As the financial sector’s AI transformation (AX) accelerates, response systems for digital risks such as hacking and voice phishing are emerging as a key task. Financial authorities ordered the sector to broaden its AI use, aided by eased network separation regulations, while also tightening internal controls and consumer protection systems to counter security threats from the spread of high-performance AI and increasingly sophisticated financial fraud.

On Tuesday, the Financial Services Commission held an "AX era hacking and voice phishing response meeting" at the Korea Federation of Banks in Seoul. It was chaired by FSC Chairman Ok-won Lee (이억원) and attended by Yong-byung Cho (조용병), head of the federation, officials from the five major financial holding companies (KB, Shinhan, Hana, Woori and NongHyup), and participants from the Financial Supervisory Service, the Financial Security Institute, the Korea National Police Agency and private-sector experts.

The financial sector’s AI transition is no longer a matter of choice but of speed. As task automation and the use of generative AI expand, efficiency in financial services can rise, but the risks of hacking and financial fraud also grow. With concerns that high-performance AI could be misused to find security flaws or for phishing crimes, the sector’s AX strategy has entered a phase in which it must also review security and consumer protection systems, beyond adopting technology.

The FSC highlighted two broad risks. One is that frontier AI, the highest-performing AI currently available, could be used not only to detect security vulnerabilities but also to plan and carry out hacking. The other is the spread of voice phishing crimes using AI voice manipulation, deepfakes and inducements to install malicious apps. There is concern that existing fraud response systems may become insufficient to block new types of crimes.

The FSC decided to expand the use of AI for security purposes. It plans to quickly allow exceptions to network separation rules so AI can be used to check for security vulnerabilities, and to share response know-how identified during inspections across the entire financial sector. It also aims to implement within the year a plan to fully lift network separation rules for selected financial companies with security and AI capabilities.

Easing network separation rules could help bring forward the financial sector’s AI transition. For financial companies, though, it also increases responsibility for security management. As the separation between internal and external networks is partially loosened, financial companies are expected to be asked to have basic systems in place, such as security testing, access controls, IT resource management and incident response scenarios, before expanding the scope of AI use.

Responding to voice phishing was also a key agenda item. The FSC said it will upgrade ASAP, the AI platform for sharing and analysing voice phishing information that was launched in October last year centred on the banking sector, and expand the scope of shared information to include telecommunications and investigative data. It plans to draw up guidelines so that suspected accounts can be detected early through AI pattern analysis by crime type, and so that accounts can be frozen immediately even for new types of phishing crimes.

Lee orders "bold break" from existing methods

The burden of consumer protection in the financial sector is expected to grow. The FSC said it will also speed up the introduction of a voice phishing no-fault liability system to strengthen accountability and make victim relief more substantive. If introduced, financial companies would need to raise management standards across the board, going beyond detecting unusual transactions to accident prevention, customer guidance and post-incident compensation systems.

One problem is that responsibility cannot remain limited to individual financial companies. AI-based hacking or voice phishing can spread beyond one bank’s IT and business operations to customer touchpoints across financial groups, including cards, insurance and securities. This is why financial authorities ordered the five major financial holding companies to respond at the holding company level. It means they must build group-wide systems such as in-house penetration testing and crisis-response scenarios, dedicated security organisations and systems for sharing suspicious transaction information among affiliates.

Financial holding companies are also moving quickly to overhaul their response systems. The five major groups said they are pursuing measures including introducing AI-based security monitoring and penetration testing solutions, setting up dedicated security organisations and building AI-based intelligent systems to detect abnormal transactions. As post-incident relief measures such as compensation insurance for voice phishing losses are also being considered, digital risk management in the financial sector is expected to broaden to cover prevention, detection and compensation together.

The financial sector says it is under pressure on both AI transition and risk management. Expanding AI use has emerged as an essential task for boosting productivity and innovating services, but the responsibility borne by financial companies could also grow if hacking or voice phishing incidents occur. Ultimately, AX competitiveness is expected to be decided not only by the speed of AI adoption but also by how tightly the sector builds its security investment, internal controls and consumer loss relief systems.

Lee said, "The more a financial company has strong capabilities and resources, the more it must boldly break away from existing methods, lead the market and build up success cases so that many financial companies can use them as a guide and join innovation with peace of mind." He added, "Please move forward courageously with improving your constitution through AI."

A financial sector official said, "Going forward, digital risk management by financial companies is likely to become an important task that ties together group-level internal controls and consumer protection systems, beyond the technical responses of IT security departments."

Copyright © DigitalToday. All rights reserved. Unauthorized reproduction and redistribution are prohibited.