
2025-7-7
How Mercari’s Second-Line Teams Leverage AI/LLMs: Why We Needed to Implement Generative AI for GRC
One example of the vital role played by the three areas of governance, risk, and compliance (GRC) is the work to confirm that newly released products and services comply with laws and ordinances as well as social requirements; equally important are the team structures that support these and other related tasks.
In some cases, companies split the roles of governance into three lines (reference).
Among these, the second line has a central position in the building of structures for risk management and internal audits. The second line is also expected to exert control over risk management, internal audits, and the autonomous risk management of the business division from an independent stance while at the same time supporting the organization.
In concrete terms, the second line keeps up with a vast array of laws, ordinances, and guidelines, updates the structure and content of internal regulations, and interprets the vast reams of information on these topics to incorporate all of this into the company’s structure. At Mercari, our second line is also focusing on generative AI/LLM technologies because they are highly compatible with GRC areas.
For this edition of Mercan, we spoke with Vice President of Merpay Yuki Saito (@yukis) and Risk Team manager Haruki Kaneko (@haruki) about the company’s usage of AI in GRC areas and the details of the background, present, and future outlook of AI/LLM technology implementation at Mercari.
Profiles
- Yuki Saito, Merpay, Inc., Vice President of IT Risk Security Fintech
After graduating from Ritsumeikan University in 2009, Yuki joined Nikon Corporation, where he was in charge of system planning and networks. In 2016, he joined an FX and cryptoasset exchange venture company, where he led corporate IT, product infrastructure, and security domains. Then, after working for PricewaterhouseCoopers Arata LLC (now PricewaterhouseCoopers Japan LLC), in January 2020 he joined the IT Risk Management Team at Merpay. Following this, he took charge of system risk and security in the Fintech domain as Head of IT Risk and Security, before assuming his current position in July 2024. He holds the concurrent position of Director of Mercoin, Inc.
- Haruki Kaneko, Merpay, Inc., Risk Team Manager
Prior to 2021, when he joined Merpay, Inc., Haruki worked for a variety of companies on various projects. These included work for a bank credit card lending company and for a merger company in Vietnam (non-bank institution), development of a scoring model related to loans for individuals purchasing vehicles from a German car maker, formulation of credit suggestion proposals, portfolio management work, and the handling of regulations (such as Basel III). He has been in his current position at Merpay since 2023. He manages a number of company functions including enterprise risk management (ERM), the company’s business continuity plan (BCP), external contractor management, credit risk, liquidity risk, and operational risk.
As a fintech company, making no attempt was never an option
—Let’s jump right in. What prompted Mercari to start using AI/LLMs in GRC areas?
@haruki: Starting last year, Mercari put forward the idea of “Back to Startup” and has been reforming its organization to restore a sense of speed and urgency at the company. As AI/LLM technology adoption gained momentum internally, the members of the second-line GRC teams (such as teams covering risk management, compliance, and anti-money laundering [AML]) took on the task of starting to make a list of all the tasks that would be appropriate for AI/LLM technology implementation. As this was happening, we decided to use AI/LLM technologies more boldly and launched a cross-functional project to support the initiatives of each GRC team.
@yukis: Since Mercari Group is a tech company, we’ve used AI/LLMs to develop products. For instance, at Merpay, we actually leverage an AI score model in our credit review for individuals.
At the same time, we still have some back-office work at the company that we do manually, like tasks involving complicated documents and approval work that requires document signing and sealing. However, with the emergence of AI/LLMs, we’re starting to gain leverage that will allow us to make fundamental changes to that work.
We aim to become a strong organization that has multiplied the potential between technology and finance. To make this happen, we cannot overlook the immense room for improvement that remains to be made using AI. Although AI/LLM usage has been promoted across our organization, what spurred us into action was the feeling that, as a fintech company, there were some essential parts of our work that we should change.
—Could you break down the details of how you use AI/LLMs in your work?
@yukis: When we looked at the option of not using AI/LLMs in our work and thought about this in the mid-to-long term, we concluded that there was a possibility we would substantially lose our competitive edge in the fintech domain. In addition, recent financial services have become increasingly sophisticated at using digital resources.
For example, with the addition of digital payments to conventional services for managing money with a bank book, there are now mechanisms that entwine laws, ordinances, and regulations. Absolutely no one has all of that information on tap at the front of their mind, so if a company is going to implement realistic risk management, they probably won’t be able to cover all of that knowledge with human capacity alone.
What’s more, up until now, credit risk and system risk have not been tied to each other. However, in recent times, if a system bug occurs, it can impact a person’s credit. If companies do not have experts in both credit and system operations, they won’t be able to manage risk effectively. However, leveraging AI technology makes risk management feasible.
