Network separation rules for financial firms set for easing to facilitate AI integration

Financial firms will be allowed to use generative AI in their internal networks as the government moves to update rules on network separation for security purposes.

Financial Services Commission Chairman Kim Byoung-hwan, left, speaks during an event to announce the government's plan to deregulate network separation rules held in Gimpo, Gyeonggi, on Tuesday. [NEWS1]

Financial firms in Korea will be allowed to use generative AI in their internal networks as early as this year with the government's announcement of its plan to overhaul decade-old rules on network separation.

The Financial Services Commission (FSC) and Financial Supervisory Service on Tuesday outlined their plan to scale back the current stringent rules on network separation that mandate a physical separation of internal and external networks for security purposes.

The regulation, which was first implemented in 2013, has been a major obstacle in the adoption of new digital services in the financial sector, especially with the accelerated integration of generative AI and cloud computing technologies over the past few years.

“We have reached a point where more efficient measures to separate networks are needed to address the rapidly changing digital environment, driven by cloud technology and generative AI,” said FSC Chairman Kim Byoung-hwan during an announcement of the road map with industry representatives and government officials held in Gimpo, Gyeonggi, on Tuesday.

“Under the principle that every policy should be assessed and refined based on the global standard, we need to boldly improve the current regulations that have been isolating Korea from the rest of the world,” said Kim.

The government will exempt financial firms from the network separation rules through a regulatory sandbox program, which will allow the companies to connect external generative AI models such as ChatGPT to their internal network systems. Relevant regulations will be revised so that the firms can process pseudonymized personal data through external networks as well, on the condition that overseas operators agree to the financial authorities’ supervision. The companies also need to come up with additional security measures to prevent accidents when applying for the sandbox program.

The scope of utilization of cloud-powered software-as-a-service (SaaS) will be expanded as well, as the current rule only allows the adoption of SaaS in less crucial tasks such as document management. Upon the deregulation, companies will be allowed to use SaaS solutions in customer relations and security management.

Moreover, the government will ease relevant regulations to allow the utilization of pseudonymized personal information in research and development for financial services and products to foster innovation.

The financial authorities are expecting the deregulation to accelerate automation in the workplace, and facilitate big data utilization in the financial sector.

The application for the sandbox program will begin in September, according to the FSC. The regulatory exemption is likely to take effect as early as this year.

BY SHIN HA-NEE [shin.hanee@joongang.co.kr]