As regulation and compliance evolves rapidly in the hot-button area of finance, it is imperative to keep up to date on new developments. Here we engage expert views on related laws and regulations in Japan and Korea.
In Japan, the first entirely internet-based bank opened in October 2000. At the time it was commonly referred to as an “internet bank”. Subsequently, with the spread of smartphones, Japan’s traditional financial institutions (megabanks and regional banks) gradually started to offer banking service apps that enabled transactions to be completed entirely online.
More recently, some banks have begun working with securities and insurance companies to offer super-apps that allow users to not only access banking services, but also trade securities and purchase insurance.
As in other countries, digital banking in Japan became increasingly popular from 2020 onwards following the pandemic outbreak. In addition to operating their own banking business, some banks have started to offer Banking as a Service (BaaS) platforms through application programming interfaces (APIs) to
companies.
Up until now, many of Japan’s internet banks have been offering services primarily targeting individuals. However, in 2023, a bank group announced the establishment of a digital bank specialising in lending for companies online, aiming to open for business by the end of 2024.
These days, banks are not the only players when it comes to digital banking in Japan. Unbundling is one of the features of Japan’s recent financial regulations, and the government has arranged a different type of licence for businesses that perform some of the traditional banking services.
LICENSING SYSTEM
The Banking Act defines banking as performing either: (1) Acceptance of deposits or instalment savings, as well as lending funds or discounting of bills and notes; or (2) Dealing in funds transfer transactions, stating that a licence must be obtained from the prime minister to engage in banking. This means that a licence must be obtained from the prime minister when also providing banking services as a digital bank.
The Banking Act stipulates two examination criteria for a banking licence:
(1) The applicant must have sufficient financial resources to perform services of a bank soundly and efficiently, and have good prospects for income and expenditure in connection with those services;
(2) Regarding personnel, the applicant must have the knowledge and experience to perform services of a bank appropriately, fairly and efficiently, and have sufficient social credibility.
In addition, the Banking Act and the Order for Enforcement of the Banking Act require banks to have stated capital of at least JPY2 billion (USD13.4 million).
Note “knowledge and experience to perform the services of a bank appropriately, fairly and efficiently” in criteria (2) means knowledge and experience sufficient to understand and enforce the aims of banking services indicated in the Banking Act and other related regulations and supervisory guidelines, along with sufficient compliance and risk management knowledge and experience necessary for sound and appropriate management of banking services.
In addition, supervisory guidelines issued by the Financial Services Agency describe the main supervisory aims of licence examinations for banks that do not have manned offices and specialise in non-face-to-face transactions such as internet transactions.
The guidelines state that matters to be checked during licence examination are:
(1) Whether the bank has systems in place to: appropriately handle complaints and consultations from customers; respond to customers in the wake of a system shutdown; fulfil accountability to customers based on laws and regulations; make disclosures; and fulfil the duty of checking at the time of transaction, reporting suspicious transactions to counter organised crimes including money laundering, even without manned offices;
(2) Regarding prospective income and expenditure, whether the bank has clear contingency plans in case of a worsening business environment – such as the entry of competitors or system obsolescence – and whether the plan anticipates a certain level of earnings;
(3) Whether the bank has a solid measure to ensure liquidity in case of a temporary and massive customer churn, taking into account interest rates or any other condition-sensitive customer segment, as well as transactions for which cancellations and changes are easily made; and
(4) Whether the security level of the bank’s system is satisfactory, and has appropriately set up any security management system for system operations (including the management of any outsourced contractor) and crisis management systems in case of the occurrence of failure – for which the submission of evaluation documents from an external institution is required.
KEY ISSUES
Since digital banks provide their services online, in addition to inherent risks – such as the inability to confirm unusual transaction patterns – banks also need to take information security measures from a user-protection perspective.
The supervisory guidelines issued by the Financial Services Agency expand on points to keep in mind for internet banking licensing examination. Regarding developing an internal control environment for countermeasures against criminal activities, the guidelines require the measures be positioned among highest priority management issues, and that banks: implement a necessary review by the board of directors to improve the security level; develop a control environment to provide customers with explanations of points to keep in mind when using internet banking services; and establish an environment in which each division shares information on its current status, and issues are addressed by the entire bank to secure the sound and proper operation of internet banking.
The guidelines also require that the PDCA cycle – conducting risk analysis, setting a plan, and practising, evaluating and reviewing security measures – works well. Furthermore, to ensure security, banks are required to take measures according to the characteristics of their customers and operations, while identifying risk arising at the time of structuring its IT system and each phase of use, based on the content of discussions at the Study Group on Cyber Security.
