Financial Companies Will be Able to Use Cloud-based Software as a Service on Internal Network from April 20

The Financial Services Commission announced that financial companies and electronic financial service providers will be able to adopt and use cloud-based Software as a Service (SaaS) for various types of administrative and back office functions without the need to go through an approval process under the financial regulatory sandbox program from April 20.

The revised rules on the supervision of electronic financial services went into effect on April 20, granting financial companies exemption to the network separation rule for the use of SaaS in their internal networks on the condition that they comply with certain security requirements.

Key Revision Details

First, SaaS programs specified under the Enforcement Decree of the Act on the Development of Cloud Computing and Protection of Its Users will be exempted from the network separation rule pursuant to the Electronic Financial Transactions Act and the supervisory regulation on electronic financial services.

However, to prevent potential breaches of personal information, the exemption form the network separation rule will not apply to the handling of personal identification information or personal credit information. For the use of pseudonymized personal data in their SaaS programs, financial companies will still need to get an approval through the financial regulatory sandbox program.

Second, with the granting of exemption from the network separation rule, financial companies will be required to maintain a more rigorous level of information protection control measures. More specifically, financial companies will need to (a) have their SaaS programs pre-screened by the Financial Security Institute (FSI), (b) maintain strict IT security protocols (certification, authorization, etc.) for access devices (computers and mobile devices), (c) have their compliance measures evaluated every six months and report finding to their chief information security officers (CISOs).

To facilitate the adoption of various IT security and control measures by financial companies, the FSI has also made available an information booklet on financial IT security, which contains information about the use of SaaS and the types of security risks and response strategies.

Anticipated Effcts

First, the eased rule on the use of SaaS in the internal network of financial companies will help to boost the efficiency and cooperation in how financial companies handle and process their work between divisions and/or with overseas offices.

Second, it will help to enhance productivity and reduce the cost and burden of IT management as financial companies are no longer required to maintain servers and relevant IT infrastructures on their premise.

Third, an expanded use of SaaS programs in the areas of performance management, collaboration tracking, and so on will help to make financial companies' decision making process more data-driven and make their internal management procedures more systematic and standardized.

The upgraded network separation rule facilitating the use of SaaS will help to promote financial companies to make transitions to more proactive, autonomous, and systematic ways of handling IT security management.

The FSC and the FSS plan to continue to work on upgrading rules on the network separation of financial companies and seek to ease relevant rules on the use of generative AI services as well to promote innovative ways to ensure IT security management in the financial industry.

* Please refer to the attached PDF for details.