Virtual Asset Oversight

Virtual Asset Oversight Key Policy Initiatives


Background


Since the emergence of the first digital coin—Bitcoin—in January 2009, there now exist some 9,500 different types of virtual assets available worldwide. Last year, the skyrocketing price of Bitcoin from around December 2020 led to the rapid growth in the number of users as well as surging volumes of trades in virtual assets. At the end of April 2021, the total number of virtual asset users at the four largest virtual asset trading platforms in Korea was estimated to have reached over 5.8 million cumulatively. The daily average trading volume at the four largest virtual asset service providers (VASPs) in April 2021 rose to about KRW22 trillion before falling to some KRW15 trillion by the end of May.

Since 2017, the government has been closely monitoring developments around the burgeoning virtual asset sector with aims to stabilize market overheating caused by excessive speculation, prevent unlawful activities and improve transparency in financial transactions linked to virtual assets. At the same time, the government has continued to promote blockchain technology to bring about innovation in diverse industry areas. As concerns grew in recent years about user protections against the soaring price volatility and the risk of virtual assets’ possible link to illicit activities, the government introduced the following measures to strengthen oversight and help improve transparency in virtual asset transactions.

Key Measures


I. AML GUIDELINES ON VIRTUAL ASSETS
The Korea Financial Intelligence Unit (KoFIU) came up with a set of guidelines in January 2018 after finding a number of loopholes in banks’ compliance with the anti-money laundering (AML) regulations. The guidelines—taking effect from January 30, 2018—require enhanced due diligence (EDD) from financial institutions (FIs) when dealing with a VASP, provide details about the specific types of suspicious transaction activities using virtual assets, mandate banks to reject opening a new account for a VASP when it fails to provide users’ identification information or when it is deemed to be carrying high risk of money laundering, and require FIs to strengthen internal controls and share information on VASPs with other FIs and relevant institutions. Beginning on January 30, 2018, the real-name bank account policy also went into force on users of virtual asset transaction services, requiring them to have a real-name bank account at the same bank with a VASP. In June 2018, the KoFIU introduced a revision to the guidelines to further strengthen monitoring and EDD of FIs by requiring them to enhance monitoring on VASPs’ non-trading accounts (as well as money-collecting accounts) and conduct EDD if they find any suspicious transaction activities. The revised guidelines also bolstered FIs’ monitoring requirement on overseas VASPs. These measures were introduced to prevent virtual assets from being exploited for illegal activities, such as money laundering and tax evasion.


II. SUPERVISION AND OVERSIGHT OF VASPS
The Act on Reporting and Using Specified Financial Transaction Information—or the Financial Transaction Reports Act (“the Act” hereinafter)—was enacted in November 2001 to serve as the backbone of Korea’s anti-money laundering and countering the financing of terrorism (AML/CFT) regime. To bolster AML controls by VASPs and FIs with regard to their handling of financial transactions linked to virtual assets, the government introduced a set of revisions to the Act, which became effective on March 25, 2021. The revised Act provides legal definitions on virtual assets and VASPs, prescribes specific duties and requirements for FIs and VASPs while placing Korea’s legal framework on virtual assets more closely in line with the international standards set forth by the Financial Action Task Force (FATF). Below is a list of key details of the revised Act and its subordinate statute and rules.
Virtual Asset Oversight Info
a) Scope of VASP: Virtual asset service providers include virtual asset trading service providers, virtual asset safekeeping and administration service providers and virtual asset digital wallet service providers engaged in the purchase and sale, exchange and transfer, safekeeping and administration, or intermediation and brokerage of virtual assets and virtual asset transactions.

b) Scope of virtual asset: A virtual asset is defined by the Act as a digital token with economic value that is digitally tradable and transferrable. The Act precludes the following items from the scope of virtual assets—digital tokens that cannot be exchanged into a fiat currency, commodities and services whose purpose of use is limited by the issuer, prepaid electronic payments or e-money, electronically registered stocks, electronic notes, electronic B/L, prepaid cards, mobile gift cards, electronic bonds and others specified by the Enforcement Decree.

c) Real-name verified account: The Act mandates the use of real-name verified bank accounts by VASPs for financial transactions with their customers. In addition, VASPs are required to keep customers’ deposits separate from their operating money, obtain a certificate of Information Security Management System (ISMS) from Korea Internet & Security Agency, show no records of fines or other penalties at least within five years, keep separate management of customers’ transaction records and have money laundering risk assessments conducted by an FI.

