
Title Taiwan Stock Exchange Corporation Compliance Matters Governing Securities Firm Mobile ID Authentication
Date 2022.12.16 ( Announced )

Article Content

Article 1     These matters are established in accordance with Article 2, paragraph 1, subparagraph 5 of the Standards Governing Principal Identification and Management of Credit Line Categorization in the Processing by Securities Firms of Account Opening.
Article 2     Mobile ID means an ID authentication process whereby, after a securities firm obtains the consent of a principal, the principal first verifies through a third-party authentication institution with the telecommunications carrier of the principal, using the principal's mobile device with a SIM card that has a service number with 4G or higher technology, the mobile telephone number, national ID number, and date of birth of the principal against the application data of the mobile service number subscriber from the telecommunications carrier to confirm consistency, then notifies the securities firm.
    For the purposes of the preceding paragraph, a service number with 4G or a higher generation of technology means a service number for which a principal applies over the counter at a direct selling store of a telecommunications carrier by delivering the principal's national ID card and a second authenticable identification document and completing signing in person, excluding service numbers of stored value cards, child supplementary cards, prepaid cards, and corporate cards, and also service numbers for which applications are made through an agent etc., where it is impossible to identify the application as made and personally signed by the principal itself.
    For the purposes of these matters, a third-party authentication institution means an approved certification authority as publicly announced by the Ministry of Digital Affairs in accordance with Article 11, paragraph 4 of the Electronic Signatures Act.
Article 3     A securities firm engaging in the business contemplated by these matters shall comply with its standard directions on internal control systems, the Personal Data Protection Act, anti-money laundering and countering of terrorist financing related regulations, and shall formulate operating and processing procedures and risk control measures including but not limited to the following, with examination records retained of the related control mechanism:
  1. A third-party authentication institution providing mobile ID service shall be required to confirm that a service number that is subject to a principal's mobile ID conforms to the definition in paragraph 2 of the preceding article, and consent to the provision of the personal data of a service number subscriber to a third person shall be procured.
  2. It shall be ensured that a principal has read and agrees to the terms of the mobile ID service user agreement and privacy notice before mobile ID may proceed.
  3. It shall be ensured that a principal has been ID-authenticated by mobile ID, has read and agrees to the terms of the engagement contract, the statement on the collection, processing, and use of personal data, and the risk disclosure statement, has uploaded an image file of the national ID card, and has filled in its personal particulars.
  4. The opening of accounts by and data screening of a principal shall conform to the securities firm's standard directions on internal control systems CA-11110: Regular Trading Accounts: Account Opening and Screening Procedure.
  5. Prior to a principal's execution of an account opening contract, the securities firm shall, as secondary verification, send a One Time Password, OTP, by text or make a personal telephone call to validate the principal's acts, and the procedures in the preceding four subparagraphs shall be confirmed completed, before the account opening contract may be executed in accordance with the Electronic Signatures Act. The account opening application will be terminated in the event of any data discrepancy.
Article 4     A securities firm authenticating ID by mobile ID shall formulate an information security mechanism, including the following:
  1. An information security policy shall be formulated in respect of the process of data transmission, data storage, and other aspects of the security control mechanism concerning a principal using mobile ID to authenticate identity.
  2. Records or trails of a principal's use of mobile ID shall be retained.
  3. A review procedure shall be developed against unauthorized use in regard to data furnished by a principal.
  4. A cyber security incident notification procedure shall be developed.
Article 5     The procedures, mechanisms, and risk control measures devised by a securities firm in accordance with the preceding two articles shall be incorporated in the internal control system or internal management system and approved by the board of directors before mobile ID may be offered to a principal for identity authentication.
Article 6     A securities firm performing mobile ID shall conduct a regular examination and review at least once every six months, and shall prepare and submit to the board of directors an improvement plan if notice is received from a principal indicating that the account opening contract was not executed with the principal's own true intention or that a transaction dispute has occurred.
Article 7     These matters shall take effect after having been submitted to and approved by the competent authority and publicly announced. Subsequent amendments thereto shall be effected in the same manner.