Policy Advocacy
06/26/2025
Proposal on Legal and Social Infrastructure to Support Initiatives in Gray Zones and Emerging Areas for Promoting Innovation
Atsumi & Sakai
Policy Research Institute
Proposal No. 0005
Published on December 15, 2023
Human Resources and Organizations
- 1. Introduction
- 2. Case Study: Challenges in the Gray Zone
- 3. Administrative Regulations and Organizational Structures Needed to Promote Innovation and Emerging Fields
- 4. Civil and Criminal Sanction Systems Necessary for Innovation and Engagement in Emerging Fields
- 5. Current State in Japan and International Comparison Regarding the Business Judgment Rule under Corporate Law and Directors and Officers Liability Insurance (D&O Insurance)
- 6. Legal Risk Management Framework for Innovation and Emerging Fields
- 7. Summary of Recommendations
1. Introduction
Innovation, as its etymology—“neuer Kombinationen” (new combinations)—suggests, is driven by the combination of business ideas and technologies. Since the 2000s, the widespread adoption of broadband internet, smartphones, and cloud computing has enabled the realization of services that were once considered technically or commercially unfeasible. At the same time, the use of technologies and the emergence of user needs that were not anticipated under existing legal frameworks have become increasingly common.
As these technological advancements and shifts in user demand continue, there is a growing need to fundamentally reassess legal interpretations and institutional frameworks. This policy proposal seeks to address these issues from such a perspective. To facilitate understanding of these technological developments and emerging needs, we begin by reviewing several case studies of new frontier challenges, presented from the perspective of the business operators involved (note: these are the perspectives of members involved in this proposal who were also directly engaged in the respective cases).
2. Case Study: Challenges in the Gray Zone
1) The Birth and Innovation of Electronic Payment Service Providers
This section examines the emergence of electronic payment service providers in the banking sector from the perspective of service providers. While the actual business activities of such providers had existed prior to regulatory recognition, a formal legal framework was established with the amendment of the Banking Act in 2017, which came into effect in June 2018. This framework defined a new business type—service providers that, as external services, access financial institutions’ systems to retrieve data or transmit transaction instructions. Typical applications of such services include personal finance management (PFM) apps and accounting software.
With such software, users are able to automatically generate ledgers based on bank data without manual input. This automation facilitates tasks such as providing financial advice and detecting fraudulent activity, thereby streamlining and simplifying various processes. However, there was a significant gap between these innovations and existing financial regulations and systems, which had not envisioned such use cases.
Before the emergence of this regulated business model, services such as PFM apps and accounting software had been available since around the early 2000s. These services would, with users’ consent, collect the login credentials used for internet banking and access the banking systems on behalf of the users via cloud-based platforms. Even with user consent, the practice of storing passwords raised security concerns, and many financial institutions explicitly prohibited the sharing of passwords with third parties in their terms of service.
In addition, banks were wary of large volumes of access from specific servers to their systems. This sometimes led them to block such connections, based on a balance of interests between user convenience and system integrity. In extreme cases, legal questions were raised as to whether such access could constitute a violation of the Unauthorized Computer Access Law. The following section takes a closer look at the situation prior to the amendment of the Banking Act.
The Japanese Bankers Association, as early as October 2001, issued a document titled “Basic Perspectives on Account Aggregation Services,” which provided guidance on appropriate connection practices. However, at that time, such solutions were offered by a limited number of trusted major system integrators (SIers), and the services were provided on a relatively small scale. These companies, given their credibility, were generally able to coordinate directly with financial institutions when necessary. Furthermore, the number of users—even in the largest cases—was limited to several hundred thousand, meaning the issue had not yet escalated to the level of regulatory concern.
The situation changed significantly after 2010. With the widespread adoption of smartphones and cloud computing, a growing number of personal finance and accounting software services emerged. The smartphone era brought with it individual services with user bases exceeding several million. As these service providers began accessing bank systems on behalf of users, issues arose such as excessively frequent access or heightened concerns within financial institutions about potential indirect liability in the event of information leakage. What had previously been tolerated from a technical standpoint now began to be seen as problematic, owing to the diversification of players and the explosive growth in user numbers.
By around 2014, these challenges became a reality for businesses. As user numbers increased across various software platforms, cases of access being blocked by financial institutions also began to surface. Even when service providers reached out to financial institutions for permission to connect, the absence of clear criteria made it difficult to secure stable connections unless there was explicit commitment at the executive level. On the other hand, users of the software expected uninterrupted services, such as the continuous generation of financial statements. As the businesses scaled, the inability to guarantee stable access became an increasingly pressing concern. At the same time, approaching the financial regulatory authority (in this case, the Financial Services Agency) to resolve these connection issues was not seen as a viable option—at least not at that point in time.
In this context, a stroke of fortune for the software industry was the progress being made in Europe around 2014 toward a legal framework that would allow software companies to access payment services on behalf of users. The Revised Payment Services Directive (commonly known as PSD2) was under development, aiming to require banks and similar institutions in EU countries to provide access to third-party software providers free of charge in the interest of promoting competition and ensuring data portability. This dramatic regulatory shift was drawing attention from financial regulators around the world.
Against this backdrop, Japan also moved forward. The 2018 amendment to the Banking Act introduced a new framework requiring banks to develop and offer application programming interfaces (APIs) as connection points for external software. The amended law also included a best-effort obligation for banks to provide such access. During the regulatory coordination that followed, the security and internal control standards that service providers would be required to meet were clarified. As a result, the initial connection issues were not only resolved, but also paved the way for a more official and structured environment in which a wide range of users could manage their financial assets and accounting automatically.

