On November 8, 2023, the Financial Supervisory Service (the “FSS”) released the “Guidelines for Strengthening Financial IT Stability” (the “Guidelines”). The Guidelines are scheduled to take effect by the end of 2023, after certain internal procedures are completed, including self-assessments and reports by seven financial associations and national federations.
The suspension of financial services resulting from IT-related incidents can cause serious harm or inconveniences to consumers and even lead to social disruption. Given the increasing frequency of such occurrences, there has been a growing need for financial institutions to improve their IT internal control systems and address issues arising during the development and operation of IT systems and infrastructures.
In March 2023, the FSS established a task force with seven different associations and national federations to jointly prepare the Guidelines. After preparing an initial draft based on IT inspection precedents and best practices, the FSS finalized the Guidelines by incorporating the opinions of financial institutions gathered by the seven associations and national federations.
The Guidelines apply to financial companies and electronic financial business operators. In principle, the Guidelines should apply to all information processing systems operated by such companies. However, systems that do not affect customer service may qualify for exemption upon obtaining an approval from the Chief Information Officer (the “CIO”) of such companies.
The Guidelines address three key issues: (i) the performance management of IT systems; (ii) the establishment and operation of emergency measures; and (iii) the oversight of programs. A summary of the Guidelines is as follows.
1. Performance Management of IT Systems
(1) Establishment of thresholds and measures to be taken in response
(2) Analysis and forecast of inflow at large-scale events
(3) Preparation of emergency measures for performance management
(4) Securing a foundation for performance management, such as internal organization and regulations
(5) Establishment of an internal reporting system for performance management

2. Establishment and Operation of Emergency Plans for IT Systems
(1) Enhancement of the effectiveness of emergency training and the feedback system
(2) Expansion of infrastructure for disaster recovery centers
(3) Prevention of and preparation for IT center fires
(4) Determination of core businesses and specification of relevant departments
(5) Inspection of measures to ensure business continuity and establishment of relevant systems

3. Program Oversight
(1) Strengthening of third-party verification and control functions
(2) Strengthening of testing capacities
(3) Distribution strategy for stability of IT operations
(4) Strengthening of management and inspection of program controls
(5) Strengthening of internal training on program control procedures
While the Guidelines are not legally binding, they operate as recommendations to financial institutions based on compiled IT audit findings and best practices. As the Guidelines set a minimum standard for stabilizing IT operations, each company subject to them has discretion in deciding how to implement that standard, provided its adjustments align with the Guidelines’ purpose.
However, because the Guidelines elaborate on matters covered by Articles 23, 25 and 29 of the Electronic Financial Supervisory Regulation (the “EFSR”), a company that fails to comply with the Guidelines may be found to have violated the EFSR itself, exposing it to potential administrative sanctions.
Financial companies and electronic financial business operators subject to the Guidelines should therefore consider incorporating the Guidelines into their internal regulations and policies. They would likely benefit from complying with the requirements in the Guidelines, including those on organizational structure, establishment of IT systems, expansion of IT resources and employee training.