On April 16, 2013, the Financial Services Commission (“FSC”) proposed draft Regulations on the Delegation of Information Processing and IT Facilities of Financial Companies (the “Regulations”).
Currently, the delegation of information processing and use of offshore IT facilities are permitted on a very limited basis pursuant to the Regulations on Delegation of Businesses of Financial Institutions. In contrast, such delegation has been widely permitted in other jurisdictions. In addition, the Korea-EU FTA and the Korea-US FTA each contemplate that the transfer of information will be permitted within two years from the date on which the respective agreement took effect (Korea-EU FTA: July 1, 2011 ~ June 30, 2013; Korea-US FTA: Mar. 15, 2012 ~ Mar. 14, 2014). Accordingly, there is a need for certain measures to be put in place for the overseas transfer of information required for data processing of financial companies.
The following is a summary of the proposed Regulations.
1. Permitted Scope and Delegation Procedures
Article 4 of the Regulations permits financial companies, including “foreign financial companies” (i.e., Korean branches or affiliates of financial institutions that have been established under the laws of a foreign jurisdiction and are licensed to engage in financial businesses under Korean law), to delegate the processing of information to a third party; however, in the case of delegation to an offshore third party, such third party must be the head office or affiliate of the foreign financial company in order to protect the interests of financial service users and ensure that regulatory supervision is available.
Financial companies are not permitted to delegate such processing of information if prohibited by any applicable laws or if they have been sanctioned more than two times in the most recent three years by means of institutional warning or more severe sanction or fine/penalty exceeding KRW 3 million in the course of regulatory inspection relating to the management of information of financial service users and submission of materials (Article 4(2) of the Regulations).
A delegation under the Regulations must be made in accordance with the standard delegation terms set forth in Appendix 1 to the Regulations, which provides for such matters as the rights of financial service users, the obligation to cooperate with regulatory authorities, the prohibition of re-delegation and further transfer of information to third parties, the joint and several liability of the parties and the application of Korean jurisdiction.
Article 7(1) of the Regulations also requires a financial company to report any delegation of information processing work to the Governor of the Financial Supervisory Service within seven business days prior to the scheduled date of execution of the relevant delegation agreement, which is consistent with the reporting obligation set forth in the current Regulations on Delegation of Businesses of Financial Institutions.
2. Protection of Entrusted Information
Article 5 of the Regulations requires a financial company delegating its information processing to take protective measures (including obtaining the prior consent of financial service users, encryption of personal information, etc.) prescribed under the Personal Information Protection Act, the Act on Real Name Financial Transactions and Guarantee of Secrecy, the Act on Use and Protection of Credit Information and any other applicable laws (Article 5(1)). Transfers of resident registration numbers of individual customers to foreign countries are prohibited (Article 5(2)). In addition, a financial company is required to give public notice on its website of the protective measures taken for delegation of information processing and provide separate notice to the relevant individual customers in case of delegation of processing of certain types of personal information defined as “Sensitive Information” under the Personal Information Protection Act and its Presidential Decree (including an individual’s health status and other personal information, the disclosure of which may materially affect the individual’s privacy), whether such delegation is made in or out of Korea (Article 5(3)).
3. Overseas Delegation of IT Facilities
Article 4 of the Regulations provides that a financial company can delegate the operation of information processing facilities to its head office or affiliate located in a foreign country; however, delegation of operations of the types of major facilities listed below may be prohibited by the FSC to protect the interests of financial service users and perform supervisory functions (Article 6(2) of the Regulations):
- Ledgers of financial transactions deemed necessary to protect the interests of financial service users and perform supervisory functions (except for certain facilities whose operation is deemed necessary to be transferred to a foreign country due to the type of financial service users and products);
- Facilities directly related to the services for financial service users;
- IT facilities that are not suitable to be installed abroad due to the risks of potential access or connection by other institutions outside Korea;
- IT facilities whose installation abroad may cause a financial company to fail to comply with the requirements of applicable laws, such as the quality of services provided to financial service users, security and prompt recovery in the event of disaster; and
- Data networking-based facilities and IT security systems that support the IT facilities of any of the foregoing.
The requirement that IT & disaster recovery centers be located in Korea as set forth in Article 11 of the Regulations on Supervision of Electronic Finance will continue to apply even after the enactment of the Regulations.
4. Prior Notice of Changes in Other Regulations
Along with the promulgation of the Regulations, the FSC announced the following proposed changes in other relevant regulations.
- The Regulations on Delegation of Businesses of Financial Institutions will no longer apply to the delegation of information processing and IT facilities.
- The Regulations on Supervision of Electronic Finance Business will be amended to permit a financial institution or electronic financial business entity to retain and store financial information to the extent necessary for the conduct of its electronic financial business. The storage of financial information has generally been prohibited in the past.
- The FSC approval required for “foreign transfer of IT facilities” in the Regulations on Supervision of Insurance Businesses will be abolished so that the procedures and methods of transfer of facilities by insurance companies will be governed by the Regulations.