▲Overview of Data Access and Transaction Instructions via Financial APIs
This diagram illustrates the process by which users authorize third-party apps to access financial data and issue transaction instructions. Upon receiving user consent (①), a financial institution issues an authentication key restricted for use by the specified app (②). The app then uses this key to securely obtain information and initiate transactions (③), enabling the provision of services such as automated household accounting or financial analysis (④).
One takeaway from the above case is the hypothesis that services carrying institutional (i.e., financial regulations and telecommunications-related laws) or reputational risks—regardless of the clear utility they offer to users and businesses—can only be developed by startups with little to lose. It is believed that many incumbent players, including major system integrators, refrained from entering this space, viewing automatic data acquisition functions as an idealistic notion rather than a viable option. This hesitation was driven by concerns over maintaining relationships with financial institutions and the potential reputational risks involved.
2) The Emergence and Innovation of Short-Term Private Lodging Services
In the early 2010s, so-called short-term private lodging (minpaku) began to spread in Japan through overseas intermediary platforms. Sensing this trend, major domestic IT companies also began developing similar services on a trial basis. However, until the implementation of the Private Lodging Business Act in June 2018, there was an ongoing debate over whether such services violated the Inns and Hotels Act. Under that Act, operating a facility that accommodates people for a fee is considered a lodging business, and thus, providing paid accommodation—such as minpaku—without the necessary license was deemed illegal.
That said, the boundary between lodging and short-term lease agreements was ambiguous. Some providers proceeded with minpaku services by concluding short-term lease contracts, effectively sidestepping the lodging business classification. While the Ministry of Health, Labour and Welfare had issued a notice suggesting a one-month stay as a general guideline to determine whether a license was needed, the actual determination was based on a vague criterion—namely, whether the facility constituted the guest’s principal place of residence. This one-month benchmark was only a guideline for the administrative application of the Inns and Hotels Act and was not legally binding; ultimately, the courts had final authority on whether such an interpretation was appropriate. Although this ambiguity created a legal gray zone, some domestic businesses nonetheless chose to enter the field.
During this period, a growing number of inbound travelers to Japan was causing a nationwide accommodation shortage. Domestic travelers found it increasingly difficult to secure reservations, and even when rooms were available, prices had surged due to overwhelming demand. This shortage affected not only tourists, but also Japanese business travelers, many of whom reported difficulties finding lodging. At the time, the number of international visitors to Japan was increasing by several million each year, and with major events such as the 2019 Rugby World Cup and the 2020 Tokyo Olympics and Paralympics on the horizon, the lodging shortage was expected to worsen significantly.
In light of both these social conditions and the fact that foreign companies were already expanding short-term lodging services in Japan, a movement began to legally accommodate such services through the introduction of new legislation. The proliferation of minpaku despite legal ambiguity suggests that society had come to recognize and accept the need for such services. This case serves as an example in which the legal framework was developed after the fact to reflect an already widespread practice.
3) The Need for Legal and Social Infrastructure to Foster Innovation and Emerging Sectors: Insights from Two Case Studies
The new businesses in the two aforementioned case studies emerged in areas that were not explicitly permitted under existing laws and, at least for large corporations in Japan, were generally avoided due to being regarded as gray zones. In countries like the United States, which continues to produce unicorn companies, the prevailing mindset that "if something is not explicitly prohibited, it is permissible" has served as a foundation for fostering innovation. In contrast, in Japan—at least until around 2015—ventures operating even within the bounds of legality could still face reputational damage due to negative public perception, making it difficult to assume the business risks associated with gray zones. Moreover, except in very clear cases, there was a general reluctance to proactively consult with government agencies regarding unregulated legal risks, for fear of "stirring up a hornet's nest." Based on our experience, we observed that this tension often led to innovation being abandoned before any tangible harm had actually occurred.
In such an environment, even incremental pursuit of innovation required some form of reputational support. For example, when venture companies secured business or financial partnerships with financial institutions, those alliances not only facilitated capital-raising and collaborative opportunities, but also had the added effect of enhancing credibility after the fact.
As of 2023, Japan is increasingly expected to promote innovation, in part due to heightened momentum around the creation of startups. However, the structural issues that led to hesitation in engaging with gray zones up to 2015 still persist. In the following sections, we aim to analyze the relevant systems—such as administrative regulations, civil and criminal liability schemes, the responsibilities of directors under corporate law, and challenges related to directors and officers (D&O) insurance—and offer perspectives on the future direction of these discussions. At the same time, we will examine approaches to risk management that companies should adopt in practice.
3. Administrative Regulations and Organizational Structures Needed to Promote Innovation and Emerging Fields
Given the challenges discussed above, it is necessary to first update the nature of regulations. To foster a business environment in which unicorn companies can emerge, the current approach to legislation and legal interpretation within the government must be reconsidered. Specifically, the legal foundation for a startup ecosystem should be developed based on the following three perspectives.
First, the thorough implementation of agile governance. Unlike governance systems where rules and procedures are fixed in advance, agile governance is a concept in which various governance systems—including corporate, legal and regulatory, infrastructure, market, and social norms—continuously and rapidly iterate through a cycle of “environment and risk analysis,” “goal setting,” “system design,” “operation,” “evaluation,” and “improvement” with multi-stakeholder engagement. This allows for flexible legal reforms in response to changes in social interests, business activities, and competitive environments.
