Improvements to Cloud Computing and Network Separation Rules in Financial Sector

On April 14, 2022, the Financial Services Commission unveiled its plans to improve regulations on cloud computing and network separation in the financial sector. This improvement plan aims to support the financial sector’s efforts for digital transformation in a stable manner, in response to the financial industry’s concerns about the difficulties in adopting and using new digital technologies because of excessive regulations on cloud computing and network separation.

The main contents of the improvement plan are as follows.

Regulatory Improvements on the use of Cloud Computing:

  1. Make clear the assessment standards for determining the level of work significance in the use of cloud computing
  2. Reduce the number of assessment criteria for cloud service providers (CSPs) from 141 to 54 criteria
  3. Differentiate the process for cloud computing usage based on the level of work significance
  4. Introduce a uniform assessment system on CSPs to reduce burdens on financial companies
  5. Draw up a distinctive set of assessment standards for SaaS
  6. Simplify the paperwork required for submission such as the “work consignment operational standards”
  7. Change the current requirement of prior reporting to ex post facto reporting for the use of cloud computing

Regulatory Improvements on Network Separation:

  1. Exemption of network separation rules for development and test servers
  2. Exemption of network separation rules for non-electronic financial work and SaaS
  3. Step-by-step deregulation of network separation over medium to long term

Further Plans and Business Implications

The financial authorities will soon work to revise the Enforcement Decree of the Electronic Financial Transactions Act and its supervisory regulation with an aim to begin the enforcement of the changed rules. At the same time, the authorities will also prepare a revision to the guideline on the use of cloud computing services in the financial sector, to be effective in 2023. In particular, since financial companies’ voluntary internal control measures are crucial for the proposed change in the regulatory requirements on cloud computing and network separation, the authorities will inspect their internal control systems, such as the establishment and operation of an internal data protection deliberation body, in the second half of this year.

Therefore, in light of the improvements to the cloud computing and network separation rules in the financial sector, we think that financial companies or electronic financial business operators, such as big tech and fintech companies, that wish to expand the use of cloud, use SaaS, change the network separation structure in development/test fields, and exclude network separation for non-financial businesses and SaaS should start preparations, such as maintaining the internal control system, making the personal information protection commission more substantive, and applying for regulatory sandboxes for non-financial business and SaaS sectors.

If you have any questions regarding this article, please contact the following:

Hyunkoo KANG (hyunkoo.kang@leeko.com)

Hwan Kyoung KO (hwankyoung.ko@leeko.com)

Chloe Jung-Myung LEE (chloe.lee@leeko.com)

Sungin CHO (sungin.cho@leeko.com)

For more information, please visit our website: www.leeko.com