment and with verification performed using standard X.509 procedures rather than status and trusted lists.