<Terms & Conditions Agreement of Korea Financial Telecommunications & Clearing Institute’s Digital Authentication Service>

Chapter 1. General Provisions

Article 1. (Purpose)
The purpose of this Terms and Conditions Agreement is to prescribe the rights, obligations, and responsibilities of the Korea Financial Telecommunications and Clearings Institute (hereinafter referred to as “KFTC”), subscribers, applicants for subscription and users regarding the use of the digital authentication service (hereinafter referred to as “YesKey certificate service”) provided by KFTC as the digital signature certification service provider as per the Digital Signature Act and identification service agency pursuant to the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. (hereinafter referred to as “Information & Communications Network Act”) and Korea Communications Commission’s guidelines on designation and management of the identification service agency.

Article 2. (Definitions)
The terms used herein shall be defined as follows:
1.“Subscriber” refers to a person who obtains electronic signature certification about his or her electronic signature creation data from KFTC.
2.The applicant for subscription refers to the person who intends to receive the certificate from KFTC.
3.“User” refers to a person who uses electronic signature certification services provided by KFTC.
4.“Registration Agency” refers to an institution which verifies the identity of a subscriber and applicant for subscription and receives and registers applicants for certificate issuance, suspension, or revocation on behalf of KFTC.
5.“YesKey Digital Signature Certification Practice Statement (hereinafter referred to as “Statement”)” refers to the set of guidelines prepared by KFTC in accordance with rules set up by the Competent authority, covering overall matters related to the YesKey certificate service such as types of certificate authentication service, service methods and procedures, and service conditions and fees, etc.
6.“Accident Information” refers to the equipment information (IP and MAC addresses and the like) and personal information (name and resident registration number and the like) of which experienced electronic financial accidents or theft of certificate, etc.
7.“Device designation” refers to the method of registering the device information (e.g., the information of PC, smartphone, etc) with Registration Agency, verifying whether the device was registered by the applicant for subscription for the issuance of certificate.
8.“Additional certification” refers to verifying the identity of the applicant for subscription by using the method other than that for device designation such as mobile phone SMS certification, 2-channel certification, etc.
9.“2-channel certification” refers to verifying the identity of the applicant for subscription by using more than two(2) different communication methods.
10.“Certificate cloud service” refers to the service to save the certificate of Subscriber or other authorities in the cloud storage server of KFTC, and if necessary, provides the service to use the certificate saved on the cloud storage server or move to the facility of Subscriber to use the certificate.
11.“Financial authentication service” refers to the service that enables the subscribers to have their certificate and encrypted digital signature generation information issued and save it on KFTC’s cloud, which they can access on their cloud-registered devices (PC, mobile, etc.), as well as to manage their authentication history.
12.“The identification service agency” refers to an organization providing identity verification means without requiring the subscriber to present his/her resident registration number having been designated by the Korea Communications Commission as an identification service agency in accordance with the Article 23-3-1 of the Act on Information and Communications Network.
13.“The personally identifiable information (PII)” includes:
A. Subscriber’s name, gender, date of birth, and citizenship
B. Connecting Information (CI): encrypted identifiable information that can be used to determine whether the subscriber is identical to the person who has signed up on multiple websites in order for the user to connect membership deals or partner services
C. Duplication Information (DI): encrypted identifiable information that is used to confirm whether the subscriber has already joined (or has been using the service)
D. Other information related to real-time validity of certificate, etc.
14.“Identity verification service”refers to the service that verifies the subscriber’s identity with a certificate issued by KFTC when it is required to access the User’s offerings. When the subscriber uses the certificate as identity verification means, KFTC provides the User the subscriber’s personal data that the subscriber has consented to the use.

