April 2, 2012
Ms. Suzanne Hayes
Assistant Director
Division of Corporation Finance
Securities and Exchange Commission
100 F Street N.E.
Washington, D.C. 20549
|Re:
|Shinhan Financial Group Co., Ltd.
Form 20-F for Fiscal Year Ended December 31, 2010
Filed June 28, 2011 and Amended on July 15, 2011
File No. 001-31798
Dear Ms. Hayes:
We are writing in response to your letter, dated March 19, 2012, containing the additional comment of the Staff of the Securities and Exchange Commission (the “Commission”) on the annual report on Form 20-F filed with the Commission on June 28, 2011 and amended on July 15, 2011.
Our response to the Staff’s comment is set forth in this letter and follows the text of the paragraph of the comment letter to which it relates.
***********
Form 20-F for Fiscal Year Ended December 31, 2010
Item 3.D. Risk Factors, page 10
Risks Relating to Our Credit Card Business, page 19
|1.
|We note from recent news articles that the Financial Supervisory Service is investigating the cyber security practices of major credit card companies and that there have been reported customer complaints relating to voice “phishing” scams in the credit card market. Please tell us what consideration you are giving to including expanded risk factor disclosure consistent with the guidance provided by the Division of Corporation Finance’s Disclosure Guidance Topic No. 2 at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm in future filings, including your Form 20-F for the fiscal year ended December 31, 2011.
Response:
In response to the Staff’s comment, we undertake to add a disclosure in our future filings substantially as follows:
“Our customers may become victims to “voice phishing”, other financial scams or cyber security breaches, for which we may be required to make monetary compensation and suffer damage to our business and reputation.
|Securities and Exchange Commission
|April 2, 2012
In recent years, financial scams known as voice phishing have been on the rise in Korea. While voice phishing takes many forms and has evolved over time in terms of sophistication, it typically involves the scammer making a phone call to a victim under false pretenses (for example, the scammer pretending to be a member of law enforcement, an employee of a financial institution or even an abductor of the victim’s child) and luring the victim to transfer money to an untraceable account controlled by the scammer. More recently, voice phishing has increasingly taken the form of the scammer “hacking” or otherwise wrongfully obtaining personal financial information of the victim (such as credit card numbers or Internet banking login information) over the telephone or other means and illegally using such information to obtain credit card loans or cash advances through automated telephone banking or Internet banking. Reportedly, a substantial number of such scammers belong to international criminal syndicates with bases overseas, such as China, with operatives in Korea.
In response to the growing incidents of voice phishing, regulatory authorities have undertaken a number of steps to protect consumers against voice phishing and other financial scams. However, there is no assurance that the regulatory activities will have the desired effect of substantially eradicating or even containing the incidents of voice phishing or other financial scams. In addition, in November and December 2011, the Financial Supervisory Service conducted an investigation of major credit card companies, including Shinhan Card, in relation to card loan-related voice phishing, with a focus on whether these companies are in compliance with the related FSS regulations and the scope of damage suffered by their customers as a result of voice phishing. No official results of such investigation have been made available to us or Shinhan Card.
Pursuant to guidelines set forth by the Credit Finance Association of Korea, credit card companies in Korea, including Shinhan Card, adopted a standard compensation scheme for victims of voice phishing, under which the credit card companies would compensate up to 50% of the damage suffered by such victims, depending on the nature of the victims (for example, more compensation if the victim is handicapped or at the lowest income bracket) and the level of precautionary steps undertaken by the relevant credit card company before approving the credit card loans or cash advances in connection with voice phishing; provided that if the applicant personally made the application, for example, through an ATM terminal or an outcall procedure was undertaken to confirm the personal identity of the applicant, no compensation would be made. The compensation scheme applies to claims of voice phishing received for the period from January 1, 2011 to January 31, 2012. Although the financial institutions are often not legally at fault for the damage suffered by victims of voice phishing, the compensation scheme was adopted largely in consideration of social responsibility among financial institutions and that the financial institutions were not required to, and therefore in many instances did not, confirm the personal identity of the card loan or cash advance applicants prior to the adoption of such scheme. On December 8, 2011, Shinhan Card began implementing a mandatory outcall procedure to verify the personal identity of applicants for card loans and cash advances if not requested in person. Accordingly, we believe that Shinhan Card’s liability for voice phishing claims filed after such date will be substantially limited.
2
|Securities and Exchange Commission
|April 2, 2012
In 2011, Shinhan Card received 1,209 customer claims in relation to voice phishing in the aggregate amount of Won 8 billion. In 2011, Shinhan Card reserved as other provisioning Won 3.1 billion to cover potential liability in relation to non-frivolous claims of voice phishing in the amount of Won 7.7 billion. The average payout to-date has been approximately Won 3 million per claim. No voice phishing related complaints have been filed against any of our other subsidiaries.
Other than voice phishing, the cyber security risks relating to our businesses primarily involve the potential security breaches of our customers’ personal and financial information and illegal use thereof through system-wide “hacking” or other means. We are fully committed to maintaining the highest standards of cyber security and consumer protection measures and upgrading them continually. We believe that our ISO 27001-certified security management system is among the best-in-class in the industry. Our security management system continuously monitors for signs of potential cyber attacks, and is designed to provide early warning alerts to enable prompt actions on our part. We also actively provide employee training on cyber security and have adopted advanced security infrastructure for online financial services such as mandatory website certification and keyboard security functions. In addition, in compliance with applicable regulations we have recently obtained insurance to cover cyber security breaches up to Won 2 billion in relation to our banking business, Won 3 billion for our securities investment business and Won 1 billion for our credit card business.
We do not believe that the currently outstanding claims in relation to voice phishing will have a material adverse impact on our business, financial condition or results of operations. Additionally, other than voice phishing incidents as discussed above, we have not experienced any material breaches of cyber security in the past. Furthermore, we are actively taking steps to implement preventive and other steps recommended or required by the regulatory authorities in relation to actual and potential financial scams. However, other major financial institutions in Korea have fallen victim to cyber security attacks in the past, and given the unpredictable and continually evolving nature of cyber security threats due to advances in technology or other reasons, we cannot assure you that, notwithstanding our best efforts at maintaining the best-in-class cyber security systems, we will not be vulnerable to major cyber security attacks in the future, which may have a material adverse effect on our business, financial condition and results of operations. In addition, we may be required to incur substantial costs in terms of compensation to victims of cyber security attacks and compliance costs with the present and future regulatory restrictions as well as suffer reputational costs in the case of a widespread cyber security breach.”
3
|Securities and Exchange Commission
|April 2, 2012
***********
In connection with the above comment, we acknowledge that:
|•
|
we are responsible for the adequacy and accuracy of the disclosure in the filing;
|•
|
staff comments or changes to disclosure in response to staff comments do not foreclose the Commission from taking any action with respect to the filing; and
|•
|
we may not assert staff comments as a defense in any proceeding initiated by the Commission or any person under the federal securities laws of the United States.
Please do not hesitate to contact myself at 822-6360-3074 or our external counsel, Jin Hyuk Park of Simpson Thacher & Bartlett (35th floor, ICBC Tower, 3 Garden Road, Central, Hong Kong, telephone number 852-2514-7665 and fax number 852-2869-7694), if we can be of any assistance to the Staff.
Kindly acknowledge receipt of this letter by stamping the enclosed copy of this letter and returning it to our messenger.
Thank you in advance for your cooperation in connection with this matter.
|Very truly yours,
|
/s/ Jung Kee Min
|Name: Jung Kee Min
|Title: Chief Financial Officer
4