South Korea Tells Banks to Prepare for AI-Powered Fraud & Cyberattacks

Key Takeaways

• AI Is Becoming Both the Threat and the Defense: South Korean regulators are increasingly focused on the reality that the same AI technologies driving innovation in financial services are also enabling more sophisticated cyberattacks and deepfake-enabled fraud schemes.
• Network Separation Rules Face a Strategic Reassessment: The FSC's decision to ease network separation requirements for AI cybersecurity applications signals a significant shift in how regulators balance security controls against the need for more effective AI-driven defenses.
• Deepfake Vishing Has Moved Into the Mainstream Regulatory Agenda: Voice phishing attacks enhanced by AI-generated voices and other synthetic media capabilities are now being treated as a material risk requiring coordinated industry and government action.
• Information Sharing Is Being Positioned as Critical Infrastructure: Regulators want financial institutions to contribute intelligence on phishing tactics, transaction patterns, and fraud typologies to strengthen collective defenses through the ASAP platform.
• Financial Institutions Are Expected to Lead AI Transformation Responsibly: The FSC is encouraging larger financial groups to move aggressively on AI adoption while simultaneously investing in cybersecurity, governance, testing, and fraud prevention capabilities.

Deep Dive

South Korea's financial regulator is asking some of the country's largest financial institutions to prepare for a future in which artificial intelligence is no longer simply a productivity tool but a weapon. At a meeting in Seoul, Financial Services Commission Chairman Lee Eog-weon met with the chief executives of five major financial holding companies to discuss a problem confronting regulators around the world. The same technologies banks hope will make operations faster and more efficient are also making scams more convincing, cyberattacks more sophisticated, and fraud harder to detect.

Much of the discussion centered on deepfake voice phishing schemes and the risks posed by increasingly capable AI systems. Lee specifically pointed to frontier AI models and warned that financial institutions will need stronger defenses as the technology becomes more powerful and more accessible.

The concern is no longer theoretical. Voice phishing has long been a problem across Asia. What changes when AI enters the equation is scale. Criminals can generate convincing voices, automate interactions, and adapt attacks in ways that were difficult or expensive only a few years ago. A scam that once required a skilled fraudster can now be replicated thousands of times with software.

The government's response is notable because it is not limited to tougher enforcement or new reporting requirements. Regulators are increasingly betting that AI itself will become part of the solution.

Lee highlighted several initiatives already underway, including expanded use of the AI-based Anti-Phishing Sharing & Analysis Platform, known as ASAP, which is designed to identify emerging phishing techniques and distribute intelligence across the financial sector. The government is also preparing to ease network separation requirements for financial companies when AI is being used for cybersecurity purposes.

That represents a meaningful shift. Network separation rules have long been a cornerstone of cybersecurity policy in South Korea's financial sector. Relaxing those requirements, even selectively, reflects a growing belief among policymakers that defensive AI systems may require broader access to data and infrastructure than existing regulations permit.

Regulators are also preparing to introduce a strict liability framework intended to strengthen compensation and remedies for victims of financial fraud. The proposal would place greater responsibility on financial institutions when losses occur.

For banks and financial groups, the message from the FSC was to prepare now. Lee urged financial institutions to participate actively in government-sponsored AI cybersecurity testing and to develop concrete plans for how AI will be deployed across their operations as restrictions are gradually removed. He also called for closer cooperation with law enforcement authorities and the Korea Financial Intelligence Unit to identify emerging fraud patterns and improve information sharing.

The regulator's expectations extend well beyond parent companies. Financial holding groups were told they should ensure that subsidiaries maintain adequate cybersecurity capabilities, conduct appropriate testing, and share intelligence on phishing activity. The FSC also encouraged firms to explore insurance mechanisms that could provide additional protection for fraud victims.

None of these measures would be surprising. Collectively, they point to a broader shift in regulatory thinking. For years, financial-sector cybersecurity policy largely focused on protecting institutions from external threats. Increasingly, regulators are grappling with a more complicated reality. The technologies financial institutions are adopting to improve productivity, automate processes, and transform customer experiences are the same technologies that criminals are learning to exploit.

The challenge for policymakers is no longer whether AI will reshape financial services. It is whether defensive capabilities can evolve quickly enough to keep pace with the threats that AI is creating. South Korea appears determined to find out.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.