On April 14, 2022, financial regulators announced the “Plan for Improvement of Cloud Services and Network Separation Regulations in Financial Sector” and stated that they would relax regulations on network separation through a financial regulatory sandbox, so that software as a service (“SaaS”) can be used for non-critical services in internal networks, and establish additional data protection obligations as a supplementary condition to a financial regulatory sandbox. Subsequently, on November 23, 2022, in a press release regarding the decision on the amendment to the Electronic Financial Supervisory Regulations, the financial regulators announced that they would consider relaxing the network separation regulations through a financial regulatory sandbox so that SaaS can be used for non-critical services in internal networks in the first half of 2023.

As a follow-up, on June 28, 2023, the financial regulators held a briefing session on the use of SaaS in internal networks through a financial regulatory sandbox and announced additional conditions to a financial regulatory sandbox in relation to the use of SaaS in internal networks. The relevant details are described below.

1.   Scope of Services (Data) Permitted for Using SaaS
 

Financial companies and electronic financial service providers (collectively, “Financial Companies”) have to specify, among others, the type of services for which SaaS will be used, the Cloud Service Provider (“CSP”) that will provide the SaaS, and the name of the SaaS to be used when applying for the financial regulatory sandbox. Any subsequent addition or change to the services for which SaaS will be used require re-application or application for change for the financial regulatory sandbox.

In the session, the financial regulators distinguished between tasks that can use SaaS and those for which it cannot be used. SaaS may be used through a financial regulatory sandbox for collaboration tools, ERP, and other internal services on the premise that such services are non-critical services that do not process customers’ personal information, credit information, or transaction information. On the other hand, the use of SaaS will still not be permitted for security management, IT development and operation, or customer-related services. Financial Companies wishing to use SaaS through a financial regulatory sandbox should consult with the financial regulators in advance as necessary regarding the exact scope of services and data for which the use of SaaS is limited.
 

2.   CSP Safety Evaluation for Use of SaaS
 

A CSP safety evaluation will be required as an additional condition to the network separation exception for the use of SaaS in internal networks. Specifically, the Financial Services Commission (“FSC”) selects the CSPs and services to be evaluated for the SaaS that applied for the financial regulatory sandbox, and requests the Financial Security Institute (“FSI”), to evaluate the CSPs, and the FSI conducts the evaluation thereafter.

Therefore, Financial Companies are not allowed to perform the evaluation of the CSP on their own. The scope of evaluation covers the CSP’s SaaS-related assets to be used by Financial Companies and does not include the terms of contract between Financial Companies and the CSP or their respective responsibilities.

The CSP safety evaluation consists of eight categories: (i) compliance with laws and policies, (ii) security audit, (iii) response to failures, (iv) service availability, (v) response to breach incidents, (vi) access rights management, (vii) virtualized security, and (viii) data protection. 30 detailed evaluation methods and standards will apply.

As the CSP’s assistance and cooperation are essential for the evaluation, if CSP does not assist with the evaluation, the evaluation will not proceed. If the CSP decides to assist with the evaluation, it would have to prepare a self-evaluation report and submit it to the FSI, and the FSI would examine the submitted report and conduct an on-site inspection to perform the evaluation. The final evaluation result will then be disclosed on the FSI’s website.

Therefore, Financial Companies need to secure the CSP’s assistance and cooperation before applying for the financial regulatory sandbox. CSPs need to identify and rectify any inadequacies in advance in light of the detailed evaluation methods for each safety evaluation item. If multiple Financial Companies use SaaS from the same CSP, the safety evaluation would be performed for the SaaS service itself, rather than for each Financial Company.
 

3.   Security Obligations for Use of SaaS
 

Financial Companies must ensure that SaaS access terminals are not connected to a system for processing customer information and electronic financial transaction information and apply security controls for the terminals to prevent Internet access other than the permitted SaaS. Accordingly, Financial Companies would need to consider preparing separate SaaS terminals for officers and employees who handle client or electronic financial businesses related information.

Financial Companies must establish and implement necessary security measures to mitigate security threats arising from network separation exceptions and submit a report on the implementation of the security measures once a quarter (the implementation plan must be submitted when applying for a financial regulatory sandbox) to the financial regulators.
 

During the briefing session, the FSC announced that the closest meeting of the Innovative Finance Review Committee is scheduled to be held near the end of August. Therefore, Financial Companies wishing to apply for a financial regulatory sandbox promptly should prepare their applications in light of this schedule.

[Korean Version]