VASPs whose service activities entail no exchange between virtual asset and fiat currency will be exempted from the real-name account rule that requires them to maintain partnership with a bank for real-name verified accounts for business registration.

d) AML and reporting requirements: VASPs are required to report their transactions to the KoFIU, subject to basic AML requirements such as customer due diligence (CDD) and suspicious transaction reporting (STR) and bound to follow additional obligations as prescribed by the relevant rules.

e) Requirements for FIs: Financial institutions dealing with VASPs are required to conduct CDD on VASPs and check whether they report their business activities to the KoFIU and maintain customers’ deposit separately. A failure to report to the authority or being identified as a high-risk entity for money laundering may result in termination (or rejection) of transactions by FIs. FIs should file an STR to the KoFIU within three business days from the time their AML officer detects a suspicious financial transaction for money laundering.

f) Travel rule on VASPs: The FATF travel rule, which requires “all financial institutions to pass on certain information to the next financial institution in certain funds transmittals involving more than one financial institution,” will be applied on VASPs in their transactions of virtual asset transfers, starting from March 25, 2022. A virtual asset transfer of KRW1 million or more will be subject to the travel rule. The one-year postponement in the implementation of the travel rule was granted to give VASPs sufficient time to develop an electronic system for information sharing.

g) Penalties: Under the revised supervisory regulation announced on March 10, 2021, FIs and VASPs will be subject to penalties if they are found to be in violation of internal control duties (e.g. failure to report suspicious transaction activities), data maintenance duties (e.g. failure to keep relevant data on suspicious transactions) and duties specifically pertaining to VASPs (e.g. failure to keep separate management of customers’ transactions records).

h) Business registration: VASPs are required to register their business with the KoFIU prior to the commencement of their business operation. The existing virtual asset service operators were given a six month grace period (until September 24, 2021) to file registration with the KoFIU. Unregistered entities beyond this registration deadline will be subject to penalties of up to five years of imprisonment or KRW50 million. If a registered entity fails to maintain its ISMS certification, it may be subject to revocation of registration.

i) Conflict of interest rule: The conflict of interest rule was established to prevent harm to users and improve transparency in virtual asset transactions. The rule prohibits VASPs from trading virtual assets issued by their own platforms or by other specially related entities while restricting operators and staff members of VASPs from trading via their own platforms. VASPs should set up internal standards regarding the conflict of interest rule. A failure to implement the rule may be subject to suspension of business or a fine of up to KRW100 million.

VASPs Registered with KoFIU


As the six-month grace period for business registration expired on September 24, 2021, a total of 42 VASPs filed registration reports with the KoFIU out of some 66 existing entities previously in operation. The 42 registrants include 29 virtual asset trading platforms (or ‘crypto exchanges’) and 13 other virtual asset-related services (e.g. wallet or depository service providers). As of November 12, 2021, the KoFIU has approved the registrations submitted by three virtual asset trading platforms with the registration review process still ongoing for other registrants.


<Registration Status of VASPs as of September 24, 2021>

scroll

Type Requirement # of entities with ISMS certification # of entities that have filed registration
Virtual Asset Trading Platforms (crypto exchanges)
ISMS + real-name bank accounts
4
4
ISMS only
25
25
Others (wallet or depository service providers)
ISMS only
14
13
Total
43
42


For months before the September 24 deadline, the authorities held a series of information sessions with VASPs and offered on-site consulting to provide assistance with their registration. In the process, the KoFIU sent out a notice to 27 foreign VASPs in July, informing them about their obligation to register by the deadline as well as the possibility of facing penalties if they continue to offer virtual asset services targeted at Korean users without registering with the authority. The KoFIU also informed foreign VASPs about stern measures it plans to take against unregistered entities, such as blocking access to their platforms, pursuing charges through law enforcement agencies and seeking other tools in close cooperation with foreign FIUs.

At the same time, the authorities also stepped up efforts for months prior to the deadline to caution users about the possibility of business closure of unregistered entities in order to help prevent situations where users are unable to withdraw their deposit money due to an abrupt suspension in business operation. The FSC has worked to guide an orderly exit of unqualified VASPs to help minimize damages to users and reorganize the market with more transparency. As a result, by the time the registration deadline reached, the total amount of user deposits (in KRW) held by these unqualified entities dropped dramatically from more than KRW260 billion in April this year to about KRW4.18 billion by September 21. To make sure that users are able to withdraw their deposits without much difficulty, the authorities advised these entities to give at least 30 days for withdrawing funds. Those entities that had not been able to obtain a qualified status for business registration had also taken appropriate steps toward business closure, issuing advance notices to their customers about terminating their business operations. As a result, the impact of their business closure has been limited on the users and the market.

Other Measures


In order to help bolster the KoFIU’s oversight and supervisory function over the virtual asset sector, the virtual asset investigation division has been newly created at the KoFIU. This organizational change adding a new division and personnel specifically tasked with the management and supervision of VASPs and their AML duties will help improve transparency in virtual asset transactions and strengthen the KoFIU’s regulatory capacity for inspection and analysis. The government will continue to work on upgrading the regulatory framework on the virtual asset sector to enhance supervision and risk-management while providing consumer protections.


Last updated: Nov. 16, 2021