The Financial Supervisory Service is preparing for a sanctions review committee process over Coupang Pay's insufficient IT controls identified in 2022. The FSS is also conducting a legal review to decide whether to sanction Coupang Pay in connection with last year's Coupang personal data leak. With the possibility of overlapping FSS sanctions, Coupang Pay's burden is expected to grow.
On the 12th, according to the financial authorities, the Financial Supervisory Service compiled violations of relevant laws such as the Electronic Financial Transactions Act and the Credit Information Use and Protection Act identified in an ad hoc inspection of Coupang Pay in 2022 and referred them to the Sanctions Review Bureau. The bureau plans to soon gather Coupang Pay's views and then decide the level of sanctions. Once the bureau's review is completed, the agenda will be submitted to the sanctions review committee.
At the time, the Financial Supervisory Service found that Coupang Pay had inadequate management of membership terms under the Electronic Financial Transactions Act and insufficient controls over its data center. It also determined that while financial firms must obtain an exception approval from the financial authorities to use external networks for work, this was not properly observed, and that internal training for employees handling personal credit information was not adequately carried out.
The Financial Supervisory Service is also reviewing whether to sanction last year's Coupang personal data leak. In Nov. last year, information from 33.7 million customer accounts leaked at Coupang. The leaked data included customer names, email addresses, shipping address books, and some order information. In Jan., the FSS conducted an inspection at Coupang Pay, a subsidiary linked to Coupang through a "one-ID (one ID managing multiple services)" structure, to check whether personal information was leaked there.
As related agencies have recently issued sanctions against Coupang, pressure is mounting across its affiliates. The Personal Information Protection Commission the previous day imposed a penalty surcharge of 423.6 billion won for the personal data leak at Coupang and 201.1 billion won for violations including the unauthorized collection of online activity records of more than 10 million members. It is the largest penalty surcharge ever for a single personal data leak incident and also the largest total penalty surcharge imposed on multiple violations by a single company.