Enactment of the Financial Consumer Protection Act
The Financial Consumer Protection Act (FCPA) is scheduled to take effect on 25 March 2021, and aims to combine provisions governing the protection of financial consumers that are scattered across different statutes and regulations into a single statute in order to enable the effective administration of the relevant provisions. For this purpose, the FCPA reclassifies financial products and sales channels so that the same regulations apply to financial products that have the same functions. Specifically, financial products are reclassified into:
Overall, the FCPA will apply stricter consumer protection standards than the existing rules and will introduce new provisions relating to consumer rights, such as the right of a consumer to terminate contracts that violate the Sales Principles (as defined below), a prohibition on financial companies (including banks) abandoning dispute resolution procedures, and the shifting of the burden of proof to financial companies in lawsuits concerning a violation of the “duty to explain”.
Banks in Korea that offer financial products regulated under the FCPA (including deposit, loan and credit card products) will need to comply with stricter consumer protection measures adopted under the FCPA.
Application of the Sales Principles and the right to withdraw from or terminate financial contracts
The existing rules apply the following six basic Sales Principles to the sale of certain financial products:
The FCPA will expand the application of these Sales Principles to more categories of financial products. Specifically, the principle of suitability, which prohibits financial companies from offering financial products that are not “suitable” based on the consumer’s net worth and financial transaction experience, will apply to all financial products (Article 17). The principle of adequacy, which requires financial companies to inform a consumer when financial products sought to be purchased by such customer are not suitable based on the consumer’s net worth, will apply to all financial products except for deposit products (Article 18). The “duty to explain”, the prohibition on unfair practices, the prohibition on misleading or unsolicited recommendations and the prohibition on false or exaggerated advertisements will apply to all financial products.
The FCPA will also grant termination rights pursuant to which consumers will be able to unilaterally terminate a contract for a financial product if the seller has violated the Sales Principles without a reasonable excuse (Article 47). The draft Enforcement Decree to the FCPA, which was announced on 28 October 2020, allows such termination rights to be exercised either within five years of the date of the relevant financial contract or within one year of the date on which the financial consumer becomes aware of the violation, whichever is earlier. A seller who has violated the Sales Principles without a reasonable excuse will not be entitled to receive any reimbursement of expenses in connection with the unilateral termination of the relevant financial contract by the consumer.
In addition, the FCPA gives consumers the right to withdraw a subscription of financial products (other than deposit products) during a certain cooling-off period. Consumers will be able to require a financial company to return any amounts paid to it in connection with a subscription if such subscription is withdrawn during the cooling-off period. The cooling-off period for investment products is seven days from the date on which the relevant financial contract was entered into or the date on which the contract documents were delivered to the consumer. This period is extended to 14 days for loan products and 15 days for insurance products (Article 46).
Further enhanced consumer protection measures
In addition to the above mentioned withdrawal and termination rights, the FCPA will also introduce a number of new ex-post consumer protection measures, including a prohibition on financial companies abandoning dispute resolution procedures that are in progress. Specifically, financial companies will not be permitted to commence legal proceedings with respect to disputes regarding claims that do not exceed KRW20 million in amount and are in mediation proceedings; if legal proceedings are pending in court concurrently with dispute resolution procedures, the court will be entitled to suspend the legal proceedings until the dispute resolution procedures have been concluded (Articles 41 and 42). With respect to any damage or loss resulting from a breach of the “duty to explain”, the FCPA will shift the burden of proof to financial companies so that, in the event of a lawsuit concerning a breach of the “duty to explain”, financial companies will be required to prove that the breach does not constitute intentional misconduct or negligence on the company’s part (Article 44).
Further customer protection measures set out in the FCPA include the requirement on sellers of financial products to establish internal control standards for consumer protection (Article 16) and the right of regulators to restrict sales of a financial product that is expected to cause significant damage to consumers (Article 49). The obligation of sellers to establish internal control standards under the FCPA is separate from the obligation to maintain internal control standards under the Act on Corporate Governance of Financial Companies. The FCPA will also impose stricter penalties on non-compliant financial companies by increasing the threshold for administrative fines and criminal penalties (Articles 67 and 69) and allowing the imposition of punitive fines of up to 50% of the offender’s revenues in the case of a major breach of the Sales Principles (Article 57).
Financial companies are advised to pay close attention to the heightened consumer protection measures in the FCPA and to implement appropriate policies and procedures in their sales and customer support practices.
Amendments to the Three Major Data Laws and Introduction of the My Data Business
Earlier this year, the 20th National Assembly passed amendments to the following three major data privacy laws (the so-called Three Major Data Laws) to expand the range of information available for use by individuals and businesses:
These amendments became effective on 5 August 2020. The main objective of these amendments is to enable more use of data. Banks will need to assess and monitor how the Three Major Data Laws will impact the ways in which they manage and use personal information in their business operations.
Main features of the amendments to the Three Major Data Laws
The PIPA newly defines “pseudonymised data” as personal information that has been partially deleted or partially or totally substituted, such that the information can no longer be used to identify an individual without being combined with additional information (pseudonymisation). The PIPA allows a person or entity who determines the purposes and means of personal data processing (a Data Controller) to process pseudonymised data without the data subject’s consent for purposes such as statistical (data) preparation, scientific research and the preservation of public records. While the legal basis for businesses to use pseudonymised data has been established, it will be necessary to monitor the regulatory interpretation of this provision, particularly as to whether the use of pseudonymised data will be allowed for commercial purposes.