@haruki: Looking at the movement of regulatory authorities, last October the Financial Services Agency (FSA) announced a “Call for participation in a questionnaire survey on the status of use of AI (Artificial Intelligence) by financial institutions, etc.” (Japanese version and an English summary are available here). The survey examined the level of interest in AI/LLM technology usage at financial institutions.
—So, what you’re saying is that AI/LLMs have even gained the attention of the authorities.
@yukis: Well, the FSA has been vocal on the subject in a variety of forums and mediums. Case in point, in their AI Discussion Paper, they stated that as areas that amount to black boxes become unavoidable, whether or not a financial institution is able to fulfill its role of accountability as a financial institution will likely become a point that affects the usage and spread of generative AI. While there are risks and concerns involved, the authorities are promoting awareness of the risk of not taking on these challenges to the leadership of each financial institution. You could say that this is also the tailwind driving the implementation of AI/LLM technology.
Be that as it may, finance is a mission-critical area for which 100% success is constantly demanded. If there is even one case where AI fails to deliver on its promises, it will start a chain reaction where critics blame the use of AI, say it isn’t appropriate for financial institutions, and then call for overly strict regulations that would keep the technology from being misused, but also impede the development of the technology for a decade or more. To keep this from happening will require taking a well-thought-out approach while planning carefully.
Realizing AI/LLM usage in GRC areas
—Could you tell us about how you’ve promoted AI at Mercari?
@haruki: At the beginning of the project, our members had different levels of knowledge of and experience with AI/LLMs. Some members questioned what they could actually create using AI. For these reasons, we set aside discussions about the feasibility of using AI and brainstormed about the issues we encountered in our work and where there was room for optimization, involving as many members as possible. In addition, we coordinated with external advisors in the early stages of LLM usage and used it for a task performed in GRC areas, namely evaluating the compliance of internal regulations with laws, ordinances, and guidelines. As a result we shared a successful experience of being able to evaluate our internal regulations more quickly and effectively than we expected.
@yukis: I think we were able to work on this project while maintaining a good relationship with the external advisors. The missions and ideologies of both our company and that of our advisors are very much alike. At the same time, the regulatory technology (RegTech) area is in its infancy, and even for external advisors, there is a need for them to use it to enhance their own company’s services. From Mercari’s perspective, in addition to utilizing software as a service (SaaS), we were able to build mutually beneficial relationships to sustain the momentum of our projects by engaging in collaborative discussions on our internal tools.
Of course, in addition to cooperating with external parties, collaborating with AI-related teams that had expertise in internal tasks and systems was also indispensable. GRC areas and AI tend to be highly compatible in the first place. I believe that having external and internal experts partner together to apply AI/LLM technology was what led directly to the results we achieved.
—So, what did you focus on specifically?
@haruki: Good question. Allow me to talk about the main results we’ve seen in the last six months (October 1, 2024, to March 31, 2025).
The first action we looked at was the efficiency of evaluating how compatible our internal regulations were with laws, ordinances, and guidelines. In our GRC teams, it’s necessary for us to periodically ensure that our internal regulations cover the vast laws, ordinances, and guidelines that shift in alignment with changes in society. By leveraging LLMs to evaluate compliance, we’ve managed to achieve far-reaching optimization. As a result, we received feedback from managers that the work led to a total reduction in work resources of over 70%.
The second action we looked at was the efficiency of advertising screening work. The Compliance Division screens consumer advertisements daily to ensure that they do not contain inappropriate expressions. For this work, we used LLMs to screen short text and the text inside of images, and we made it possible to conduct primary screening regarding the Act Against Unjustifiable Premiums and Misleading Representations. In concrete terms, we performed risk assessments on advertisements based on clearly defined screening standards. In areas where risks were detected, the LLM screening results presented the relevant rules and problem areas, allowing us to indicate a direction for making improvements.
The third action involved generating preliminary replies to the questions we received from regulatory authorities and business partners on our GRC structure. In our areas of expertise there is a large demand for fact-based text, such as the information specified explicitly in our internal regulations. But when we realized that it was possible to provide responses with a high level of accuracy in a shorter period of time than a person ever could, it made sense to introduce AI/LLMs with a focused approach, while having a person check the final results, and that’s exactly what we did.
In the end, the GRC members leveraged ChatGPT models and RPA tools to lead tool and process development and improve work efficiency without relying on the company’s engineering resources. This included a bot that automatically collected and summarized various news items related to regulations and a bot that generated preliminary responses to inquiries received internally.
