The FSC/FSS announced new rules and regulations on electronic financial transactions that pave the way for the oversight of financial service providers facilitating electronic financial transactions, in support of the Electronic Financial Transactions Act that took effect January 1, 2007.* The new rules and regulations, which also took effect at the beginning of the year, are primarily aimed at ensuring the security of electronic financial transactions and protecting consumers. The following is an outline of the newly announced rules and regulations.
Ensuring Security of Electronic Financial Transactions
- User authentication and OTP
User authentication must, as a rule, be applied to all electronic financial transactions, except where the amount to be transacted is trivial or where applying user authentication is technically not feasible. A one-time password (OTP) or other one-time security code must be used in all online financial transactions. (A few exceptions may apply, for example to money transfers made at an ATM and other similar activities.)
- Use of PIN-pad
PIN-pads or other similarly secure input devices must be used when receiving a customer's PIN, so that the PIN is kept safe and secure from others.
- Contingency plans and operational disaster recovery centers
Financial institutions and other electronic financial service providers must maintain backup facilities or redundancy for their critical IT networks and telecommunication systems. Banks, securities firms, and other large financial institutions whose network failure could disrupt the IT networks and telecommunication systems of the financial sector must maintain operational disaster recovery centers. Financial institutions must also develop operational manuals and personnel management procedures for the protection of their critical IT systems.
Consumer Protection
- Insurance for financial incidents
Financial institutions are to be held liable for damage arising from a financial incident unless the incident occurred because of gross negligence or fraudulent intent on the part of the customer. The risk of damage from financial incidents must be insured or otherwise covered by special reserves.
- Standard terms and conditions for electronic financial transaction services
Financial institutions must offer consumers standard terms and conditions for electronic financial transactions (separate from other standard terms and conditions for financial products and services).
- PIN protection, SMS and e-mail services
Financial institutions must inform customers of the due care to be taken in using a PIN so that it is kept safe from electronic interception or theft. Financial institutions must also maintain computer systems that enable customers to receive records of their electronic financial transactions via SMS or e-mail.
Electronic Financial Service Providers
- Financial soundness criteria
Companies seeking to provide electronic financial services must meet certain financial soundness criteria at the time of registration or regulatory approval as summarized in the table below.
- Capital adequacy, asset soundness, and liquidity of electronic financial service providers
Electronic financial service providers must comply with certain capital, asset, and liquidity ratio guidelines and requirements as summarized in the table below.
- Prompt corrective action for electronic money service providers
Prompt corrective action, including a management improvement recommendation or order, may be issued to electronic money service providers that fail to comply with the established management guidelines and requirements.
- Assessment of IT in management status evaluation
An assessment of a financial institution's IT management may be made and reflected in its management status evaluation.
* Please refer to the attached PDF for details.