'T-Mef' Response... Imposing Management Obligations on Financial Companies Including Non-Financial PG Companies as 'Indirect Regulation'

Financial Supervisory Service Holds Kickoff Meeting for Task Force on Strengthening Operational Risk Management
Responding to T-Mef Incident and KakaoPay Data Leak Controversy
"Detailed Guidelines by Industry to Be Established Within the Year"

Financial authorities are stepping up operational risk management for non-financial companies such as platform operators and financial brokerage and agency firms across the financial sector, influenced by recent incidents like the T-Mef (Timon·Wemakeprice) case. Instead of direct intervention, the authorities plan to impose management obligations on financial companies doing business with these entities, thereby regulating them indirectly.


On the 5th, the Financial Supervisory Service (FSS) held a kickoff meeting for the 'Operational Risk Management Enhancement Task Force (TF)' chaired by Senior Deputy Governor Lee Se-hoon, discussing plans to strengthen operational risk management across sectors including banking, insurance, credit cards, and IT. Deputy Governor Lee said, "Recently, the market size of relatively lightly regulated non-regulated financial areas (IT, platforms, brokerage, agency, etc.) outside traditional financial firms has rapidly expanded. It is necessary to establish a minimum risk management system to prevent unstructured financial risks from becoming a source of instability in the financial market and to eliminate regulatory blind spots."



The main topic discussed at the meeting was how to manage non-financial companies that have penetrated comprehensively into the financial sector. Internationally, there are three regulatory approaches by financial authorities toward non-financial companies: 'conduct-based regulation,' which applies the principle of same function, same regulation; 'indirect regulation,' which imposes management obligations on financial companies regarding non-financial companies; and 'entity-based direct regulation,' where financial authorities directly regulate non-financial companies. South Korea's financial authorities have so far focused on conduct-based regulation but plan to establish an indirect regulation system going forward.


Deputy Governor Lee explained that under the existing conduct-based regulatory system, it was ambiguous how far regulation should extend even if the same function was involved. He said, "For example, it is difficult to answer whether a telecommunications company offering small postpaid payments via mobile phones should be subject to capital adequacy ratio regulations under the Bank for International Settlements (BIS) standards as if it were engaged in lending. There are limits to the same function, same regulation principle, so this is a step further."


As a common task for financial companies, responsibility for operational risk management by executives and boards of directors is expected to be strengthened. The accountability structure will be managed so that duties related to delegation and entrustment are assigned to appropriate executives. There will also be efforts to reflect operational risk management obligations arising from delegation and entrustment in the internal control standards of financial companies, which are subject to board deliberation and resolution.


An operational risk management guideline will also be prepared. It will provide specific standards regarding the types and scope of operational risks to be managed, recognition, evaluation, and criteria. Additionally, measures to substantially enhance financial companies' loss absorption capacity in preparation for operational risks such as financial accidents will be pursued.


[Figure: Schedule for Strengthening Operational Risk Management by Financial Sector. (Source: Financial Supervisory Service)]

By sector, for credit card companies, responsibility for online payment risks will be strengthened. When credit card companies enter into contracts with primary electronic payment gateway (PG) companies, they will inspect and guide the screening and selection criteria and whether the appropriateness of PG companies' sub-merchants is verified. Based on inspection results and government system improvement plans for PG companies, the industry (card companies and PG companies) and related ministries will collaborate to establish measures to strengthen online payment risk management. Although there are calls for direct regulation of PG companies and e-commerce following the T-Mef incident, it is considered premature. Deputy Governor Lee said, "Direct intervention in non-financial companies should be aligned with international discussions, and at this stage, it is a challenging task to review concretely. In the case of PG businesses, authorities have room for direct supervision, so some direct supervision is conducted, but moving to a broad direct supervision system is cautious."


For insurance companies, plans are underway to expand the required capital reserves according to accident risks in sales channels. Evaluation criteria considering various factors such as the sales quality of delegated corporate insurance agencies (GA) will be established, and insurance companies will be regularly assigned evaluation grades. Based on evaluation grades, the required capital under the solvency ratio (K-ICS) will be differentially imposed, and effective measures such as management improvement agreements will be considered for companies with inadequate operational risk management. Details of the evaluation system will be discussed at the Insurance Reform Committee.


For banks, practical improvements in operational risk management will be encouraged. The effectiveness of the 'Revised Operational Risk Management Standards for Banks (PSMOR),' implemented since January this year, will be reviewed, and the need to supplement details such as the scope and calculation method of operational risk will be examined. Deputy Governor Lee said, "We will check the implementation level of each bank to ensure that the introduction of PSMOR leads to practical improvements in operational risk management in the banking sector. We will guide banks to improve any deficiencies and actively share best practices to raise the overall level of operational risk management in the banking sector."


For the financial IT sector, a concentrated risk management system related to IT outsourcing and partnerships in the financial sector will be inspected. For financial companies conducting electronic financial services, a three-step process of information collection → analysis of IT outsourcing and partnership status → safety inspection of concentrated companies will be conducted to develop measures to strengthen IT outsourcing risk management in the financial sector.


Sector-specific matters will be concretely planned through the TF in the second half of this year. After collecting opinions by sector, pilot operations will be conducted sequentially. Additionally, plans to strengthen operational risk management in small and medium financial sectors (savings banks, mutual finance, capital companies) will also be reviewed sequentially in the future.


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
