Cloud-Based Office Management Software
Amendment Allows Bypassing Innovative Financial Services Review Process
Financial authorities are moving to ease network separation regulations so that financial institutions can smoothly utilize a variety of cloud-based office management and work support application software without undergoing the review process for innovative financial services.
The Financial Services Commission and the Financial Supervisory Service announced that they will conduct a preliminary notice of the proposed amendment to the "Enforcement Rules of the Electronic Financial Supervisory Regulations" starting January 20, 2026. The main point is to allow exceptions to the network separation regulation when financial institutions use cloud-based application software (SaaS) on their internal networks, provided that certain security protocols are observed.
SaaS allows software providers to support updates and maintenance, enables flexible office work on various cloud-based devices, and reduces the burden of managing in-house IT infrastructure by utilizing external storage, among other advantages. As a result, its use for office management and work support is rapidly increasing among many companies. However, because SaaS services require data exchange between cloud servers operated by external software providers and the internal servers of financial institutions, there has been a conflict with network separation regulations applied in the financial sector.
In response, financial authorities have allowed the use of SaaS for services with sufficient security measures (such as provider assessments against security threats and internal security measures by financial institutions) through the innovative financial services review process. They have also been preparing and promoting a plan to institutionalize exceptions to network separation regulations once enough cases have accumulated to resolve security concerns during SaaS operation.
First, SaaS services will be explicitly stated as grounds for exceptions to network separation regulations. However, in consideration of concerns about personal information leaks, exceptions will not be permitted when processing users' unique identification information or personal credit information.
As exceptions to network separation regulations are permitted, institutional measures for information protection controls will be made mandatory. Financial institutions must use SaaS services that have been evaluated by incident response agencies (such as the Financial Security Institute). They must also establish protection measures for access devices (computers, mobile devices, etc.), apply secure authentication methods, grant minimum necessary privileges, and implement strict security management. Monitoring and control of the input, processing, and leakage of critical information, as well as prevention of unnecessary sharing or processing of data within SaaS and control of unauthorized external internet access, are required. Encryption must be applied to the SaaS network section, and these protocols must be established and operated. Compliance with information protection controls must be evaluated semiannually and reported to the financial institution's Information Protection Committee.
The Financial Services Commission stated that this amendment is expected to significantly improve efficiency across all aspects of financial companies' work, including office processing, organization, performance management, and security management. It is also expected to make collaboration within and between organizations much easier by establishing standardized office processing systems with overseas branches and global affiliates.
The proposed amendment will undergo a 20-day preliminary notice period and regulatory reform committee review before being finalized and implemented quickly. A security guide detailing specific response measures to address security threats will also be prepared and distributed in line with the implementation date.
The Financial Services Commission commented, "This is a critical time to achieve fundamental innovation in financial services through the use of artificial intelligence (AI) technology and data. At the same time, recent hacking incidents have heightened concerns about security breaches. While we are actively pursuing institutional improvements to allow financial companies to focus on service enhancement using various IT technologies, we will also work quickly to establish systems that ensure the easing of network separation regulations does not lead to a weakening of security standards in the financial sector, encouraging financial institutions to autonomously and systematically maintain robust security."
The Commission added, "We will also closely collaborate with the financial sector to ensure that additional network separation improvement tasks, such as generative AI, can deliver results as quickly as possible."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
