Cloud service usage pathways expand for financial companies... SaaS permitted on internal networks with restrictions


Financial institutions are increasingly able to use cloud-based software within their internal business networks. With the Financial Committee completing revisions to the detailed implementation rules of the Electronic Financial Regulatory Regulations on April 20, 2026, office and management support software-as-a-service (SaaS) that meets certain security requirements can now be used within internal networks without undergoing a separate innovative financial service review.

Previously, the financial sector strictly separated and operated external internet and internal business networks in accordance with the network separation provisions of the Electronic Financial Transactions Law. This mechanism was designed to prevent hacking attacks and information leaks, but it also became a constraint on applying cloud-based collaboration tools or the latest artificial intelligence technologies to business operations. The recent revision somewhat relaxes this restriction, representing a policy adjustment aimed at balancing work efficiency and security.

However, not all exceptions are fully permitted. When financial institutions handle users’ unique identification information or personal credit information, the network separation exception does not apply. This indicates that sensitive information with a high risk of personal disclosure will still be treated strictly as before. Additionally, when using pseudonymous information, the process must still follow the designated procedures for innovative financial services, just as in the past. In other words, while general collaboration and management activities are now more open, areas directly related to customer information will continue to maintain high regulatory thresholds.

Along with the easing of regulations, security controls will become more stringent. Financial companies must use only SaaS evaluated by the incident response agency and must implement additional protective measures for devices accessing these services. Furthermore, they are required to review information security controls every six months to ensure proper implementation and report to the company's internal Information Protection Committee. This is not merely a regulatory relaxation but also a requirement to establish a responsible usage system.

The financial authorities expect that this measure will promote an environment for real-time sharing of project updates, schedules, documents, and meeting results. This will facilitate cooperation not only between domestic headquarters and branches but also among overseas subsidiaries. It is anticipated to lead to increased productivity, reduced IT operational burdens, and standardized internal management systems. The Financial Committee explained that, due to increasingly sophisticated hacking techniques and the need to advance artificial intelligence innovation, utilizing external network computing resources has become crucial. Therefore, the existing regulatory framework can no longer be rigidly maintained. This trend may further expand the scope of application in the future, potentially including generative AI services within the network separation exceptions.
