SOUTH KOREA Law and Practice Contributed by: Jongbaek Park, Seungil Hong, Seyeong Im and Eric Jeong, Bae, Kim & Lee LLC
have been applicable in respect of licensed financial services. The regulatory sandbox exemption period may not exceed two years, which is extendible, only once, for up to two years. In May 2024, the FSC revised the application process for innovative financial services. Applicants previously submitted demand surveys and consulted with regu - lators before applying on a rolling basis. Under the new system, applications can now be submitted freely during designated quarterly windows. The new sys - tem was implemented in the second quarter of 2024. 2.6 Jurisdiction of Regulators The FSC and the Financial Supervisory Service (the “FSS”) are the two primary institutions in charge of regulatory enforcement over fintech products and services. The FSC is a government institution mainly responsible for creating financial policies. The FSS, acting as the enforcement arm of the FSC, is respon - sible for supervising and inspecting financial compa - nies. 2.7 No-Action Letters Financial regulators in Korea operate a system simi - lar to the US “no-action” letter system, although the “letter” is referred to as a “no-action opinion”. The FSS issues a written opinion upon request, confirming in advance whether a proposed business activity or financial product would violate existing laws and be subject to regulatory sanctions. This allows firms to seek regulatory clarity before launching new services or products. Once a no-action opinion is issued, the FSS refrains from taking any legal or enforcement action contrary to the content of the opinion, unless there are exceptional circumstances. 2.8 Outsourcing of Regulated Functions Under the Regulations on Outsourcing of Business of Financial Institutions (the “Business Outsourcing Regulations”), financial companies such as banks, insurance companies and credit card companies are allowed to outsource their business operations, except in the following cases:
• when the work involves “essential elements” of the financial company’s business that require a licence; • when the relevant laws and regulations require the financial company to perform the work; or • when the outsourcing may harm the financial com - pany’s credibility, cause financial disorder or harm financial users. Financial companies must inform the regulator of their outsourcing at least seven business days before the start date, unless exempted under the Business Out - sourcing Regulations. The Data Processing Outsourcing Regulations may also apply to financial companies with respect to the outsourcing of data processing. A financial company is allowed to outsource its data processing, unless: • it is prohibited by relevant laws and regulations; • the financial company has received a warning or sanction regarding user information in the last three years; or • the outsourcing may harm the financial company’s credibility, cause financial disorder or harm finan - cial users. In addition, financial companies are not permitted to outsource the processing of “uniquely identifiable information”, such as resident registration numbers, to offshore companies. Financial companies must report the outsourcing of data processing to the regulator at least seven days before in the case of domestic companies and 30 days before in the case of offshore companies unless exempted under the relevant regulations. Depending on the specific business model, other reg - ulations, such as the FSCMA, may apply with respect to outsourcing. 2.9 Gatekeeper Liability Fintech service providers that fall under the scope of financial companies are subject to various regulations requiring them to comply with specific prescribed gatekeeper responsibilities, including suspicious transaction reporting (STR), anti-money laundering (AML) and know your customer (KYC) regulations
759 CHAMBERS.COM
Powered by FlippingBook