Second, a shift in legislative approaches toward principles-based regulations within the government. Legal systems in countries such as the United States often establish purpose-based regulations (e.g., “take necessary measures for...”) and leave specific methods to the discretion of businesses. In contrast, Japan tends to adopt specification-based regulations, which stipulate detailed technical standards (e.g., “... must be within five meters”). Generally, principles-based regulation allows for greater innovation and flexibility in developing new services, while specification-based regulation limits creativity but reduces legal uncertainty and simplifies compliance.
However, with principles-based regulation, businesses must make their own decisions regarding implementation methods, necessitating internal risk management. This presents challenges for companies accustomed to minimizing risk at all costs, many of which still prefer specification-based regulations. Nevertheless, for startups and new business units within major corporations, a legal system centered on principles-based regulation is more desirable. The government should aim to establish such frameworks to support the creation of new industries. For example, the 2020 amendment to the Installment Sales Act introduced principles-based provisions for credit screening methods—a development that should be expanded across government ministries.
Furthermore, legislative processes should incorporate objective and neutral economic analysis, comparing benefits and risks as is common in Western nations. Even principles-based regulation requires clearly defining which legal interests are to be protected. As such, changes in protected interests must be continually reviewed and revised with speed and flexibility through agile governance.
Third, the government’s approach to legal interpretation. While conservative interpretations are often necessary to guard against the worst-case behavior of malicious actors, excessive conservatism can impede innovation. Legal interpretations by government agencies should not only seek to “reduce risk to zero” but also give equal weight to the creation of new industries and the resolution of social challenges. Even if a proactive interpretation leads to misconduct by bad actors, the emergence of beneficial new businesses should be recognized and valued. Officers who make such bold legal interpretations should be commended in personnel evaluations within the government, legal communities, and private sectors.
At the same time, in order to prevent the proliferation of bad actors, ex-post regulation must be strengthened. Expanding the space for creative business innovation through principles-based rules and flexible interpretation increases the risk of misconduct. Therefore, enforcement capacity—including sanctioning systems, staffing, and budget—must be simultaneously bolstered.
In light of these perspectives, initiatives such as those proposed by the Digital Extraordinary Administrative Investigation Committee—including principles-based regulation and non-binding guidance like technology maps that explicitly allow for alternative methods—are critically important. These efforts clarify protected legal interests while empowering businesses to propose implementation strategies. The omnibus legislation submitted by the Committee, covering seven key areas, is a model that should be adopted beyond the Committee’s scope.
Ultimately, the most important issue is not individual reforms but enabling ministries with jurisdiction over specific laws to proactively review and revise their own regulations—rather than relying on other agencies to push for change. This requires administrative reform that promotes voluntary improvement by regulators themselves. Discussions about organizational and personal incentives for public officials should not end with rule changes but should lead to fundamental changes in how public institutions operate. (This is also the goal envisioned by the Digital Extraordinary Administrative Investigation Committee and the Digital Administrative and Fiscal Reform Council.)
Finally, it should be reiterated that shifting away from rigid, rule-based governance toward agile governance is essential. This enables society to respond flexibly and rapidly to changing protected interests, business models, and competitive landscapes.
4. Civil and Criminal Sanction Systems Necessary for Innovation and Engagement in Emerging Fields
1) Integration with Agile Governance
The concept of “agile governance,” which has been gaining attention as a model for promoting innovation, has been extensively discussed by the Ministry of Economy, Trade and Industry’s “Study Group on New Governance Models in Society 5.0.” While this model has primarily been applied in the context of administrative regulatory reform, civil and criminal sanction systems also significantly influence the relationship between corporate behavior and legal systems. Therefore, it is useful to consider the role of civil and criminal sanctions as domains connected to agile governance.
2) Necessity of a Responsibility Framework That Provides Proper Incentives
Current regulatory and liability rules are based on the assumption that desirable decisions and actions can be clearly defined in advance. That is, when an accident occurs, those who could have foreseen and avoided it bear civil liability, and licenses and other ex-ante regulations are applied accordingly. However, in scenarios involving highly autonomous machines operating in coordination with humans—such as automated driving systems or heavy machinery support systems—much of the scientific understanding of complex interactions is still underdeveloped, and such systems are constantly evolving. Given the probabilistic behavior of AI, questions arise as to whether traditional concepts such as “negligence” or “defect” can be applied as-is.
Consequently, instead of a legal system premised on the ability to define the “correct answer” in advance, it is necessary to establish civil and criminal liability frameworks that provide flexible and appropriate incentives for companies to prevent and respond to accidents.
3) Civil Liability
While “liability” is a multifaceted concept, traditional civil liability has been understood as linking “blameworthiness” (moral condemnation of accidents, etc.) and “burden liability” (seeking monetary compensation, etc.). The essence of blameworthiness lies in condemning decisions or actions that, despite having significant societal consequences, are not grounded in justifiable reasons. From this, legal condemnation for “negligence”—i.e., failure to take sufficient care to prevent an accident—and the obligation to compensate for the resulting damage, are derived.
In Society 5.0, however, blameworthiness requires a different approach. In an environment where highly autonomous machines interact with humans to form the social system, the probabilistic behavior of AI and systemic complexity make it difficult to avoid undesirable events—even with careful individual conduct. It is also often difficult to predefine what constitutes “sufficiently careful” behavior, i.e., justifiable conduct.
In this context, where undesirable events and unforeseeable circumstances are expected to be the norm, it is important to continuously reevaluate both the probability of such events and the adequacy of existing risk management strategies. Accordingly, a liability system that incentivizes companies to “continuously reassess” risk management practices becomes critical. This can be viewed as a shift to “accountability-based liability,” where entities are required to justify the actions that led to undesirable events.