Under the Presidential Decree to the amended PIPA, a Data Controller may use or transfer personal data without the consent of the data subject in the following scenarios:
Prior to the amendment, Data Controllers could not collect, use or provide personal data beyond the scope for which the data subject had given his/her consent. Following the amendment, a Data Controller can process personal data that it already possesses without the data subject’s consent, so long as the requirements set forth in the Presidential Decree are met.
While the previous Network Act required a data subject’s consent for delegating the processing of their personal data to a third party pre-amendment, consent is not required for delegation under the amended regulations. Also, user consent will not be required for the delegation of the processing or storage of personal data to an overseas entity, if the online service provider discloses certain statutorily specified information on the overseas delegation to the users.
In order to support an individual data subject’s management of its credit information, the amended Credit Information Act introduces a new business category, the “My Data” business. My Data business operators will collect and combine a data subject’s credit information in accordance with methods prescribed by the Credit Information Act and related regulations. The My Data business model grants data subjects the right to data portability, as operators are required to transmit the combined credit information of a data subject to persons designated by the data subject, including the data subject itself, other My Data business operators, financial institutions and credit agencies.
Government-led My Data business
Korea's financial industry is moving towards greater innovation, based on various applications of big data from customers. With the implementation of the amendments to the Three Major Data Laws, financial institutions such as banks now have more flexibility in their use of customers' information to create and improve their financial services. The My Data business is one such service.
Under the My Data business plan, financial institutions provide customers' personal information to a third party approved by the Government as a My Data business operator. Such operator then compiles customers' information, allowing customers to enjoy a streamlined service where they can browse all of their financial information in one glance using the My Data business operator’s website or mobile app. The introduction of the My Data business will allow customers to have greater control over their personal data, while allowing operators to analyse customer data and suggest the most suitable financial products to their customers.
In order to operate a My Data business, one must first obtain a licence from the Financial Services Commission. To obtain such a licence, several requirements must be met, including minimum capital requirements, investor requirements and feasibility business plan requirements, and the operator must also possess the necessary equipment. A large number of financial institutions, including banks, have already applied for a My Data business licence with the expectation that the My Data business will enable financial businesses to reach into other industries by utilising elements from other industries, and to resolve customer pain points and develop tailor-made financial products through an enhanced understanding of customer needs. The FSC is currently in the process of reviewing applications for the My Data business licence, with the final results of such review expected to be released in early 2021.
Designation of the Personal Information Protection Commission as the central data privacy regulatory authority
The amended PIPA designated the Personal Information Protection Commission (PIPC) as the central administrative agency for data privacy regulation, and transferred the data privacy regulatory functions of the Ministry of the Interior and Safety and the Korea Communications Commission to it. As such, PIPC will now be responsible for the enforcement of privacy regulations, which was previously spread among the related authorities.
The establishment of PIPC as the central administrative data regulatory agency will enable the Government to effectively negotiate with the European Commission in relation to an “adequacy decision” under the EU’s General Data Protection Regulation. It is currently expected that Korea will be granted an adequacy decision by the European Commission, which will mean that Korea is deemed to have adequate personal information protection measures corresponding to the EU standards. In turn, such adequacy decision will allow for an unimpeded flow (or transfer) of personal data between the European Union and Korea.
Proposed Expansion of Class Action Law and Punitive Damages in Commercial Law
The Ministry of Justice has recently proposed legislation that would expand the scope of the country’s existing class action law and awards of punitive damages. The proposed changes purportedly aim to provide a legal remedy for collective harm to the Korean public, and are likely to have a significant impact on the business community if passed. Currently, class action suits are only available for securities-related cases, but the proposed act (Class Action Act) would allow litigants to contest their cases as a class action in all areas of the law (ie, expanded to all incidents with more than 50 victims). Consequently, all companies – including banks that are organised as a company – could now find themselves facing class action lawsuits for any alleged wrongdoing in Korea.
To complement the proposed Class Action Act, the proposed changes to the Commercial Act (Amendment to the Commercial Act) introduce punitive damages in all commercial causes of action that will be applicable to “merchants”, which are defined as “companies or owners operating as a business”. Currently, punitive damages are only available under certain statutes, such as the Products Liability Act or the PIPA, and, most recently, under the Patent Act for wilful infringement. The Amendment to the Commercial Act will allow claimants to collect punitive damages of up to five times the damages sustained from a company’s or business owner’s intentional or grossly negligent conduct.
The scope of the law’s applicability of punitive damages is consistent with the Korean government’s policy reasoning to punish and deter incidents that harm society in the pursuit of economic gain. Recent examples of such incidents include the controversial humidifier steriliser case, the automobile emissions scandal, the scandal involving certain private equity funds, the proliferation of fake news and massive human disasters that have resulted from violations of safety standards. Accordingly, banks (along with other financial institutions) would be subject to the proposed law and will need to take the risk of class action into account when establishing compliance guidelines for dealing in various financial products.
While these two anticipated bills are still proposals, the Korean National Assembly (the nation’s highest legislative body) is supportive of these efforts. The potential ramifications of the proposed Class Action Act require careful consideration by businesses, as the act in its current proposal would allow claimants to bring action against businesses for events that occurred prior to the effective date of the law. Thus, causes of action that occurred prior to the passing of the legislation may still be subject to class action lawsuits if the statute of limitations has not expired. Unlike the Class Action Act, the Amendment to the Commercial Act is not retroactive, but will be applied prospectively after the bill passes.