Our bi-weekly Opinion provides you with latest updates and analysis on major capital market and financial investment industry issues.
Privacy and Consumer Welfare
Publication date Dec. 03, 2024
Summary
Since the introduction of MyData services in 2022, financial consumers have gained access to new financial products, such as loan comparison and refinancing options and insurance product comparison and recommendation services. As these services have driven increased data collection and utilization by companies, various measures have been adopted to protect private information. However, little attention has been paid to the potential risk of price discrimination arising from using private information.
Price discrimination redirects social welfare, generated through the utilization of private information, toward corporate profits. Addressing this issue requires fostering competition among companies. However, data protection requirements imposed on companies may act as entry barriers for entrants, thereby exacerbating price discrimination.
In the financial sector, MyData operates based on a licensing system that grants licenses only to companies that meet requirements regarding capital, infrastructure, and personnel. To promote innovation for financial services and enhance consumer benefits, it is crucial to develop low-cost data protection technologies. Moreover, a flexible licensing system should be adopted to encourage the participation of innovative companies in the market.
Price discrimination redirects social welfare, generated through the utilization of private information, toward corporate profits. Addressing this issue requires fostering competition among companies. However, data protection requirements imposed on companies may act as entry barriers for entrants, thereby exacerbating price discrimination.
In the financial sector, MyData operates based on a licensing system that grants licenses only to companies that meet requirements regarding capital, infrastructure, and personnel. To promote innovation for financial services and enhance consumer benefits, it is crucial to develop low-cost data protection technologies. Moreover, a flexible licensing system should be adopted to encourage the participation of innovative companies in the market.
With the proliferation of AI services, the power of technology and information has become more tangible than ever. In the financial sector, MyData services—introduced based on the principle of consumers’ right to request the transfer of private information—are now in their third year of implementation. MyData offers loan comparison and refinancing options, insurance product comparison and recommendations, and services that consolidate fragmented financial data to enhance asset management. As of the end of February 2024, the number of subscribers to these services reached 1.1787 million.1) This year also marks a relaxation of the network separation regulation, which previously restricted internet access for vital operations. This shift is expected to pave the way for more innovative financial services.
However, the storage and utilization of private information to deliver customized services present significant challenges. A primary concern is the risk of information leakage, which could lead to direct consumer harm such as identity theft. Another notable concern involves price discrimination. It refers to the practice of charging different prices based on consumer characteristics or purchasing power, such as applying different prices to students and adults, pricing hardcover books higher than paperback versions, and offering early-bird discounts or promotional coupons for movie tickets. In the past, first-degree price discrimination—customized pricing for individual customers—was deemed a theoretical concept, as it was nearly impossible to comprehensibly identify consumer characteristics. However, the utilization of private information has enabled companies to personalize their services and implement individualized pricing strategies.
Various regulations have already been introduced to prevent information leakage. For instance, network separation regulations for financial institutions and licensing requirements for MyData service providers require entities handling private information to implement physical and systematic safeguards to prevent data breaches. Furthermore, businesses handling private information are obligated to maintain financial capacity to compensate for damages resulting from data breaches. However, there are few regulations in place to address price discrimination. In Korea, the Monopoly Regulation and Fair Trade Act prohibits price discrimination, only when it restricts market competition. Charging different prices to consumers in pursuit of profits is not considered problematic. In China, the Anti-Monopoly Guidelines for the Platform Economy, introduced in 2021, explicitly prohibit price discrimination by online platform operators. Nevertheless, it is inherently difficult to directly regulate profit-driven pricing practices in a market economy. It becomes even more challenging to hold companies accountable for price discrimination if they offer personalized services that do not involve perfectly identical products.
A fundamental approach to addressing reduced consumer welfare caused by price discrimination is to foster market competition. Entry of new competitors offering identical products can create price competition, driving down market prices. However, various regulations on privacy protection and liability for damages may act as barriers to market entry, potentially limiting competition and leading to entrenched price discrimination. In the following example, the effects of competition on personalized services will be explored to provide valuable implications.
Competition for personalized services
Consider a service that provides value v to consumers. If there are two or more companies offering this service and engaging in price competition, the market price will go down, converging to the companies’ marginal cost. For simplicity, if the marginal cost of the two companies is assumed to be zero, consumer welfare is depicted in the first graph of Figure 1.
Now, let us introduce a scenario where advanced information technology enables companies to provide personalized services. In this context, consumers perceive different values for these services, which can be represented by the upward sloping solid line in the graphs below. As the value consumers derive from a service reflects their willingness to pay, utility can be defined as the difference between this value and the price paid.
