On April 14, 2022, the Financial Services Commission (the "FSC") issued a press release announcing plans to improve cloud computing and network separation regulations (the "Plan"), which have been an obstacle to financial institutions and electronic financial business operators (collectively "financial service providers") in their efforts to develop and use new digital technologies.
The Plan will significantly relax the relevant regulations, which have been criticized as impediments to innovation in the financial sector. The details of the Plan, and their implications for financial service providers and cloud service providers ("CSPs"), are as follows:
Changes to Cloud Regulations
1. Clarification of standards for assessing significance of cloud computing service use
Under the current regulations, cloud systems used by financial service providers are considered "significant systems" when they either (i) process personal credit information or unique identification information or (ii) perform tasks that significantly impact the security and reliability of electronic financial transactions (systems that do not handle the above tasks are considered "non-significant systems"). When financial institutions use cloud as a significant system, they are subject to stricter obligations, including the need to file cloud use reports with the Financial Supervisory Service (the "FSS"). However, as there are no clear standards for assessing whether a particular system "significantly impacts the security and reliability of digital financial transactions", a financial service provider is at risk of sanction for using cloud computing services that it deemed a non-significant system when it should have been classified as a significant system.
The FSC has stated that the Plan will provide a more detailed set of standards for assessing the significance of systems and clarify the processes that financial service providers need to take to use cloud systems. This change is expected to reduce the risk of financial service providers being sanctioned for failing to file the cloud use report for significant systems, as well as reduce instances of unnecessary cloud use reports being filed for non-significant systems.
2. Differentiation of processes for using cloud services based on significance
Under the current regulations, the process and requisite documentation for using cloud services as a non-significant system are identical to those for using cloud services as a significant system, except for the cloud use report filing (Electronic Financial Transactions Supervisory Regulations, Articles 14-2(1), (2), (5)).
Under the Plan, the procedural requirements for using cloud computing are expected to be differentiated more clearly according to the significance of the system. For example, separate standards for non-significant systems in terms of business continuity plans and security measures are expected.
3. Ex post facto reporting in lieu of prior reporting and simplified documentation requirements for use of cloud services
Under the current regulations, if financial service providers use cloud services for significant systems, they must report to the FSS seven business days prior to such use. However, in practice, as it is difficult to submit such reports on time, financial service providers face frequent delays in using cloud services.
The reporting requirement will be changed to submitting an ex post facto report within three months of the commencement date of the cloud services, which will enable financial service providers to start using cloud services in a more timely manner.
The supporting documents required to be attached to the cloud use report will also be simplified to eliminate similar and redundant requirements under the current regulations, which will reduce the administrative burden on financial service providers.
4. Simplification of CSP assessment criteria
The CSP soundness and stability assessment ("CSP Assessment"), which has been the heaviest burden on financial service providers among the steps necessary for using cloud services, will be simplified from 141 fields to 54 (16 essential fields and 38 alternative fields). Accordingly, this will significantly lessen the burden on financial service providers in undertaking the CSP Assessment.
5. Establishment of a different set of assessment criteria for SaaS
The current CSP Assessment criteria are designed for Infrastructure-as-a-Service ("IaaS"), which provides servers and storage devices. Accordingly, such criteria have been criticized as being unsuitable for assessing Software-as-a-Service ("SaaS").
The FSC stated that it would prepare a separate set of assessment criteria for SaaS similar to the Cloud Security Assurance Program ("CSAP"), which will allow for more appropriate assessments of cloud services.
6. Introduction of a representative assessment system
Under current regulations, CSPs must be assessed by each financial institution that uses their services. To reduce the redundancy in the evaluation process, the joint assessment system was adopted in June 2021, in which financial institutions intending to use cloud services of the same CSP can elect a representative company to undertake the CSP Assessment (with the support of the Financial Security Agency) that would apply to all other financial institutions intending to use their cloud services.
The Plan will introduce the representative assessment system, in which the Financial Security Agency assesses CSPs and financial institutions are able to utilize the assessment results. This will greatly reduce the burden on financial institutions regarding assessing CSPs.
Changes to Network Separation Requirements
1. Exemptions from network separation regulations for development and testing
While a connection to the Internet is a prerequisite to using new technologies and open-source resources, the current network separation regulations restrict such connections and have hindered financial institutions from developing innovative services.
The FSC intends to amend the Regulations on Supervision of Electronic Financial Transactions ("RSEF") to relax regulations on physical network separation for development and testing servers, which do not store personal credit information and handle relatively less important digital financial transactions. This change aims to allow financial institutions to use new technologies and open-source resources more effectively. However, new security obligations such as prohibition on using customers' personal credit information or transaction information on development and testing servers, and implementation of internal standards on access and use of open-source resources, will be established.
2. Exemptions from network separation regulations for non-financial functions and SaaS
Network separation regulations also apply when financial institutions use SaaS for back-office functions such as human resource management. Because SaaS is typically web-based, it could only be used for types of work exempt from the network separation requirement.
According to the Plan, the FSC intends to establish a regulatory sandbox to exempt network separation regulations for non-financial functions and SaaS. However, continued monitoring of relevant developments is necessary as the types of SaaS and methods of accessing SaaS that are permitted are subject to change depending on how the regulatory sandbox system is implemented.
3. Deregulation of network separation regulations in phases
The FSC has stated that it will pursue a phased approach to deregulation of network separation regulations over a mid- to long-term period, such as reducing the scope of work subject to the network separation requirement and allowing financial institutions to choose between physical or logical network separation for different types of work, albeit along with measures to safeguard against security risks such as securing accountability from financial institutions and strengthening the security oversight of the Financial Security Agency.
Financial institutions will likely be able to choose how network separation regulations apply depending on their circumstances and the importance of the work, which will enable them to operate more effective internal control systems. We recommend closely monitoring how the relevant laws and regulations are amended to determine further details.
To ensure the improvements announced in the Plan are smoothly rolled out as policy, the FSC will publish a draft of the amended Enforcement Decree of the Electronic Financial Transaction Act (the "EFTA") and the RSEF that incorporate the changes sometime in April 2022, and revise the "Guidelines for Using Cloud Computing Services in the Financial Industry" issued by the Financial Security Agency in January 2019 by the end of 2022 to provide the finance sector with detailed procedures and standards that can serve as practical references.
The Plan is meaningful in that it lays the grounds for relaxing cloud and network separation regulations that have obstructed the adoption and utilization of new digital technologies in the finance industry. The contemplated improvements are expected to facilitate the use of new technologies in the development and testing fields, and make it easier for financial institutions to use cloud services. Since the FSC has stated that it will implement the policy changes in stages, it will be necessary to closely monitor the amendment of the Enforcement Decree of the EFTA and the RSEF, as well as other relevant laws and regulations.
Meanwhile, deregulation of network separation rules for non-financial work and SaaS will be achieved not through legislative amendment but through a regulatory sandbox, which makes it necessary to monitor the development and implementation of the sandbox.