FSC Released the Revised Draft AI Guidelines for the Financial Sector

On December 22, 2025, the Financial Services Commission (the "FSC") held an AI Council meeting in the financial sector to release the "Draft AI Guidelines for the Financial Sector" (the "Draft Integrated Guidelines"). Until now, the financial authorities have encouraged best practices for the use of AI in financial sector by publishing separate guidelines for AI development, operation, and security. But this time they have consolidated those three pre-existing guidelines into a single document, the new Draft Integrated Guidelines, to reflect the fast-pacing developments in AI technology, including the expansion of of the use of generative AI, as well as the enactment of the Act on the Development of Artificial Intelligence and Establishment of Trust (the "AI Basic Act"), which is scheduled to take effect on January 22, 2026.^[1]

The Draft Integrated Guidelines provide broader and more detailed suggestions and recommendations than its precedssor, the "Guidelines on AI Operation in the Financial Sector," and is therefore expected to have broader impact on the development and use of AI by financial companies, etc. In practice, there are emerging needs for clear definition of roles and responsibilities within a company throughout the AI lifecycle as the coverage of AI governance are now extended to the adjacent areas of data management and security.

The Draft Integrated Guidelines applies both to financial companies and to non-financial companies (e.g., fintech companies) as long as their AI systems have effects on the financial transactions ("Financial Companies, etc."). Even with respect to the services covered by the Draft Integrated Guidelines, it is recommended that the guidelines apply not only to AI services intended for face-to-face use by customers but also to cases where AI systems are used to support or manage the internal work of financial companies, etc.

As for the interplay with the AI Basic Act, when the AI Basic Act and its subordinate laws, regulations, and guidelines (the "AI Basic Laws") and the Draft Integrated Guidelines are in overlap, the AI Basic Act takes precedence. If, however, the AI Basic Act neither applies nor addresses a particular issue, the Draft Integrated Guidelines may come into play.

In line with the "Seven Principles for AI in Finance" announced by the FSC in December 2024, the Draft Integrated Guidelines present, in a systematic and organized manner, detailed tasks and action items to implement each principle. Key details of the Draft Integrated Guidelines addressing the Seven Principles for AI in Finance are set out below:

Principle of Governance

The Draft Integrated Guidelines specify the roles and responsibilities of top management under the Seven Principles for AI in Finance, and require top management, including the CEO, to ensure ongoing oversight of AI development and use by clearly allocating the intra-company roles and responsibilities.

Regarding internal control, the Draft Integrated Guidelines require the highest decision-making body, for example the AI Ethics Committee, to actively engage in major decisions such as enacting and amending ethical principles and related bylaws and approving high-risk or high-impact AI services. They also require a dedicated AI risk management division to operate in a manner that is organizaitonally and functionally separate from the divisions in charge of AI planning and development. In this respect, the Draft Integrated Guidelines can be considered to ensure independence in AI governance based on a mechanism for checks and balances.

Additionally, depending on the risk preferences of Financial Companies, etc., the Draft Integrated Guidelines recommend the adaption of a quantitative scoring system based on four of the Seven Principles, namely Principles of Legality, Reliability, Good Faith and Security, in order to classify each AI service into high, medium and low risk categories. If a total risk score of an AI service is considerably high, the guidelines recommend that it review and reconsider, through a formal deliberation process, whether to roll out the service.

Principle of Legality

Financial Companies, etc. must proactively comply with the AI Basic Laws, which apply across all industries, as well as with the relevant sectoral regulations applicable to their AI developments and uses. The practical importance of the Draft Integrated Guidelines can be found in the fact that it consolidates the key obligations in financial sector previously existing in fragmentation under different laws and regulations and present them as a legally compliant reference in a coherenet and understandable way.

Principle of Subsidiarity

Financial Companies, etc. must put internal management systems in place to ensure that their AI systems are used only as assistant tools in their work, with humans (i.e. officers and employees) retaining the authority over the final decision-making and bearing responsibility for their decisions. The Draft Integrated Guidelines state that when AI models or systems are outsourced from or provided by third parties, including open source, Financial Companies, etc. procuring the AI model or system, not third parties, should bear the responsibility for their use.

