Financial sector faces hurdles in AI adoption despite eased network separation rule

gettyimagesbank

Although financial authorities relaxed network-separation regulations last year for the first time in a decade, the changes have yet to ease operational difficulties for financial companies, industry insiders said Thursday.

While the revision allows firms to use generative artificial intelligence (AI), each time an AI model’s name or version is updated, companies must obtain new approval from authorities, a process that can take several months.

According to industry sources, a major financial firm secured regulatory sandbox approval earlier this year to launch a service based on OpenAI’s GPT-4 and has recently completed its system setup. However, with the debut of OpenAI’s GPT-5.1 earlier this month, the firm now faces the need to reapply for sandbox designation and repeat the approval process to implement the latest model.

The situation has raised concerns that cumbersome regulations are hindering AI adoption in the financial sector, even as the Lee Jae Myung administration aims to position Korea among the world’s top three AI leaders.

The network-separation regulation was introduced after the IT network blackout on March 20, 2013, when the computer systems of major broadcasters, banks and credit card companies were immobilized. The rule requires financial companies to separate internal work networks from external internet networks to strengthen security and protect consumers’ sensitive information and financial assets.

However, as the software market rapidly shifts from on-premise systems to cloud-based subscription services, and as generative AI becomes a key factor in industry competitiveness, the rule has been criticized for causing operational inefficiencies and hindering the adoption of new technologies.

In response, financial authorities decided last year to ease the regulation, addressing urgent IT challenges through regulatory sandboxes, while implementing additional security measures to ensure safety until autonomous security systems are fully established.

The innovative financial service program, more widely known as the regulatory sandbox, gives companies a temporary waiver from existing rules so they can test new services that would otherwise be restricted. It usually takes about six months to a year to complete the entire procedure, from preparing the application and securing designation to building the service.

Financial authorities accept applications every quarter and determine within 120 days whether to grant approval. After receiving the designation, firms must also undergo a security assessment by the Financial Security Institute.

Financial companies seeking to use external generative AI tools like ChatGPT under the sandbox are required to disclose the specific model name and version in their application. But even after approval, any update or change to the AI model requires submitting a separate amendment request and going through another approval process.

“Amid the rapid evolution of AI technology, many in the financial sector worry that lengthy administrative procedures will leave the industry lagging behind,” an official from a major bank said. “Having to obtain individual approvals even for minor model updates is highly inefficient.”

Another financial industry source noted that approvals should be streamlined so that a single authorization can cover various commercial AI tools, such as ChatGPT, Google’s Gemini and Anthropic’s Claude, instead of requiring individual approvals for each service.