Specifically, the following approaches are proposed:
First, the adoption of a “strict liability rule.” Under this rule, entities that develop or supply cyber-physical systems (CPS)—which integrate cyberspace and physical space—are liable for any harm caused by such systems, regardless of the reason. Developers and suppliers are thereby incentivized to constantly review their risk management practices, weighing the costs of harm mitigation against the cost of implementing preventive measures. These costs would be reflected in product pricing, thereby maximizing social benefit through market mechanisms.
However, to make strict liability functional, the responsible party must be aware of the risk. In the dynamic and complex environment of Society 5.0, it is practically impossible—and prohibitively expensive—for a company to identify all risks in advance.
Second, therefore, a disclaimer system should be introduced in parallel with strict liability for “unrecognized risks.” To avoid moral hazard (i.e., the failure to search for risks), entities seeking exemption must bear the burden of proof that such risks could not have been identified despite appropriate efforts.
Traditional negligence liability is broken down into (1) risk identification, (2) damage prediction, and (3) preventive measures, with courts ultimately judging each aspect. In contrast, the strict-liability-with-exemption system imposes (1) as a de facto duty of conduct but assigns full responsibility for resulting damages, regardless of (2) and (3), to the company. This allows businesses to make autonomous decisions about risk management while preserving innovation. Moreover, strict liability lacks the element of moral condemnation, setting it apart from traditional negligence frameworks.
Third, the limitation of corporate financial capacity to compensate for damages under strict liability must be addressed. Thus, it is necessary to establish an insurance system to cover such liabilities. Additionally, a collective compensation scheme is needed to compensate victims for harm caused by “unrecognized risks,” which would not be covered under standard liability frameworks.
In summary, to respond effectively to the new technologies of Society 5.0, the traditional negligence-based liability model should not be taken for granted. Instead, civil liability frameworks should be reconsidered to provide appropriate incentives to companies.
4) Criminal Liability
Criminal liability must also be reconsidered based on the concept of accountability. One possible direction is the adoption of Deferred Prosecution Agreements (DPAs), which have gained traction globally in the context of corporate crime.
Originating in the United States, a DPA allows a company to avoid prosecution by admitting wrongdoing, cooperating with authorities, implementing measures to prevent recurrence, compensating victims, and paying fines. In the U.S., companies that forgo DPAs face risks of astronomical fines, license revocations, and even bankruptcy. Furthermore, whistleblowers receive strong protections and monetary rewards, making it highly risky for companies to ignore misconduct.
Given this background, adopting a DPA-like framework in Japan for companies that develop or supply CPS—when undesirable events occur—could create strong incentives for businesses to proactively review their risk management and respond responsibly in crisis situations. Linking victim compensation and disclosure obligations to DPA conditions can also help reduce enforcement costs and prevent misuse of exemption systems.
Traditionally, Japan’s criminal liability system has focused on assigning blame to individuals whose “negligence” led to undesirable outcomes. However, when dealing with accidents involving probabilistic AI behavior or systemic complexity, assigning individual responsibility becomes opaque and potentially discourages innovation. Additionally, product and service quality is often shaped more by a company’s governance and culture than by individual actions. Thus, the effectiveness of individual criminal liability in mitigating CPS-related risks is questionable.
Moreover, Japan’s conventional criminal justice system—reliant on public investigative authority and limited resources—faces practical challenges in responding to corporate misconduct on a global scale. This raises concerns about poor corporate practices prevailing over ethical ones.
In light of the above, criminal liability should also be redesigned to provide companies with incentives for responsible innovation through creative and accountable behavior.
5. Current State in Japan and International Comparison Regarding the Business Judgment Rule under Corporate Law and Directors and Officers Liability Insurance (D&O Insurance)
As discussed above, while administrative regulations and civil/criminal legal systems are important, it is also worth emphasizing that ultimate decision-making lies with individual executives. This raises the question: when a business operator ventures into a so-called "gray zone" and is later found to be in violation of the law, how is the responsibility of directors evaluated under civil and criminal law in Japan compared to other jurisdictions? In this section, we examine the current legal framework in Japan and the role of Directors and Officers (D&O) liability insurance, considering implications from the perspective of corporate law.
1) The Business Judgment Rule in Japan
a) Civil Liability
Under the Companies Act of Japan, directors owe a duty of due care of a prudent manager (Article 330 of the Companies Act, Article 644 of the Civil Code), and if a violation of this duty causes damage to the company, the director is liable for such damages (Article 423(1) of the Companies Act). Directors are also obligated to perform their duties in compliance with laws and regulations (the duty of legal compliance, Article 355 of the Companies Act).
Although the business judgment rule has not been explicitly defined in case law, courts often evaluate directors' decisions in light of the understanding that business judgments are often made under fluid circumstances and may involve risk-taking. To avoid discouraging such decision-making, directors are granted broad discretion within the scope of their authority. Judicial scrutiny typically focuses on whether there was any negligent error in the recognition of the facts that formed the basis of the business decision, and whether there were any grossly unreasonable elements in the decision-making process or content (e.g., Supreme Court, July 15, 2010, Hanrei Jiho No. 2091, p. 90).[1]
There is also a Supreme Court precedent where a director was not held liable due to lack of awareness of the legal violation (Supreme Court, July 7, 2000, Minshu Vol. 54, No. 6, p. 1767). In this case, regarding loss compensation provided by a securities company, the Court found that the director did not recognize that the conduct violated the Antimonopoly Act. The Court held that to hold a director liable for damages due to a legal violation, intentional or negligent conduct on the part of the director must be established.