Principle of Reliability

Financial Companies, etc. must ensure the reliability of AI services by properly managing model performance and the quality of training datasets, inspecting fairness and bias in both algorithms and datasets, enhancing the explainability of AI outputs, technically verifying AI models or systems, and establishing mechanisms to detect, mitigate, or eliminate errors. The Draft Integrated Guidelines provide sample indicators and practical examples for measuring AI model performance and bias for selected service types, including credit rating services and recommender services for financial products.

Principle of Financial Stability

Financial Companies, etc. must minimize risks related to financial stability throughout the entire AI lifecycle. To achieve this end, the Draft Integrated Guidelines require companies to prepare measures to evaluate and manage systemetic risks, such as overdependence on third parties, coordinated bahaviors among companies in the financial market, and cybersecurity risks and to share and report any incidents that occur or are likely to occur to the financial authorities.

Principle of Good Faith

When using AI to provide customer services, Financial Companies, etc. must implement measures to avoid any conflict of interest and protect financial consumers, with consumer interests given top priority. The Draft Integrated Guidelines specifically require companies to notify consumers in advance of the use of AI and to establish procedures for a prompt response to consumer harms. It should be noted that unlike the AI Basic Act, which requires advance notification only for high-impact and generative AI, the Draft Integrated Guidelines require advance notification for all AI services intentded for the use by customers.

Principle of Security

For AI system security, the Draft Security Guidelines require Financial Companies, etc. to identify AI-specific security threats such as data contamination, model contamination, data leakage of data, prompt injection, and jailbreaking attacks, and to establish counter strategies and measures for each potential security risk. While the Draft Security Guidelines allow Financial Companies etc. to utilize their pre-existing IT security frameworks to handle traditional security issues, Financial Companies etc. are recommended to make modifications, if necessary, to the existing frameworks to address the unique characteristics of AI systems.

The Draft Integrated AI Guidelines for the Financial Sector are expected to take effect within the first quarter of 2026 after the expiration of the public consultation period, January 31, 2026. Not only financial companies such as banks, insurance companies, credit card companies, capital companies, and financial investment business entities, but also non-financial companies such as fintech companies may be covered by the Draft Integrated Guidelines if their use of AI systems could be deemed directly or indirectly affect the provision of financial services. Given this broad scope of application and the need for consistency with the AI Basic Act, relevant Financial Companies, etc. should carefully review the Draft Integrated Guidelines and proactively evaluate its impact on their AI services. Now is the time to distinguish mandatory compliance requirements under the AI Basic Act from the best practice recommended in the Draft Integrated Guidelines, identify the roles and responsibilities relevant departments internally, promptly consult with stakeholders to accurately evaluate the regulatory environment affecting a company' AI services, and establish AI governance strategies and roadmaps without delay.

[1] The National AI Strategy Committee has unveiled the "Draft Korea AI Action Plan" on December 16, 2025 and opened it for public consultation until January 4, 2026. The Draft Action Plan sets out policy recommendations for the FSC as follows: (i) preparation of the "AI Guidelines for the Financial Sector" by the first quarter of 2026 to secure fairness, transparency,and accountability of financial institutions and to ensure financial institutions comply with the AI Basic Act, (ii) establishment of a regular monitoring system for AI risk management, etc. in the financial sector by the fourth quarter of 2026, and (iii) supplementation of the "AI Guidelines for the Financial Sector" by the first quarter of 2027 to reflect changes in regulatory, technical, and business aspects. According to the current Draft Action Plan, the FSC's regular monitoring system for AI risk management, etc. in the financial sector will be in place after the Draft Integrated Guidelines enter into force, and the Draft Integrated Guidelines is likely to undergo further revisions even after it takes effect. So it is necessary to keep in mind these regulatory trajectories and plan ahead.

[Korean Version]

Share

Professionals

Professionals