Companies need private information to provide customized services. Consider two companies: Company 1, which has security safeguards to prevent data breaches or sufficient resources to compensate fully in the event of a breach, and Company 2, which lacks reliable security measures or sufficient financial resources for compensation, exposing consumers to potential harm. Assume that consumer utility becomes zero if a data breach occurs. If a government agency only permits Company 1 to tap into consumer information, Company 1 can provide personalized services, while Company 2 still only offers standard services. In this scenario, consumers can choose between personalized services from Company 1 or standardized services from Company 2. In market equilibrium, consumers can purchase personalized services from Company 1 by paying only the additional value they derive from the services. Under price competition, Company 2 would offer its standardized services for free, forcing Company 1 to charge consumers the price equal to the additional value. Graph 2 of Figure 1 illustrates consumer welfare in this scenario, where consumer welfare does not diminish compared to Graph 1, but the additional value generated by personalized services is captured entirely as Company 1’s profit.
What happens if Company 2 is also able to provide personalized services? If these services of Company 2 are priced lower enough to compensate for the risk associated with data breaches, consumers may be incentivized to purchase from it.2) Graph 3 illustrates the distribution of corporate profits and consumer welfare in this scenario. Compared to Graph 2, overall social welfare remains unchanged, but the allocation between consumer welfare and corporate profits has shifted. Whether consumer welfare increases or decreases depends on the competitiveness of Company 2. The greater the new competitor’s capability to manage private information and the lower the consumer harm caused by data breaches, the greater the potential increase in consumer welfare. On top of that, the larger the proportion of utility derived from personalized services relative to the common value (v), the greater the welfare gains from the new competitor’s market entry. This underscores the need for establishing flexible entry barriers that account for the characteristics of services, rather than uniformly imposing high entry barriers.
Current MyData Framework and Implications
In the financial sector, a company seeking to provide MyData services must obtain a license from the Financial Services Commission (FSC). This requires meeting specific criteria not only for business plan feasibility but also for capital, infrastructure, and personnel. Companies must have a minimum capital of KRW 500 million and maintain appropriate system configurations and security measures. Personnel requirements include the eligibility of major shareholders, evaluated based on investment capacity, financial stability, and social credibility; the qualifications of executives as specified by the Act on Corporate Governance of Financial Companies; and sufficient expertise to manage personal data used for MyData.3) When MyData launched in 2022, 33 companies were officially licensed as MyData service providers, and as of the end of February 2024, this number has increased to 69. This is relatively modest compared to the 116 companies that expressed interest in the 2020 demand survey. Participation varies by business type, with only three insurance companies and two savings banks obtaining licenses. Also notable is significant market concentration, with the top three fintech and IT companies accounting for 84.2% of the market.4) Notably, as MyData service providers can only access private information with consumer consent, the number of customers directly determines the volume of data they can secure. As a result, the current market structure, characterized by high concentration, will inevitably widen the competitive gap between established players and new entrants.
Following the successful launch of financial MyData services, the scope of MyData offerings will expand to include the healthcare and telecommunications sectors. The newly announced requirements for MyData service providers emphasize security-related physical requirements as mandatory, while criteria for minimum capital or personnel are not applicable.5) Instead, service providers must secure insurance or mutual aid coverage of at least KRW 1 billion to compensate for potential damages. This requirement may be substituted by the assessment of service providers’ revenues, suggesting lower entry barriers compared to licensing requirements in the financial sector. The evaluation criteria for financial MyData service providers have been designed to reflect the features inherent in the financial services industry, where data breaches can cause more significant damages. This highlights the non-negotiable nature of security requirements, but it is worth considering a flexible approach for personnel requirements as long as a company demonstrates sufficient capacity to guarantee compensation for damages. Given that MyData service providers seeking to engage in concurrent or incidental business operations6) must fulfill separate requirements and reporting obligations, the relaxed licensing criteria focusing on business plans are less likely to create significant regulatory gaps.
The loan refinancing service, introduced last year, operates on the MyData framework, making eligibility as a MyData service provider a prerequisite for operating loan financing platforms. This suggests that many forthcoming services are likely to define the MyData service provider status as a critical requirement. The FSC’s MyData 2.0 initiative outlines measures to enhance consumer convenience, such as expanding the utilization of public data and simplifying asset inquiries across financial institutions. However, this initiative lacks measures aimed at encouraging new competitors to enter the market. For the development of information-driven innovative services and the continuous improvement in consumer welfare, it is necessary to devise cost-effective methods for protecting private information and strategies to facilitate the participation of new market players.