Article 3. (Effect and Amendment of the Agreement)
① These Provisions become effective as from the date of the notification on KFTC’s Financial Authentication Center website.
② When KFTC modifies this Agreement, the contents of modification shall be posted on the homepage at least 1 month prior to the date of implementation, and unless any Subscriber raises any objection prior to the date of implementation, the modification of the Agreement shall be considered as approved. Provided, however, in the event that the modified Agreement is not consented, the service use, such as, closure of the certificate, may be suspended.
③ In the event that the contents of modification under Clause 2 is adverse to Subscriber, KFTC shall individually notified to Subscribers at least 1 month prior to the date of implementation via e-mail and others as provided in advance. Provided, however, in the event that Subscriber expressly indicated its intent not to receive such e-mail, it shall not be the case.
④ In the event that the notice under Clause 3 is made, KFTC shall include the contents of followings; “in the event that Subscriber fails to consent to the modification, it may request to suspend the service use within 1 month from the date of receiving the notice, and in the event that the intend to suspend the service use is not indicated, it shall be considered as consented to the modification.”
⑤ In the event that Subscriber fails to indicate its intent to suspend the service use within 1 month from the date of receiving the notice under Clause 3, it shall be considered as consented to the modification.

Article 4. (Application of Law, etc)
① Other matters that are not stipulated in these provisions shall be governed by the CPS and related acts such as Digital Signature Act, Information and Communications Network Act and Personal Information Protection Act.
② KFTC shall disclose the CPS to Subscriber, Applicant for Subscription, and User for reference.

Chapter 2. Use of YesKey Certificate Service

Article 5. (Service Types)
The following are the types of YesKey certificate service:
1. Certificate issuance
2. Certificate reissuance
3. Certificate renewal
4. Updating subscriber information
5. Certificate revocation
6. Certificate suspension
7. Certificate reinstatement
8. Providing access to Certificate Suspension/Revocation Lists, as well as the entire certificate lists
9. Real-time Validation of certificates
10. Time-stamping electronic documents
11. Certificate Cloud Service
12. Identity verification service
13. Other services provided by KFTC in relation to the digital certificate practice

Article 5-2 (Type and purpose of Certificates)
KFTC may issue following certificates and types and purpose of them will be determined by the CPS.
1. Joint Certificate
2. Financial Certificate

Article 6. (Issuance and Management of Certificate)
① The applicant shall request a certificate upon in-person identification (identification includes those deemed to be in compliance with operational standards for electronic signature certification services in the Digital Signature Act) at KFTC or a Registration Agency. However, subscribers to electronic financial transaction whose identity has been verified by the Registration Agency may request issuance of a certificate upon confirming the following online:
1. Electronic financial transaction subscriber’s login information such as ID and password, or account number and account password
2. Electronic financial transaction subscriber’s identifiable number such as his/her resident registration number, etc.
3. One time password (including password of security card) provided by a financial institution to the subscriber or two or more sets of personal information only known to the subscriber
4. Other information, such as the subscriber’s credit card details, etc., apart from the afore-mentioned items. However, an overseas resident, corporation, organization, foreigner or braille security card user (except braille security card user who has consented to verification of the information) is excluded.
② The Registration Agency may strengthen the verification process for the applicant for subscription through the designation of device or additional certification process to increase safety.
③ In accordance with the foregoing, KFTC shall issue a certificate for valid application upon confirming application details of the subscriber with verified identity.
④ KFTC shall cancel issuance if the subscriber does not get his/her certificate in 7 days from application, including the application date.
⑤ KFTC and the Registration Agency shall restrict the issuance of certificate to the applicant for subscription under any of the following cases:
1.The application for certificate is submitted under the name of another person.
2.False information is entered in the application, or false documents are attached.
3.The certificate is not issued due to the operational or technical problems of Registration Agency
4.The application for certificate or issuance of certificate is made by using the accident information.
5.The designation of device or additional certification, etc., fails.
6. When it has been confirmed that the subscriber can no longer use the certificate due to reasons such as a death, etc.
7. When occurrence or expansion of damage is prevented as reasons corresponding to the abovementioned cases are recognized.
⑥ The provisions specified in Clause 1 shall apply to identification for re-issuance or restoration of the subscriber's certificate.
⑦ The subscriber’s certificate-based digital signature shall be used as an identification method when the subscriber renews or make changes to his/her certificate.
⑧ When the subscriber’s certificate becomes invalid or is revoked, identification shall be executed in accordance with ① above, or the subscriber’s certificate-based digital signature will be used. However, when online identification stated in ① is used, two or more items shall be verified.


