BACKGROUND
The FSC approved the proposed legislation of ‘Regulations on Financial Institutions’ Outsourcing of Data Processing Business and IT Facilities’ on June 19, 2013. The legislation is to establish detailed regulations in accordance with Korea’s free trade agreements (FTAs) with the US and the EU on the cross-border transfer of financial information required in the ordinary course of business of financial institutions, while reflecting a global trend that financial firms are increasingly outsourcing their data processing business and IT facilities.
MAJOR CONTENTS
1. Scope and procedure of outsourcing
A financial institution is permitted to outsource data processing business “required in the ordinary course of business” to a third party, domestic or overseas. In case a financial institution intends to outsource data processing business to an overseas company only its head office, branches, and affiliates subordinated to such financial institution are permitted to do so as a means to ensure consumer protection and financial regulators’ access to records of financial institutions relating to the handling of information.
In principle, the outsourced company, domestic or overseas, is prohibited to extend the contract to another subcontractor.
If related laws prohibit outsourcing, or if a financial institution has punitive records under related laws, the financial firm is forbidden to outsource data processing to a third party.
Financial institutions are mandated to apply the provisions of standard form contract when signing an outsourcing contract with a third party to ensure consumer protection and financial regulators’ access to records of financial institutions relating to the handling of information.
A financial institution is obliged to report the FSS governor in advance to outsourcing data processing business.
2. Protection of data outsourced to a third party
In regard with outsourcing data processing, all protective measures must be ensured under relevant laws and regulations including the Act on the Protection of Personal Information, the Act on Real Name Financial Transactions and Confidentiality, and the Use and Protection of Credit Information Act.
In any case, overseas transfer of individual customer’s resident registration number is prohibited without prejudice to requirements for such protective measures.
A financial institution is required to put a public notice on such protective measures on its website and mandated to make additional notification to the data subject when the data outsourced to a third party, domestic or overseas, contains sensitive information about its clients.
3. Outsourcing IT Facilities to an overseas party
When outsourcing IT facilities to an overseas party a financial institution is required to obtain an approval from the FSC. Subjects permitted to outsource IT facilities to an overseas party are limited only to the financial institution’s overseas head office, branches and affiliates.
Outsourcing can be restricted for important IT facilities deemed necessary in ensuring consumer protection and financial regulators’ access to records of financial institutions relating to the handling of information.
4. Supervision and inspection on outsourced data processing business
A financial institution and the third party which carries out the outsourced business are obliged to accept and comply with the FSC and FSS’s supervision and inspection inquiry.
FSC chairman and FSS governor can impose necessary measures and give warnings to a financial institution and third party which carries out the outsourced business in case either one of them violates relevant laws and regulations.
5. Revision to relevant regulations
In order to prevent overlapping applications of regulations, the application scope of the Regulations on Financial Institutions’ Outsourcing of Business will be reduced so that this newly-legislated can be exclusively applied to financial institutions’ outsourcing of data processing business and IT facilities.
Revision was made to Regulation on Supervision of Electronic Financial Activities to ease restrictions on financial data storage.
*(Before revision) Outsourced contractors’ financial data storage is prohibited.
*(After revision) Outsourced contractors are permitted to store financial data in case data processing has been outsourced following due process. Storing data without permission will be prohibited in all cases.
Relevant provisions on offshore transfers of the IT facilities under Regulation on Insurance Business Supervision were also revised in accordance with the Regulations on Financial Institutions’ Outsourcing of Data Processing Business and IT Facilities.
FUTURE PLAN
Proposed legislation of the Regulation and relevant revisions will be announced on June 25, 2013. The regulation will become effective upon announcement.
*Please read the attached file for details.