The Financial Services Commission issued a preliminary notice of rule change regarding the supervisory regulation on electronic financial services on January 19. The proposed rule change will grant financial companies an exemption from the network separation rule for making use of a cloud-based Software as a Service (SaaS) program in their internal network, on the condition that they demonstrate a certain level of capacity to comply with network security protocols. The rule change proposal will be put up for public comment from January 20 until February 9, 2026. With the upgraded rule in place, financial companies will be able to adopt and make use of various SaaS programs for their administrative and back office operations without having to go through an approval process under the financial regulatory sandbox program.
Background
In August 2024, the FSC introduced a roadmap for making improvements to the network separation rule in the financial industry, allowing the use of SaaS for financial companies on a temporary basis under the financial regulatory sandbox program if they have established adequate network security measures. Under the announced policy roadmap, the FSC also planned to grant the exemption on a more permanent basis in the future, once an ample volume of cases of SaaS program usage by financial companies had accumulated.
In this regard, since September 2023, a total of 32 financial companies have been permitted to operate 85 different SaaS programs under the financial regulatory sandbox program thus far, which demonstrates a level of stability and the volume of accumulated usage cases sufficient for financial authorities to grant exemption from the network separation rule on a permanent basis through a revision of relevant regulation.
Key Revision Details
First, SaaS programs specified under the Enforcement Decree of the Act on the Development of Cloud Computing and Protection of Its Users will be exempted from the network separation rule pursuant to the Electronic Financial Transactions Act and the supervisory regulation on electronic financial services.
However, to prevent potential breaches of personal information, the exemption from the network separation rule will not apply to the handling of personal identification information or personal credit information.
Second, with the granting of exemption from the network separation rule, financial companies will be required to maintain a more rigorous level of information protection control measures. More specifically, financial companies will need to (a) have their SaaS programs pre-screened by the Financial Security Institute, (b) maintain strict IT security protocols (certification, authorization, etc.) for access devices (computers and mobile devices), (c) monitor and control input, processing, and transfer of critical information, (d) prevent the sharing and processing of unnecessary information within SaaS programs and block access to unauthorized internet services, and (e) adopt encryption for networks where SaaS programs are being utilized.
Financial companies should evaluate compliance with the abovementioned information protection management measures once every six months and report findings to their chief information security officers (CISOs).
Expectation
With the revised rule in place, financial companies will be able to make use of SaaS programs for various functions without having to go through an approval process for each program under the financial regulatory sandbox program. It will help to boost the efficiency of administrative and various back office functions for financial companies and make both intra- and inter-group relations and collaborations more convenient. With the more efficient use of IT resources, financial companies will also be able to save related costs.
The revised rule will enter a twenty-day comment period from January 20 until February 9, 2026 and go through a regulatory review process before going into effect.
The FSC will continue to work on regulatory reform agendas to help financial companies make use of diverse IT services to improve their service provision. At the same time, the FSC will also prepare measures to make sure that financial companies are subject to rigorous and systematic self-regulatory practices to help maintain a high level of IT security in the financial sector.
* Please refer to the attached PDF for details.
