On November 27, 2020, a proposed amendment (the “Proposed Amendment”) to the Electronic Financial Transactions Act (the “EFTA”) was submitted to the National Assembly, which includes new regulations concerning cloud computing services.  The Proposed Amendment is based on the “Comprehensive Reform Plan for Digital Finance” recently announced by the Financial Services Commission (the “FSC”), and is expected to be approved in the plenary session of the National Assembly.  

Under the Proposed Amendment, cloud service providers (including foreign cloud service providers that offer cloud computing service to Korean financial institutions) may become subject to direct supervision and regulation of the Korean financial regulators, as described below.  The current version of the Proposed Amendment introduces the concept of “major outsourcing companies,” which refers to outsourcing companies whose services have a material impact on the stability and reliability of electronic financial transactions.  The Proposed Amendment simply provides that the Presidential Decree of the EFTA would specify which types of service providers would be considered as “major outsourcing companies,” and does not make it clear whether cloud service providers would be deemed as major outsourcing companies.  However, as the Comprehensive Reform Plan for Digital Finance, the basis on which the Proposed Amendment was prepared, mentions the need to strengthen the supervision and regulation of third party risks arising from the increase in IT outsourcing by financial institutions, it is expected that cloud service providers would be deemed as major outsourcing companies and thus would be subject to the following regulations. 

1.   Direct Supervision and Regulation of Major Outsourcing Companies

The Proposed Amendment allows financial regulators to directly supervise and examine major outsourcing companies if deemed necessary to protect consumers and to maintain sound market order.  More specifically, under the Proposed Amendment, financial regulators would be able to (i) request information related to the services provided under the relevant outsourcing contracts; (ii) investigate matters relating to the outsourced services; (iii) request submission of statements and books and records in relation to the investigation, and interviews with the relevant personnel; and (iv) conduct any other matters prescribed by the Presidential Decree of the EFTA. 

Currently, the financial regulators indirectly supervise cloud service providers and other ancillary electronic financial service providers through the financial institutions that are subject to direct supervision and regulation of the financial regulators.  The Proposed Amendment would allow the financial regulators to directly supervise major outsourcing companies such as cloud service providers. 

2.   Corrective Orders as a Result of Supervision and Examination

The Proposed Amendment allows financial regulators to issue corrective orders to major outsourcing companies to take measures necessary to protect consumers and maintain sound market order, based on their supervision and examination activities.  Also, the Proposed Amendment allows financial regulators to take additional measures such as notifying the relevant financial institutions of such failure by the major outsourcing companies, or preventing the major outsourcing company from executing a new contract for six months from the termination of an existing outsourcing contract. 

The Proposed Amendment would allow the financial regulators to directly order and compel major outsourcing companies such as cloud service providers to take necessary measures based on direct supervision and examination of cloud service providers. 

As the Proposed Amendment may have a significant impact on the cloud service industry, we recommend you closely follow further updates as they become available.  Meanwhile, you may consider taking necessary steps in advance so that if cloud service providers indeed become subject to direct supervision and regulation of Korean financial regulators, you would be in a position to deal with any potential supervision and examination.