"From 'Compliance' to 'Designation of Responsible Parties' - The Transition of 2026 Digital Finance Regulation [Bae, Kim & Lee's Future Finance]"

'AI Framework Act' about to take effect

Must prepare for strengthened governance regulation such as designation of responsible persons

The emergence of new task performers: AI agents and legal gaps

On January 22, 2026, the Artificial Intelligence (AI) Framework Act will come into force. This law focuses not on whether AI is 'used' but on 'how it is operated as a trustworthy accountability system.' Although it adopted a promotion-centered, loose regulatory regime, the governance framework has in fact been strengthened, for example by elevating the National AI Strategy Committee and mandating a Chief AI Officer (CAIO).

At this point, AI in the financial sector evolves beyond simple inquiries and recommendations into 'task performers.' The 'agentic AI' presented by the Institute for Information and Communications Technology Planning and Evaluation refers to AI that makes decisions and acts on its own, and it is expanding into loan screening assistance, asset allocation execution, anomaly transaction detection, and so on.

The problem is a legal gap. Current regulations assume that a 'person' performs tasks, so the locus of responsibility is unclear when AI performs them. For example: if AI assigns low credit scores to certain occupational groups? Due to the black-box nature of deep learning models, it is difficult to explain "why such a judgment was made." If an investment advisory service using the ChatGPT API provided false information because of hallucination? If an incomplete sale occurred during a sales process using AI, can full responsibility be imposed on the financial company, or on the AI model provider?

As AI agents evolve into task performers, explainability, recordability, and the design of human intervention points become central to disputes. Although the Personal Information Protection Commission's guidance, released in August 2025, reflects this awareness of the issue, concrete legal standards that reflect the characteristics of the financial sector are still lacking. Ultimately, the situation requires designing well 'who is responsible for the outcome' rather than 'what the AI did.'

From physical separation to logical control: a philosophical shift in network separation regulation

2026 is the year the Financial Services Commission's network separation improvement roadmap enters its third phase (stabilization). Through the tentatively titled "Digital Financial Security Act," a legal foundation will be established for shifting from micro technical regulation to principle-based regulation. Financial companies will be able to choose network configuration methods based on their own risk assessments, and the specific application of logical network separation technologies is expected to be discussed for information systems other than core banking and parts of the account system.

This is not a simple IT policy change. Financial authorities no longer instruct 'which technology to use.' Instead, financial firms are expected to design logical control systems such as zero trust and cloud configuration management themselves, and take full responsibility for the results. The fact that the first keyword among the 2026 top 10 trends presented by the Financial Security Institute is 'financial company-led security' demonstrates this philosophical shift.

Legally, this means the question shifts from "Did you comply?" to "Who is responsible?" However, easing network separation accelerates innovation while rapidly increasing dependence on third parties. Supply chain risks such as cloud infrastructure failures, OpenAI API outages, and open-source vulnerabilities translate directly into financial service disruptions. As control methods change, the areas that are uncontrollable also increase.

So what should be prepared?

The characteristic of 2026 digital finance legislation is that it emphasizes principles and responsibility rather than detailed provisions. In the past, the question might have been "Did you comply with Article 00 of the Electronic Financial Supervisory Regulations?" Now the question is "How did you design a system to identify and control risks?"

The legal status of AI agents is unclear, the relaxation of network separation has increased uncontrollable areas, and accountability charts make it difficult to capture complex collaborative structures. In this legal vacuum and uncertainty, financial companies must design their own accountability systems. Specifically, they should clearly design log recording systems for AI decision-making and human intervention points, specify responsibility-sharing clauses and incident response processes in contracts with third-party cloud and SaaS providers, and align accountability charts with actual decision-making structures.

Notably, these changes are not tasks for compliance or IT departments alone. As digital transformation becomes a core strategy for financial firms, how the board and management design and operate risk management systems is emerging as an important management agenda. 2026 will be a turning point to verify whether these new accountability systems actually operate.

The Future Finance Strategy Center of Bae, Kim & Lee Law Firm (Center Director: Advisor Han Jun-seong) was launched in May 2024 and has formed a top-tier team of experts in finance and IT fields—including virtual assets, electronic finance, regulatory response, and information protection—in line with accelerating digital innovation in the financial sector and the advancement of financial technology.