
Pre-Announcement of a Proposed Amendment to the “Electronic Finance Supervisory Regulations”


On February 1, 2024, the Financial Services Commission (the “FSC”) pre-announced a proposed amendment to the Electronic Finance Supervisory Regulations (the “EFSR”). The proposed amendment (the “Proposed Amendment”) aims to improve financial security regulations by changing them from “rule-based” to “principle-based” and to protect financial systems from various threats, including disasters and electronic intrusions, by strengthening the stability of the financial IT system.
To enable financial companies to respond to new risks on their own with flexibility, the number of rules will be reduced to 166 (i.e., 134 deleted, five strengthened, 114 maintained, and 45 adjusted and rationalized) from 293 through the proposed amendment of the EFSR. By changing the form of the EFSR to focus on goals and principles, certain provisions will be relaxed so that financial companies can make decisions on detailed matters by themselves. However, certain regulations on the stability of financial IT systems (cyber resilience), user protection, and financial security governance will be strengthened.

Examples of Major Relaxed Regulations

In principle, the Proposed Amendment would remove certain provisions to the extent: (i) details are too peripheral or microscopic; (ii) they are excessive compared to similar legislative cases; (iii) the autonomy of financial companies should be respected; and (iv) sanctions are rarely imposed based thereon. Some of the deleted provisions will be set forth in the Detailed Enforcement Rules of the EFSR (29 out of a total of 134 cases), while other provisions will be abolished, consolidated, or explained in explanatory notes. The key provisions of the EFSR subject to deletion are as follows:

  • Provisions on management and protection of buildings, facilities, IT rooms, etc. (Articles 9 to 11)

  • Provisions on measures to manage malicious code and open web servers (Articles 16 to 17)

  • Provisions on information protection training hours (Article 19-2)

  • Detailed provisions on separation of duties (Article 26)

  • Provisions on control of batch work (Article 30)

  • Provisions on password setting methods (Articles 32 to 33)

  • Provisions on notice of matters to be noted to users (Article 35)

Key Enhanced and Adjusted Provisions


Expanded Obligation to Install Disaster Recovery Center (Article 23)

In light of the growing need for rapid restoration of business continuity through a disaster recovery center in the event of a disaster, the Proposed Amendment newly requires, among others, certain small and medium-sized financial companies and electronic financial business operators to establish a disaster recovery center if they meet certain conditions.

| Type of Business Operator | Proposed Conditions |
| --- | --- |
| Electronic financial business operators | Annual electronic financial transactions amounting to KRW 2 trillion or more in total |
| Credit-specialized financial companies (engaged in lease, installment financing, and venture capital) | Total assets of KRW 2 trillion or more and a full-time employee count of 300 persons or more |
| Mutual savings banks | Where an internal computer system is established and operated |



Upward Adjustment of the Limit of Liability Insurance for Electronic Financial Incidents (Article 5)
Reflecting the expanded amount of electronic financial transactions, inflation, and other factors, the compensation limits for certain sectors have been rationalized. Furthermore, for financial investment businesses with assets of KRW 2 trillion or more that have experienced frequent electronic financial incidents in the past three years, the minimum compensation limit has been adjusted upward.




| Prepayment service, payment gateway (“PG”), etc. | KRW 100 million | KRW 200 million |
| Credit-specialized financial companies, insurers, and savings banks | KRW 100 million | KRW 200 million |
| Financial investment businesses | KRW 500 million in a lump sum | KRW 1 billion for those with assets of KRW 2 trillion or more |



Enhanced Financial Security Governance (Articles 8 and 8-2)

The current EFSR prescribes that the Chief Information Security Officer (“CISO”) report the Information Protection Committee’s deliberations and resolutions to the Chief Executive Officer (“CEO”). The Proposed Amendment, however, extends this requirement by specifying that deliberations and resolutions of the Information Protection Committee, which seriously affect the safety and reliability of electronic financial transactions, must also be reported to the board of directors. Furthermore, a new provision regarding information protection training has been introduced. This provision requires the CEO to evaluate the previous year’s training plan and reflect the results of such evaluation in the current year’s training plan.


Administrative Fines Upon a Breach of the Obligation to Report Incidents (Articles 37-4 and 37-5)
A detailed notification procedure for, among others, security incidents has been introduced, and both financial companies and electronic financial business operators are required to report such incidents to the FSC using the newly introduced Annex Form No. 7. This report should be made within 24 hours from the time they become aware of the incident unless there is a justifiable reason for delay. In addition, Article 73, Chapter 6 (Supplementary Provisions) of the EFSR has been moved to Article 37-5, Chapter 3 (Ensuring Safety of Electronic Financial Transactions and Protecting Users). Consequently, the regulatory framework has been adjusted so that any breach of the obligation to report incidents may be subject to an administrative fine for violation of Article 21 (Obligation to Ensure Safety) of the Electronic Financial Transactions Act.

Future Strategies
With respect to the Proposed Amendment to the EFSR, opinions will be collected during the 40-day pre-announcement period from February 1, 2024 to March 12, 2024. Thereafter, the Proposed Amendment will take effect upon the public notice thereof after undergoing certain legislative procedures, including the FSC’s resolution. That said, for strengthened regulations, such as the expanded obligation to establish a disaster recovery center, a grace period of at least six months may be granted based on the industry comments which have been collected.
Meanwhile, the FSC has established a plan to enhance financial security based on a phased approach. Following the forthcoming revision of the EFSR (Phase One), the FSC plans to separately amend laws for the financial security sector alone (Phase Two) and subsequently review a phased transition to an autonomous security system based on the foregoing developments (Phase Three). In particular, please note that, with respect to the amendment of laws, the FSC plans to (i) design internal governance to strengthen the responsibilities of the CEO, the board of directors, and the front office; (ii) materialize the administrative penalty system to strengthen the responsibilities after incidents; and (iii) lay the foundation for introducing a regulatory framework in proportion to the risks (e.g., imposition of differentiated amounts of administrative fines).
The Proposed Amendment aims to expand the discretion of financial companies and encourage active investments in security. However, financial companies may be subject to new or expanded obligations due to strengthened regulations (e.g., the requirement to establish a disaster recovery center). Therefore, it is necessary for financial companies to review whether their existing business structure and security system would align with the Proposed Amendment and be prepared to adjust relevant internal rules and policies. Additionally, it is advisable for financial companies to assess the need to promptly present their opinions on matters that have been pre-announced (for example, in cases where the interpretation of the Proposed Amendment of the EFSR is unclear).

