Columns

Security's strongest shield becomes a barrier to innovation

Korea’s digital finance success now risks stalling unless outdated network separation rules are reformed to support AI, cloud and stronger cybersecurity.

Published
Visitors explore exhibition booths at the 25th World Security Expo (Secon 2026) and the 14th eGisec (eGovernment Information Security Solution Fair 2026), held at Kintex in Goyang, Gyeonggi, on March 18. Secon 2026, Asia's largest integrated physical and cybersecurity exhibition, showcased the latest security technologies and solutions for emerging IT environments, including AI, big data and the metaverse. eGisec 2026 featured information security solutions for e-government as well as public- and private-sector organizations.


 Kim So-young 

The author is a professor of economics at Seoul National University and a former vice chairman of the Financial Services Commission. 


Cloud computing, blockchain and artificial intelligence are rapidly transforming financial services. A decade ago, sending money required a bank account number, a visit to a bank or a computer login using an accredited certificate. Today, a transfer can be completed in seconds through a messaging or payment app with biometric authentication. Bank accounts, securities holdings and even forgotten insurance policies can now be viewed through a single asset management application.

Korea's digital finance sector has advanced dramatically over the past decade. Fintech emerged between 2013 and 2015 as finance and information technology began to converge. Subsequent reforms, including the abolition of mandatory accredited certificates, the launch of internet-only banks and remote identity verification, accelerated innovation. Regulatory sandboxes, open banking, MyData and fintech investment funds further expanded the ecosystem. Since 2024, the focus has shifted to AI transformation, with financial institutions building AI platforms, updating AI guidelines and gradually easing network separation rules.

Simple payment and money transfer services best illustrate this transformation. The average daily value of mobile payments has more than tripled in six years. According to the Bank for International Settlements, Korea ranked second in the world in per capita real-time payments in 2024 and third in average transaction value. Simple transfers using phone numbers or social media accounts instead of bank account numbers also increased more than fourfold during the same period, reaching 7.42 million transactions a day in 2025.

Open banking and MyData have further reshaped financial services. Open banking enables customers to manage accounts at multiple banks through a single application using standardized application programming interfaces, or APIs. While the Britain introduced the concept first and Australia later adopted it, Korea expanded far more rapidly, reaching 30 million subscribers and 100 million registered accounts within two years.

MyData extended the concept by allowing consumers to consolidate financial information held by banks, card companies and insurers into one application with their consent. By the end of 2025, cumulative registrations had reached nearly 180 million and daily API transmissions exceeded 850 million. Integrating financial information allows consumers to better manage assets while AI supports more personalized financial services.

Digital finance has improved convenience, reduced costs and intensified competition by encouraging innovation from both financial institutions and fintech companies. Big data and AI can improve credit assessment, promote financial inclusion and allocate capital more efficiently. Infrastructure such as real-time payments, open banking and MyData has become part of Korea's digital competitiveness.

Yet one regulation now threatens the next stage of digital finance: the network separation rule.

Network separation requires financial institutions and public agencies to keep their internal business networks physically isolated from the internet. The policy originated during the Cold War to protect classified systems and was adopted in Korea after major cyberattacks, first for public institutions in 2007 and later for financial institutions in 2014.

For years, the regulation was considered highly effective. During the 2017 WannaCry ransomware attack, which infected more than 200,000 computers in 150 countries, Korea's financial sector suffered little damage because malicious software could not easily penetrate isolated internal networks. As digital finance evolved and AI became essential, however, perceptions changed. Strict network separation limited the adoption of cloud computing and generative AI, turning what had been regarded as the strongest shield for cybersecurity into a barrier to innovation.

The productivity gap between companies that can freely use AI and those that cannot is likely to widen, particularly in finance, where digital technologies spread rapidly. If overseas financial institutions face few restrictions while Korean firms remain constrained, their global competitiveness will inevitably weaken.

Recognizing the problem, financial authorities announced a roadmap in August 2024 to gradually allow generative AI, expand the use of software-as-a-service (SaaS) and improve research and development environments. Since April 2026, financial institutions meeting specified security standards have also been permitted to use SaaS on internal business networks.

Even so, further reform is needed. First, cybersecurity technology itself must improve. As long as security depends primarily on physical network separation, incentives to develop more advanced defenses remain weak. Authorities are therefore promoting a principle-based security framework while encouraging AI-based security systems capable of using AI to defend against AI-driven threats.

Second, financial institutions must invest more aggressively. Making effective use of AI requires comprehensive changes to management, business operations, software development and security systems. Yet many firms continue to rely heavily on outsourced AI services instead of building their own capabilities, a strategy that could undermine long-term competitiveness.

Finally, network separation in the public sector also deserves reconsideration. Although the government is moving toward a more flexible framework based on the National Network Security Framework, implementation needs to proceed faster. Network separation remains necessary where classified information is involved. In less sensitive areas, however, excessive restrictions may prevent government agencies from making full use of AI at a time when it is becoming essential across society.

This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom.