Skip Navigation

Financial Regulators Introduce Sandbox for Use of Software as a Service (“SaaS”) - Implications for CSPs


On June 28, 2023, the Financial Services Commission (“FSC”) and the Financial Security Institute (“FSI”) held a briefing session to announce a regulatory sandbox to allow financial institutions and electronic financial service providers (collectively, “Financial Companies”) to use software as a service (“SaaS”) offered by cloud service providers (“CSPs”) on their internal networks.
The financial regulators provided information about, among other things: (i) the scope of services for which participating Financial Companies may use SaaS and (ii) how to evaluate the security of the CSP that provides the SaaS.

1.   Permitted SaaS Use Cases

Financial Companies are currently unable to use SaaS because the current Electronic Financial Supervisory Regulations mandate that internal networks and the external Internet be kept separate. With the new regulatory sandbox, however, Financial Companies will be able to use SaaS on their internal networks.
Participating Financial Companies may use SaaS for non-critical services, but not for services that process customers’ personal information, credit information, transaction information, etc. As shown in the table below, the regulatory sandbox will permit the use of SaaS for collaboration tools, ERP, and other internal services, but not for security management, IT development and operation, and customer-related services.





Collaboration tools  

Office software, messenger, design, video conferencing, e-mail, groupware, etc.


HR management, performance management, contract management, finance and accounting, expenditure resolution, etc.

Other internal services

Marketing analysis, analysis of financial indicators, training management, data translation, survey, etc.

Not Allowed

Security management

Comprehensive account management, web isolation (blocking malicious content), document security, secure coding, etc.

IT development and operation

Program development, IT resources management, system failure test, etc.

Customer-related services

Customer support, analysis of customer behavior, response to customer inquiries, management of corporate customers, etc.


2.   CSP Security Assessment

Before Financial Companies can participate in the regulatory sandbox and use SaaS, the CSP that offers the SaaS must undergo a security assessment. The following details regarding the required CSP security assessment were shared during the briefing session.

  • The FSI will perform the security assessment, not the Financial companies themselves.

  • The assessment will cover the CSP’s SaaS-related assets (e.g., the CSP’s host management servers, cloud portals, storages, and virtualization servers), but excludes the terms of contract between CSPs and Financial Companies, and Financial Companies’ own responsibilities.

  • The FSI will evaluate: (i) compliance with laws and policies, (ii) security audits, (iii) response to failures, (iv) service availability, (v) response to breach incidents, (vi) access rights management, (vii) virtualized security, (viii) data protection, etc.

  • The assessment procedure:

Based on Financial Companies’ applications for a regulatory sandbox, the financial authority selects the CSP and services to be assessed and establishes an assessment plan.

The FSI informs the CSP to be assessed about the assessment method, schedule, areas requiring the CSP’s cooperation, etc. and consults with the CSP. (No assessment will be conducted if the CSP declines to cooperate.)

The CSP prepares a self-assessment report as agreed and submits it to the FSI.

The FSI examines the CSP’s self-assessment report and conducts an on-site inspection.

The FSI shares the assessment result with the Financial Services Commission and discloses the final assessment result on its website.

3.   Implications for CSPs

The Innovative Finance Review Committee1 reviews and decides on Financial Companies’ regulatory sandbox applications. The Innovative Finance Review Committee’s next subcommittee meeting is scheduled for late August.
Assistance from CSPs is essential for Financial Companies to obtain the necessary security assessment to participate in the sandbox. Therefore, customers in the financial sector are likely to seek assistance from CSPs for the security assessment when applying for a financial regulatory sandbox.
CSPs could consider consulting with their financial sector customers on whether they plan to apply for a regulatory sandbox, checking which SaaS solutions may qualify for the regulatory sandbox, and preparing for the CSP security assessment.

1   The FSC has formed the Innovative Finance Review Committee to review applications for the financial regulatory sandbox. The Innovative Finance Review Committee consists of up to 25 members, including the Chairman of the FSC (serving as the Chairman of the Innovative Finance Review Committee), experts in the fields of technology, finance, law, and consumer protection, the Vice Chairman of the FSC, vice ministers (or equivalents) of the ministries concerned (i.e., Office for Government Policy Coordination, Ministry of the Interior and Safety, Ministry of Economy and Finance, Ministry of SMEs and Startups, and Ministry of Trade, Industry and Energy), the Vice Chairman of the FSS, and Fintech Center Korea. The Innovative Finance Review Committee may form subcommittees for efficient review of agenda items, smooth budget execution, etc.


[Korean Version]