
FSC Announces Plans to Improve Cloud Computing Regulations and Network Separation Requirements

2022.06.24

On April 14, 2022, the Financial Services Commission (the "FSC") issued a press release announcing its plans to improve cloud computing and network separation regulations (the "Plan"), which have been a burden to financial institutions and electronic financial business operators (collectively "financial service providers") in their efforts to develop and use new digital technologies.

On April 29, 2022, the FSC announced a proposed amendment to the Supervisory Regulations (the "Proposed Amendment").  The Proposed Amendment is scheduled to take effect in January 2023 following review by the Regulatory Reform Committee and resolution by the FSC.

The current cloud and network separation regulations have been a significant burden on the adoption and use of new digital technologies by financial service providers. 

The Proposed Amendment will simplify the requirements and procedures for use of cloud services for insignificant businesses and relieve financial service providers from the burden of complying with the regulations on the use of cloud services by converting the pre-reporting process into a post-reporting process.  The Proposed Amendment also recognizes exceptions to the network separation regulation in the field of research and development so that new technologies and open sources, which were difficult to use due to the current regulations, can be utilized efficiently.

The key changes in the Proposed Amendment are summarized below.

 

1.   Change of Cloud Regulations

  • Clarification of standards for assessing significance of cloud computing service use

    Under the current regulations, significance would be recognized where financial service providers process personal credit information/unique identification information through cloud services or where the use of cloud seriously affects the safety and reliability of electronic financial transactions (currently Article 14-2, Paragraph (3)).  While it is clear that a report on use would be required for processing personal credit information/unique identification information, it is unclear when and in what circumstances the safety and reliability should be deemed materially affected.

    The Proposed Amendment allows the significance of cloud services to be determined by comprehensively considering the characteristics of the work to be processed, such as size and complexity, the impact of cloud suspension, the impact of electronic infringement on customers, subordinate risks to cloud service providers ("CSPs"), and financial companies' internal control capabilities (Article 14-2(1)1 of the Proposed Amendment).

  • Differentiation of processes for using cloud services based on significance

    Under the current regulations, the process and requisite documentation for using cloud services that are considered insignificant are identical to those for using cloud services that are considered significant, except for the cloud use report filing (Electronic Financial Transactions Supervisory Regulations, Articles 14-2(1), (2), (5)).

    However, the Proposed Amendment differentiates requirements and procedures applicable to significant business for the CSP evaluation (proposed Annex 2-2), the business continuity plan (proposed Annex 2-3), the measures to ensure safety (proposed Annex 2-4), and the key items to be included in the outsourcing agreement for cloud services (proposed Annex 2-5) from those applicable to insignificant business, thereby greatly simplifying the cloud service use process for insignificant business.

  • Ex post facto reporting in lieu of prior reporting and simplified documentation requirements for use of cloud services

    Under the current regulations, if financial service providers use cloud services for significant business, they must report to the Financial Supervisory Service (the “FSS”) seven business days prior to such use.  The Proposed Amendment will change such reporting requirement to an ex post facto reporting requirement so that the same may be submitted within three months after the commencement date of the cloud services, which will enable financial service providers to start using cloud services in a timelier manner. (Article 14-2(4) of the Proposed Amendment).

    Please note that the Proposed Amendment will require any "new execution of a cloud service agreement" to be reported irrespective of whether the cloud services would be used for significant or insignificant business.

  • Relationship with Data Processing Report

    Under the current regulation, if a financial service provider files a report on the use of cloud services under the Supervisory Regulations, they would be deemed to have fulfilled the reporting (excluding semi-annual reporting) requirement under the Regulation on Outsourcing of Data Processing of Financial Companies (the "Regulation") (proviso to Article 14-2(3) of the current Regulation).

