South Korea Financial Services Commission relaxes network separation rule to allow specified SaaS use without regulatory sandbox approval

The South Korea Financial Services Commission (FSC) announced that, from April 20, financial companies and electronic financial service providers can adopt cloud-based Software as a Service (SaaS) for a range of administrative and back-office functions without going through the financial regulatory sandbox approval process. Revised supervisory rules on electronic financial services took effect the same day, exempting financial companies from the network separation rule for using SaaS on internal networks, subject to security conditions. The exemption applies to SaaS programs specified under the Enforcement Decree of the Act on the Development of Cloud Computing and Protection of Its Users, but does not cover handling personal identification information or personal credit information. Where SaaS use involves pseudonymized personal data, financial companies must still obtain regulatory sandbox approval. In exchange for the relaxed network separation requirement, firms must strengthen information security controls, including pre-screening of SaaS programs by the Financial Security Institute (FSI), stricter access controls for endpoint devices, and semi-annual compliance evaluations with findings reported to the chief information security officer. The FSC and the Financial Supervisory Service plan further work to upgrade network separation rules and to seek easing of related rules for the use of generative AI services.