Article 6-2 (Applicability of Certificate and Effect of Digital Signature)
① Certificate issued by KFTC can be used for the following purposes:
1. To verify identity of subscribers
2. To prevent tampering of electronic documents
3. To serve as proof of transactions, and
4. Others determined by KFTC
② Details of each purpose in ① will be subject to instructions on registration agency or user’s service page.
③ Electronic signature created by certificate issued from KFTC will carry effect stated in the Article 3 of the Digital Signature Act.

Article 7. (Use of certificate cloud service)
① Subscribers or identification agencies wishing to use certificate cloud service give consent to the use of certificate cloud service as per terms of use set by KFTC and complete application by entering their personal information, such as name, mobile number, etc.
② When an applicant signs up for certificate cloud service, KFTC may confirm his/her personal information such as mobile number via mobile service carriers.
③ If the subscriber or identification agency does not wish to use certification cloud service, they may cancel the subscription by removing their certificate stored in the storage server.

Article 8. (Use of financial authentication service)
① Subscribers wishing to use financial authentication service should sign up by agreeing to the terms of service and entering their personal information such as name, mobile number, date of birth, etc.
② When the applicant signs up for financial authentication service, KFTC may confirm his/her personal information such as mobile number via mobile service carriers.
③ If the subscriber no longer wishes to use the financial authentication service, he/she may do so by removing his/her cloud account.
④ With regard to the use of corporate financial certificate service, the financial certificate can be shared only to those who have obtained approval by lawfully from the person who issued the financial certificate.

Article 8-2 (Personal information protection of financial authentication service subscriber)
KFTC shall process and retain personal information according to the following cases:
1. When the subscriber requests for removal of his/her financial certificate;
A. The personal key is immediately destructed.
B. The certificate is separatedly stored immediately and destructed after 3 months.
C. When all financial certificates stored in the cloud are deleted, after 3 months from the last cloud access date, the account information of financial authentication service cloud (name, mobile number, date of birth) is separately stored and destructed in 3 months.
2. When all financial certificates stored in the cloud are expired or revoked;
A. The personal key is destructed in 3 months thereafter.
B. The certificate is separately stored in 3 months thereafter and destructed after another 3 months pass.
C. The account information of financial authentication service cloud (name, mobile number, date of birth) is separately stored in 3 months thereafter and destructed after another 3 months pass.
3. When the subscriber requests for withdrawal from financial authentication service.
A. The personal key is immediately destructed.
B. The certificate is separately stored immediately and destructed after 3 months.
C. The account information of financial authentication service cloud (name, mobile number, date of birth) is separately stored immediately and destructed after 3 months.

Article 9. (Use of identity verification service)
① Subscribers wishing to use the identity verification service should consent to collection and use of personal information on the identity verification service page, select personally identifiable information they agree to provide and complete the application by entering certificate password.
② When the subscriber signs up for the identity verification service, KFTC provides the personally identifiable information the subscriber has agreed to provide to the User.
③ KFTC notifies the subscriber details of identity verification service use via his/her email it collected.
④ The subscriber may unsubscribe identity verification service on KFTC’s Financial Authentication Center website. When the person who has previously unsubscribed signs up for the service in ①, KFTC shall not provide personally identifiable information.
⑤ The person who has unsubscribed may restart his/ her subscription on KFTC’s Financial Authentication Center website. KFTC will provide personally identifiable information of the person when he/she restarts the subscription to service in ①.