    However, while the Proposed Amendment requires reporting (ex post facto reporting) of all new cloud service agreements, the Proposed Amendment does not explicitly provide that a financial service provider who files a report thereunder would be deemed to have fulfilled its reporting requirement under the Regulation on Outsourcing of Data Processing of Financial Companies.  Therefore, relevant parties should pay attention to the implementation of the Proposed Amendment and the authoritative ruling with respect to the relationship between reporting on the use of cloud services and reporting on the outsourcing of data processing.

  • Simplification of CSP assessment criteria

    The Proposed Amendment greatly simplifies assessment criteria for CSPs, which were the most burdensome among the current procedures for using cloud services, and establishes separate evaluation standards for software-as-a-service (“SaaS”) CSPs (Article 14-2(1)2 of the Proposed Amendment <Annex 2-2>).

    In addition, as financial service providers will be able to utilize the results of CSP assessment conducted by the Financial Security Institute (the “FSI”) on their behalf (Article 14-2, Paragraph (3) of the bill), the burden of CSP evaluation for financial service providers will be reduced.
     

2.   Relaxed Regulation on Network Separation and Exemptions for Development and Testing

Even though internet connection is essential for new technological and open source development, such connection was restricted under the current network separation regulations.  The Proposed Amendment provides that “on the condition that financial service providers conduct a self-risk assessment and then apply a network separation alternative information protection control set by the Governor of the FSS,” network separation regulations may not apply to research and development purposes that do not process users' unique identification information or personal credit information (Article 15(1)3 and Article 15(1)5 of the Proposed Amendment).

Meanwhile, the FSC announced that it would allow exceptions to the regulation on network separation for non-financial businesses and SaaS by relying on regulatory sandboxes.  Accordingly, the use of SaaS based on regulatory sandboxes is expected to increase.  However, types of SaaS permitted based on regulatory sandboxes and access measures to such SaaS are subject to change depending on the outcome of the regulatory sandbox review.
 

3.   Strengthen Internal Control and Security Responsibilities

  • Clarification of matters subject to deliberation and resolution by the Information Protection Committee

    The Proposed Amendment stipulates that cloud service use processes are subject to deliberation and resolution by the Information Protection Committee of financial service providers (Article 8-2(3)5 of the Proposed Amendment) and that the business continuity plan and measures to ensure safety as well as the results of the evaluation of importance of service use and the CSP assessment should be deliberated and resolved by the Information Protection Committee, thereby strengthening the internal control and security responsibilities of financial service providers (Article 14-2(2) of the Proposed Amendment).
     

4.   Future Plan

To minimize potential confusion that may arise from the Proposed Amendment, the FSC will operate an authoritative ruling group consisting of the FSC, the FSS, the FSI, and the Financial Services Association for about three months from May 9, 2022, and amend the Cloud Guidelines for the Financial Industry (the “Cloud Guidelines”) from August to October 2022, in order to reflect any authoritative ruling released by such authoritative ruling group.  In addition, the FSS announced that it plans to conduct inspections and provide consulting on the security system of financial service providers to prevent any deterioration of the internal control system, such as personal information protection which may result from the Proposed Amendment.
 

The Proposed Amendment is significant as it relaxes the regulations on cloud and network separation, which have prevented the adoption and use of new digital technologies in the financial sector.  In particular, various innovative technologies are expected to be utilized in the field of R&D, and the use of cloud services is expected to become more active as financial service providers will be less burdened with the expanded cloud services in the financial sector.

We recommend that financial service providers seek an interpretive ruling on the matters that require specific interpretation/explanation with respect to the regulatory improvement plan and the Proposed Amendment.  Such requests will further ensure that the regulatory improvement plan and the Proposed Amendment ease regulations on cloud services.

On the other hand, as the FSC announced in the plan for regulatory improvement, the regulation on network separation for the use of cloud services such as SaaS will not be included in the Proposed Amendment.  Instead, the network separation requirement is expected to be relaxed through regulatory sandboxes.  Therefore, stakeholders should continuously monitor individual designation of regulatory sandboxes.
