AI Regulation Tracker / Draft guidance
South Korea's FSC drafts one AI code requiring a named human to sign off on financial AI decisions
Korea's financial regulator has consolidated its AI guidance into a single best-practice code that treats AI as an assistant only, requiring a named human to hold final authority and legal responsibility for every AI-driven loan, underwriting or credit-scoring decision. It is draft guidance, not statute, but it raises the supervisory expectation for any firm running AI through a Korean book.
South Korea's Financial Services Commission has stopped treating financial AI as a technology question and started treating it as an accountability question. In a draft published on December 22, 2025, the FSC, working with the Financial Supervisory Service and the industry Financial AI Council, folded three separate AI rulebooks, the 2021 and 2022 AI guidelines and the AI risk-management framework, into a single Integrated AI Guidelines for the Financial Sector. The instrument is a best-practice code, known in Korean as a 모범규준, rather than a numbered statute. There is no article to cite and no automatic penalty. What it does instead is set a supervisory expectation that a specific, named human, not the model, remains the legal owner of every AI-assisted financial decision.
A named human stays on the hook
The organizing idea sits in the code's seven principles: Governance, Legality, Subsidiarity, Reliability, Good Faith, Financial Stability and Security. Subsidiarity is the one that changes daily practice. It frames AI as an assistant tool only. A bank, insurer, card issuer or credit-scoring firm may use AI to inform a loan, an underwriting call or a credit score, but a named human must retain final decision authority and, with it, legal responsibility. The model can recommend. It cannot decide on its own account. That reallocation of responsibility, back onto an identifiable person, is the part US practitioners should not skim past.
Classify first, then govern
Before any of that, the code asks firms to sort each AI service into high, medium or low risk. The FSC recommends a quantitative scoring model that grades a service across four of its principles to produce that tier, according to analysis by Kim & Chang. A high-risk service, such as credit scoring, then carries the heavier obligations: lifecycle risk assessments, an internal AI-governance body, bias and fairness checks, and explainability, described in the code as explainability within technical limits rather than a demand for full transparency the technology cannot yet deliver. Credit-rating and scoring gets specific attention, with sample bias and performance indicators a firm is expected to monitor.
Notice, labeling and incident reporting
The consumer-facing duties are where the code reaches further than Korea's own horizontal law. Firms must give customers advance notice that AI is in use, label AI outputs, and report incidents. On the notice point, the guideline is stricter than the AI Basic Act: the advance-notice duty applies to all AI services in the financial sector, not only to services classified as high-impact under the statute. A firm that reserves disclosure for its most consequential models would meet the Basic Act and still fall short of the FSC's expectation.
What it does not do
Because this is guidance and not law, it does not create a new statutory fine, and it does not, on its own, override existing financial statutes. It also does not resolve its own timing cleanly. The December 22, 2025 document is a draft, and while a mid-2026 finalization and effective date has been reported, that date is not confirmed from a primary source. Treat the obligation as a supervisory standard forming now, not a hard deadline you can circle.
For a US reader, the cross-border angle is direct. A US bank or insurer running AI credit or underwriting through a Korean subsidiary or a Korean-customer book cannot lean on an SR 11-7 model-risk posture alone. Korea layers named-human accountability, advance consumer notice and AI-output labeling on top, duties that run broader than US adverse-action and ECOA obligations and sit closer to the direction of the EU AI Act. If your model-risk framework assumes the model is the unit of accountability, Korea is asking who the person is.
Frequently Asked Questions
What changed in South Korea's financial-AI rules?
The FSC, with the FSS and the Financial AI Council, consolidated its 2021 and 2022 AI guidelines and its AI risk-management framework into one Integrated AI Guidelines for the Financial Sector. It is a best-practice code, not a statute, and it requires a named human to hold final authority and legal responsibility for AI-assisted financial decisions.
Who does this affect?
Banks, insurers, card issuers, and credit-scoring or credit-rating firms operating in Korea, including the Korean subsidiaries and Korean-customer books of foreign financial firms using AI in lending, underwriting or scoring.
Is this binding law with fines?
No. It is regulatory guidance, a best-practice code (모범규준), not a numbered statute, so there is no article to cite and no automatic penalty. It sets a supervisory expectation that firms are expected to meet.
When does it take effect?
The draft was published December 22, 2025, with a comment window reported to about January 31, 2026. A finalization and effective date around mid-2026 has been reported but is not confirmed from a primary source, so no single hard date should be assumed.
Sponsored Training
Browse the full AI Regulation News tracker
Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.