Specifically, the Court pointed out that: (i) although the director was seriously concerned about whether the compensation violated the Securities and Exchange Act, he did not consider the applicability of the Antimonopoly Act; (ii) at the time, the relevant authorities did not regard such compensation as problematic under the Antimonopoly Act; and (iii) it was approximately nine years after the compensation was provided that the Fair Trade Commission issued recommendations on the matter. These circumstances made it unavoidable that the director did not recognize the conduct as a violation of the Antimonopoly Act, and the Court denied liability.
Conversely, there are many cases in which directors have been held liable for breach of duty when they were aware of the legal violation (e.g., Tokyo District Court, December 22, 1994, Hanrei Jiho No. 1518, p. 3; Tokyo District Court, June 20, 1996, Hanrei Jiho No. 1572, p. 27; Tokyo District Court, March 28, 2022, Shouji Houmu No. 459, p. 131).[2]
b) Criminal Liability
In Japanese criminal law, the business judgment rule is not recognized as a separate concept from its civil counterpart. Generally, it is understood that the business judgment rule should not apply to cases where a director acts for personal gain or in breach of their fiduciary or duty of care obligations. It is assumed that the rule applies only when the director has not engaged in unlawful conduct (e.g., Supreme Court Third Petty Bench Decision, November 9, 2009, Keishu Vol. 63, No. 9, p. 1117).[3]
That said, there are cases where courts have applied the business judgment rule even in the presence of legal violations and denied criminal liability (e.g., Hiroshima High Court, April 19, 2017, available on the court’s website, Case No. (u) 71 of 2016). Thus, under Japanese law, even if an action turns out to be unlawful, this does not necessarily amount to a breach of the business judgment rule, though broad immunity is not recognized.
c) Summary on Japan
As seen in the Japanese case law, under the business judgment rule, if a director did not recognize the legal violation at the time of the act, liability may not be imposed. On the other hand, where a director is aware of the legal violation, the application of the business judgment rule is limited. With these observations in mind, the next section will explore how similar issues are treated in other jurisdictions.
2) The Business Judgment Rule in Other Jurisdictions
To provide a comparative perspective on Japanese law, this section introduces the legal frameworks of jurisdictions where business judgment in gray areas is either broadly protected—such as Delaware and Nevada in the United States—or where legal certainty is pursued through codification of the business judgment rule, as in Germany.
a) The Business Judgment Rule in the State of Delaware, U.S.
Under Delaware law, directors owe fiduciary duties, which are primarily categorized as (i) the duty of care and (ii) the duty of loyalty. According to Delaware case law, even when a director’s business decision causes harm to the company or shareholders, as long as the decision was made within the scope of the director’s authority, with due care and in good faith, it is protected under the Business Judgment Rule (BJR).
Delaware courts focus not on the “result”—i.e., the failure of a business that involved uncertain or gray legal areas—but rather on whether there were flaws in the “process” that led to the decision (e.g., Litt v. Wycoff, 2003). Furthermore, mere proof of “gross negligence” is insufficient to impose liability on directors; liability is generally found only where directors acted “in bad faith.”[4] Plaintiffs are required to allege specific facts supporting a breach of fiduciary duty that the directors could have recognized (e.g., In re Citigroup Inc. Shareholder Derivative Litigation, 2006; Construction Industry Laborers Pension Fund v. Bingle, 2022).
Examples of such “specific facts” include cases where (i) the board approved a massive acquisition after holding only a single meeting, without due diligence, experienced advisors, or detailed presentations by management; or (ii) the board approved the acquisition of a company controlled by one of the directors, who was facing financial difficulties, and the approval was driven by personal rather than corporate interests (Trenwick America Litigation Trust v. Ernst & Young, 2006).
b) The Business Judgment Rule in the State of Nevada, U.S.
Nevada law codifies the business judgment rule in Nev. Rev. Stat. Ann. § 78.138. Subsection 4 allows directors, in making business decisions, to consider (i) the interests of employees, suppliers, creditors, or customers; (ii) the interests of the state or national economy; (iii) the interests of the community and society; (iv) the long-term or short-term interests of the corporation; and (v) the long-term or short-term interests of the corporation’s shareholders.
Subsection 5 provides that directors are not required to make decisions solely based on the interests of any particular shareholder group or constituency. Subsection 3 establishes a presumption that directors act in good faith on behalf of the corporation, and the burden of proof is on the plaintiff to show that a director's business decision was not made in the corporation’s best interest.
c) The Business Judgment Rule in Germany
Under German law, directors must perform their duties with the care of a prudent and conscientious business manager (Aktiengesetz, or Stock Corporation Act, §93). They are also obliged to preserve any trade or business secrets learned through their directorial position. If a director breaches these duties and causes damage to the company, they are liable for damages, and the burden of proof lies with the director to show that they fulfilled their duty of care.
