On February 1, 2024, the Financial Services Commission (the “FSC”) pre-announced a proposed amendment to the Electronic Finance Supervisory Regulations (the “EFSR”). Such proposed amendment (the “Proposed Amendment”) aims to improve financial security regulations by changing them from “rule-based” to “principle-based” and protect the financial systems from various threats, including disasters and electronic intrusions by strengthening the stability of the financial IT system.
To enable financial companies to respond to new risks on their own with flexibility, the number of rules will be reduced to 166 (i.e., 134 deleted, five strengthened, 114 maintained, and 45 adjusted and rationalized) from 293 through the proposed amendment of the EFSR. By changing the form of the EFSR to focus on goals and principles, certain provisions will be relaxed so that financial companies can make decisions on detailed matters by themselves. However, certain regulations on the stability of financial IT systems (cyber resilience), user protection, and financial security governance will be strengthened.
Examples of Major Relaxed Regulations
In principle, the Proposed Amendment would remove certain provisions to the extent: (i) details are too peripheral or microscopic; (ii) they are excessive compared to similar legislative cases; (iii) the autonomy of financial companies should be respected; and (iv) sanctions are rarely imposed based thereon. Some of the deleted provisions will be set forth in the Detailed Enforcement Rules of the EFSR (29 out of a total of 134 cases), while other provisions will be abolished, consolidated, or explained in explanatory notes. The key provisions of the EFSR subject to deletion are as follows:
- Provisions on management and protection of buildings, facilities, IT rooms, etc. (Articles 9 to 11)
- Provisions on measures to manage malicious code and open web servers (Articles 16 to 17)
- Provisions on information protection training hours (Article 19-2)
- Detailed provisions on separation of duties (Article 26)
- Provisions on control of batch work (Article 30)
- Provisions on password setting methods (Articles 32 to 33)
- Provisions on notice of matters to be noted to users (Article 35)
Key Enhanced and Adjusted Provisions
1. Expanded Obligation to Install Disaster Recovery Center (Article 23)

| Type of Business Operator | Proposed Conditions |
| --- | --- |
| Electronic financial business operators | Annual electronic financial transactions amounting to KRW 2 trillion or more in total |
| Credit-specialized financial companies (engaged in lease, installment financing, and venture capital) | Total assets of KRW 2 trillion or more and a full-time employee count of 300 persons or more |
| Mutual savings banks | Where an internal computer system is established and operated |

2. Upward Adjustment of the Limit of Liability Insurance for Electronic Financial Incidents (Article 5)

| Sector | Current | Improved |
| --- | --- | --- |
| Prepayment service, payment gateway (“PG”), etc. | KRW 100 million | KRW 200 million |
| Credit-specialized financial companies, insurers, and savings banks | KRW 100 million | KRW 200 million |
| Financial investment businesses | KRW 500 million in a lump sum | KRW 1 billion for those with assets of KRW 2 trillion or more |

3. Enhanced Financial Security Governance (Articles 8 and 8-2)

4. Administrative Fines Upon a Breach of the Obligation to Report Incidents (Articles 37-4 and 37-5)
Future Strategies
With respect to the Proposed Amendment to the EFSR, opinions will be collected during the 40-day pre-announcement period from February 1, 2024 to March 12, 2024. Thereafter, the Proposed Amendment will take effect upon the public notice thereof after undergoing certain legislative procedures, including the FSC’s resolution. That said, for strengthened regulations, such as the expanded obligation to establish a disaster recovery center, a grace period of at least six months may be granted based on the industry comments which have been collected.
Meanwhile, the FSC has established a plan to enhance the financial security based on a phased approach. Following the forthcoming revision of the EFSR (Phase One), the FSC plans to separately amend laws for the financial security sector alone (Phase Two) and subsequently review a phased transition to an autonomous security system based on the foregoing developments (Phase Three). In particular, please note that, with respect to the amendment of laws, the FSC plans to (i) design internal governance to strengthen the responsibilities of the CEO, the board of directors, and the front office; (ii) materialize the administrative penalty system to strengthen the responsibilities after incidents; and (iii) lay the foundation for introducing a regulatory framework in proportion to the risks (e.g., imposition of differentiated amount of administrative fines).
The Proposed Amendment aims to expand the discretion of financial companies and encourage active investments in security. However, financial companies may be subject to new or expanded obligations due to strengthened regulations (e.g., the requirement to establish a disaster recovery center). Therefore, it is necessary for financial companies to review whether their existing business structure and security system would align with the Proposed Amendment and to be prepared to adjust relevant internal rules and policies. Additionally, it is advisable for financial companies to assess the need to promptly present their opinions on matters that have been pre-announced (for example, in cases where the interpretation of the Proposed Amendment of the EFSR is unclear).