Article 10. (Generation and provision of CI and DI)
① Based on the resident registration number collected with consent from the subscriber, KFTC will provide CI and DI to the user, while CI and DI provides the value generated by an identification service agency, I-PIN.
② KFTC connects securely to an identification service agency, I-PIN. via communications network and whenever a subscriber attempts to use the identity verification service it will request CI and DI to I-PIN, which will respond to the request.
③ Accuracy of the subscriber’s CI and DI can be confirmed at the corresponding identification service agency, I-PIN, and KFTC shall bear no responsibility for the accuracy of the information.

Article 11. (Service Hours)
① In principle, KFTC shall provide the Yeskey certificate service 24 hours a day. However, KFTC may limit the service hours to maintain and improve security or to inspect servers, etc.
② In case that KFTC limits the service hours according to the provision of Clause (1) of Article 10, KFTC shall post the corresponding details on its Financial Authentication Center website in advance.

Chapter 3. Obligations of the parties

Article 12. (Obligations of KFTC)
① KFTC shall regularly update and disclose the list of terminated and revoked certificates, in a 24-hour cycle at the maximum, in accordance with the Statement to help the subscribers check validity of their certificate.
② In relation to certificate cloud service and financial authentication service, KFTC shall manage subscribers’ certificates stored in cloud in a secure manner.
③ In relation to the identity verification service, KFTC shall provide personally identifiable information to the Users with whom the subscriber has agreed to share his/her personal information.
④ KFTC will not be held liable for services provided by the User and information provided to it will be used, managed and discarded in accordance with the terms and conditions Agreement signed between the User and subscribers.

Article 13. (Obligations of subscribers, applicants and users)
① The subscriber and applicant are required to provide correct information to registration agencies and KFTC and when there is change to essential information, such as the resident registration number, they shall promptly notify the agencies and KFTC.
② If the subscriber finds that the content of the certificate issued by KFTC contains incorrect information, he/she shall correct it by themselves on KFTC website or notify KFTC of it by landline, etc.
③ The subscriber shall securely manage his/her digital-signature-creating key and certificate password.
④ The subscriber shall not use others’ certificate in an inappropriate manner.
⑤ Subscribers and applicants shall comply with the CPS and the provisions.

Article 14. (Personal information protection)
KFTC and the registration agencies shall not use the subscriber’s personal information for purposes other than YesKey certificate service, prevention of improper issuance of certificate and financial incidents nor provide it to third parties at their own discretion. They shall compensate for damages caused by personal information leak. However they shall not be held liable in any of the following situations:
1. When the data subject, (i.e. subscriber) has given consent to the use of his/her personal information for other purposes, and
2. When information can be used without the consent of the data subject in accordance with related act

Chapter 4. Limitations to the service

Article 15. (Reasons for certificate revocation)
In any of the following circumstances, KFTC and the registration agencies shall revoke the certificate:
1. When a subscriber has requested revocation of his/her certificate
2. In the event of the death or dissolution of a subscriber
3. When a person under limited guardianship has his/her certificate issued without consent from legal guardian although certificate issuance requires the consent under law
4. When the valid period for the certificate has expired
5. When the subscriber has obtained the certificate in an illegitimate way such as identity theft;
6. When the subscriber’s digital-signature-creating key has been lost, damaged, or stolen
7. When the restriction is necessary to maintain and improve security aspects of YesKey certificate service
8. When the subscriber’s essential information, such as unique identifiable information, does not match with the information registered with KFTC
9. When mobile phone number linked to the cloud account for a financial certificate is illegally used
10. When the subscriber has removed his/her personal financial certificate
11. When the subscriber has not complied with his/her obligations under Article 13 of this Terms and Conditions Agreement or CPS.

Article 16. (Restricted use of service)
In order to protect the subscriber’s personal information, KFTC may restrict use of YesKey certificate service by limiting login attempts, etc.

Chapter 5. Fees
Article 17. (Certificate Issuance Fees)
① Registration Authorities shall post the fees and payment method at the counters of branches or through service media and the subscribers shall pay fees at the counters of branches or through service media of registration agencies.
② KFTC shall post certificate types, valid period, and details of any change in fees on its Financial Authentication Center website.

