The FSC unveiled its plans to introduce a routine inspection of personal data protection at financial institutions on December 4 to ensure consistency in data protection and improve accountability. The plans include establishing specific inspection standards according to the data lifecycle, providing feedbacks on a regular basis through Financial Security Institute and setting up self-inspection guidelines for financial institutions. The routine inspection on the performance of data protection is scheduled to go into effect on February 4, 2021.

BACKGROUND

With the availability of new technologies, data pseudonymization/anonymization, data convergence and so on, the process of monitoring and inspecting how financial institutions handle data protection needs improvements. In this regard, the following issues have been identified as problematic—(a) lack of specific inspection standards, (b) difficulty in carrying out a comprehensive and systematic inspection on more than 3,000 financial institutions and (c) lack of self-inspection guidelines for financial institutions. To address these issues, the FSC has drawn up the following measures.

KEY MEASURES

I. IMPROVE INSPECTION CRITERIA & STANDARDS

In order to ensure a close inspection of the performance of data protection, specific inspection criteria will be established with 9 overall categories and 143 subcategories. The detailed inspection criteria will reflect the different stages of data lifecycle and will be measured in four levels—(a) compliant, (b) partially compliant, (c) not compliant and (d) not applicable.

To guarantee a systematic management and monitoring of the newly available technologies, such as data pseudonymization/anonymization, data convergence and so on, a close inspection on the compliance status of technical and managerial data protection measures will be carried out. Financial institutions with outstanding performance and an accident-free status for a certain period will be awarded safety certification.

II. IMPROVE EFFICIENCY IN INSPECTION SYSTEM

A more efficient inspection system will be introduced through Financial Security Institute, with more inspection personnel and an establishment of a routine and automated inspection assistance process using regtech.

Based on the findings of routine inspections, financial institutions will be provided with feedbacks regarding the results of their own self-inspection, third-party inspection conducted by FSI as well as field inspection and target inspection carried out by the regulatory authorities.

III. PROVIDE ASSISTANCE

Regardless of the size and capacity of individual companies, financial institutions will be encouraged to maintain a certain level of data protection capability and will be provided with assistance accordingly.

The authorities will develop guidelines to help financial institutions to conduct self-inspections on their own.

The routine inspection assistance process will make diverse support programs available to promote financial institutions’ self-inspection of their data protection.

FURTHER PLANS

The routine inspection on the performance of data protection will be test-run between December and January 2021 after an information session held by Financial Security Institute on December 4. The guidelines containing details of the routine inspection as well as financial institutions’ self-inspection procedures will be distributed in January 2021 with routine inspections going into effect starting from February 4, 2021.

The FSC expects that the introduction of the routine inspection will help ensure consistency in data protection and improve accountability amid a rapidly changing environment surrounding the data industry.

* Please refer to the attached PDF for details.