Good news from Korea for FSI cloud customers and CSPs

by

A guest post by @matthew1hunter and @danieljung88

This week the Korean financial services regulator announced regulatory changes that will make it easier for financial services institutions (FSIs) in Korea to use cloud computing services.  First, FSIs will now be allowed to engage cloud service providers (CSPs) whose data hosting infrastructure is located overseas.  Second, FSIs will no longer need approval from the regulator to use cloud computing services.  Third, FSIs will no longer need to sign the regulator’s standard form contract with CSPs, so the parties can agree their own contract. 

In this post, we look at what has changed, how do the changes compare with regulations in other countries and why these changes are good news.  You should also note that this is the second of two recent steps forward for cloud computing in Korea; in April this year we posted a report on Korea’s new (and the world’s first) cloud-specific law.

What has changed?

The Financial Services Commission (FSC) and the Financial Services Supervisor (FSS) announced in a joint press release (on the 9 June 2015) revisions to the Regulation on Financial Institutions’ Outsourcing of Data Processing Business & IT Facilities (dated June 2013) (the Regulation).  The FSC stated that with these changes it “intends to reduce financial institutions’ burden relating with outsourcing of data processing”.

There are four changes:

  1. FSIs will be allowed to offshore data processing to a professional IT company whose infrastructure is located outside of Korea.
  1. FSIs will no longer be required to obtain the approval from the FSC in order to outsource IT facilities.
  1. FSIs will be allowed to outsource their data processing without notifying all the information to the FSS prior to outsourcing data processing.  Instead they can report the outsourcing after the event to the FSS.  FSIs will only be required to notify an outsourcing in advance to the FSS if customers’ financial transaction information will be outsourced.
  1. FSIs will no longer be required to sign the standard form contract when contracting with CSPs, as long as the contract includes the regulatory requirements (e.g. obligations to permit the regulator to supervise and inspect the CSP).

How do the Korean regulations compare now to those in other countries?

These changes bring the Korean regime more into line with the regimes in many other countries in the Asia-Pacific region, including Singapore, New Zealand, Australia, Hong Kong and Japan.

For more information on the regulations that impact the use of cloud computing by FSIs in the Asia-Pacific region, see our report, published with the Asia Cloud Computing Association (the ACCA Report).

These changes also bring the Korean regime into line with the recommendations made in the ACCA Report.  The report sets out recommendations to regulators.  The aim of the recommendations is to make it easier for FSIs to use cloud computing services.  The ACCA Report states that regulators should: allow the use by FSIs of offshore CSPs; not require FSIs to obtain approval for the use of cloud computing services; and not be prescriptive about the content of contracts between FSIs and CSPs.  Korea now scores well against these recommendations and the report will be updated in the next version.

Why are these changes good news for FSIs and CSPs?

  • These changes will make it easier for FSIs in Korea to use cloud computing services.  FSIs around the world are benefiting from cloud computing services.  The services offer many benefits to FSIs, including security, agility, reliability, scalability and (not to forget) potential cost savings. Korean FSIs should and now will be able to benefit in the same way as FSIs in other countries.
  • These changes will help domestic FSIs in Korea to compete more evenly with international FSIs. Before now, international FSIs could transfer data to their other locations around the world for processing.  Domestic FSIs were unable to enjoy the benefits of offshore service providers.  Now all FSIs can transfer data offshore, to other branches (for international FSIs) and to IT service providers, including CSPs.
  • These changes should make it easier in the future for other cloud customers in Korea (not just FSIs) to use cloud computing services. The FSI sector is generally recognized as a heavy user of IT services and this activity is heavily regulated.  Potential cloud customers in other sectors may look towards the FSI sector for a lead.  The more the FSI sector opens up to the use of cloud, the more other sectors are likely to follow.
  • These changes may influence other regulators in the region to take similar approaches. Regulators talk, and they watch one another.  There has been plenty of discussion about increased rules on data sovereignty.   In these discussions it is helpful to be able to point to regulators, like the FSC in Korea, that allow international transfers of data.  The focus should not be on the location of the data, but always on whether or not the data is adequately protected.  The more markets that follow this lead, the better.
  • The changes will increase and improve competition in the Korean CSP market.  International CSPs will be able to compete to provide services to FSI cloud customers in Korea, where they were previously unable to.  CSPs who were reluctant to enter into the Korean market, may now be persuaded to do so.  We believe that increased competition is healthy for customers and between competitors.

We believe this is a good step forward for the cloud computing market in Korea.  We hope that more regulators will follow suit.  We will keep you posted on further developments.