Article 18. (Other service charges)
KFTC may charge users for services ranging from real-time validity of certificate, timing of electronic documents, identity verification, etc. and the amount to be charged will be subject to a separate agreement between KFTC and the users.

Article 19. (Refund of Certificate Issuance Fees)
① Subscriber may get a refund of certificate issuance fees under any of the following circumstances. In this case, the relevant certificates shall be revoked.
1. The application for issuance is canceled within 7 days after the application was submitted.
2. The issuance of certificate is canceled within 7 days after the issuance.
3. Although 7 days have elapsed since the application for the issuance or the issuance of certificate, the application for the issuance of certificate or the issuance of certificate can be canceled if there are faults attributable to KFTC or the Registration Agency.
② KFTC and Registration Agency may deduct the required expenses before returning the fees.

Chapter 6 Compensation for Damages, etc

Article 20. (Collection of Information and Use)
① To provide YesKey certificate service, KFTC and registration agencies collect and use minimum amount of personal information under subscriber’s consent.
② KFTC may share collected information with Registration Agency to prevent unfair/fraudulent issuance and usage of certificate.
③ KFTC may request registration agencies to submit following resources and the agencies shall provide them:
1. Records of certificate application (issuance/ suspension/ reinstatement/ revocation) and processing
2. Copy of documents and credentials the subscriber has submitted as proof of his/her identity

Article 21. (Announcement and Notification of Information)
① KFTC and the Registration Authorities may announce or notify the following items to subscribers through KFTC’s Financial Authentication Center website, email, or telephone(including the mobile phone):
1. Changes in the status of the digital signature service provider, and/or registration agency such as temporary closure, suspension or abolition of the certification service or the termination of the license of the digital signature service provider, etc.
2. Revocation of certificates without the consent of subscribers due to the loss or theft of KFTC's electronic signature creation data or other reasons that may affect the reliability or effectiveness of certificates
3. Information on the status of certificates such as Certificate Suspension/Revocation Lists, etc.
4. Guidance on certificate renewal due to expiration of the certificates
5. Information deemed necessary by KFTC to promote the utilization of certificates and subscriber's use of the YesKey certificate service including information on applicable use of certificate
6. Details related to the issuance and revocation of certificate
7. Changes to subscriber’s personal information
8. Details of identity verification service use
② KFTC and/or the Registration Authorities shall not be held liable for any damage sustained by subscribers in case they have not been notified of the details described in Clause (1) of Article 16 due to failure to enter any or incorrect email address and telephone(including the mobile phone) number.

Article 22. (Indemnification)
KFTC and a Registration Agency shall indemnify the subscriber or user against damages they have inflicted in relation to carrying out electronic signature certification service. However, they will be given an indemnity if they prove that they have not acted by intention or negligence as in the Article 20 of the Digital Signature Act.

Article 23. (Court of Jurisdiction)
The court of jurisdiction over any litigation arising in relation to this Agreement shall follow the matters set forth under the Civil Procedure Act.

Addendum (Dec. 21, 2018)

This Terms & Conditions Agreement shall enter into force on December 21, 2018.

Addendum (Dec. 10, 2020)

This Terms & Conditions Agreement shall enter into force on December 10, 2020.

Addendum (Nov. 1, 2021)

This Terms & Conditions Agreement shall enter into force on November 1, 2021.

Addendum (Dec. 10, 2021)

This Terms & Conditions Agreement shall enter into force on December 10, 2021.

Addendum (Sep. 30, 2022)

This Terms & Conditions Agreement shall enter into force on September 30, 2022.

Addendum (Aug. 2, 2023)

This Terms & Conditions Agreement shall enter into force on September 12, 2023.

Addendum (Oct. 30, 2023)

This Terms & Conditions Agreement shall enter into force on November 30, 2023.

Addendum (Dec. 19, 2024)

This Terms & Conditions Agreement shall enter into force on January 20, 2025.