@yukis: In our initial goal setting, we focused on balancing two things: 1. Refinement of generic GRC work; and 2. work optimization specific to Merpay. How information is managed varies for each financial institution, so when it came to the latter item, we didn’t outsource the work to external partners and instead implemented our ideas with the support of our internal AI experts on the AI Labs team and the help of our engineering organization.
The response and sense of issues gained by challenging ourselves to use AI/LLMs
What we would like to eventually create
—Is there anything you’d like to share about what you’ve achieved so far or about any issues you’ve encountered?
@haruki: Thanks to the members who have taken an active part in the project, we’ve managed to achieve better results than we thought possible. In the beginning, we set goals and milestones within seven subcommittees. However, in the process of working with internal and external experts to search for technological solutions to issues, we discovered solutions that could potentially be applied to other work and by other teams. This in turn accelerated the pace of our progress significantly. As a result, our efforts led to better outcomes than expected for a lot of work.
However, when applying AI/LLMs to our work, there were situations where we had to redesign tasks, such as where the work processes were vague and where the work required the judgement of a specialist. For tasks that people cannot articulate easily, it’s impossible to get sufficiently good results from AI/LLMs. To address this, we made an effort to review and visualize some of our work processes by writing a business requirements document.
Going forward, I would like us to be more proactive about involving employees eager to leverage AI/LLMs over a wider range of areas. Since each of the project members has their core duties, I feel it’s important to assign leadership roles to people who are passionate about AI.
—While eventually the tasks that AI can be relied on to handle will be turned over to this technology, there will still be work that needs to involve people, right?
@yukis: Yeah, I believe there will still be work that needs to involve people. However, we’re already starting to see signs of a future where a business can function with just management and AI. If this becomes a reality, it will be feasible for the company to take care of GRC tasks and operate at the same level or better while payroll costs are half as much. Overall, the changes might only be a few percentage points in efficiency, but for an organization the size of Mercari, this can have a major impact.
—This sounds like it could be really challenging, but surely this is an issue that other companies are also facing.
@yukis: Yeah, I think this is an issue that other companies have also come face to face with. What we tell our members is that employees with a broad outlook who are able to lead during times of transformative change will maintain their market value in the next 10 to 20 years. They cope with handling tasks independently while also having steady practical experience. In addition to this, employees that have a full awareness of the processes for leveraging AI/LLMs are also very marketable. For business professionals looking to advance their careers, having a mindset like this can only be a benefit.
—It sounds like specialized employees working on GRC tasks need to be committed.
@yukis: That’s it exactly. Where AI is concerned, we’re still grappling with the issue of hallucinations (the generation of information that is not factual). Sometimes AI ends up making definitive statements about things that simply cannot be asserted; statements like that can lead to fatal errors in the financial sector. This is precisely why carefully assessing the impact and risk of applying AI and determining the elements of AI that are optimal for us to apply are crucial roles of our second line, a specialized organization tasked with GRC operations.
—Lastly, could you tell us what your outlook is for the future?
@yukis: It’s going to be important for us to transform GRC tasks to make them more AI friendly. It will be a given that AI/LLMs exist as a part of our tasks, and since we can expect this technology to spread, I believe that the time when GRC tasks change fundamentally is coming. I do not want to see us get stuck on the operational processes or fixed preconceived notions that have served us. I would like us to invent a completely new raison d’être for GRC tasks.
@haruki: Using AI/LLMs, we can overhaul the efficiency of GRC tasks like analyzing thick regulation documents and internal regulations, making risk assessments, and performing compliance checks. Once we accomplish this, the people working on GRC tasks will be able to focus on their work more strategically and contribute to the strengthening of the company’s governance structure at a higher level. Additionally, this process will allow each member to actively learn this new technology and how to use it, which will feed their excitement for AI. Their enthusiasm will then spread to others around them, linking naturally to transformation and generating a positive feedback loop. Steady efforts to redesign work processes and perform verification work will accompany AI implementation, but the results we reap will be great, so I would like to continue to promote dynamic projects together with our members.
Photography: Tomohiro Takeshita / Original article: Yuta Ishikawa / English Translation: Mercari Global Operations Team
Related job positions
Here are some of our open positions!
- Security Management Specialist – Mercari
Office: Tokyo, Roppongi Office
Company/Business: Mercari
- Senior Risk Management Specialist – Mercari
Office: Tokyo, Roppongi Office
Company/Business: Mercari
- CISO (Chief Information Security Officer) – Merpay / Mercoin
Office: Tokyo, Roppongi Office
Company/Business: Merpay
- Security Engineer – Mercari
Office: Tokyo, Roppongi Office
Company/Business: Mercari