South Korea Financial Services Commission proposes easing the network separation rule to permit internal use of cloud-based SaaS

The South Korea Financial Services Commission published a preliminary notice to revise the supervisory regulation on electronic financial services to exempt financial companies from the network separation rule when using cloud-based Software as a Service in internal networks, provided firms can demonstrate the capability to comply with network security protocols. The change is intended to allow broader use of SaaS for administrative and back office functions without requiring case-by-case approval via the financial regulatory sandbox. The exemption would apply to SaaS programs specified under the Enforcement Decree of the Act on the Development of Cloud Computing and Protection of Its Users, while excluding activities involving personal identification information or personal credit information. In exchange, firms would face strengthened information protection requirements including Financial Security Institute pre-screening of SaaS programs, stricter access controls for endpoint devices, enhanced monitoring and controls over the input, processing and transfer of critical information, measures to prevent unnecessary information sharing and block access to unauthorized internet services, and network encryption where SaaS is used, alongside a requirement to assess compliance every six months and report results to the chief information security officer. Public comments are open from January 20 to February 9, 2026, after which the proposal will proceed through the regulatory review process before taking effect.