As the government investigates how customer information was leaked at Woori Bank, the financial sector expects the bank's management could face sanctions over the incident. That is because in April a banking sector best-practice code took effect that strengthens management accountability when outsourcing work to external vendors, making it possible to sanction executives when accidents occur.

According to the financial authorities on the 8th, the Financial Supervisory Service requested that Woori Bank conduct its own review of how the customer information was leaked and its measures to prevent a recurrence. As the Personal Information Protection Commission has launched a formal investigation into the incident, the Financial Supervisory Service is also looking into the situation. The Financial Supervisory Service plans to conduct an on-site inspection immediately if a credit information leak is confirmed.

Woori Bank headquarters in Jung-gu, Seoul./Courtesy of Chosun DB

Woori Bank announced on the 3rd that 17,551 items of personal information were leaked among users who agreed to services related to non-fungible token (NFT) wallets. The bank said an external development firm (a sub-contractor) that carried out the 2024 NFT platform build project leaked personal information it had stored arbitrarily due to an employee's negligence at that company.

Industry watchers say the incident exposed vulnerabilities in financial companies' third-party risk management. As the Financial Supervisory Service last year called on the entire financial sector to strengthen risk management for outsourced third-party work, there is also speculation in the financial sector that this incident could warrant sanctions against management.

The Financial Supervisory Service prepared "third-party outsourcing risk management guidelines" last year and called for their application across the financial sector. Based on this, the banking sector prepared a best-practice code and implemented it starting Apr. 1. The crux of the best-practice code is for banks to establish, implement and maintain a third-party risk management framework integrated with their enterprise-wide risk management processes. In particular, boards of directors and management were made responsible for implementing the third-party risk management framework.

The Financial Supervisory Service also required that the third-party risk management framework be reflected in the responsibility map. A responsibility map is a system that sets in advance the scope of internal control responsibilities for a financial company's CEO and executives. Executives listed on the responsibility map are held accountable depending on the scope of an incident and its connection to their duties when a financial accident occurs. This means that if an incident occurs due to a failure to properly fulfill the obligation to manage outsourced work specified in the responsibility map, executives and other members of management can be sanctioned.

Major banks are reported to have incorporated parts of the Financial Supervisory Service's guidelines into their responsibility maps in advance, before the best-practice code took effect. The financial sector is watching to see whether this incident becomes the first case in the banking sector of sanctions against management over an outsourced third-party incident.

※ This article has been translated by AI. Share your feedback here.