NewDo you know which regulations apply to you? Find out in under 3 minutes. Our sincere gift:EU scoperKorea scoper
How can we help?

Message us on

KakaoTalkLINE

Response within 48 hours

Send us an email →
Korean bank "security programs", demystified
Regulatory Compliance

Korean bank "security programs", demystified

July 17, 2026·Alex Holmquist, Panke IT Solutions LLC

You sit down to bank online in Korea and, before you can move a single won, the site hands you a stack of installers: names you have never heard of, a security warning to click past, sometimes a reboot. "Why you have to install all this stuff?! I just want to log in!" The answer used to be that the law requires it. However, the rule people have in mind was repealed eleven years ago, then repealed again five years after that, and the software is still on your machine. In this blog, we will show exactly what's holding it there.

An engraved brass and enamel commemorative plaque. 2014, 15 Oct: regulator barred from naming a technology. 2015, 18 Mar: certificate mandate repealed. 2020, 10 Dec: certificate abolished outright. Today: you still install. A bracket across the span reads ELEVEN YEARS since the rule died, still on your machine

The habit started with a real requirement

There used to be a rule that forced banks to push those "security programs". The name of the rule was 공인인증서, the state-accredited certificate. For years, moving money online meant holding one, and holding one meant installing the pile of ActiveX components that issued it, stored it, and checked it.

That is where the habit was born. The bank asks, you install, you don't ask what it is. You are now "secured".

So it used to be a genuine legal requirement until 2015... but we are more than a decade in the future now. So, what happened?

The mandate died in 2015

On 18 March 2015, as 아시아경제 and 허프포스트코리아 reported at the time, the 금융위원회 resolved at its regular meeting to amend the 전자금융감독규정, abolishing mandatory use of the accredited certificate for electronic financial transactions and deleting the obligation to install ActiveX security programs. Banks were left to devise their own safety measures. It took effect immediately.

Part of the pressure came from the episode the Korean press named the 천송이 코트: Chinese viewers of 별에서 온 그대 wanted the coat the show's lead had worn, and could not buy it, because Korean checkout demanded a certificate no foreigner could get.

A lit boutique window at night showing a single camel coat on a mannequin, with three shoppers outside on the wet pavement holding cards and cash, and a brass sign on the locked door reading ACCREDITED CERTIFICATE REQUIRED

The requirement was gone. The installers stayed.

The certificate lost its monopoly in 2020

Five years later the certificate lost even its special status. The Digital Signature Act (전자서명법) was rewritten end to end — 법률 제17354호, promulgated 9 June 2020 and in force 10 December 2020 — abolishing the accredited certificate system outright, so that private signature methods could compete on their merits.

What had once held its monopoly since 1999 finally became one option among many.

That is two repeals in five years, yet your bank still greets you with a stack of installers!! So it is worth asking: what does the law ACTUALLY require as of today?

The current state of the law

We checked the current Act ourselves — 전자금융거래법, 법률 제21205호, all seventy-one articles. The phrase 공인인증 appears zero times. The phrase 보안프로그램 appears zero times.

A search of the full text of 전자금융거래법, 법률 제21205호, all 71 articles: 공인인증 appears 0 times, 보안프로그램 0 times, ActiveX 0 times. The same search over the same file finds 인증서 3 times, 안전성 8 times and 접근매체 37 times

The Act is by no means silent about cybersecurity. In fact, article 21(2) binds your bank to standards set by the 금융위원회, the Financial Services Commission.

전자금융거래법 제21조 제3항: ③ 금융위원회는 제2항의 기준을 정할 때 특정 기술 또는 서비스의 사용을 강제하여서는 아니 되며, 보안기술과 인증기술의 공정한 경쟁이 촉진되도록 노력하여야 한다.
The Financial Services Commission shall not compel the use of any specific technology or service when setting the standards under paragraph 2, and shall endeavour to promote fair competition among security technologies and authentication technologies.

That text is what's in force today, as amended on 15 October 2014.

Your bank's compliance coat

The law doesn't require the software anymore. Now, your bank does. The bank sees it as a way to show they are compliant to Article 21(1):

전자금융거래법 제21조 제1항: ①금융회사등은 전자금융거래가 안전하게 처리될 수 있도록 선량한 관리자로서의 주의를 다하여야 한다.
Financial companies shall exercise the care of a good manager to ensure that electronic financial transactions are processed safely.

선량한 관리자로서의 주의 — the care of a good manager. It is a standard with no checklist attached. Nobody can tell your bank in advance what satisfies it; a court decides afterwards, once money has already gone missing.

The law stopped telling banks what to install and started holding them accountable for whether your transaction was safe. Having the user install security software is like a compliance stamp the bank can produce on paper: it documents that the bank pushed something material to prevent a security incident.

A grid of who carries what. If the bank keeps the software it has nothing to explain and you carry the install every time; if it removes the software it must explain the next fraud and you carry nothing. So it stays

That is why the banks still tell you to download that software. That's what everyone does! Leaving it there is common practice, and a bank that follows it has an easy story to tell. They don't see a large enough payback in removing the software. If they remove it and a customer is defrauded, someone will have to explain themselves.

The mandate died in 2015, and again in 2020. The incentive it built outlived it, and ending that is nobody's job.

Do you have "security programs" on your computer that you can't name?

References

  1. 국가법령정보센터 — 전자금융거래법 (법률 제21205호)
  2. 국가법령정보센터 — 전자서명법 (전부개정 법률 제17354호, 2020. 6. 9. 공포 / 2020. 12. 10. 시행)
  3. 전자신문 — 굿바이 공인인증서…민간 전자서명 시대 열렸다 (2020-12-09)
  4. 허프포스트코리아 — 공인인증서 해방? 의무사용 폐지 5문5답 (2015-03-19)
  5. 아시아경제 — 공인인증서 의무 폐지, 수혜주와 피해주는? (2015-03-19)
Concerned about your attack surface?

If you'd like to know how your infrastructure scores in an attacker's scanning model, reach out at contact@pankeit.com for an external attack surface assessment.

Subscribe to our blog

Stay up to date with the latest security trends

No spam. Unsubscribe anytime.

HomeAboutPrivacyDMCA

©2026 Panke IT Solutions LLC

Austin, TX