CONTENTS
- 1. Regulation on Supervision of Electronic Financial Activities | Scope and Purpose
- 2. Regulation on Supervision of Electronic Financial Activities | Key Points of the Amendment
  - New Duty for the CISO to Report to the Board
  - Expanded Duty to Establish a Disaster Recovery Center
  - Higher Coverage Limits for Electronic Financial Incident Liability Insurance
  - Deregulation and Self-Imposed Accountability
- 3. Regulation on Supervision of Electronic Financial Activities | Items to Review
  - Key Review Items for Financial Companies
  - Key Review Items for Electronic Financial Business Operators
- 4. Regulation on Supervision of Electronic Financial Activities | The Need for Legal Counsel
  - Daeryun's Legal Response System

1. Regulation on Supervision of Electronic Financial Activities | Scope and Purpose
The Regulation on Supervision of Electronic Financial Activities sets the security framework and operating standards that financial companies and electronic financial business operators must put in place to ensure the safety of electronic financial transactions and to protect users.
Its subjects include traditional financial companies such as banks, insurers, and securities firms, as well as a range of operators involved in electronic financial transactions.
▷ Specialized credit finance companies engaged in installment finance, equipment leasing, and the like
▷ Mutual savings banks and others that have built their own computing systems
The amended Regulation, which took effect in February 2025, expanded the scope of entities required to set up a disaster recovery center and, among other changes, newly brought electronic financial business operators and specialized credit finance companies above a certain size within the scope of regulation.
A company that has become subject to these obligations for the first time because of growth in its transaction or asset size should review in advance whether any part of its existing operating system falls short of the Regulation's standards.
2. Regulation on Supervision of Electronic Financial Activities | Key Points of the Amendment

The Regulation on Supervision of Electronic Financial Activities was amended on February 5, 2025. To keep pace with technological progress and the changing digital finance environment, the detailed security provisions were reduced from 293 to 166, giving financial companies a foundation on which to design and operate their own security frameworks.
The amended regulation also tightens certain requirements, and several provisions carry separate grace periods, so companies should complete their preparations before those dates arrive.
New Duty for the CISO to Report to the Board
Previously, the CISO could simply report matters deliberated and resolved by the information protection committee to management. The amended regulation now requires that key matters be reported directly to the board of directors as well.
Companies should establish internal standards governing what must be reported to the board and, where necessary, revise the relevant internal rules.
Expanded Duty to Establish a Disaster Recovery Center
Building a disaster recovery center involves more than securing physical space. It also requires system construction, redundancy design, and recovery testing, so companies should set a preparation schedule in advance with the effective date in mind.
| Newly Covered Entities | Criteria |
| --- | --- |
| Electronic financial business operators | Annual electronic financial transactions totaling 2 trillion won or more |
| Specialized credit finance companies | Total assets of 2 trillion won or more, plus 300 or more full-time employees |
| Mutual savings banks | Where they build and operate their own computer systems |
Higher Coverage Limits for Electronic Financial Incident Liability Insurance
To strengthen user protection when an electronic financial incident occurs, the liability insurance coverage limits for each type of business have generally been raised.
| Category | Before Amendment | After Amendment |
| --- | --- | --- |
| Prepaid payment instrument issuers / electronic payment settlement agents | 100 million won | 200 million won |
| Credit finance companies / insurance companies / mutual savings banks | 100 million won | 200 million won |
| Financial investment companies with assets of 2 trillion won or more, among others | 500 million won | 1 billion won |
Deregulation and Self-Imposed Accountability
Detailed prescriptive rules, such as standards for buildings, facilities, and computer rooms, the specifics of malware countermeasures, password-setting methods, and the particulars of separation of duties, have largely been deleted or consolidated into principle-based provisions.
This shift toward a principle-based approach widens the scope within which financial companies may design their own security frameworks, but it also means the companies themselves now bear direct responsibility for the results.
Financial regulators have already signaled that they will reshape the digital finance security legal framework to strengthen after-the-fact accountability where a company fails to build a self-managed security framework or where a security incident occurs.
Financial companies should therefore treat the deletion of detailed rules not as the disappearance of their obligations, but as a reason to design and operate an effective internal control system that maintains an appropriate level of security on their own initiative.
3. Regulation on Supervision of Electronic Financial Activities | Items to Review
The Regulation on Supervision of Electronic Financial Activities imposes on financial companies a range of legal duties across their entire security framework to secure the safety of electronic financial transactions and protect users. With the amended regulation now in effect, companies are expected to review their internal control systems and related internal rules as a whole.
Key Review Items for Financial Companies
· Where the company is subject to the duty to establish a disaster recovery center, whether a construction schedule and preparation plan are in place
· Whether the liability insurance meets the amended standards and whether renewal is needed
· Whether existing internal rules, such as malware countermeasures and web server management measures, have been aligned with the framework of the amended regulation
· Where the IT department structure is being reorganized, whether the question of where responsibility falls in the event of an incident has been reviewed in advance
· Whether a substantive level of security is being maintained in the areas now left to self-management
· Whether procedures for handling electronic financial incidents (classification of types, processing stages, severity assessment, and the like) are set out in detail in the internal rules
Gaps in internal control procedures can, in particular, translate into personal liability for individual executives when an incident occurs, so it is important to review internal work processes comprehensively in line with the entry into force of the amended regulation.
Key Review Items for Electronic Financial Business Operators
Electronic financial business operators that run services such as simple payment, PG, and prepaid balances bear security duties comparable to those of financial companies, and the applicable standards vary with their size and the nature of their services.
· Whether the coverage limit of the electronic financial incident liability insurance meets the amended standards and whether renewal is needed
· Whether the operator accurately understands the reporting thresholds for electronic financial incidents (delay or suspension time, number of subscribers, and the like)
· Whether internal rules on incident reporting have been aligned with the enforcement decree standards of the amended regulation
· Whether measures to prevent malware infection and to manage public web servers have been updated in line with the amended regulation
· Whether a level of security at or above that of the pre-amendment rules is being maintained in the areas now left to self-management
Because electronic financial business operators deal directly with users, security incidents often spread into user harm and disputes.
Operators that have newly become subject to these duties as they have grown in size should also realign their overall operating framework with the standards of the regulation.
4. Regulation on Supervision of Electronic Financial Activities | The Need for Legal Counsel
A violation of the Regulation on Supervision of Electronic Financial Activities may lead not only to administrative sanctions (suspension of business, penalty surcharges, or revocation of registration), but also to damages disputes arising from user harm or to questions of executive liability.
Since the amended regulation took effect, the adequacy of a self-managed security framework is likely to carry significant weight in any assessment, so it is important to review in advance whether the internal control system is designed to align with the purpose of the regulation.
Daeryun's Legal Response System
Drawing on its experience in financial regulation and corporate legal matters, Daeryun responds in a structured way to issues arising under the Regulation on Supervision of Electronic Financial Activities.
· Responding to on-site and document-based examinations by the Financial Supervisory Service and submitting opinions
· Analysis of legal risks relating to the internal control responsibilities of the CISO and executives
· Legal review of preparations for the effective date, such as building a disaster recovery center and renewing insurance
· Handling user disputes and damages claims when an electronic financial incident occurs
· Legal review of internal rules and work processes for building a self-managed security framework
Electronic finance disputes often turn on a combination of technical facts and regulatory interpretation, so a structured legal review from the earliest stage of a matter is important.
If you would like legal counsel on the Regulation on Supervision of Electronic Financial Activities, please submit a consultation request with a finance attorney at Daeryun.