The guidelines also require banks to aim at improving security as a whole, rather than taking individual measures in an impromptu manner, by combining multiple effective measures, as well as determining necessity and measures to take prompt action on recognising the existence of risk sufficiently, and developing a control environment to prepare a verified security programme against various crimes, revisable as needed.
FINTECH AND STABLECOIN
(1) Remittance and payments.Following enactment of the Payment Services Act in 2010, a funds transfer services licensing system was introduced enabling banks to conduct funds transfers of up to JPY1 million per transaction without a banking licence. A system of issuers of prepaid payment instruments was also introduced that focuses more on the payment function than on fund transfers.
At that time, electronically issued prepaid payment instruments were not common, but in recent years they have become widely recognised as non-refundable electronic money. Subsequently, the revised Payment Services Act, enacted in 2021, resulted in the introduction of three types of licensing systems for fund transfers: one for transactions over JPY1 million; another for transactions over JPY50,000 and under JPY1 million; and a third for transactions under JPY50,000.
This was accompanied by the imposition of strict regulations such as requiring type 1 fund transfer services with no maximum remittance amount to be not only registered but also licensed.
(2) Stablecoins.Japan’s revised Payment Services Act, enacted in 2017, introduced a registration system for crypto asset exchange services. However, the regulatory treatment of subsequently launched stablecoins was unclear, so Japan led the world in introducing regulations on stablecoins, clarifying their position in financial regulations. These regulations are expected not only to contribute to user protection in Japan, but also stimulate innovative financial services using blockchains.
As of 18 March 2024, there are no examples of businesses registered for electronic payment instruments business to conduct the purchase and sale of electronic payment instruments, namely stablecoins. But several businesses are expected to obtain licences and begin distributing stablecoins in Japan by the end of 2024.
(3) Financial service intermediary business.The Act on the Provision of Financial Services, enacted in 2021, established a new financial services intermediary business that enables intermediary business operations in all areas of banking, securities, insurance and money lending by submitting just one registration.
This licence is primarily used by fintech companies developing businesses enabling users to access a variety of financial services through a single app, and non-financial businesses, to enter financial businesses.
CHUO SOGO LAW OFFICE
Hibiya Kokusai Building 18th floor,
2-2-3 Uchisaiwai-cho,
Chiyoda-ku, Tokyo 1000011, Japan
Tel: +81 3 3539 1877
Email Address: info@clo.gr.jp www.clo.jp/english
SOUTH KOREA
In South Korea, digital banking lacks a precise legal definition. Simplistically viewing it as merely banking services rendered online fails to capture the full scope of how such operations have evolved digitally in the country.
Lately, there has been a shift towards modularising banking services by function, and making them accessible to fintech companies without traditional banking licences. This shift, known as banking as a service (BaaS), is chiefly realised by integrating banking functionalities into fintech applications.
Banks supply the requisite financial infrastructure in this framework, but do not necessarily engage in direct customer interactions. Consequently, digital banking in the country includes a significant transition from an exclusive realm of traditional banks to a more inclusive environment, welcoming new entrants such as fintech firms.
LEGAL REGULATORY SYSTEM
Like banks worldwide, core operations of South Korean banks involve deposits, loans, and domestic and foreign exchange transactions. Although digital banking regulation in South Korea can be described in various ways, this discussion will focus on the legal and institutional rules applied to providing traditional banking functions within a digital environment.
INTERNET-ONLY BANKS
The most definitive way to offer digital banking services in South Korea is by acquiring an internet-only banking licence. This allows the holder to perform general banking operations, excluding corporate lending. Three operators in South Korea hold internet-only banking licences and conduct digital banking operations. The legal requirements for obtaining an internet-only banking licence are as follows:
(1) To secure a licence, an entity must have a minimum capital of KRW25 billion (USD18.6 million). During the review for granting such a licence, financial authorities assess whether the proposed funding is feasible and whether additional capital can be raised.
(2) The bank must be equipped with suitable personnel, business facilities and computer systems to conduct operations.
(3) In particular, when a foreign financial company, or the holding company of a foreign financial firm, applies for an internet-only banking licence, the lawful consent of the regulatory authority of the respective country is required. The financial and managerial status must be sound and have internationally recognised credibility. The Korean financial supervisory authorities must be given sufficient information about the banking business’ management and operational activities.
(4) Even if all the above-mentioned conditions are met, the Korean financial authorities can impose additional conditions at the time of authorisation, such as “faithful implementation of the capital increase plan”.
