Comparison Study between Institutional Response to Security Risks of the EU's Revised Payment Services Directive and Domestic Electronic Finance Regulation

A Comparative Study of the Institutional Response to Security Risks under the Revised EU Payment Services Directive and the Related Domestic Electronic Finance Regulation

  • Kim, Hyun Boo (Graduate School of Information Security, Korea University)
  • Kim, In Seok (Graduate School of Information Security, Korea University)
  • Received : 2019.10.02
  • Accepted : 2019.11.12
  • Published : 2019.11.30

Abstract

Traditionally, banks and other financial institutions have provided payment services from a dominant position, using the customer accounts and customer information they manage. Recently, the EU amended its Payment Services Directive to institutionally guarantee that third parties, too, may access customer accounts and use account-related information, which facilitates competition in financial markets and promotes innovation. However, this change can increase potential security risks, so institutional responses from financial authorities are required so that all participants in financial markets can respond properly to those risks. This study analyzes the institutional responses to security risks in the EU's new Payment Services Directive (PSD2), compares them with domestic electronic finance regulations, and suggests implications for the direction of improving domestic electronic finance regulations.

Traditionally, banks and other financial institutions have provided financial services from a dominant position by using the customer accounts and information that they manage. Recently, the European Union revised its Payment Services Directive to institutionally guarantee that third parties may also access customer accounts and be provided with account-related information, thereby promoting competition and innovation in the financial market. However, such a change can increase potential security risks, and so an institutional response from the financial authorities is required so that both new and existing market participants can respond appropriately to security risks in the financial market. This study analyzes the institutional responses to security risks found in the EU's new Payment Services Directive (PSD2), compares and analyzes them against domestic electronic finance regulation, and derives implications in order to propose directions for improving domestic electronic finance regulation.
