Korea fines Lotte Card for privacy violations; potential operational impacts loom

Korean credit rating agency Korea Ratings said in a briefing on December 12 that Lotte Card faces a material but uneven set of regulatory penalties for privacy violations. The Personal Information Protection Commission fined Lotte Card 9.62 billion won and 4.8 million won in administrative penalties, and ordered a broad review of its privacy protections, plus stronger accountability and independence for its Chief Privacy Officer. The actions center on violations of the Personal Information Protection Act related to the handling of resident registration numbers. Penalties under other laws, including the Credit Information Act and the Specialized Credit Finance Act, have not yet been announced.

Korea Ratings noted that the direct financial hit from the current penalties is limited relative to Lotte Card’s size, but the situation could become more burdensome if the regulator imposes suspensions or other restraints on business operations. The agency emphasized that a suspension could curtail the bank card issuer’s revenue-earning activities by shrinking its operating base, even if the immediate fine itself is not large.

The agency cited Lotte Card’s scale to frame potential impact. As of September 30, the company’s total capital stood at about 3.6 trillion won, and the cumulative rolling 12-month net income through the third quarter was about 141.3 billion won. Lotte Card’s market footprint also includes around 8.39 to 8.76 million active cardholders in 2025, with a notable drop between June and September.

Any further penalties tied to violations of the Credit Information Act would be capped by law. Korea Ratings said even if additional fines are imposed, the statutory ceiling for such penalties—up to 5 billion won—would limit the incremental impact on the issuer’s finances, making the immediate risk more about operational disruption than further solvency concerns.

Korea Ratings warned that beyond the fines themselves, costs linked to reissuing cards, covering fraud losses, and other customer-support obligations could weigh on profitability. The agency noted Lotte Card’s return on assets has already been weak, reporting around 0.6% ROA for 2024 and for the cumulative results through the third quarter of 2025, reflecting ongoing impairment and delinquency pressures in related portfolios.

The case matters beyond Korea because it highlights how stringent privacy regimes and enforcement can affect major consumer financial players in Asia, with potential implications for international banks, fintechs, and networks that operate or plan to operate in Korea. For U.S. readers, the episode underscores the growing regulatory costs of data protection, the risk of operational disruption from compliance actions, and the potential ripple effects on cross-border payments, digital banking, and consumer credit markets as regulators tighten oversight of data security and privacy. It also serves as a reminder to investors and multinational firms of how domestic regulatory actions in Korea can influence the profitability and market position of large financial service providers with Korean operations.