1) This figure includes overlapping counts of consumers using multiple services (Financial Services Commission (FSC), September 30, 2024, The establishment of a regulatory framework for “MyData 2.0”), press release.
2) In equilibrium, the price of Company 2 is set as zero, and thus, Company 1 must provide the utility equivalent to the service offered by Company 2 to attract consumers.
3) Financial Supervisory Service (FSS), August 2020, MyData licensing manual.
4) FSS, April 13, 2023, Analysis of the 2022 sales performance of the financial data industry.
5) Personal Information Protection Commission, September 30, 2024, Administrative notice on the draft of “Guidelines for Transmitting Personal Information and Designating Professional Information Management Agencies.
6) Concurrent business operations include investment advisory services using robo-advisors under the Financial Investment Services and Capital Markets Act and online investment-linked financial services. Incidental business operations include data analysis and consulting services for credit data subjects and the provision of accounts for managing and using personal credit data.
However, the storage and utilization of private information to deliver customized services present significant challenges. A primary concern is the risk of information leakage, which could lead to direct consumer harm such as identity theft. Another notable concern involves price discrimination. It refers to the practice of charging different prices based on consumer characteristics or purchasing power, such as applying different prices to students and adults, pricing hardcover books higher than paperback versions, and offering early-bird discounts or promotional coupons for movie tickets. In the past, first-degree price discrimination—customized pricing for individual customers—was deemed a theoretical concept, as it was nearly impossible to comprehensibly identify consumer characteristics. However, the utilization of private information has enabled companies to personalize their services and implement individualized pricing strategies.
Various regulations have already been introduced to prevent information leakage. For instance, network separation regulations for financial institutions and licensing requirements for MyData service providers require entities handling private information to implement physical and systematic safeguards to prevent data breaches. Furthermore, businesses handling private information are obligated to maintain financial capacity to compensate for damages resulting from data breaches. However, there are few regulations in place to address price discrimination. In Korea, the Monopoly Regulation and Fair Trade Act prohibits price discrimination, only when it restricts market competition. Charging different prices to consumers in pursuit of profits is not considered problematic. In China, the Anti-Monopoly Guidelines for the Platform Economy, introduced in 2021, explicitly prohibit price discrimination by online platform operators. Nevertheless, it is inherently difficult to directly regulate profit-driven pricing practices in a market economy. It becomes even more challenging to hold companies accountable for price discrimination if they offer personalized services that do not involve perfectly identical products.
A fundamental approach to addressing reduced consumer welfare caused by price discrimination is to foster market competition. Entry of new competitors offering identical products can create price competition, driving down market prices. However, various regulations on privacy protection and liability for damages may act as barriers to market entry, potentially limiting competition and leading to entrenched price discrimination. In the following example, the effects of competition on personalized services will be explored to provide valuable implications.
Competition for personalized services
Consider a service that provides value v to consumers. If there are two or more companies offering this service and engaging in price competition, the market price will go down, converging to the companies’ marginal cost. For simplicity, if the marginal cost of the two companies is assumed to be zero, consumer welfare is depicted in the first graph of Figure 1.
Now, let us introduce a scenario where advanced information technology enables companies to provide personalized services. In this context, consumers perceive different values for these services, which can be represented by the upward sloping solid line in the graphs below. As the value consumers derive from a service reflects their willingness to pay, utility can be defined as the difference between this value and the price paid.
Companies need private information to provide customized services. Consider two companies: Company 1, which has security safeguards to prevent data breaches or sufficient resources to compensate fully in the event of a breach, and Company 2, which lacks reliable security measures or sufficient financial resources for compensation, exposing consumers to potential harm. Assume that consumer utility becomes zero if a data breach occurs. If a government agency only permits Company 1 to tap into consumer information, Company 1 can provide personalized services, while Company 2 still only offers standard services. In this scenario, consumers can choose between personalized services from Company 1 or standardized services from Company 2. In market equilibrium, consumers can purchase personalized services from Company 1 by paying only the additional value they derive from the services. Under price competition, Company 2 would offer its standardized services for free, forcing Company 1 to charge consumers the price equal to the additional value. Graph 2 of Figure 1 illustrates consumer welfare in this scenario, where consumer welfare does not diminish compared to Graph 1, but the additional value generated by personalized services is captured entirely as Company 1’s profit.