Following the 2005 amendment to the Stock Corporation Act, the business judgment rule was codified in the second sentence of §93(1): if a director makes a business decision in a reasonable manner, based on appropriate information and in the best interests of the company, it is not deemed a breach of duty. However, a failure to meet the rule’s requirements does not automatically mean a breach of duty—courts are required to examine whether the decision was careless and caused damage to the company.[5]
For the business judgment rule to apply, the following five requirements must be met:
A business decision as an entrepreneur – This involves selecting the best course of action for the company from among various legally permissible options after a balanced consideration of risks. The decision must be informed and involve a comparison of viable alternatives.[6] For instance, entering into a cartel agreement—an act that is clearly illegal like bribery or money laundering—would not fall within the scope of a protected business judgment, even if the chance of exposure is low or the potential profits are high. Similarly, if a director acts beyond the company's stated business purpose, the rule will not apply.[7]
Reasonable belief that the action is in the company’s best interests – “Company’s best interests” refers not only to shareholder value but also to creditors, employees, and public interest.[8] Whether this belief is reasonable is assessed based on the director’s subjective intent to benefit the company.[9]
No special interest or external influence – Although not explicitly codified, this requirement is supported by case law and academic literature. It means that the director must not act for personal gain or for the benefit of close affiliates—i.e., they must avoid conflicts of interest.[10]
Reasonable basis of information – This does not mean that directors must exhaust every possible source of information. Rather, they must prepare thoroughly and collect sufficient information in light of the specific risks and context. Whether the decision was made carefully is determined by factors such as (a) the timeline of decision-making, (b) the nature and impact of the decision, (c) access to relevant information, and (d) the cost-benefit balance of gathering such information.[11] Although consulting external experts does not automatically meet this requirement, where the director lacks relevant expertise and properly informs an independent and reliable expert before relying on their advice, the “principle of reliance” may shield the director from liability.[12]
Good faith – This means that the director must have made a sincere effort to act in the company’s best interests. That said, because directors are already expected to act in the company’s interest, this condition is generally not viewed as imposing a heavy additional burden.[13]
3) Directors and Officers Liability Insurance (D&O Insurance)
As discussed above, some jurisdictions seek to limit the scope of legal liability under the business judgment rule or to clarify its application through statutory codification. At the same time, even in cases where liability is recognized, efforts to limit financial exposure—such as through D&O insurance—also play an important role. This section explores the status of D&O insurance in Japan and other jurisdictions.
Directors and Officers Liability Insurance (D&O insurance) generally refers to liability insurance that covers damages (such as compensation and litigation costs) arising from claims for damages made during the insurance period, resulting from the execution of duties by corporate officers. By implementing D&O insurance, companies are expected to foster a business environment where directors and officers can make bold and proactive decisions without undue fear of liability, as the insurance provides financial protection for third-party and intra-company claims arising from their actions.
In Japan, the 2019 amendment to the Companies Act introduced procedural requirements for entering into D&O insurance contracts. Specifically, a resolution of the general shareholders’ meeting (or the board of directors in companies with a board) is required for a company to enter into a D&O insurance contract (Article 430-31 of the Companies Act).
In other countries, D&O insurance is explicitly recognized by statute. For example, under Delaware General Corporation Law—one of the representative corporate laws in the United States—companies may purchase D&O insurance for their officers without distinguishing between third-party and intra-company liability (Section 145(g)). Similarly, the UK Companies Act 2006 provides that a company may purchase and maintain insurance for a director of the company or its affiliates to cover liabilities arising from negligence or breach of duty related to the company (Section 233).
In contrast, in Germany, prior to 2009, there was debate over the legality of D&O insurance funded by the company. However, the 2009 amendment to the Stock Corporation Act (Aktiengesetz) resolved this by stipulating that if a company enters into a D&O insurance contract for a director using company funds, the policy must require the director to bear at least 10% of any damages, up to 1.5 times the director’s fixed annual compensation (Section 93(2)). As a result, the legality of company-funded D&O insurance is now widely accepted in Germany.
Although there is generally no statutory distinction between coverage for third-party and intra-company liability, D&O insurance policies in countries such as the U.S. typically exclude coverage for intentional illegal acts. It is widely believed that no insurer would provide coverage for such acts, and case law has established that public policy prohibits indemnification for willful or intentional violations of rights, fraud, or knowing violations of the law.
In the UK, insurers are exempt from liability for: (i) criminal fines, (ii) punitive damages, (iii) civil liability resulting from violations of statutes, and (iv) civil liability arising from fraudulent or dishonest acts committed with intent. There are also court decisions denying D&O coverage where a director caused damage through intentional or reckless conduct, obtained unjust enrichment, or violated laws or regulations.
In Germany, model insurance policies typically exclude coverage for liability arising from intentional breaches of duty, as well as criminal penalties and administrative fines. Insurance coverage for fines and penalties is considered invalid under German law as contrary to mandatory legal provisions (Section 134 of the Civil Code) and public policy (Section 138 of the Civil Code).
Thus, while jurisdictions such as the U.S., the UK, and Germany generally exclude coverage for willfully illegal acts under case law and insurance clauses, the extent to which negligent acts are covered varies depending on the terms of the policy.
In Japan, D&O insurance policies typically exclude coverage for “criminal acts” without distinguishing between intentional and negligent conduct. Consequently, even if a director chooses a course of action in a legal gray area based on a proactive business judgment and is later fined for violating the Inns and Hotels Act or similar industry-specific regulations, such conduct may not be covered. This has raised concerns that such exclusions could discourage directors from taking necessary business risks.
4) Summary of Director Liability for Business Decisions
As discussed, while Japan’s business judgment rule may allow for director immunity in the context of new businesses operating in legal gray areas, its scope may be more limited compared to jurisdictions that actively apply or codify the rule. D&O insurance can also support directors’ decision-making within certain boundaries; however, coverage may be unavailable if the conduct in question ultimately constitutes a criminal offense.
Given this landscape, there is hope for further development of the business judgment rule to better support ventures into gray areas and for expanded applicability of D&O insurance. Nevertheless, even under the current legal framework, it is crucial to implement appropriate risk management frameworks to facilitate responsible engagement in legally uncertain areas of business.
