Financial incidents (such as the leakage of customer information, embezzlement and financial fraud) that have occurred in recent years have raised concerns as to whether financial companies have adequate internal control systems. After forming a task force and gathering opinions from the industry, financial regulators have announced the “Internal Control Plan to Prevent Irregular Foreign Currency Remittances” and the “Improvement Plan for the Internal Control Systems of Financial Companies” to address such concerns.

The “Internal Control Plan to Prevent Irregular Foreign Currency Remittances,” announced on June 8, 2023, requires banks to establish a “three layer internal control system,” particularly for internal control related to foreign currency remittances.

The “Improvement Plan for the Internal Control Systems of Financial Companies,” announced on June 22, 2023, is applicable to all financial companies (including banks) that are subject to the Act on Corporate Governance of Financial Companies (hereby referred to as the “Corporate Governance Act”). The Plan includes: (i) introducing a “Responsibilities Map,” (ii) imposing “internal control management obligations” on executive officers including the financial company’s representative director, (iii) clarifying the “role of the board of directors regarding internal control,” and (iv) establishing sanction and indemnification standards applicable to executive officers who violate their internal control management obligations.

In the following sections, we will first discuss the “Improvement Plan for the Internal Control Systems of Financial Companies” and its impact and significance with respect to financial companies, and then discuss the “Internal Control Plan to Prevent Foreign Currency Remittances.”
 

The Responsibilities Map shall document the details on (i) how responsibilities regarding internal control shall be allocated (ii) for each business area (iii) according to each executive officer’s function. Financial companies must prepare a Responsibilities Map in accordance with their own characteristics and management circumstances. The term “Executive Officer,” in principle, refers to an executive officer under the Corporate Governance Act (the “Act”) and excludes outside directors who are not the Chairperson of the board of directors. The Act is expected to be amended to introduce certain qualifications that executive officer candidates must possess, in addition to the disqualifying factors that are already set forth in the Act.

The representative director shall be responsible for preparing the Responsibilities Map, and shall be responsible for (i) redundancies or omissions related to the stated responsibilities, or any other flaws in the Responsibilities Map, or (ii) any discrepancies between the responsible officer under the Responsibilities Map and the person actually bearing such responsibility.
 

Executive officers have an “internal control management obligation” to implement the necessary internal control management measures according to their role under the Responsibilities Map. Specific obligations will be assigned to ensure that each executive officer will be acting within the scope of his/her responsibilities as set forth in the Responsibilities Map. For example, the representative director will be responsible for overseeing the overall management of the company’s internal control measures. However, the Financial Services Commission has clarified that the representative director shall not be responsible for each and every activity subject to control.
 

A financial company’s board of directors must specify its authority and obligations regarding internal control, including (i) adding “the establishment and implementation of internal control and risk management policies” to its agenda items; and (ii) mandating the establishment of an internal control committee as a subcommittee within the board of directors.
 

An executive officer (including the representative director) may become subject to sanctions if he/she fails to perform his/her internal control management obligations. If so, he/she shall not be separately liable as a supervisor, instructor, or supporter in case the financial incidents were caused by another person. In addition, if the relevant executive officer can prove that he/she took “reasonable care” in performing his/her internal control management obligations, he/she may be granted a reduction of, or exemption from, liability even in the event of a financial incident.
 

The key feature of the Internal Control Plan to Prevent Irregular Foreign Currency Remittances is requiring financial companies to establish a “three layer internal control system” as follows:
 

With respect to the first line of defense, banks are required to check the (i) counterparty, (ii) trade item, (iii) payment method, (iv) transaction amount, (v) scheduled import date, and (vi) the type of trade transaction. In addition, when verifying the transaction, banks must inform the customer as to whether the transaction is subject to any reporting obligations. With respect to the second line of defense, banks must establish a standardized monitoring criteria and monitoring system in order to detect irregular foreign currency remittance transactions. With respect to the third line of defense, banks must assign specific tasks to the anti-money laundering (“AML”), compliance, audit, and marketing departments within its head office regarding the post-transaction review of each foreign currency remittance transaction.
 

The above measures have been developed primarily because banks and other financial companies have realized that their current internal control system has not been effective in preventing serious financial incidents. In particular, in light of recurring financial incidents, financial regulators have asked commercial banks to review the adequacy of their internal control systems. In fact, some commercial banks are working towards upgrading their internal control systems by engaging external advisors to draft their own Responsibilities Maps, even though the amendments to the Act have not yet come into effect.

The internal control systems of financial companies will likely continue to be an important issue, and as financial companies strengthen their internal control systems, the changes discussed above may not only impact financial companies, but also may have an impact on the general public as financial companies may require their customers to be subject to additional verification procedures or to submit additional documents when reviewing financial transactions.

While financial regulators are working towards amending the Act by the end of this year, they are also contemplating on announcing a guideline on internal control issues as interim measure, in case the amendment does not come into force by then as a result of scheduling issues at the National Assembly. Therefore, the improvements to the regulatory framework on financial companies’ internal control systems are expected to be made in one form or another. Taking the aforementioned circumstances into account, financial companies are advised to consider the latest legislative developments in their decision making processes and take the appropriate steps to improve their internal control systems according to the regulators’ policy stance and requirements under the relevant laws and regulations.

[Korean Version]