Newsletter | December 2014, Issue 4
BANKING
Amendments to Laws and Regulations on Sharing of Customer Data among Affiliates within a Financial Holding Company Group
The Financial Services Commission (“FSC”) announced proposed amendments (“Proposed Regulations”) to the Enforcement Decree and Supervisory Regulations of the Financial Holding Companies Act (the “FHCA”), which was recently amended and went into effect on November 29, 2014. The Proposed Regulations set forth new rules regarding the sharing of customer information among affiliates under a single financial holding company, and are scheduled to enter into force on the same date as the amended FHCA. However, rules regarding ex post notification of information shared with an affiliate, as explained below, will go into effect on May 29, 2015.
Key points of the Proposed Regulations are as follows:
Scope of “Use for Internal Administrative and Managerial Purpose,” under which Information may be Provided to an Affiliate without Customer’s Consent
Affiliates held by a single financial holding company are allowed to share information to (i) engage in risk management, internal control, and/or subsidiary investigation to promote business integrity; (ii) develop products and services, conduct customer analysis, and outsource services to promote synergies within the financial holding company group; and (iii) allocate outcomes and expenses among affiliates. However, introducing customers to products and services, or inducing customers to purchase them, does not fall within these exceptions, and thus the customer’s consent is required for such promotional activities.
Methods and Processes for Sharing of Customer Information
The methods and processes for sharing customer data are set forth in the Supervisory Regulations, which seek to ensure that financial holding companies exercise greater care in managing such information. Key points include:
Client data ledger must not be shared
Must share and use only encrypted client data
Client data received must be stored separately from internal data
In principle, data may only be used for up to 1 month (this period may be extended if necessary for risk management, after consent from the client data manager)
Data must be immediately deleted or destroyed as soon as it becomes obsolete, e.g., when purposes for which information was provided have been achieved
When requesting or providing personal information, the client data manager must evaluate the appropriateness of purpose and period of use, scope of information provided, and the person who will be authorized to use the information, etc.
The client data manager must conduct an annual comprehensive examination regarding how the client data is managed by the various affiliates, and report the findings to the Financial Supervisory Service (“FSS”).
Notice to Customers regarding Provision of Client Data
Under the Proposed Regulations, financial institutions are obligated to provide customers with ex post notice regarding instances in which their data was shared with an affiliate of the company that originally collected the information from the customer. The notice must be provided at least on an annual basis and must contain details regarding the person/entity providing and receiving the information, the specific information provided, and the purpose of such data transfer, etc. This requirement will go into effect on May 29, 2015.