Easing regulations on cloud-based software for work (SaaS, Software as a Service), one of the long-cherished goals of financial companies, has passed the regulatory review by the financial authorities. Financial companies delivered several opinions, including easing SaaS reviews and expanding the scope of the system's application, but as the financial authorities decided not to accept them all, some are voicing dissatisfaction, calling it a "half-baked deregulation."
According to the financial sector on the 17th, the financial authorities recently convened a Regulatory Review Committee and passed a revision to the Detailed Enforcement Rules of the Electronic Financial Supervision Regulations that would allow exceptions to network separation rules when financial companies use SaaS on internal business networks.
SaaS is application software provided via cloud servers, such as document drafting, collaboration tools, video conferencing, and human resources and performance management. For SaaS services, data exchange between cloud servers operated by external software vendors and financial companies' internal business servers is essential. Because the financial sector is subject to network separation rules that physically separate external internet networks from internal business networks to block hacking and other cyber threats, there have been constraints on adopting SaaS.
Since 2023, the financial authorities have allowed limited use of SaaS through the "innovative financial services" system, and have now decided to make that permission permanent. As the revision has passed regulatory review, it is expected to take effect as early as this month.
During the preannounced legislation period for the revision, financial companies reportedly delivered more than 20 opinions to the financial authorities. A representative request was to allow the processing of unique identification information or personal credit information through SaaS. Financial companies believe that raw personal credit information is necessary to properly utilize SaaS. Currently, only encrypted pseudonymous information can be used.
There were also opinions calling for easing the security level and reporting obligations. Under the revision, financial companies must use only SaaS that has passed evaluations by incident response institutions such as the Financial Security Institute. Financial companies argued that the rules are excessive, but the request was not accepted.
Financial companies that adopt SaaS must establish strict information protection controls, check compliance with security measures every six months, and report to the internal Information Protection Committee. Financial companies also proposed extending the reporting cycle. There were opinions that the rule strictly blocking all other external internet access beyond the permitted SaaS services should be relaxed to accommodate system updates, but the request was rejected over concerns about hacking incidents.
While the financial sector welcomes the relaxation of SaaS network separation rules, there is also dissatisfaction that it is "half-baked." This is because the use of SaaS remains restricted for companies' core tasks, such as human resources and performance management, which require the use of personal information. The financial authorities also plan to push forward with network separation rules for generative artificial intelligence (AI), while financial companies say that the use of personal information is necessary there as well.
A financial industry official said, "It is true that technological innovation and robust security must be balanced, but it is also true that the easing of regulations feels limited."