Korean Update: Key Provisions in the Proposed Amendment to the Electronic Financial Transactions Act (“EFTA”) Chapter 3

On July 27, 2020 the Korean financial authorities announced “Comprehensive Innovation Plan for Digital

Finance” which included a plan to bring significant amendment to the EFTA. Following such announcement,

on November 27, 2020, the legislative bill for the amendment to the EFTA was submitted to the National

Assembly (“Proposed Amendment”).

We explain below the key provisions in the Proposed Amendment that may affect global fintech players.

You can see our previous newsletters on this topic below:

• Chapter 1: Major Changes in the Regulatory Framework for the Electronic Financial Industryclick here
• Chapter 2: Key Regulatory Changes for E-Wallet Businesses in Koreaclick here 

Today, we bring to you Chapter 3: Major changes to the Financial Security Requirements.

Chapter 3: Major Changes to the Financial Security Requirements

1. Duty to ensure safety of the financial transactions is strengthened.

– The current Article 21(2) of the EFTA broadly provides the duty to ensure safety of the electronic

financial transactions, and delegates the power to set specific regulatory standards to the Financial

Services Commission (“FSC”), which in turn, prescribes such standards in its “Supervisory

Regulation”. The Proposed Amendment introduces a set of financial security principles to regulate

financial institutions and e-finance businesses (Article 20-2 of the Proposed Amendment), including,

for example, the obligation to implement access control, protect integrity and accessibility of the data,

and to ensure sustainability of the electronic financial system.

– In addition, the Proposed Amendment provides in additional detail the specific provisions to be

prescribed in the Supervisory Regulation, including provisions on human resources, facilities, budget,

sustainability of electronic financing, emergency response training to deal with accidents or disasters,

and training in connection with financial security. A subsequent amendment to the Supervisory

Regulation is to follow in which specific items therein are likely to be supplemented or strengthened.

– Furthermore, the Proposed Amendment creates legal grounds for imposing administrative fines

with respect to a breach in connection with each category of the duty to ensure safety, making it

possible to impose a separate and individual fine for each type of violation. This provides a much

stronger enforcement tool compared with the current EFTA, which prescribes that a person who fails

to perform his/her duties with the “standards determined by the Financial Services Commission”

shall be subject to an administrative fine not exceeding KRW 50 million (Article 51(1) of the EFTA),

meaning that even if the company breaches the duty to ensure safety on several occasions, the

maximum fine that it could be subject to is limited to KRW 50 million.

2. Companies providing outsourcing service to the electronic finance businesses will

also be responsible to ensure safety of the financial transactions pursuant to the

Supervisory Regulation.

– The current EFTA imposes a duty to ensure safety and reliability of financial transactions on the

financial companies and e-finance businesses when they outsource their work to external

service providers (Article 40 of the EFTA, Article 60 of the Regulation). The Proposed Amendment

extends such duty to the outsourcing providers, and also to the financial platform operators and

digital signature certification providers providing certification services to the financial companies or

e-finance businesses (Article 21(1) of the Proposed Amendment).

– The scope of outsourcing providers and financial platform operators who would bear such

responsibility is expected to be specified in the enforcement decree.

3. Stricter scrutiny over outsourcing and the FSC’s rights to investigate and take action

against outsourcing providers is introduced.

– Pursuant to the Proposed Amendment, when financial companies or e-finance businesses outsource

their electronic finance or IT functions to a third party (including affiliates), a system to manage

outsourcing should be established to ensure the maintenance of financial security(Article 20-2(7) of

the Proposed Amendment).

– Under the Proposed Amendment, the FSC has the authority to directly supervise the “major

outsourcing providers”, meaning the companies which perform outsourced functions that

crucially impact the safety and reliability of electronic financial transactions. The scope of the “major

outsourcing providers” is to be decided in the enforcement decree. The aforementioned authority to

directly supervise such “major outsourcing service providers” is in addition to the current regulatory

system which provides for indirect supervision through the financial companies and e-finance

businesses that hire the outsourcing providers.

– Under the Proposed Amendment, the FSC will be able to request submission of documents from

the “major outsourcing providers” and investigate their work performed and assets in connection

with the outsourcing contract (Article 40-2 of the Proposed Amendment). Based on the results of

such investigation or review of the submitted documents, the FSC shall have a right to order the

“main outsourcing service providers” to take certain actions deemed necessary by the FSC for the

protection of the users or for the maintenance of a sound business environment.

– Further, the Proposed Amendment enables the FSC to take actions such as notifying the financial

companies or electronic finance businesses if the “main outsourcing service providers” do not comply

with the FSC’s orders, and also restricting them from entering into a new agreement with the “main

outsourcing service providers” within six months from the termination date of the existing outsourcing

agreement (Article 40-2(3) of the Proposed Amendment).

4.The board of directors is to be held accountable to financial security. 

– The Proposed Amendment stipulates that the board of directors is ultimately responsible for the

financial security from undertaking day-to-day business to making key business decisions (Article 20-

2(4) of the Proposed Amendment).

– Considering that the representative director is also a member of the board of directors, and a

significant number of representative directors concurrently serve as the chair of the board of

directors, it should be noted that the Proposed Amendment intends to elevate the ultimate legal

responsibility for financial security, which currently lies with the Chief Information Security Officer

(“CISO”), to the board level, including the representative director.

5. Chief Financial Security Officer and Financial Security Council are introduced, with

responsibilities to ensure financial security.

– Under the Proposed Amendment, the CISO will be replaced with the Chief Financial Security

Officer (“CFSO”). The responsibility of the CFSO will include assisting the board of directors on

making decisions with respect to financial security related matters, reporting to the board of directors,

conducting regulator audit on the financial security, and submitting the result of such audit to the

FSC.

– Also, financial companies and e-finance businesses shall be required to establish a Financial

Security Council which should consist of officers of relevant teams such as IT, risk management,

legal compliance, consumer protection, and data protection. The CFSO shall be responsible to chair

and run the Financial Security Council (Article 21-3 of the Proposed Amendment).

Key Takeaways

• The Proposed Amendment introduces stronger corporate governance requirements in terms financial

security. In particular, the Proposed Amendment increases the responsibilities of the Chief Financial

Security Officer (currently the “CISO”), introduces the Financial Security Council, and entrusts the

ultimate responsibility for financial security to the board of directors.

• The Proposed Amendment grants stronger supervisory powers to the financial authorities over the

financial companies, e-finance businesses, and outsourcing providers.

By Yulchon, Korea, a Transatlantic Law International Affiliated Firm. 

For further information or for any assistance please contact korea@transatlanticlaw.com 

Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.