As big tech-affiliated financial services become part of daily financial infrastructure, financial authorities are demanding IT stability and internal control systems commensurate with their growth. These services have expanded their user base and upgraded their offerings, but authorities see system failures as likely to lead directly to consumer harm and a loss of market trust.

The Financial Supervisory Service held a meeting on Tuesday with chief information officers at big tech-affiliated electronic financial service providers. CIOs and audit officials from six companies attended, including Naver Financial, Kakao, Kakao Pay, Kakao Mobility, Viva Republica and Toss Payments.

System outages this year at big tech-affiliated electronic financial service providers are cited as cases that exposed the management burdens accumulated during service expansion. Disruptions ranged from suspensions of key services such as payments, top-ups and remittances to online and offline payment failures and duplicate withdrawals on automatic transfers. Fintech firms are now being required to have IT internal controls and consumer response systems on par with traditional financial institutions.

The problem is that big tech financial services are already used like everyday financial infrastructure. If payment, remittance and top-up functions stop, it can lead not only to access problems but also to transaction gaps and consumer harm. In particular, when payments, top-ups, remittances and affiliated financial company services are provided together within a platform, a failure in a specific function could spread into a full service shutdown.

A one-app structure and the expansion of externally linked services are also making management more difficult. Services of multiple affiliates are connected within a single app, and links with cloud and external systems are increasing, so failures may not remain within one company. The watchdog also called for isolation systems to prevent failures on a specific platform from spreading to overall services or affiliated financial companies.

Another burden is that many major incidents are linked to inadequate basic IT internal controls. In some cases, an update program error sharply increased network traffic, or a surge in access during events was not sufficiently forecast, causing database server overload. Other cases cited included delays in order and payment processing because third-party verification was omitted during program changes or advance testing was insufficient.

The industry is moving to strengthen internal controls to prevent system failures. The companies agreed to build IT internal control systems matching their IT risks and carry out voluntary control activities. They plan to conduct prior impact analysis and sufficient testing when introducing new functions or updates, and to check system availability by analysing expected inflows before major events or new services. They also plan to strengthen real-time monitoring to detect failures and errors early and to establish contingency measures to rapidly add emergency IT resources.

Against this backdrop, major fintech firms are also overhauling their management systems, focusing on system change management, blocking external linkage failures and securing business continuity. With failures able to spread beyond a single function to the entire service, they are focusing on separating and checking core services and externally linked sections.

Naver Pay said it has an organisation and specialist personnel responsible for reviewing the validity of system changes and for deliberating on and approving them. It said it separates and isolates externally linked services from core services to prevent failures from spreading into internal systems. It also said it checks the effectiveness of recovery procedures through drills that assume disaster and failure situations and quickly reviews compensation measures if damage occurs.

Kakao Pay also said it is operating IT risk management and failure-spread prevention systems. It said a dedicated audit organisation establishes and implements IT risk assessment plans in line with the watchdog's IT internal control system guidelines, and that its IT organisation also performs its own IT audit role. It said it operates failure-blocking systems including distributed tracing, system distribution and circuit breakers to isolate operations so that failures in some systems do not spread to overall services.

Toss focuses on IT operational control and securing business continuity. Toss said it independently checks key IT operational controls through IT and security specialist audit functions within its internal audit team, including system change management, failure and incident management, externally linked services, business continuity plans and disaster recovery. It also said it operates redundant infrastructure at all times and, because multiple affiliate services are connected in a one-app environment, runs joint response processes for the connection sections between affiliates.

All of the companies said they are upgrading consumer protection systems so that damage assessment, customer guidance and follow-up measures can be carried out quickly when failures or incidents occur.

The watchdog stressed company-wide efforts to prevent system incidents, as big tech financial services are closely linked to the daily lives of the public. It said it would conduct on-site inspections of electronic financial service providers where incidents occur frequently, and would take strict measures if major system incidents occur due to inadequate basic internal controls.

Lee Jong-oh (이종오), deputy head of the Financial Supervisory Service's Digital and IT division, said thorough prevention was needed to avoid large-scale inconvenience and economic damage from system incidents, given the close connection to the daily lives of the public. He stressed the need for company-wide efforts to secure IT stability exceeding that of traditional financial companies.

The industry broadly agrees on strengthening system stability, but some say detailed standards need to be designed with the characteristics of the fintech sector in mind.

An industry official said big tech-affiliated electronic financial service providers are also continuing investments and making major efforts to ensure security and IT stability. The official said that in the process of specifying internal control standards, it is necessary to also look at the structure of each service and its technical environment.

Copyright © DigitalToday. All rights reserved. Unauthorized reproduction and redistribution are prohibited.