The government recently announced the Measures to Innovate Banks’ Internal Controls” (the “Measures”). As the government and financial supervisory authorities appear to be committed to implementing such measures, banks should carefully prepare for their implementation.
After ineffective and insufficient internal controls were identified as a cause behind the recent financial accidents in the banking sector, there have been calls to revisit and reform the internal control systems of banks. In response, the Financial Supervisory Service (the “FSS”) created a joint task force with the Korea Federation of Banks (the “KFB”) and its member banks to prevent further financial accidents and improve internal controls. On November 4, 2022, three months into operation, the task force announced the Measures. Furthermore, on November 29, 2022, the KFB enacted and amended the best practices for internal control and the banking sector’s internal control standards regarding personnel management. The KFB and its member banks will implement the Measures after amending their best practices and internal regulations, while the FSS will begin monitoring the banks’ progress in the second quarter of 2023 and will thereafter continue monitoring and recommending improvements. As such, it would be important for banks to understand and prepare for the changes the Measures will introduce.
1. Key Details of the Measures
The key components of the Measures are infrastructural innovation and effective and consistent internal control.
(1) Infrastructural innovation
Hiring and maintaining compliance personnel will be subject to certain minimum requirements. Specifically, a bank’s compliance department must have at least 15 people or 0.8% of the bank’s total number of employees, whichever is higher, and at least 20% of said department’s members must be experts in the field of compliance. In addition, a bank’s compliance officer must have at least two years of relevant work experience. Furthermore, banks must develop a policy to rotate employees who have worked within the same department for a long time by ensuring that employees who stay within the same department on a long-term basis do not exceed 5% or 50 of its employees on rotational duty. Banks will also have to update their personnel management standards for such employees.
(2) Establish detailed operational standards for key accident prevention policies
Changes will be made to the “ordered leave” policy (which requires employees in charge of high-risk operations to go on unplanned, mandatory vacations, during which the bank examines their work records), segregation of roles and responsibilities, whistleblower policy, and accident prevention measures, which have been criticized as being ineffective. For the “ordered leave” policy and segregation of roles and responsibilities, new measures for internal control will expand and specify the types of employees subject to such policies, require such policies to be managed systematically and strengthen monitoring related to their implementation. The financial authorities are also reviewing several methods to improve the effectiveness of whistleblower policy and accident prevention measures.
(3) Improve security in high-risk work processes
Security will be strengthened for high-risk work processes identified in recent financial accidents. Improvements include enhancing system access control, mandating creditors to verify jointly managed funds, strengthening the verification procedure for funds withdrawal (connecting the internal approval request system, authorization system and funds disbursement system), and creating a digital management system for documents that were previously written and handled manually.
(4) Ongoing internal control
To make internal control an essential part of banks’ day-to-day operations, compliance departments will need to strengthen their regular monitoring and self-audit functions. Specifically, the scope of mandatory audits and audit targets is expected to be expanded.
The Measures will introduce broad changes across several internal control policies for banks. Therefore, banks are advised to promptly review and improve their current internal control systems to ensure that they comply with the Measures:
The Measures include changes that entail amending internal regulations and reworking the division of responsibilities among departments, which require planning in advance (e.g., minimum requirements for the number and qualifications of compliance personnel, qualifications for the compliance officer, long-term employee management system, and changes to the “ordered leave” policy and segregation of roles and responsibilities).
The Measures also include changes that entail updating banks’ IT systems and revising operational procedures, which require developing and testing feasible methods (e.g., introducing other verification methods that can replace passwords, upgrading fund withdrawal systems, and upgrading IT systems for managing internal documents and external documents that were previously written and/or handled manually).
As financial accidents in the banking sector have become a serious societal issue, the government and relevant financial authorities appear to be committed to reforming the internal control systems of banks, requiring representative directors, executive officers and board members to have greater responsibilities with respect to internal control failures. Therefore, the banking sector will need to focus on adopting the changes proposed in the Measures and other reform initiatives, and ensure that they are promptly implemented. Moreover, it would be prudent for non-banking financial institutions to review their internal control systems in advance, as other financial institutions may also be required to improve their internal control systems.