6. Legal Risk Management Framework for Innovation and Emerging Fields
1) Challenges Faced by Companies Regarding Legal Gray Areas
Innovation inherently involves trade-offs with risk. However, in Japan, many corporate legal departments and law firms are said to base their legal judgments on the premise of "eliminating all risks." While such a mindset ensures strict compliance, it also has adverse effects—namely, it can obstruct the launch of new businesses in innovative and emerging fields, which often fall into legal gray areas where interpretations of the law are not yet established.
2) Trends in Legal Risk Management
Looking at global trends, the concept of "managing risk" instead of "eliminating risk" has gained traction, as exemplified by the publication of ISO 31022:2020 (Guidelines for Legal Risk Management). In Japan, legal practices often result in conclusions such as "the business cannot proceed due to legal risk," bypassing the risk management process altogether. Particularly with respect to regulatory gray zones, it is not sufficient merely to “identify” vague provisions in relevant laws. One must also “analyze” the degree of infringement on legal interests based on the law’s underlying purpose, consider how the business might benefit those legal interests, examine past enforcement trends and the behavioral logic of regulators, and then “evaluate” the risk.
According to ISO 31022, evaluation should consider both the "likelihood" of occurrence and the "consequences of events." It is equally important to propose "responses" based on this evaluation—such as innovative business model designs to mitigate risk, or contingency plans in case of regulatory intervention.
In short, all legal professionals, especially those in corporate legal departments, must shift their mindset from "eliminating risk" to "managing risk." Legal risk management consists of four core processes: identification, analysis, evaluation, and response.[14]
3) Official Endorsements from Regulatory Authorities as a Risk Mitigation Tool
From a legal risk management perspective, what is the value of the traditional approach of seeking legal interpretations or behavioral guidance from government authorities?
This approach should not be dismissed outright. It has both advantages and disadvantages. On the plus side, aligning with government authorities in advance (and voluntarily refraining from activities outside the agreed scope) can significantly reduce the likelihood of surprises from regulators, thereby improving predictability as one form of risk mitigation.
On the downside, government agencies have their own institutional missions and purposes, which differ fundamentally from those of businesses that prioritize economic activity. In the context of risk management—where risk is defined as uncertainty surrounding the achievement of objectives—even a single minor incident may be seen as entirely unacceptable by a regulator depending on the legal interests involved. Thus, it is a gross misjudgment to blame conservative regulators for a company’s inability to take risks. Ultimately, whether or not to seek “official endorsement” is just one among many options for reducing risk—and it is entirely up to the company to decide.
With this in mind, companies must assess whether this risk mitigation measure is the only viable option, develop multiple mitigation strategies, and take calculated risks based on their own ingenuity and responsibility. The core issue lies in whether decision-makers are abdicating their authority and responsibility by shifting all risk onto the regulators.
4) Growing Need for Legal Risk Management: Technological Progress Continually Generates New Legal Gray Areas
As discussed above, the legal risk management framework was published in May 2020 as the international standard ISO 31022:2020. This framework aligns with ISO 31000:2018, a general-purpose risk management standard applicable to all types of risk. These frameworks provide valuable tools for organizations to manage uncertainty in achieving their goals.
Crucially, the need for legal risk management will only increase in the future; it will never diminish. That is because legal rules, including laws and regulations, are always older than the technologies and services they aim to govern, resulting in inevitable gaps. Laws are created based on legislative facts available at a particular point in time in the past. The older the law, the greater the gap with current technologies and services. As discussed in the context of agile governance, the fusion of cyberspace and the physical world, combined with the rapid acceleration of technological advancement, makes legal gray areas unavoidable. For instance, the Inns and Hotels Act was enacted in the late 1940s, long before the advent of the internet. It is not difficult to imagine that even the most capable legislators and administrators of the time could not have foreseen real-time, internet-based home-sharing services like Airbnb.
In light of the inherent gap between legal rules and technological developments, the legal risk management framework—with its built-in flexibility for legal interpretation and fact-finding—can become a core pillar of applied legal practice that supports smart risk-taking. In today’s rapidly advancing technological environment, the importance of legal risk management will continue to grow. Companies must adopt it without delay, as doing so will also contribute to enhancing their corporate value.
5) Legal Risk Management Framework to Enable Smart Risk-Taking
One potential solution is to integrate the ability to manage risk—a skill traditionally neglected in formal legal education and left to on-the-job training in law firms and corporate legal departments—into the core competencies of law students and legal practitioners through better learning environments.
Consider the following hypothetical world: imagine if the three founders of Airbnb had instead been young Japanese graduates—one from the University of Tokyo and two from Tokyo University of the Arts—who came up with exactly the same idea for a platform that matches travelers with hosts willing to rent out unused rooms.
If these Japanese founders were the first in the world to launch such a business, would Japan’s legal experts and business professionals have enabled or buried the idea?
At this crossroads, the implementation of applied legal skills that support smart legal risk-taking would undoubtedly be a decisive factor. It has been more than three and a half years since the Ministry of Economy, Trade and Industry’s report on “Enhancing the Legal Capabilities of Japanese Companies to Strengthen International Competitiveness” was released in November 2019. As aggressive legal practices become increasingly connected with regulatory reform and agile governance, legal risk management is entering a new phase as a clinical legal technique.
7. Summary of Recommendations
In the coming society, where various forms of infrastructure are naturally becoming digital, it is expected that the use of generative AI will bring about a wide range of everyday conveniences through automated and autonomous services. Given that artificial intelligence exhibits probabilistic behavior to some extent, it is inevitable that the number of areas considered as “gray zones” will increase.
