As the public cloud market in the financial sector is set to open in January next year, global cloud companies, including Amazon Web Services (AWS), are taking aim at the South Korean finance cloud market. AWS and Microsoft (MS) already hold nearly 70 percent of the domestic cloud service market.
However, the financial authorities place more weight on a voluntary restraint through the financial sector, or indirect control, than a direct control of global companies. Accordingly, there are growing concerns that the government’s executive power over global companies will not function properly when hacking incidents occur.
According to the Financial Services Commission (FSC) and related industry sources on Dec. 3, the revised regulations on supervision of the electronic financial business, which enlarge the range of public finance cloud application to personal credit information and unique identifying information, come into effect starting from January next year. Even now, cloud is being used in all sectors other than the financial industry without limits. Accordingly, the FSC is currently revising the guideline of finance cloud services in order to lead an innovative growth in the fintech industry.
The problem is that the government’s direct control of cloud service providers is omitted in the guideline. The FSC said it would specify the duty of cooperation with the financial authorities in investigation and approach, including site visit, when financial companies and cloud service providers sign a contract. In other words, it believes that it can secure the primary supervisory power with an indirect control through the financial sector. However, in the European Union and Britain, financial authorities directly oversee cloud service firms.
In this regard, an official from the FSC said, “In the EU which has specified direct control, each country has to legislate direct supervision separately into the national law. When specifying the obligation of cooperation in a contract through financial companies, we think we can have the right of inspection.” He said he would consider legislation of direct control after watching the management situation in the future.
There is another problem. When the cloud service management system is not located in South Korea, the main body of administrative control and governance control will be the headquarters in foreign countries. Therefore, it cannot stop the outflow of personal credit information.
The guideline, currently under revision by the FSC, requires to situate only cloud data centers in the nation. An official from the industry said, “It is risky because sensitive information can leak but the government needs to check how the nation’s management system for sensitive information, like finance, work and why such information is so important on this occasion. The government also should strengthen the management and supervision system and come up with damage relief measures even it needs to delay the time of implementation.”