Skip Navigation

AML Requirements for Cryptocurrency Exchanges and Virtual Asset Service Providers Passed by the National Assembly


On March 5, 2020, the National Assembly passed a resolution on the Partial Amendment to the Act on Reporting and Using Specified Financial Transaction Information (the "Partial Amendment"). The major change in the Partial Amendment are anti-money laundering ("AML") requirements for cryptocurrency exchanges and other virtual asset service providers (each a "VASP").  The Partial Amendment had minor changes from the earlier proposed Partial Amendment (the "Proposed Amendment"), which passed the National Policy Committee of the National Assembly on November 25, 2019.  The final Partial Amendment modified the definition of a "virtual asset" and clarified the start date for the record retention period for virtual asset transaction records.  The Partial Amendment will be transferred to the Executive Branch, and the Executive Branch will promulgate the Partial Amendment within a month or so.  The effective date for the Partial Amendment is one year after the date it is officially adopted by the Executive Branch.  The details of the Partial Amendment are set forth below.

Reporting Requirements for VASPs

A VASP is broadly defined as a business professionally engaged in the (i) sale and purchase of virtual assets, (ii) exchange of virtual asset with another virtual asset, (iii) mediation or arrangement of (i) and (ii), and (iv) storage or management of virtual assets.  Under the Partial Amendment, VASPs must file a report (“VASP Report”) in advance to the Commissioner of the Korea Financial Intelligence Unit ("FIU") and must be accepted by the FIU.1  The VASP Report must contain (a) the company name, (b) the representative's name, (c) the location of the business place, and (d) contact information.  Failure to file a VASP Report could result in criminal punishment of imprisonment of up to five years or a fine of up to KRW 50 million (app. USD 43,000).

Further, the FIU may refuse to accept a VASP Report from VASPs if there are grounds for non-acceptance.2   In addition, the FIU may cancel a VASP Report when grounds for non-acceptance arises after it had been already accepted.  Once the Partial Amendment becomes effective, there is a six-month grace period for existing VASPs to file a VASP Report to the FIU.  Thus, if the FIU accepts a VASP Report submitted by existing VASPs during the grace period, then such VASP businesses are permitted to continue.

AML Requirements for VASPs

As with other financial companies, VASPs will be subject to various AML requirements, including suspicious transaction report ("STR"), currency transaction report ("CTR"), and customer due diligence ("CDD").  VASPs will also be required to set up in good faith an internal control system to fulfill such AML requirements and to separately manage transaction details of its customers.

Expanded CDD by Financial Companies

In addition to the existing CDD requirements, a financial company must ensure, among others, that a VASP has satisfied the requirements for acceptance of the VASP Report by the FIU and the requirement to separately manage deposits from its customers and its own assets.  Further, a financial company must decline or terminate transactions with a VASP if it does not have a valid VASP Report, an Information Security Management System ("ISMS") certification, a real name deposit and withdrawal account, or is otherwise unqualified.

Further details on certain important matters of the Partial Amendment will be published in its Presidential Decree,3 which is expected to be published prior to the effective date of the Partial Amendment, including the specific scope of the VASPs and the grounds for non-acceptance of the VASP Report by the FIU.4  Therefore, it is important for the industry to closely monitor the progress of the Partial Amendment in preparation and adoption of, and actively comment on, the Presidential Decree and related regulations and guidelines so that the needs of the industry are adequately reflected.

1 The VASP Report is a de facto approval by the FIU.

2 The grounds for non-acceptance of a VASP Report include: (i) failure to receive an ISMS certification; (ii) failure to engage in financial transactions using a verified real name deposit and withdrawal account; (iii) there is a record within the past five years of being sentenced to punishment more severe than a criminal fine or completion of serving such sentence for violation of the Act on Reporting and Using Specified Financial Transaction Information, the Act on Prohibition Against the Financing of Terrorism and Proliferation of Weapons of Mass Destruction, and other finance laws and regulations set forth by the Presidential Decree (including representatives and executives); and (iv) there is a record within the past five years of a rejected report for failing to meet the requirements specified in (i), (ii), and (iii) above.

3 A Presidential Decree is the regulation promulgated by the Executive Branch to cover detailed issues contemplated by a statute passed by the National Assembly.

4 For example, for financial transactions, a VASP must use deposit/withdrawal accounts that can verify the real name of the account holder. However, the standard and process for a financial company to open such accounts are delegated to the subsequent Presidential Decree and subject to amendment. Therefore, if a VASP does not meet the requirements under the Presidential Decree and the financial company refuses to open a deposit/withdrawal account, then the VASP is effectively not permitted to be in business.