In January 2026, the Financial Supervisory Service surveyed 118 Korean financial companies on their AI governance readiness. The results were blunt: only 25% of banks had set up AI decision-making bodies. Only 7.5% of insurers had done so. And only 2.7% of securities firms. Approximately 85% of financial companies had not established AI ethics principles or risk management standards.
This is the gap between what Korean financial regulators expect and what the industry has built. The regulators are not waiting. The FSC is revising its 2021 AI guidelines. The FSS is mandating AI risk management frameworks. The AI Basic Act classifies credit scoring and loan decisions as high-impact AI. And the PIPC has already ordered an AI model destroyed for using unlawfully obtained financial data.
If you operate AI systems in Korean financial services — credit scoring, fraud detection, robo-advisory, insurance underwriting — here is what applies to you now.
Who Regulates AI in Korean Financial Services?
Four regulators have overlapping jurisdiction over AI in financial services. Each has different tools, different mandates, and different enforcement postures.
Financial Services Commission (FSC): The primary policy-maker. Issued Korea’s first Financial Sector AI Guidelines in July 2021. Currently revising them to address generative AI. Also operates the Financial Regulatory Sandbox under the Special Act on Financial Innovation.
Financial Supervisory Service (FSS): The examination and enforcement arm. Announced a mandatory AI Risk Management Framework in January 2026. Runs on-site inspections and levies fines under the Electronic Financial Transactions Act and credit information law.
Personal Information Protection Commission (PIPC): The data protection enforcer. Has jurisdiction over AI training data and automated decision-making under PIPA. Already ordered AI model destruction in the financial sector (Kakao Pay/Alipay, January 2025).
Ministry of Science and ICT (MSIT): Administers the AI Basic Act, which classifies financial AI applications as high-impact. Sets the overarching framework that sector regulators must align with.
What Are the FSC AI Guidelines?
The FSC issued its Financial Sector Artificial Intelligence Guidelines on July 8, 2021 — the first financial-sector-specific AI guidance in Korea. They are voluntary, covering the full AI lifecycle from planning through monitoring.
Four core values:
- Responsibility in the financial sector
- Accuracy and safety of AI training data
- Transparency and fairness of AI financial services
- Protection of financial consumer rights
Key requirements: Establish AI ethical principles; define roles and responsibilities for AI risk; apply strengthened risk management to “high-risk services” (those posing serious risks to individual rights, interests, safety, or freedom); provide consumers with advance notice of AI use and information on their rights of explanation and objection.
2025 revision underway. The FSC launched a research project in March 2025 to revise the 2021 guidelines, with a specific focus on generative AI governance. The study was broadened in June 2025. The existing guidelines were criticized as “overly vague and lacking legal force.” Publication of revised guidelines was planned for the second half of 2025, though the timeline was delayed by political instability following the martial law crisis.
Separately, the FSC is amending the Act on the Protection of Financial Consumers to codify current self-regulatory norms around online AI sales into binding law. The existing Act carries punitive penalty surcharges of up to 50% of related revenue.
What Is the FSS AI Risk Management Framework?
On January 15, 2026, the FSS announced it would prepare a financial-sector AI Risk Management Framework. This was prompted by the damning survey results: 85% of financial companies lacked AI ethics principles or risk management standards.
Key requirements (announced January 2026):
- Build governance systems including a dedicated AI risk management decision-making body
- Chair of the decision-making body must report regularly to the CEO
- Establish AI-related internal rules and detailed work manuals
- Manage AI from adoption through use via standardized procedures
The FSS explicitly noted that under the AI Basic Act, high-impact AI affecting loan screening is classified as high-risk regardless of its internal grading by the financial institution. In other words, a bank cannot self-certify its credit scoring AI as “low risk” to avoid obligations.
In March 2026, the FSS held a supervision briefing for 350 financial industry representatives. The key message: a shift from post-incident response to preventive oversight, with consumer protection as the top supervisory priority. The FSS will closely examine AI risk management and internal controls at large fintech operators affiliated with “big tech.”
How Does the AI Basic Act Apply to Finance?
The AI Basic Act (in force January 22, 2026) does not carve out a special regime for financial services. Instead, its general high-impact AI framework captures financial AI by function.
Article 2(4) defines high-impact AI to include systems used in “employment, loan, or other decisions that significantly affect an individual’s rights or interests.” This covers:
- Credit scoring and loan decisions — any AI system that influences whether a person gets a loan, what rate they pay, or whether their application is rejected
- Insurance underwriting — AI-driven risk assessment for life and health insurance
- Employment decisions — AI screening of job applications at financial institutions
- Automated trading — to the extent it affects individual client portfolios
Obligations for high-impact AI operators:
- Assess whether AI qualifies as high-impact before deployment
- Provide a “meaningful explanation” of outcomes, key criteria, and a summary of training data
- Create and deploy a user protection plan
- Implement human intervention and oversight mechanisms
- Document actions taken to secure trust and safety
- Conduct fundamental rights impact assessments before deployment
These stack on top of existing sector-specific obligations under the Electronic Financial Transactions Act and PIPA. Financial institutions face a compliance matrix with three regulatory layers: the AI Basic Act (MSIT), sector guidelines (FSC/FSS), and data protection (PIPC).
The Kakao Pay Precedent: Model Deletion in Financial AI
The defining enforcement action for AI in Korean financial services is the PIPC’s January 2025 decision against Kakao Pay, Apple, and Alipay.
