The Amendment to the Electronic Financial Supervisory Regulations (the “Amendment”), deliberated and adopted by the Financial Services Commission (“FSC”) on December 5, 2018, has become effective as of January 1, 2019.  

The Amendment expands the scope relating to cloud service usage in the finance sector and strengthens its management/supervision systems. 

Key features of the Amendment include: (i) expansion of the scope of cloud usage; (ii) introduction of safety standards for cloud services; (iii) establishment of internal procedures for cloud service usage; and (iv) the provision of the financial supervisory authority’s management/supervision measures in cloud service usage.  The Amendment is a part of the FSC’s systematic advancements as announced in its Plan for Expansion of Cloud Usage in the Financial Sector on July 16, 2018.

Details of the Amendment:

1. Expansion of the scope of cloud usage

The existing financial companies and electronic financial business operators have only been able to use cloud services to process “non-significant information” that do not contain personal credit information and/or unique identification information. 

The Amendment will expand the scope of cloud usage to allow the use of cloud services for the processing of both personal credit information and unique identification information.  However, in order to promptly respond to service interruptions and possible accidents, financial companies and electronic financial business operators will be required to use cloud systems (including management systems) located in Korea for the processing of personal credit information and unique identification information. 

2. Introduction of safety standards for cloud services

The Amendment: (i) prescribes separation/segregation from external networks and encryption of material information as a means of information protection; and (ii) provides standards regarding prevention of/measures against malfunctions to secure safety in the use of cloud services.

3. Establishment of internal procedures for cloud service usage

The Amendment requires financial companies to: (i) strengthen their internal procedure(s) to use cloud services whose safety has been ensured upon undergoing self-evaluations on technical and managerial protection measures; and (ii) to establish an Information Protection Committee to deliberate and resolve safety evaluation results and operation standards, and to report such resolution to supervisory authorities.

4. Strengthening of financial supervisory authority’s management/supervision measures

The amendment also: (i) requires that compensation for damages be specified in the contract to clarify relevant legal liabilities that may arise between financial companies and cloud service providers; and (ii) strengthens the rights of supervisory authorities to monitor and investigate cloud service providers by requiring such rights to be specified in contracts, and obligating financial companies to report the contents of such contracts to the relevant authorities.

Significance:

Meanwhile, through the implementation of the amended Guideline on the Use of Cloud Services in the Financial Industry (the “Guideline”) in January 2019, the FSC has: (i) clarified the details of the Electronic Financial Supervisory Regulations; and (ii) explained in detail, the required procedures, security plan, and standards to evaluate the soundness and safety of cloud service providers.  

As such, while promoting expanded cloud service usage in the financial sector, cloud service providers and customers in the financial industry should closely monitor future developments of the operations of the Amendment and the Guideline as relevant authorities are seeking to strengthen their monitoring/investigative power.