The Personal Information Protection Commission announced on the 10th that it reviewed and approved the results of the preliminary appropriateness assessment regarding LG Uplus and KT's 'financial institution-linked voice phishing detection service' during its 15th plenary session held the previous day.
The preliminary appropriateness assessment system is a system where, if there is uncertainty about compliance with the Personal Information Protection Act while a business plans a new service, it collaborates with the Personal Information Protection Commission to establish legal application plans suitable for the personal information processing environment. If a business passes the preliminary appropriateness assessment, it is exempt from legal actions such as administrative sanctions regarding the assessed parts.
Looking at the structure of this service, each telecommunications company develops a model using artificial intelligence (AI) that learns the call and text patterns of voice phishing phone numbers shared from law enforcement agencies. Through this, phone numbers similar in call patterns to voice phishing phone numbers are classified to build a 'voice phishing suspicious number databases (DB).'
When a situation suspected of voice phishing occurs, the financial institution checks with the telecommunications company whether the customer has contacted a recent suspicious voice phishing number and takes measures such as blocking the transaction if it is determined to be voice phishing. The inquiries and responses between telecommunications companies and financial institutions are conducted through intermediaries that have already established a system linkage with the financial institution.
After the preliminary appropriateness assessment, the Personal Information Protection Commission required telecommunications companies and financial institutions to clearly notify users through the privacy policy that this service is only operated for the purpose of preventing voice phishing. It also mandated that the telecommunications company signs a personal information processing consignment contract with the intermediary and supervises whether the voice phishing suspicious number databases (DB) are safely processed solely for voice phishing detection tasks. Additionally, it demanded that financial institutions sign contracts with telecommunications companies or intermediaries stating that they are obliged to respond to the telecommunications company regarding their decision to block or allow financial transactions.
A Personal Information Protection Commission official noted, 'We will continue to prevent elements of personal information infringement proactively by establishing legal application plans suitable for the personal information processing environment through the preliminary appropriateness assessment system.'