Regulatory Alert: FSC announces De-regulation on
Cloud Computing for Financial Institutions

Global financial institutions actively utilize specialized cloud-based services for the operation of key IT infrastructures, core analytical processes as well as client interfacing platforms. In contrast, financial institutions in Korea face regulatory challenges in integrating such public cloud-based services due to the prohibitive effects of the Regulations on E-Finance which govern the use of public cloud services by financial institutions in Korea.

Under the current regulatory regime, financial institutions are only permitted to process “non-critical” information via public cloud servers – and the Regulations on E-Finance expressly exclude personal credit information and/or unique identification information from the scope of “non-critical information”. Consequently, financial institutions have only been able to use cloud services for a narrow scope of purposes, mostly for functions which do not pertain to the essential features of the financial business and are of limited use for global financial institutions.

The FSC now proposes to amend the Regulations on E-Finance to permit financial institutions in Korea to process personal credit information and unique identification information on public cloud servers located in Korea.

Although the contents of the amendments remain to be seen and the existing data protection laws and regulations of Korea will continue to apply, the financial institutions in Korea may soon be able to enjoy the benefits of cloud services in its core operations, including:

• Utilization of high-capacity cloud servers to run big data and artificial intelligence (AI) based systems for core financial analysis and related client interfacing (e.g., credit analysis, underwriting, etc.).
• Conversion of transactional services to cloud-based models with the ability to process key personal identification information such as resident registration number via cloud services.

The FSC has reserved that any measures for cloud computing deregulation will be guided by the publication of a new set of compliance requirements and guidelines, including specific reporting requirements for financial institutions; and that the FSC will have the express authority to supervise and audit any cloud-based service providers in Korea. The FSC will elaborate on the details of the deregulation over the course of the next six months.

The FSC organized a Task Force in July 2018 and based on on-going discussions it is expected to propose a draft amendment in August – September of 2018 for further public comment. The FSC has set the target implementation date for the amendment as January of 2019 but it is unknown whether it will take immediate effect.

Please contact us should you have any questions or require assistance in lodging comments to the FSC and the Task Force. In addition, our Finance Team along with our Data Protection and Privacy Law experts are ready to counsel and assist in the implementation of cloud-based financial services in Korea in light of the expected changes.