The financial authorities held a briefing session on the improvement measures for network separation in the financial sector, which involves operating external networks such as the internet separately from internal business networks. They explained the step-by-step roadmap, the direction for operating the regulatory sandbox, and enhanced security measures. Detailed security consulting for each financial company will also be conducted through sector-specific briefings in the future.
Below are questions and answers related to the financial authorities' roadmap for improving network separation in the financial sector.
Q. When generative AI (artificial intelligence) is allowed, are only specific services (such as ChatGPT) allowed, or is any service applying generative AI technology allowed?
A. The allowance of generative AI through the regulatory sandbox is not limited to specific services; any service applying generative AI technology can apply for the regulatory sandbox.
Q. Can generative AI services in the form of PaaS (Platform as a Service) be used regardless of the roadmap?
A. Regardless of the operational structure of generative AI (SaaS or PaaS), if a network separation regulatory exception is required, application and approval through the regulatory sandbox are necessary.
Q. Is sandbox review and approval required even if generative AI does not handle customers' personal credit information?
A. The network separation-related regulatory sandbox allows exceptions to Article 15 (Measures to Prevent Hacking, etc.) Paragraph 1 Subparagraph 3 or 5 of the Electronic Financial Supervisory Regulations. Regardless of whether personal credit information is handled, if an exception to these regulations is needed, sandbox review and approval are required.
Q. Are there necessary protective measures such as pseudonymization adequacy evaluation and export criteria for pseudonymized personal credit information?
A. The 'pseudonymization' mentioned in the roadmap refers to pseudonymization under the Credit Information Act, and compliance with the rules of conduct stipulated in related laws is mandatory. Depending on the intended use, it is necessary to determine the level of pseudonymization, the method of pseudonymization, conduct adequacy reviews, and perform post-management in compliance with regulations.
Q. When allowing generative AI, large amounts of pseudonymized information may be processed overseas; are there any privacy protection issues?
A. Regarding the overseas processing of pseudonymized information through generative AI, prior consultation will be conducted with the Personal Information Protection Commission (hereinafter referred to as PIPC) to promote collaboration with the sandbox. When designating the sandbox, PIPC will also participate in granting exceptions under the Personal Information Protection Act, and various security measures necessary for personal information processing, transfer, and protection will be reflected as additional conditions.
Q. What are the security inspections and consulting during the sandbox process?
A. When designating the sandbox, security measures according to risks are imposed as additional conditions. The Financial Supervisory Service and the Financial Security Institute will provide prior consulting on the adequacy, vulnerabilities, and necessary improvements of security measures established by individual financial companies, and will inspect whether the relevant security measures are properly in place before the service launch.
Q. For companies that have received exceptions for using Software as a Service (SaaS) through the existing sandbox, are additional measures required due to this improvement?
A. The improvement of network separation expands the scope of SaaS usage, and the target, scope, and additional conditions differ from the SaaS allowed through the existing sandbox. If a company intends to operate services within the previously designated scope under the existing regulatory exception, no additional measures are required. However, if the company wishes to newly expand the scope of SaaS usage according to the improvement plan, a separate sandbox designation application is necessary.
Q. What is the future schedule for the regulatory sandbox related to the roadmap? Is it a one-time application or can applications be submitted continuously?
A. The regulatory sandbox related to the roadmap, including generative AI, is scheduled to accept the first applications in September this year. Detailed schedules will be announced through each association and the financial regulatory sandbox webpage. Applications for the roadmap-related regulatory sandbox are not one-time; additional application periods will be considered based on demand.
Q. Are there criteria for the scope of research and development network usage?
A. The scope of research and development network usage should, in principle, be determined by each financial company considering physical and human factors as well as security factors (security capabilities, need for protection, risks of opening to external networks, etc.). Financial companies should identify the importance and risks of information assets and systems, analyze and evaluate the impact, decide on the use of the research and development network, and operate it after approval by the internal information protection committee. However, it is necessary to strictly comply with the alternative information protection controls required under network separation exceptions, regularly inspect for vulnerabilities, and implement security measures.
Q. When is the detailed guideline for research and development network usage expected to be published?
A. By the end of this year, the 'Electronic Financial Supervisory Regulations' and enforcement rules will be revised to improve network separation in the research and development field. After collecting industry opinions, detailed guidelines including the specific scope of research and development network usage, necessary security measures, and best practices will be published together.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
