Update on the Korea's Financial Services on the Cloud
ACCA FSI Update: Korea’s Regulations Revised
By Matthew Hunter, Olswang Asia LLP and Stacy Baird, Chairman, ACCA Data Sovereignty Working Group
In June 2015, the Korean financial services regulator announced regulatory changes that will make it easier for financial services institutions (FSIs) in Korea to use cloud computing services. First, FSIs will now be allowed to engage cloud service providers (CSPs) whose data hosting infrastructure is located overseas. Second, FSIs will no longer need approval from the regulator to use cloud computing services. Third, FSIs will no longer need to sign the regulator’s standard form contract with CSPs, so the parties can agree their own contract. These reforms substantially bring Korea in line with ACCA recommendations.
What has changed?
The Financial Services Commission (FSC) and the Financial Services Supervisor (FSS) announced in a joint press release (on the 9 June 2015) revisions to the Regulation on Financial Institutions’ Outsourcing of Data Processing Business & IT Facilities (dated June 2013) (the Regulation). The FSC stated that with these changes it “intends to reduce financial institutions’ burden relating with outsourcing of data processing”. These changes bring the Korean regime more into line with the regimes in many other countries in the Asia-Pacific region, including Singapore, New Zealand, Australia, Hong Kong and Japan.
There are four changes:
1. FSIs will be allowed to offshore data processing to a professional IT company whose infrastructure is located outside of Korea. (Previously, international FSIs could transfer data to their other locations around the world for processing. Domestic FSIs were unable to enjoy the benefits of offshore service providers. Now all FSIs can transfer data offshore, to other branches (for international FSIs) and to IT service providers, including CSPs.)
2. FSIs will no longer be required to obtain the approval from the FSC in order to outsource IT facilities.
3. FSIs will be allowed to outsource their data processing without notifying all the information to the FSS prior to outsourcing data processing. Instead they can report the outsourcing after the event to the FSS. FSIs will only be required to notify an outsourcing in advance to the FSS if customers’ financial transaction information will be outsourced.
4. FSIs will no longer be required to sign the standard form contract when contracting with CSPs, as long as the contract includes the regulatory requirements (e.g. obligations to permit the regulator to supervise and inspect the CSP).
These changes also bring the Korean regime into line with the recommendations for regulators made in the ACCA Report. The ACCA Report states that regulators should: allow the use by FSIs of offshore CSPs; not require FSIs to obtain approval for the use of cloud computing services; and not be prescriptive about the content of contracts between FSIs and CSPs. Korea now scores well against these recommendations. The next iteration of the ACCA report will be updated to reflect these steps forward for cloud computing in Korea.