Global Firms Concerned Over 3% Revenue Fines for Data Breaches


The global financial and fintech industries are closely monitoring a proposed amendment to Korea's Electronic Financial Transactions Act that would impose revenue-based administrative fines on financial institutions in the event of personal data breaches.

Recently, the Foreign Investment Ombudsman, a foreign-invested enterprise support body under KOTRA, identified the proposed bill's revenue-based penalty framework as a potential risk. The Ombudsman noted that “as the penalty system shifts to a revenue-based model, the burden is likely to increase for foreign financial institutions with large revenues.” It further observed that the framework “could be viewed as similar to the revenue-based penalty models adopted under major regulations such as the EU's GDPR and Korea's Personal Information Protection Act.”

In other words, global Big Tech companies and financial institutions are concerned that a GDPR-style regulatory framework, which has already been a significant compliance burden internationally, could expand into Korea's financial sector.

In April, Democratic Party lawmaker Kim Yong-man introduced a bill to amend the Electronic Financial Transactions Act, aimed at strengthening accountability and sanctions related to electronic financial transaction information leaks. The amendment would place direct responsibility on Chief Information Security Officers (CISOs) for managing internal security control systems. It would also make the adequacy of day-to-day security management a factor in determining sanctions.

If an incident occurs due to inadequate implementation of security measures, the Financial Services Commission would be authorized to impose administrative fines of up to 3% of a company's revenue. Where revenue is difficult to calculate, fines of up to KRW 5 billion (approximately USD 3.6 million) could be imposed. Additional sanctions could include administrative penalties of up to KRW 50 million and business suspension orders of up to six months.

The Foreign Investment Ombudsman characterized the bill as a potentially burdensome regulation for businesses. It noted that penalties could increase substantially following an actual breach and that firms may face additional costs to build systems that comply with detailed security requirements to be established by financial regulators in the future.

The Ombudsman also raised concerns about possible conflicts between global corporate security policies and Korea's regulatory requirements. Foreign financial institutions and fintech companies may need to comply not only with their global headquarters' security standards but also with separate security frameworks mandated by Korean financial authorities.

A financial industry official commented, “No matter how much security is strengthened, it is practically impossible to prevent hacking incidents with 100% certainty.” The official added, “The key issue is the uncertainty over what level of security measures financial regulators will deem 'sufficient' after an incident occurs.” The official further noted that foreign financial institutions could face the added burden of maintaining separate security systems specifically for the Korean market.

· This article was translated using AI and was published after final review by the reporter.