Seoul Court Upholds KRW 12.98 Billion FSS Fine, Rejecting "Outsourcing" Defense
A Seoul court has ruled that KakaoPay (377300.KS), South Korea's leading mobile payment service, failed in its legal challenge against the Financial Supervisory Service (FSS) over a KRW 12.98 billion (approximately USD 8.9 million) fine — the largest single financial-data enforcement action in Korea's history. The June 2026 verdict leaves KakaoPay facing a combined regulatory bill of KRW 18.9 billion (approximately USD 13 million) and an active criminal investigation.
The dispute centers on a data pipeline that operated from April 2018 to May 2024, through which KakaoPay routed 54.2 billion records of personal credit information — covering 40.45 million users — to Alipay, the Ant Group-affiliated platform that provided fraud screening for Apple App Store payments in South Korea. KakaoPay argued the arrangement was lawful outsourcing for fraud-prevention purposes. The court rejected the argument, ruling that Alipay's access to and use of the data exceeded what outsourcing rules permit under the Credit Information Act, making the transfers an illegal "provision" to a foreign third party.
Cumulative Penalties and Criminal Exposure
The ruling stacks two enforcement actions:
- Personal Information Protection Commission (PIPC): KRW 5.97 billion fine imposed January 2025 for violating the Personal Data Protection Act
- Financial Supervisory Service (FSS): KRW 12.98 billion fine issued February 2026 for breaching the Credit Information Act and Electronic Financial Transactions Act
- Police investigation: The Gyeonggi Nambu Provincial Police Agency opened a criminal probe in May 2026, booking KakaoPay as a corporation under the Credit Information Act — a pathway that could expose executives to personal liability
Combined, the civil penalties reach KRW 18.95 billion, roughly equal to 11% of KakaoPay's 2025 full-year operating loss of KRW 174 billion.
What "Outsourcing vs. Provision" Means for Korean Fintech
The legal crux — whether international data routing for platform services qualifies as outsourcing or provision — now sets a binding precedent. Under Korean law, outsourcing does not require individual user consent, while provision to a third party does. The court's decision means that any Korean fintech routing user financial data through a foreign service — even one performing a technical function like fraud detection — must obtain explicit consent from each affected customer.
Industry observers say the ruling will force payment operators, lending platforms and open-banking intermediaries to audit every overseas API integration. Companies using global fraud-scoring networks or cross-border credit-data sharing agreements face the highest retrofit costs.
Broader PIPC Enforcement Signals Sector-Wide Risk
South Korea's PIPC has indicated it will extend cross-border data enforcement beyond KakaoPay. Parallel probes targeting Alipay's own Korean entity, AliExpress, Meta and Chinese AI start-up DeepSeek suggest that international data flows across the fintech, e-commerce and AI sectors face systematic review into 2027.
KakaoPay (377300.KS) and parent Kakao Corp (035720.KS) both underperformed the KOSPI following each enforcement action since 2024. KakaoPay shares remain roughly 35% below their 2021 IPO price of KRW 90,000.
Sources: FSS enforcement notices (Feb 2026), PIPC sanction decision (Jan 2025), Seoul Administrative Court ruling (Jun 2026), Gyeonggi Nambu Police statement (May 2026), Asia Economy reporting (Jun 21, 2026).
