On August 13, the Financial Services Commission (FSC) held a meeting with private sector experts, financial industry groups, and officials from the Financial Supervisory Service (FSS) and Financial Security Institute (FSI) and introduced a roadmap to bring about improvements to network separation in the financial industry.
After having a series of meetings with financial companies and operating a taskforce to gather opinions from cybersecurity experts, related industries, and organizations, the FSC has prepared a set of measures to improve upon the current regulatory system on network separation and ways to upgrade rules on financial data security.
Background
The current requirement of network separation has been pointed out as a source of inefficiency and an obstacle for research and development projects for financial companies in their use of new technologies.
In particular, with the rapid transition of software into a cloud-based software as a service (SaaS) and the growing importance of generative artificial intelligence (AI), network separation may not only present a source of inconvenience but also stand in the way of boosting competitiveness of the financial industry.
Therefore, ten years after introducing the rule on network separation, the FSC plans to seek a paradigm shift toward an appropriate balance between innovation and security by upgrading outmoded regulations and overhauling rules and regulations on financial data security over the medium to long term.
Resolving Regulatory Hurdles through Regulatory Sandbox Program
Considering that the current regulatory system on financial data security has been built on an intranet network environment, authorities will seek to ease relevant regulations gradually and in stages.
While seeking to promptly resolve regulatory hurdles through the regulatory sandbox program, authorities will prepare sufficient levels of safety mechanisms to ensure cyber and information security until a self-regulating and autonomous data security system is fully established.
First, financial companies will be allowed to make use of generative AI technologies. Most generative AI services are based on a cloud-based internet environment. However, domestic financial sectors face obstacles in embracing generative AI due to the restriction placed on their access to the internet. In this regard, a regulatory exemption will be granted through the regulatory sandbox program to allow them to have access to the internet under the condition that financial companies prepare in advance sufficient security assurance measures to prevent cybersecurity risks. The FSS and FSI will carry out inspections and offer consultations on the matter of cybersecurity to those applying for this regulatory exemption.
Second, financial companies will be allowed to make use of the cloud-based software as a service (SaaS) for more types of operational functions. Currently, the use of SaaS is permitted only for certain types of back-office functions, such as document management and human resources management, and it is not allowed for handling customers’ personal credit information. In this regard, the scope of SaaS usage will be expanded to include the areas of cyber and information security and customer relations management. In this case, too, financial companies will need to prepare sufficient security assurance measures to gain regulatory exemption.
Third, improvements will be made on financial companies’ research and development environments. The physical separation of networks and the restriction placed on the use of personal credit information have been acting as barriers for financial companies in conducting research and development projects to launch services that are more tailored to individual needs and characteristics. In this regard, authorities will seek to revise the supervisory regulation on electronic financial services to ease current rules on physical separation of networks and allow the use of pseudonymized data to promote development of more innovative financial services.
After adequately examining the progress of the aforementioned regulatory exemption programs, the FSC will then seek to allow financial companies to directly handle personal credit information in non-pseudonymized formats. In this regard, additional security assurance measures will be required in accordance with the expanded scope of data usage.
As a medium- to long-term goal, the FSC will work to make a transition toward a regulatory system centered on the principle of autonomous cybersecurity and self-accountability. Establishing a principles-centered regulatory approach—instead of merely listing rules to regulate behaviors—will help financial companies to autonomously set up internal control mechanisms on cybersecurity based on their self-assessment of risk factors. In this regard, financial companies will be required to strengthen internal governance on cybersecurity matters, and there will be legal grounds established to ensure strict compensation and penalties in the event of cybersecurity failures. Regulatory reforms intended to bolster the management of third-party risks will also be sought.
Expectation and Further Plan
Making improvements to the current network separation rules will help to boost competitiveness across all financial sectors. An expanded use of generative AI will bring about more benefits for financial consumers as it will help to remove the blind spot in terms of the coverage of financial services and products made available for different consumer groups. The use of generative AI in fraud detection systems (FDS) is also expected to help strengthen protection for financial consumers as it can help to more effectively detect and prevent illicit transactions and fraudulent activities.
Starting from August 22, authorities will hold a series of information sessions with financial sectors and provide them with consultations on the security assurance measures financial companies need to prepare to be considered for the regulatory exemption programs.
Application for the regulatory sandbox program will open in September. Following an application review process, the use of generative AI in financial sectors may become available from as early as the end of this year.
The FSC also plans to revise the supervisory regulation on electronic financial services by the end of this year to facilitate financial companies’ research and development projects, and to continue to closely examine appropriate ways to make a transition toward a new regulatory system on cyber and information security in the financial sector.
* Please refer to the attached PDF for details.