Japan Moves to Force Crypto Exchanges to Hold Liability Reserves, Ending Cold-Wallet Loophole

Japan’s FSA plans 2026 legislation requiring exchanges to maintain liability reserves or insurance and scrap the cold-wallet exemption after hacks from Mt. Gox to DMM Bitcoin.

Because Bitcoin

November 26, 2025

Japan is preparing to reset crypto custody incentives. The Financial Services Agency (FSA) plans legislation for 2026 that would require exchanges to maintain liability reserves for hack-related losses and abolish the long-standing “cold-wallet exemption” that let platforms sidestep capital buffers by keeping customer funds offline.

The proposed framework borrows from traditional securities rules, where firms hold reserves of roughly $12.7 million to $255 million (¥2 billion to ¥40 billion) depending on trading volume. Exchanges would need to either hold comparable reserves or, under options the FSA is considering, purchase insurance to satisfy the obligation. The blueprint also introduces formal bankruptcy return procedures, empowering court-appointed administrators to handle customer payouts.

The pivot isn’t abstract. Japan is still living with the fallout from Mt. Gox, which lost 850,000 BTC in 2014 and entered bankruptcy; repayments only began in 2024 and are scheduled through October 2026. More recent hits kept the pressure on: in May, DMM Bitcoin lost 4,502 BTC—about $305 million—after North Korean actors reportedly compromised an employee at Ginco, the wallet software vendor DMM used for transaction management. Just last month, roughly $21 million in Bitcoin and other assets was taken from addresses linked to SBI Crypto, with on-chain analysts flagging laundering activity via Tornado Cash and possible North Korean ties. Chainalysis’ mid-2025 update placed Asia-Pacific second globally for crypto thefts, with Japan, Indonesia, and South Korea among the hardest hit.

The critical change here is ending the cold-wallet carve-out. For a decade, operators leaned on air-gapped custody as a regulatory shield and a talking point. That approach reduces the exposed attack surface but often neglects the messy reality: operational keys still transit signing systems, staff still interface with vendors, and policy controls are only as strong as the least disciplined process. By tying operator survival to reserve sufficiency, the FSA is pushing exchanges to rebuild their risk stack around measurable, auditable loss expectations rather than marketing reassurance.

Expect three immediate shifts:

- Architecture: More exchanges will migrate to MPC and hardware-backed signing with granular policy engines, 24/7 monitoring, and enforced separation of duties. “Cold” becomes a spectrum with provable controls rather than a binary state.
- Vendor governance: Wallet-management providers will face higher scrutiny. The FSA is weighing rules that require any company offering crypto-management systems to file prior notice with regulators—an overdue acknowledgment that outsourced software has become a critical weak link.
- Balance sheet planning: Mid-tier platforms will model tail-risk capital the way broker-dealers do. Those unable to warehouse the risk will seek insurance, including derivative-style or parametric covers, if carriers and reinsurers are willing to underwrite at scale.

Musheer Ahmed of Finstep Asia put it plainly: liability reserves function like insurance for bank accounts and could rebuild user confidence, though the added capital burden will raise operating costs. That trade-off is deliberate. When customers shoulder loss risk, exchanges economize on security and skimp on internal controls. When losses threaten capital or premium hikes, operators behave differently—budgets shift, vendor access narrows, and red-team findings get acted upon.

There are second-order effects. Capital requirements at the ¥2–¥40 billion benchmark range will pressure lightly capitalized venues and likely accelerate consolidation, which can improve safety but reduce competition. Insurance substitution helps, yet capacity for large, correlated crypto losses remains thin, and underwriters will demand telemetry, incident disclosure, and disciplined key management. Some venues will grumble and consider offshoring; others will quietly invest and turn compliance into a moat.

Ethically, this approach corrects a persistent misalignment: losses from preventable operational failures should not default to retail. Psychologically, it addresses lingering distrust from Mt. Gox through DMM and SBI by promising a process for recovery that doesn’t rely on ad hoc reimbursements or multi-year bankruptcies. Technologically, it nudges the industry away from “cold wallet theater” toward verifiable control frameworks. And from a business lens, it professionalizes custody into something insurers can price and auditors can test.

If Japan executes cleanly—clear reserve tiers, recognized insurance options, and enforceable vendor rules—it will likely become the reference model for mature-market crypto custody. Not because it eliminates hacks, but because it changes the incentives when they happen.