What happens if Company 2 is also able to provide personalized services? If these services of Company 2 are priced lower enough to compensate for the risk associated with data breaches, consumers may be incentivized to purchase from it.2) Graph 3 illustrates the distribution of corporate profits and consumer welfare in this scenario. Compared to Graph 2, overall social welfare remains unchanged, but the allocation between consumer welfare and corporate profits has shifted. Whether consumer welfare increases or decreases depends on the competitiveness of Company 2. The greater the new competitor’s capability to manage private information and the lower the consumer harm caused by data breaches, the greater the potential increase in consumer welfare. On top of that, the larger the proportion of utility derived from personalized services relative to the common value (v), the greater the welfare gains from the new competitor’s market entry. This underscores the need for establishing flexible entry barriers that account for the characteristics of services, rather than uniformly imposing high entry barriers.
In the financial sector, a company seeking to provide MyData services must obtain a license from the Financial Services Commission (FSC). This requires meeting specific criteria not only for business plan feasibility but also for capital, infrastructure, and personnel. Companies must have a minimum capital of KRW 500 million and maintain appropriate system configurations and security measures. Personnel requirements include the eligibility of major shareholders, evaluated based on investment capacity, financial stability, and social credibility; the qualifications of executives as specified by the Act on Corporate Governance of Financial Companies; and sufficient expertise to manage personal data used for MyData.3) When MyData launched in 2022, 33 companies were officially licensed as MyData service providers, and as of the end of February 2024, this number has increased to 69. This is relatively modest compared to the 116 companies that expressed interest in the 2020 demand survey. Participation varies by business type, with only three insurance companies and two savings banks obtaining licenses. Also notable is significant market concentration, with the top three fintech and IT companies accounting for 84.2% of the market.4) Notably, as MyData service providers can only access private information with consumer consent, the number of customers directly determines the volume of data they can secure. As a result, the current market structure, characterized by high concentration, will inevitably widen the competitive gap between established players and new entrants.
Following the successful launch of financial MyData services, the scope of MyData offerings will expand to include the healthcare and telecommunications sectors. The newly announced requirements for MyData service providers emphasize security-related physical requirements as mandatory, while criteria for minimum capital or personnel are not applicable.5) Instead, service providers must secure insurance or mutual aid coverage of at least KRW 1 billion to compensate for potential damages. This requirement may be substituted by the assessment of service providers’ revenues, suggesting lower entry barriers compared to licensing requirements in the financial sector. The evaluation criteria for financial MyData service providers have been designed to reflect the features inherent in the financial services industry, where data breaches can cause more significant damages. This highlights the non-negotiable nature of security requirements, but it is worth considering a flexible approach for personnel requirements as long as a company demonstrates sufficient capacity to guarantee compensation for damages. Given that MyData service providers seeking to engage in concurrent or incidental business operations6) must fulfill separate requirements and reporting obligations, the relaxed licensing criteria focusing on business plans are less likely to create significant regulatory gaps.
The loan refinancing service, introduced last year, operates on the MyData framework, making eligibility as a MyData service provider a prerequisite for operating loan financing platforms. This suggests that many forthcoming services are likely to define the MyData service provider status as a critical requirement. The FSC’s MyData 2.0 initiative outlines measures to enhance consumer convenience, such as expanding the utilization of public data and simplifying asset inquiries across financial institutions. However, this initiative lacks measures aimed at encouraging new competitors to enter the market. For the development of information-driven innovative services and the continuous improvement in consumer welfare, it is necessary to devise cost-effective methods for protecting private information and strategies to facilitate the participation of new market players.
1) This figure includes overlapping counts of consumers using multiple services (Financial Services Commission (FSC), September 30, 2024, The establishment of a regulatory framework for “MyData 2.0”), press release.
2) In equilibrium, the price of Company 2 is set as zero, and thus, Company 1 must provide the utility equivalent to the service offered by Company 2 to attract consumers.
3) Financial Supervisory Service (FSS), August 2020, MyData licensing manual.
4) FSS, April 13, 2023, Analysis of the 2022 sales performance of the financial data industry.
5) Personal Information Protection Commission, September 30, 2024, Administrative notice on the draft of “Guidelines for Transmitting Personal Information and Designating Professional Information Management Agencies.
6) Concurrent business operations include investment advisory services using robo-advisors under the Financial Investment Services and Capital Markets Act and online investment-linked financial services. Incidental business operations include data analysis and consulting services for credit data subjects and the provision of accounts for managing and using personal credit data.