On August 13, 2024, the Financial Services Commission (FSC) of Korea announced its 「Financial Sector Network Separation Improvement Roadmap」(the Roadmap). This initiative aims to enhance the competitiveness of the financial industry in the rapidly evolving IT landscape.

Background

Network separation policies, while effective in protecting customer information and trade secrets from various security threats, have become increasingly viewed as an outdated and overly restrictive regulation unique to Korea. These policies have been criticized for hindering the global competitiveness of the domestic financial industry, especially in the face of emerging technologies such as cloud computing and AI.

There have been persistent requests for regulatory improvements, citing significant operational inefficiencies for financial companies, hindrances to the adoption of new technologies, and difficulties in research and development due to network separation. In response, the FSC has developed and announced the Roadmap to improve network separation regulations and comprehensively reform financial security laws and systems in the medium to long term, pursuing a paradigm shift to find a new balance between innovation and security.

The Roadmap primarily focuses on: (1) allowing financial companies and electronic financial business entities (collectively, financial companies) to use generative AI; (2) significantly expanding the scope of cloud-based application usage; (3) improving the research and development environment for financial companies; and (4) advancing regulatory exceptions, including the implementation of a “Stage 2 Sandbox.” With the introduction of the Roadmap, it is expected that AI and IT development in the financial sector will be invigorated, and the utilization of financial data will significantly increase.

Key Points of the Roadmap

  1. Allowing the Use of Generative AI

The FSC has announced plans to permit financial companies to adopt and utilize cloud-based generative AI through regulatory sandboxes. This initiative will grant exceptions to current network separation restrictions, allowing financial companies to leverage cutting-edge AI technologies. Recognizing the potential risks associated with generative AI, the FSC will implement comprehensive security measures as prerequisites for participation in these sandboxes. Furthermore, the Financial Supervisory Service (FSS) and the Financial Security Institute (FSI) will play crucial roles in ensuring the safe adoption of these technologies. They will conduct thorough security inspections and provide tailored consulting services for companies applying to the sandbox program.

  1. Expanding the Use of Cloud-Based Applications (SaaS)

The FSC has also announced plans to significantly broaden the scope of Software as a Service (SaaS) usage in the financial sector. This expansion will extend to various business operations, including security management and customer relationship management (CRM). Notably, the FSC will also permit the use of SaaS for processing pseudonymized data and on mobile devices, marking a substantial increase in the potential applications of cloud-based services. These changes are expected to enhance operational efficiency and enable financial companies to leverage cutting-edge cloud technologies across a wider range of their activities. However, recognizing the potential security concerns that may arise from this expanded use of SaaS, the FSC has stated that it will develop and impose specific security measures as conditions for regulatory sandbox designation. This approach mirrors the safeguards being implemented for generative AI usage, ensuring that innovation in cloud services is balanced with robust security protocols.

  1. Improving Research and Development Environment

The FSC will amend the Electronic Financial Supervision Regulation to create a more conducive environment for innovation in the financial sector. These amendments will ease physical restrictions on transferring R&D results, allowing for a more fluid exchange of ideas and technologies within financial companies. Additionally, the changes will permit the use of pseudonymized data in R&D processes, opening up new possibilities for data-driven innovation. Building on the regulatory improvements made in November 2022 that allowed free internet usage in R&D environments, these new changes are anticipated to significantly enhance the ability of financial companies to develop innovative products and services that better meet evolving customer needs.

  1. Enhancing Regulatory Sandboxes

Lastly, the FSC plans to advance its regulatory sandbox program, potentially implementing a “Stage 2 Sandbox” as early as next year, subject to a comprehensive assessment of the operational performance and safety of the current “Stage 1 Sandbox.” This enhanced sandbox environment would allow financial companies to directly process non-pseudonymized personal credit information, representing a significant expansion of regulatory exceptions. However, recognizing the increased data utilization scope, the FSC has stated that it will impose additional security measures. This initiative demonstrates the FSC’s commitment to fostering innovation while maintaining robust data protection standards in the financial sector.

Implication

These regulatory changes are expected to have significant and broad implications for the financial sector in Korea. Through the sandbox program, financial companies will be able to utilize generative AI technologies that were previously restricted, and the scope of permissible SaaS applications will be significantly expanded. These advancements are anticipated to substantially enhance the overall competitiveness of the financial industry.

Specifically, the introduction of AI and SaaS-based solutions is expected to improve operational efficiency in several key areas, including business process automation, Enterprise Resource Planning (ERP) systems, and compliance monitoring programs. Furthermore, these changes are likely to facilitate increased utilization of financial data, particularly in the realm of big data analytics.

However, it is important to note that the FSC has stated it will impose “security measures for expected risks” as conditions for participation in the sandbox program. As such, financial companies should proactively prepare for these requirements. It would be prudent for companies to closely monitor the forthcoming detailed security measures and take preemptive steps to address any necessary preparations.

 

More from Lee & Ko