The Financial Services Commission proposed a revision to the supervisory regulation on electronic financial services on February 1. The revision is intended to shift the current regulatory framework from rule-based to principle-based one, allowing more room to make autonomous decisions for financial companies, and bolster the resilience of electronic financial system to disasters and cyberthreats. 

It has been pointed out that the current framework of the supervisory regulation on electronic financial services, which remained little changed since it was established in 2006, makes it difficult to flexibly respond to evolving security threats and encourage passive responses from financial companies. In particular, there has been a growing need for making financial industry’s cybersecurity system more adaptable and resilient in response to technology advances (e.g. artificial intelligence or cloud computing) and evolving cyberthreats.

Against this backdrop, the revision proposal is focused on allowing more room for financial companies to make decisions on their own on financial security matters and encouraging them to make more investment in cyber security by making financial security regulations more goal-and-principle oriented.

First, the revision proposal reduces the number of rules to 166 from 293 previously to ensure that financial businesses can flexibly respond to new risks. Instead of prescriptive and exhaustive rules, the revised regulations will only present principles and goals and allow financial companies to make decisions on details on their own. For example, the revision proposal abolishes provisions specifying the method of creating users’ passwords and allows financial companies to adopt their own method of creating passwords and managing authentication system.

Second, to bolster cyber resilience against disasters and electronic incidents, the revision proposal introduces requirements for certain types of small- and medium-sized financial companies and electronic financial service providers, which have been in regulatory blind spots, to set up disaster response centers and establish specific goals regarding service restoration time.

Third, to enhance governance over cybersecurity across the financial sector, the revision strengthens the role of chief executives and board of directors in the process of decision-making over the companies cyber and information security matters.

Fourth, to provide better protection for consumers and expedite the payment of compensation for consumer damages, the proposed revision also raises the minimum insurance level financial companies need to sign up for in order to be prepared for cybersecurity incidents and compensation of consumer damages.

Beginning with revision to the supervisory regulation, the FSC will seek to revise the Electronic Financial Transaction Act in close consultation with the National Assembly to strengthen financial companies’ self-governance responsibility over cyber and information security.

The proposal will be put up for public comment from February 1 until March 12, 2024 and take effect after a final deliberation process by the FSC.

* Please refer to the attached PDF for details.