The following is a summary of the press releases made by the Financial Services Commission on 22 and 24 January 2014. These are action items and policies that the FSC is seeking to implement. These press releases were made after the personal information of credit card holders of three credit companies were leaked.

  1. Collection  and  management  of  personal  information  by  financial institutions
  • Financial  institutions  will  only  be  allowed  to  collect  and  keep  personal information to the ‘necessary and minimum’ extent.
    • Information currently held by financial institutions will be examined, and measures will be taken to ensure that they only collect and keep absolutely necessary information.
    • The period for which financial institutions are allowed to hold personal credit information will be limited to ‘five years after the date of completion of transaction.’
    • Financial institutions will be instructed to store and manage information of customers, with whom transactions are completed, separately from information of customers with whom transactions are in progress, and the use of such information for external marketing purposes will be strictly prohibited.
  1. Supply of information to a third party
  • The method of the supply of information for a third party must be improved by ensuring that financial institutions specify each company to which information is supplied.
  • Obtaining ‘blanket consent’ in principle will be prohibited.
  • Financial institutions must specify the time period during which the third party is to use the information (eg. five years or when the provision of service is completed).
  • Use of information for marketing purposes will, in principle, be prohibited.
  • The sharing of customer information within a financial holding group will be restricted.
    • To date customer information may be shared among subsidiaries of a financial holding group without the consent of customers under a special provision of the Financial Holding Companies Act. However, the FSC has noted that the use of customer information under such special provision will be strictly prohibited.
    • Customer information that may be shared within a financial holding group will be limited to such information as necessary for internal business-management purposes such as credit-risk management.
    • Extremely tough standards will be applied before customer information may be used for external marketing purpose without the prior consent of customers. *

*     Example: (Before) Approval of the administrator of customer information was only needed→ (After) Approval of the board of directors and the customers are to be notified of such use

  1. Restriction on solicitation by SMS, email, etc.
  • Restriction on solicitation of loans by SMS, email or telephone
    • As marketing via SMS, email or telephone is very likely to involve illegally-circulated personal information, the necessity of SMS and email as a ‘method of indiscriminate solicitation of loans’ should be reviewed fundamentally.
    • Financial institutions will be requested to cease solicitation of loans by SMS, email or telephone for the interim period (by the end of March 2014) until current full-scale investigations are concluded.
    • FSC will push forward with the prescription of specific regulatory measures in February 2014, and the details of the plan will be determined after consultation with relevant agencies.
    • The above restriction will apply not only to the solicitation of loans but also to insurance/credit card products except insurance companies that are licensed to market insurance products via telephone are exempted to the extent such insurance companies give an assurance that the relevant information will be legitimately obtained.
  • Obligation to track how a loan is solicited for loans solicited through electronic means
    • Financial institutions will be instructed to introduce a process at the point of processing the approval of a loan to examine whether information illegally obtained was used to solicit the loan application.
    • Financial institutions will be instructed to probe not only loan agents but also customers about matters including information about the loan and to track how the loan was solicited.
  1. Heavier sanctions for leaking information
  • Introduction of a punitive fine system, etc.
    • An uncapped fine based on a formula (e.g. an amount equivalent to 1% of the relevant sales) will be imposed on a financial institution which has used information illegally collected or circulated such information in its business activities.
    • A fine based on a formula will also be imposed on a financial institution which has divulged personal information illegally (provided, however, if the illegal divulgence is not directly related to profit-making activities, an upper limit will be set on such fine.)
  • Heavier punishment.
    • The level of punishment for the divulgence of information under the relevant laws including the Use and Protection of Credit Information Act will be raised considerably to the highest- possible level under finance-related laws.

* The Banking Act provides that where an executive or employee of a bank divulges any confidential information or data that he/she becomes aware of during the course of his/her duty, such person shall be punished by imprisonment for up to ten years or levied a fine of up to KRW 500 million.

  1. Future plan
  • Actions not requiring amendment of the relevant laws will be taken as soon as possible and are to be completed by the end of the 1st quarter of 2014.
  • If there are bills pending in the National Assembly which may facilitate amendment of the relevant laws, measures will be taken to ensure that the relevant bills are passed during the extraordinary session in February 2014. Where an amendment bill is required to be drafted, the plan is to ensure such bills are read by the end of the 1st quarter of 2014 followed by discussions thereon during the National Assembly sessions in the first half of 2014.