Q1. Why do financial companies require resident registration number for first-time transactions?
A1. The government, centered by the Ministry of Security and Public Administration, is reviewing various measures to replace resident registration number.
However, as of now, there is no other way for financial companies to identify customer’s real name without making inquiries using resident registration number.
After first-time transactions, financial firms will be able to verify customer’s identity using ID cards, authentication systems such as I-pin, and other personal information including address and date of birth.
Q2. What is the purpose for the financial firms to collect 6 to 10 items of customer’s personal data?
A2. Name, resident registration number, contact number, address, occupation, and nationality are 6 necessary personal information that are needed for financial transactions and are stipulated in the related laws to be collected by financial companies.
However, financial institutions will be permitted to collect other personal data aside from the above 6 items upon customer consent only.
Q3. Why do financial institutions need to store customer’s data for 5 years?
A3. In principle, financial firms must delete customer data upon termination of transaction. However, there are possibilities that financial companies can get involved in lawsuits related to customer’s past transaction. Personal identification and financial transaction data must be available for reference in order for the financial companies to effectively respond to legal actions.
All personal and transaction information must be deleted after 5 years since termination of transaction. However, financial institutions are permitted to store customer data for more than 5 years in special cases but only in an encrypted form.
Q4. Isn’t it true that financial firms can save themselves from punitive sanctions only by complying with the necessary minimum guidelines?
A4. The measures announced recently by the government not only suggest guideline for data protection but also put emphasis on the actual enhancement of financial firms’ conditions of protecting customer data. The measures will also be reflected in the related laws and regulations.
However, the government will grant financial institutions autonomous rights regarding details and technical aspects when establishing and introducing data security systems.
Q5. Financial companies which use or fail to protect customer data will have to pay fines of up to 3% of their total sales from the respective business. Doesn’t 3% seem too generous?
A5. “Sales from business using illegal personal information” include sales accrued from businesses both directly and indirectly using illegal customer data. In case a company is alleged of using illegal personal data, all businesses engaged in customer marketing of the respective company are being regarded as having shared and made use of the illegal customer information. For instance, large credit card companies’ average total sales from customer marketing accounts for 1 to 4 trillion won, which means they would have to pay fines of 30 to 120 billion won.
Q6. Will the newly-established agency for data security be granted authorities to take control over financial companies?
A6. The purpose of establishing a special agency for data security is to enhance efficiency and responsibility of the existing institutions related to financial data protection by streamlining overlapped roles among each other. Main role of the agency will be providing data security-related services to financial companies such as data security consulting, analysis of data breach accident, and education. Therefore, the agency will not have any supervisory authorities.
Q7. How do you plan to cover other issues such as compensation for victims and replacement of resident registration number which are absent in the announced plan?
A7. The announced measures are the countermeasures against the recent credit card information accident which mainly put focus on preventing the recurrence of such incident. A government-level task force is formed led by the Prime Minister’s Office and will draft comprehensive measures to protect personal information within the first half of this year.
The Ministry of Security and Public Administration and other relevant government bodies are reviewing means to replace resident registration number. The MSPA, Ministry of Justice, and Korea Communications Commission are working on compensation and indemnification measures.
Q8. The latest plan doesn’t look much different from the measures announced in the past. What are the differences?
A8. The measures announced in January focused on setting main directions of responsive actions while the measures announced on March 10th contain more detailed and concrete action plans developed from the basic response directions.
Q9. Is there any possibility that the announced measures would result in granting even stronger authoritative power to the financial regulators?
A9. The announced measures are expected to strengthen the rights of financial customers rater than those of the financial authorities. Wider range of customer rights including the rights to make inquiries on the use of personal information, rights to require financial firms to delete submitted personal data, and etc. have been newly added in the latest measures which reflects the government’s intention to give more autonomous rights to customers when it comes to personal data protection.
Moreover, the announced plan clearly states that the ultimate responsibility for customer data protection will be on the financial companies and that those who fail to fulfill data security duties will be punished with heavy sanctions.
Q10. When will the measures come into force?
A10. The government will exert its utmost efforts in persuading the National Assembly to pass the revisions of the Use and Protection of Credit Information Act, Electronic Financial Transactions Act, and other related laws within the first half of 2014.
Other measures which do not require amendment of the related law will be put into force at the end of March.