South Korea mulls easing “network separation” rules on financial companies

It has formed a sandbox program to allow FIs to explore the use of gen AI.

South Korea’s financial regulators are rethinking a decade-old requirement that has kept financial institutions’ (FI) system operations separate from the internet.

Amongst improvements include giving regulator exemptions to FIs so that they can explore the use of gen AI, and allowing FIs to adopt cloud-based software as a service (SaaS) for more types of functions.

Authorities said that they will also seek to revise the supervisory regulation on electronic financial services to ease current rules on physical separation of networks.

First introduced in 2014, the Electronic Financial Transactions Act mandates network separation for FIs, involving the physical division of internal and external networks. FIs are required to ensure that "computers for system operation, development, and security are on separate networks.” 

But this has also made it difficult for FIs to adapt newer technologies, such as cloud-based software and generative AI.

“Network separation may not only present a source of inconvenience but also stand in the way of boosting competitiveness of the financial industry,” the Financial Services Commission (FSC) said in a press release.

“The current requirement of network separation has been pointed out as a source of inefficiency and an obstacle for research and development projects for financial companies in their use of new technologies,” the FSC added.

Officials from the FSC, the Financial Supervisory Service (FSS), and the Financial Security Institute (FSI) met with financial companies, private sector experts, and related industries and organizations on 13 August to introduce a new roadmap seeking to improve network separation and upgrade rules on financial data security. 

Sandbox, cloud access
South Korea will build a regulatory sandbox program that gives FIs regulatory exemption to access the internet for the basis of using gen AI. 

To access the sandbox prgram, FIs will need to prepare “advance sufficient security assurance measures to prevent cybersecurity risk,” the FSC said.

Application for the regulatory sandbox program will open in September, and with reviews and approvals given out as early as end-2024.

The FSS and FSI will carry out inspections and offer consultations on the matter of cybersecurity to those applying for the regulatory exemption.

Authorities have also expanded the scope of SaaS usage to include the areas of cyber and information security, and customer relations management.

Currently, SaaS is permitted only for certain types of back-office functions, such as document management and human resources management. It is not allowed for handling customers’ personal credit information. 

After adequately examining the progress of the aforementioned regulatory exemption programs, the FSC said that it will then seek to allow financial companies to directly handle personal credit information in non-pseudonymized formats, albeit requiring additional security assurance measures. 
 
As a medium- to long-term goal, the FSC said that it will work to make a transition toward a regulatory system centered on the principle of autonomous cybersecurity and self-accountability. 

Starting from August 22, authorities will hold a series of information sessions with financial sectors and provide them with consultations on the security assurance measures financial companies need to prepare to be considered for the regulatory exemption programs.