Kakao Pay transferred data from approximately 40 million users to Alipay, which built “NSF scores” — creditworthiness algorithms for Apple Pay micropayment bundling — without user consent. The PIPC fined Kakao Pay KRW 5.97 billion and Apple KRW 2.45 billion (total ~$5.9 million). Critically, the PIPC ordered Alipay to destroy the AI model itself — the NSF scoring algorithm trained on the unlawfully obtained data.
This model deletion order established “algorithm disgorgement” as a PIPC remedy. It is comparable to US FTC algorithm disgorgement orders but with explicit statutory basis. Korea is now at the global leading edge of AI model deletion as a privacy enforcement tool.
The FSS separately fined Kakao Pay approximately KRW 13 billion (~$8.9 million) in February 2026 for the same underlying conduct under credit information law — bringing total penalties to nearly $15 million.
Kakao Pay has challenged the PIPC sanction in court; an injunction suspending the penalty was granted in May 2025. The litigation is ongoing.
What AI Is Actually Deployed in Korean Banking?
Korean banks and fintechs have moved fast on AI deployment, creating the compliance urgency that regulators are now racing to address.
KakaoBank declared “AI-native banking” as its core model in 2025. Deployed applications include conversational AI search (1.7 million users by year-end), an AI financial calculator, AI-powered transfers via natural language, AI smishing detection (210,000+ users in 3 months), and five alternative credit scoring models using 18 million pseudonymized non-financial data points. The alternative credit models have generated approximately KRW 989 billion in additional mid-credit loans.
Toss Bank deployed machine learning for proactive fraud detection in October 2025, blocking 6,200 risky accounts and preventing approximately KRW 3 billion (~$2.1 million) in losses.
Shinhan Bank introduced a generative AI-based loan screening support agent for corporate lending in March 2026, analyzing financial data, industry trends, collateral values, and technological competitiveness across 12 industries.
Hanwha Life received sandbox approval for two AI tools in September 2025: an AI translation service for foreign clients and an AI planning agent that cut insurance plan design time from 9 minutes to under 1 minute.
The Koscom Robo-Advisor Testbed — a mandatory verification infrastructure for all Korean robo-advisors — now covers 374,853 subscribers with KRW 1.17 trillion in assets. 116 companies and 725 algorithms have passed verification. Average robo-advisor return in 2025: 14.89%.
How Does Korea Compare to the EU and UK?
| Dimension | Korea (AI Basic Act + FSC/FSS) | EU AI Act | UK (FCA) |
|---|---|---|---|
| Credit scoring classification | High-impact AI (functional definition) | High-risk (explicitly listed in Annex III) | Principles-based (no explicit listing) |
| Legal basis | Framework law + sector guidelines | Binding EU regulation | Principles integrated into FCA/PRA rules |
| Explainability | Mandatory for high-impact AI | Mandatory for all high-risk AI | “Explainability” as one of five principles |
| Model deletion power | PIPC has exercised it (Kakao Pay, Jan 2025) | Not established | Not established |
| Penalty ceiling (AI law) | KRW 30M (~$21K) under AI Basic Act; heavier via PIPC and FSS | EUR 35M or 7% global turnover | Existing FCA/PRA powers |
| Innovation support | Financial Regulatory Sandbox (active since 2019), Koscom RA Testbed | Mandatory conformity assessment | FCA “Supercharged Sandbox” with NVIDIA (Oct 2025) |
Korea occupies a middle ground. More prescriptive than the UK’s principles-based approach — the AI Basic Act creates affirmative obligations for high-impact AI — but less prescriptive than the EU AI Act, which includes an explicit Annex-based risk classification. Korea’s distinctive contribution is the PIPC’s model deletion precedent, which is more aggressive than either EU or UK practice. The FSS’s preventive supervision posture mirrors the direction of EU financial AI supervision, but through guidance rather than binding regulation.
What Should You Do This Week?
- Map your AI applications against the high-impact criteria. Any system involved in credit decisions, loan screening, insurance underwriting, or employment at financial institutions is almost certainly high-impact under the AI Basic Act.
- Establish an AI risk management decision-making body. The FSS survey revealed 85% of financial companies lack one. The FSS AI Risk Management Framework will make this a supervisory expectation in 2026 examinations.
- Document your training data sources. The Kakao Pay precedent means unlawfully sourced training data can trigger model deletion. Maintain clear provenance records for all data feeding financial AI models.
- Prepare explainability infrastructure. The AI Basic Act requires “meaningful explanations” of high-impact AI outcomes. For credit scoring and loan decisions, this means being able to explain why a specific application was approved or rejected — in terms the consumer can understand.
- Watch the FSC guideline revision. The revised Financial Sector AI Guidelines — expected to address generative AI specifically — will likely become the practical compliance standard for financial institutions, even if technically voluntary.
For the broader AI Basic Act framework, see our article-by-article guide. For PIPC enforcement trends, see our enforcement analysis. For Korea’s approach to AI-generated content, see our copyright rules guide.
Disclaimer: This content is for informational purposes only and does not constitute legal advice.
Last verified: April 10, 2026
Compare: EU vs South Korea
For the global keystone comparison across twelve dimensions — high-impact vs high-risk classification, mandatory vs voluntary conformity, KRW 30M vs €35M penalties, Korea’s innovation chapter, and a five-step dual-market compliance baseline — see EU vs South Korea AI Act: High-Impact vs High-Risk Compared (2026).