In our April 2013 newsletter, we provided a summary of the draft “Regulations on Delegation of Information Processing and IT Facilities of Financial Companies” (the “Initial Draft”). Since then, after listening to comments from various governmental agencies, academia, and industry experts on the Initial Draft, the Financial Services Commission (“FSC”) announced on June 25, 2013 that it will adopt a revised set of “Regulations on Delegation of Information Processing and IT Facilities of Financial Companies” reflecting certain of the comments that were provided (the “Regulations”). Set forth below is a summary of the material provisions of the Regulations with highlights of the changes made from the Initial Draft.
- Permitted Scope and Delegation Procedures
Article 4 of the Regulations permits financial companies, which include “foreign financial companies” (i.e., Korean branches or affiliates of financial companies established under the laws of a foreign country), to delegate the processing of information to a third party; however, in the case of delegation to an offshore third party, such third party must be the head office, a branch office or an affiliate of the foreign financial company in order to protect the interests of financial services users and ensure that regulatory supervision is available.
Financial companies are not permitted to delegate the processing of information if prohibited by applicable laws or if they have received two or more institutional warnings or more severe sanctions, or two or more criminal sanctions, in the immediately preceding three years in the course of regulatory inspections relating to the management of information of financial services users and submission of materials for inspection (Article 4(2) of the Regulations). As such, the scope of prohibition on delegation has been narrowed under the Regulations in comparison to the Initial Draft, which prohibited financial companies from delegation if they received two or more fines/penalties of not less than KRW 3 million.
To protect financial services users and ensure regulatory supervision after delegation, one of the requirements for delegation under the Regulations is that parties must use standard terms for delegation (Article 4(3) of the Regulations). However, the Regulations will allow such standard terms to be used with some modification, subject to the approval of the FSC.
Article 7(1) of the Regulations requires that a financial company report any delegation of information processing to the Governor of the Financial Supervisory Service (“FSS”) at least seven business days prior to the scheduled date of execution of the delegation agreement, which was also required by the Regulations on Delegation of Businesses of Financial Institutions in the past. The Regulations also require, as one of the documents to be attached to such report of business delegation, “documents necessary to verify the feasibility of regulatory supervision on the operation of the information processing” (Article 7(1)6 of the Regulations).
Article 4(4) of the Regulations prohibits sub-delegation, except as approved by the Governor of the FSS and to the extent that such sub-delegation does not harm financial services users or hinder the FSS’ exercise of financial supervisory powers. This modification to the Initial Draft has been made to address (i) the ambiguity as to whether the Initial Draft prohibits all types of sub-delegation, (ii) the concern that such prohibition may have an adverse effect on the development of small and medium-sized IT companies in Korea, and (iii) the argument that sub-delegation should be permitted to the extent that financial services users’ interests are protected and financial supervisory powers are properly exercisable.
- Protection of Entrusted Information
As provided in the Initial Draft, Article 5 of the Regulations requires a financial company delegating its information processing to take protective measures (including obtaining the prior consent of financial services users, encryption of personal information, etc.) prescribed under the Personal Information Protection Act, the Real Name Financial Transactions and Guarantee of Secrecy Act, the Use and Protection of Credit Information Act and all other applicable laws (Article 5(1)). Transfers of resident registration numbers of individual customers to foreign countries are prohibited. In addition, a financial company is required to give public notice on its website of the protective measures taken for delegation of information processing and provide separate notice to the relevant individual customers in case of delegation of processing of certain personal information defined as “Sensitive Information” under the Personal Information Protection Act and its Presidential Decree (including an individual’s health status and other personal information, the disclosure of which may materially affect the individual’s privacy), whether such delegation is made in or out of Korea (Article 5(2)).
In addition, Article 4(7) of the Regulations expressly provides for the joint and several liability of both the delegating party and the delegatee, for any and all damages incurred by information owners or users which may result from any breach by the delegatee of the applicable laws and regulations, including the Regulations and the standard terms for delegation set forth in Appendix 1 to the Regulations.
- Overseas Delegation of IT Facilities
Article 4 of the Regulations provides that a financial company can delegate the operation of information processing facilities to its head office, branch, or affiliate located in a foreign country; this has been modified from the Initial Draft to allow delegation to a branch in a foreign country. However, as in the Initial Draft, delegation of operations of the types of major facilities listed below may be prohibited by the FSC in order to protect the interests of financial services users and the performance of the FSC’s supervisory functions (Article 6(2) of the Regulations):
- Ledgers of financial transactions deemed necessary to protect the interests of financial services users and the performance of the FSC’s supervisory functions;
- Facilities directly related to the services provided to financial services users (except for certain facilities whose operation is deemed necessary to be transferred to a foreign country due to the types of financial services users and products);
- IT facilities not suitable to be installed abroad for legitimate access or connection by other institutions in Korea;
- IT facilities whose foreign installation may cause a financial company to fail to comply with the requirements of applicable laws, such as the quality of services provided to financial services users, security and prompt recovery in the event of disaster; and
- Data networking-based facilities and IT security systems that support the IT facilities of any of the foregoing.
The requirement that IT & disaster recovery centers be located in Korea as set forth in Article 11 of the Regulations on Supervision of Electronic Finance will continue to apply even after the enactment of the Regulations.
- Enforcement Date and Transitional Measures
The Regulations took effect upon their announcement (June 25, 2013), and their addenda expressly state that the Regulations shall not be construed to impose additional obligations or restrictions with respect to information processing and IT facilities that have already been legitimately delegated under the applicable laws and regulations as of the above enforcement date of the Regulations (Articles 1 and 2 of the Addenda).
- Prior Notice of Changes in Other Regulations
Along with the promulgation of the Regulations, the FSC also amended the Regulations on Delegation of Businesses of Financial Institutions, the Regulations on Supervision of Electronic Finance Businesses, and the Regulations on Supervision of Insurance Businesses as follows:
- The Regulations on Delegation of Businesses of Financial Institutions will no longer apply to the delegation of information processing and IT facilities.
- The Regulations on Supervision of Electronic Finance Businesses will be amended to permit a financial institution or electronic financial business entity to retain and store financial information to the extent necessary for performance of its electronic financial business. Storage of financial information was generally prohibited in the past.
- The FSC approval required for “foreign transfer of IT facilities” in the Regulations on Supervision of Insurance Businesses will be abolished so that the procedures and methods of transfer of facilities by insurance companies will be governed by the Regulations.