Acquiring an internet-only banking licence is the most direct and definitive way to engage in the digital banking business in South Korea. However, it necessitates adherence to high entry regulations and passing the scrutiny of financial supervisory authorities. Because authorisation requires close communication with financial supervisory authorities and a thorough review of relevant legal and regulatory issues in advance, the assistance of experts is virtually indispensable.
REMITTANCES AND PAYMENTS
The domain of domestic exchange transactions, once the exclusive purview of banks, has transformed into a competitive market teeming with fintech companies thanks to the advent of “simple remittance” services. Introducing these services, leveraging “prepaid electronic payment instruments” defined under the Electronic Financial Transactions Act, and implementing open banking has shifted domestic exchange transactions from a banking monopoly to a competitive marketplace.
Furthermore, the recent establishment of a small overseas remittance licence under the Foreign Exchange Transactions Act has seen a surge of fintech companies venturing into cross-border remittances. Below is a brief overview of the regulatory entrance requirements related to remittances and payments:
(1) Issuance and management of prepaid electronic payment instruments and payment gateway services are subject to registration with the Financial Services Commission (FSC).
(2) The minimum capital requirement is KRW2 billion for those engaged in issuing and managing prepaid electronic payment instruments, and KRW1 billion for payment gateway services.
(3) Applicants must meet specific financial soundness criteria such as debt ratios, and possess sufficient expertise and physical facilities to conduct electronic financial business.
(4) Licences for small overseas remittance businesses, necessary for cross-border remittances, must be registered not with the FSC, but with the Ministry of Economy and Finance. The minimum capital requirement for operating a small overseas remittance business is KRW1 billion, and it must be connected to a central foreign exchange information system.
(5) Similarly, conducting cross-border payment gateway services requires registering foreign exchange businesses with the Ministry of Economy and Finance. It is important to note that eligibility for registering foreign exchange businesses for cross-border payment gateway services is limited to those holding a payment gateway licence under the Electronic Financial Transactions Act.
(6) With the recent amendment of the Electronic Financial Transactions Act in Korea, a legal foundation has been established to provide “buy now, pay later” (BNPL) services.
DEPOSITS
The business of accepting deposits remains the exclusive domain of banks. Consequently, as previously discussed, there is no direct means of handling deposit products without obtaining an internet-only bank licence. However, the FSC recently announced a pilot operation for an online deposit product brokerage service, selecting participating companies.
The online deposit product brokerage service is still in its pilot phase, with no existing legal licence governing it.
Under South Korea’s Special Act on Financial Innovation Support, businesses meeting specific criteria can apply for a pilot operation of financial services not permitted under current laws through the “financial regulatory sandbox” system. Businesses under this sandbox can trial various services not otherwise allowed under financial regulations for two years (extendable to a maximum of four years).
Applicants for sandbox designation are limited to financial firms in South Korea and companies with offices in the country. Submitting an application for sandbox designation to the FSC and supporting documentation per the commission’s prescribed format can be successful after a review process.
LOANS
As with banking deposits, lending has traditionally been a core bank function. However, recent years have seen a shift in the traditional lending market with the emergence of platform operators mediating loans online through peer-to-peer (P2P) methods.
Additionally, new online services have emerged that compare loan products from various financial institutions and recommend the optimal product.
(1) South Korea has legislated the P2P lending business through the Act on Online Investment-Linked Finance and User Protection. To operate an online investment-linked finance business, the following conditions must be met:
(a) Registration with the FSC is required for online investment-linked finance businesses;
(b) A minimum capital of at least KRW500 million is needed, depending on the scale of the loans; and
(c) The business plan must be viable and sound, and directors must meet the qualifications set by law. Major shareholders must possess sufficient investment capacity, a sound financial state and social credibility.
(2) Online loan brokerage services are legally based on the Financial Consumer Protection Act. To conduct online loan brokerage services, the following legal conditions must be fulfilled:
(a) Subject to registration with the FSC;
(b) Representatives or executives of corporations must complete education related to loan products;
(c) Standards work must be established, and professional personnel and computing facilities must be provided;
(d) A guarantee deposit of at least KRW50 million won must be placed or insured for financial consumer damage compensation; and
(e) Conflict of interest prevention certification must be obtained for algorithms.
CONCLUSION
Digital banking fundamentally revolves around unbundling traditional banking processes and modularising their functions. Thus, a thorough grasp of each banking activity’s regulatory landscape is crucial to mitigate legal compliance risks. Companies eager to explore the digital banking sector in South Korea must understand the applicable legal frameworks for each banking operation and function, devising their strategies with care.