The criteria for imposing fines on financial companies that have neglected their obligations to prevent cyber security incidents, such as hacking, will be strengthened. Until now, fines were imposed as one case if similar issues were deemed to be in violation of several regulations; however, in the future, fines will be imposed for each individual regulation violation.
The Financial Services Commission held a regular meeting on the 3rd and noted that it revamped the criteria for fines imposed due to violations of the obligation to ensure security under the Electronic Financial Transactions Act. The revised criteria will take effect from that day.
Up until now, the Financial Services Commission has treated violations of multiple regulations within one 'clause' as one case for imposing fines even if several regulations were violated if there was a similarity among the violations. This was in response to concerns that excessive penalties could be imposed if every aspect was treated as a violation due to the regulations being so detailed.
However, starting from that day, it will be judged based on the obligations according to individual regulations. In addition, similarity will only be recognized if there are three conditions met: temporal and spatial proximity between violations, acknowledgment of singular intent for each act, and legal identity as defined by regulation. Instead, the Financial Services Commission reduced the number of items from 293 to 166 by reorganizing localized compliance items last February.