To ensure an environment in which innovation can emerge under such business conditions, it is essential to develop systems that allow businesses to actively innovate within these gray zones. While it is hoped that administrative regulations will be addressed in a more comprehensive manner, it is also necessary to review not only such regulations but also the civil and criminal liability frameworks that have long been taken for granted.
Furthermore, it is important to establish clear criteria for the application of the business judgment rule for corporate officers and directors with respect to gray zones, and to enhance the availability of safety nets such as Directors and Officers (D&O) liability insurance.
At the same time, companies do not have the luxury of waiting for all these issues to be resolved. Rather than shrinking back in the face of legal uncertainty, they must develop appropriate risk management strategies that allow them to deal with gray zones properly, thereby continuing to engage with these areas while promoting innovation.
[1] Takayasu Okushima et al., New Basic Law Commentary [2nd Edition], Companies Act 2, p. 90 (section authored by Mika Takahashi, Hōgaku Seminar Extra Edition No. 243, 2016).
[2] Wataru Tanaka, Companies Act [4th Edition], p. 287 (University of Tokyo Press, 2023).
[3] Mitsuo Kondo, Jurisprudence on the Business Judgment Rule (Chuo Keizaisha, 2012), states that: “The application of the business judgment rule requires that directors have not committed any violations of law and have actively made management decisions. Whether or not a violation of law has occurred is naturally subject to judicial determination, and it is therefore inappropriate to interpret unlawful conduct as falling within the scope of a director's discretion.”
[4] “Bad faith” refers to an intentional dereliction of duty—a conscious disregard for one’s responsibilities. It encompasses actions taken for purposes other than pursuing the best interests of the corporation, actions taken with the intent to violate applicable laws, or knowing omissions of required actions where the director intentionally fails to act and knowingly disregards their duties. (8 Del. C. § 102(b)(7)(ii); In re Citigroup Inc. S'holder Derivative Litig., 2006)
[5] Hiroyuki Fukutaki, “A Memorandum on the Business Judgment Rule: Its Hermeneutic Position under German Law,” Kansai University Law Review, Vol. 64, No. 5, p. 1876 (2015).
[6] Eiji Takahashi, “The Development and Challenges of the Business Judgment Rule in Germany and Japan (Part 1),” Shoji Homu, No. 2047, p. 19; and Hiroyuki Fukutaki, supra note [5], p. 146.
[7] In the explanatory memorandum to the German government's draft of the UMAG, which introduced the codification of the business judgment rule, it is explicitly stated that: “When a decision to take a certain action is mandated by law—that is, actions that violate duties of loyalty, disclosure obligations, or other legal or statutory provisions—such actions must be distinguished from entrepreneurial decisions, and no safe harbor should be granted for general violations of laws or articles of incorporation.” In other words, at the time of codification, the prevailing view appeared to be that “even if a violation of law might benefit the company, the business judgment rule does not apply to such illegal conduct.” (Japan Exchange Group, Financial Instruments and Exchange Act Study Group, “The Business Judgment Rule in Germany” (September 26, 2014), https://www.jpx.co.jp/corporate/research-study/research-group/nlsgeu00000165yr-att/20140926_1.pdf)
[8] Eiji Takahashi, supra note [6], p. 20.
[9] Hiroyuki Fukutaki, supra note [5], pp. 147–148.
[10] Eiji Takahashi, supra note [6], p. 20.
[11] Eiji Takahashi, supra note [6], p. 21.
[12] Ibid.
[13] Ibid.
[14] See: Yuichiro Watanabe, Aggressive Legal Affairs: A Textbook on Legal Risk Management for Achieving Growth (Nippon Kajoshuppan, 2023).
Contact Information
For general inquiries regarding this policy proposal, please contact:
Atsumi & Sakai / Prototype Policy Research Institute
Email: public-inst.contact@aplaw.jp
(Published on December 15, 2023)
Research Group Members and Fellows Related to This Article
*In no particular order
Author
Takafumi Ochiai
Attorney
Senior Partner at Atsumi & Sakai
Tatsuya Kurosaka
CEO, Kuwadate Inc.
Project Associate Professor, Graduate School of Media and Governance, Keio University
Toshio Taki
Executive Officer, Group CoPA (Chief of Public Affairs)
Head of Sustainability and Head of Money Forward Institute of Economic Research
Yosuke Miyata
K.K. poliflect, CEO
Kosuke Kunimine
Attorney at Kunimine Law Office
Hiroki Habuka
Research Professor, Graduate School of Law, Kyoto University/Visiting Professor, University of Tokyo Graduate School of Law and Politics/Attorney-at-Law (Japan & New York State)/Representative Director & CEO, Smart Governance, Inc.
Yuichiro Watanabe
Lead Counsel, Airbnb Japan
Board Member, Japan In-House Lawyers Association (JILA)
Tatsuhiko Inatani
Professor, Graduate School of Law, Kyoto University
Hironobu Azuma
Principal, The Japan Research Institute, Limited (JRI)
Project Professor, Organization for Research Promotion, Osaka Metropolitan University
Naoyuki Inui
Attorney, Atsumi & Sakai
Reisuke Makuta (Attorney, Atsumi & Sakai)
Akane Mori (Attorney, Atsumi & Sakai)
Takahiro Yokoyama (Attorney, Atsumi & Sakai)
This policy proposal was prepared based on interviews with experts from both the public and private sectors, in addition to the above authors and contributors; in particular, the members listed above made significant contributions.