OpenAI Provides GPT-5.5-Cyber Model to MUFG, SMBC, and Mizuho with Approval from Japan's Ministry of Finance

Japan's Minister of Finance, Satsuki Katayama, confirmed on Friday that MUFG Bank, Sumitomo Mitsui Banking Corporation, and Mizuho Bank will receive access to the GPT-5.5-Cyber, a specialised model from OpenAI available only to organisations with verified responsibilities for critical infrastructure. The confirmation followed a meeting with Jason Kwon, OpenAI's Chief Strategy Officer, in Tokyo. Nikkei had reported on Thursday that the three megabanks were set to join the restricted access programme that OpenAI operates independently from the commercial subscriptions of GPT-5.5.

The model is not an expanded version of the consumer product. GPT-5.5-Cyber has been fine-tuned for defensive tasks: log analysis, threat report synthesis, and automatic configuration patch generation. According to sources close to the negotiations quoted by Nikkei, the system conducts autonomous scans of the banks' internal systems, identifying vulnerabilities before attackers can. The direct competitor mentioned in the Japanese press is Anthropic's Claude Mythos, which the same megabanks plan to operate in parallel.

The Financial Services Agency (FSA) of Japan has formalised a working group with 36 entities to coordinate the use of AI in security within the financial sector, including MUFG, SMBC, Mizuho, OpenAI, Anthropic, and the major cloud providers. The group's mission is to share threat intelligence, draft incident response plans, and establish standards regarding the acceptable level of operational autonomy for AI models in systematically relevant banking systems.

AI as a Tool for Bilateral Diplomacy

The negotiations were conducted during the visit of US Treasury Secretary Scott Bessent to Tokyo, integrating access to AI models into the same framework of bilateral understandings that governs semiconductors and telecommunications networks. OpenAI had extended comparable access to European firms before Japan, according to local press, but without the formal endorsement of any Eurozone finance ministry.

For Katayama, the agreement represents "an important step towards strengthening the cyber defence capabilities of Japanese financial institutions." The context justifies the urgency: MUFG, SMBC, and Mizuho form the backbone of Japan's financial system and process payment, clearing, and settlement volumes whose disruption would have immediate systemic effects. Any breach in any of the three transcends the individual bank.

Two Models, One Regulator

The strategy of operating GPT-5.5-Cyber and Claude Mythos in parallel is significant for a technical reason: the two architectures have distinct approaches to generating alerts and reasoning about vulnerabilities. A bank maintaining both systems can compare the outputs before escalating a defensive action, reducing false positives. This model of competitive redundancy is unusual in enterprise software, where the trend is to consolidate suppliers.

The concentration of two Western AI providers at the centre of the cyber defence system of banks systematically relevant to the world's third-largest economy raises, however, a diversification question that the FSA working group will need to address: who audits the AI models when they become the primary risk detection mechanism?

What This Signals for Other Markets

In Singapore, the Monetary Authority (MAS) has already published guidelines for the use of AI in credit risk and is monitoring the Japanese precedent. DBS, OCBC, and Standard Chartered Asia have operations regulated by the MAS; a documented framework emerging from the FSA is likely to serve as a reference for regulatory reviews in the Asian bloc, from South Korea to Vietnam.

In Europe, the situation is different. The AI Act classifies systems with offensive scanning capability as high-risk categories, even when the use is defensive, creating compliance requirements that complicate adoption by the financial sector. The fact that OpenAI has already extended access to European companies without the formal endorsement of any Eurozone ministry reveals an asymmetry: Japan moved more swiftly because its FSA and Ministry of Finance coordinated deliberately in the process.

For CIOs of banks outside Japan, the most relevant operational data is this: access to GPT-5.5-Cyber is not a standard commercial subscription. It is a credential that requires demonstrating verifiable critical infrastructure responsibilities. The management of relationships with AI laboratories has, in this model, become an institutional security variable, not merely a technology supplier management concern.