Inspection Opinion Letter Sent for Violations of the Electronic Financial Transactions Act, Specialized Credit Finance Business Act, and Credit Information Act
No Intervention in Management Decisions... Focus on IT and Internal Control in Ad-Hoc Insp
The Financial Supervisory Service (FSS) has completed its ad hoc inspection of the Lotte Card cyber incident in just two months, sent its inspection opinion letter, and begun the process of hearing the company's explanation. This process involves notifying the company of any legal violations found during the inspection and then listening to the company's legal opinions, a procedure that is expected to be repeated several times going forward. Within the financial sector, there is a consensus that it will be difficult for the FSS to submit any regulatory action regarding Lotte Card to the Sanctions Deliberation Committee this year.
According to the financial industry on November 11, the FSS completed its ad hoc inspection of the Lotte Card cyber incident at the end of last month and sent the first inspection opinion letter. Although the FSS set the previous day as the deadline for Lotte Card to submit its response to the first opinion letter, this deadline is not strictly enforced. Lotte Card has reportedly stated that it requires legal review and thus cannot submit a response within the roughly ten-day period (from the end of last month to the previous day) following the inspection.
The contents of the FSS inspection opinion letter are confidential, as external disclosure is prohibited under Article 33 of the "Regulations on the Inspection and Sanctions of Financial Institutions." However, according to multiple sources in the financial sector, the letter is believed to focus on legal violations identified during the inspection of Lotte Card’s IT and information security systems, including WebLogic management. The FSS reportedly did not intervene in management decisions such as the resignation of Lotte Card’s CEO, organizational restructuring, or adjustments to the proportion of the information security budget relative to the total IT budget.
Typically, the FSS specifies in its inspection opinion letter details such as "Violation of Law A by failing to fulfill regulatory obligation B," then receives a response from the inspected institution (Lotte Card), reviews it, and sends additional inspection opinion letters as needed, repeating this process. In this ad hoc inspection, it was confirmed that Lotte Card violated the Electronic Financial Transactions Act, the Specialized Credit Finance Business Act, and the Credit Information Act, so all violations under these laws are believed to have been communicated to the company.
According to the FSS, after an ad hoc inspection, the process leading up to submission to the Sanctions Deliberation Committee generally follows these steps: "reporting back to headquarters → sending the inspection opinion letter and hearing the institution’s opinion → preparing the inspection report → internal review and review by the Sanctions Deliberation Bureau of the proposed actions and inspection report."
The "Enforcement Rules of the Regulations on the Inspection and Sanctions of Financial Institutions" stipulate that the results should be communicated within 152 days of completing the ad hoc inspection, but this is not a mandatory rule. The 152-day period does not include the time given to the inspected institution to submit its explanation. According to the regulations, the results could be announced externally by early April next year, 152 days after the inspection's conclusion, but the actual announcement may be delayed further.
Separately from the sanction regulations, the financial authorities have decided to conclude the Lotte Card case as quickly as possible, given that cyber incidents at financial companies have become a significant social issue. However, they have also established the principle of making judgments based on the provisions of the Electronic Financial Transactions Act, the Specialized Credit Finance Business Act, and the Credit Information Act, as well as precedents, rather than considering the severity of sanctions imposed in major hacking cases involving institutions such as SK Telecom (50-day business suspension) and KT. There are no plans to combine the ongoing regular inspection, which began the previous day, with the ad hoc inspection.
An FSS official stated, "The specific procedures for handling the sanctions have not yet been determined," adding, "It will be difficult to merge the regular inspection of Lotte Card, which began yesterday, with the ad hoc inspection."
The heaviest sanctions the financial authorities can impose on Lotte Card include a six-month business suspension under the Specialized Credit Finance Business Act and a fine of 5 billion won under the Credit Information Act. Since it has already been confirmed that information was leaked, sanctions related to the Credit Information Act are inevitable. Lotte Card is reportedly more concerned about the severity of sanctions under the Specialized Credit Finance Business Act (business suspension) than those under the Credit Information Act (fine). A Lotte Card representative commented, "It is difficult to say which of the three laws' violations is more important or sensitive," adding, "We will faithfully follow the authorities' sanction procedures."
Meanwhile, Lotte Card has replaced four out of its seven division heads and upgraded its information security unit to report directly to the CEO. At a public apology press conference on September 18, CEO Cho Jwajin stated, "Including my own resignation and that of the executive team, we will implement a level of personnel reform by the end of the year that will be acceptable to the market."
© The Asia Business Daily (www.asiae.co.kr). All rights reserved.



