All international and overseas activity outside South Korea that has domestic effects or impacts will be subjected to the amended cryptocurrency regulation. Due to anonymity or pseudonymity, digital assets are believed to be harboring the risks of money laundering and financial terrorism.
The Financial Action Task Force (FATF) adopted changes in October 2018 to its recommendations on financial activities that involved digital assets, adding the definitions “virtual asset service provider” (VASP) and “virtual asset” (VA).
Since that time, the FATF has adopted a risk-based approach to VA activities or operations and VASPs. The new approach comprises the supervision of VASPs to guarantee compliance in the sectors of licensing and registration and prohibitive measures like transaction reporting, customer due diligence, and record-keeping.
It also features monitoring VASPs to fight money laundering and the financing of terrorism. Taking this strategy boosts the effectiveness of sanctions and other enforcement measures and international cooperation. Thus, VASPs, have a similar full set of obligations as the financial institutions.
VASP Regulation Within South Korea
While operating in line with the guidance that was issued by the FATF recommending a risk-based approach toward VASPs and virtual assets regulation, Korea’s Anti-Money Laundering-related (AML) law, the Act on Reporting, and Using Specified Financial Transaction Information, was amended recently. The law went into effect on March 25, 2021.
Under this amended act, VASPs are compelled to register their business with the Korea Financial Intelligence Unit (KoFIU) before starting their business operations. All the other existing businesses that qualify as VASPs are needed to complete the new registration process within six months since the law went into effect. The due date for the registration is September 24, 2021.
Furthermore, upon registration, VASPs will be subjected to a variety of AML regulations, like authenticating the identity of their clients and filing reports on any suspicious transactions. The financial authorities will soon conduct extensive inspections of VASPs and supervise their compliance with AML obligations from the time of their company and business registration.
Under the revised act, VASPs are defined as virtual asset safekeeping and administration service providers, virtual asset trading service providers, and virtual asset digital wallet service providers. They are all believed to engage in the exchange, transfer, purchase, sale, and safekeeping/administration of virtual assets, or even intermediation and brokerage of various virtual asset transactions.
The Korea Financial Intelligence Unit
This amended act also offers that any offshore activity happening outside South Korea and has any domestic effects or impacts will be subjected to the act. The KoFIU has accordingly sent out notices to 27 offshore VASPs with most business operations “targeting users in Korea” regarding their set obligation to register with the KoFIU by September 24.
Whether these business operations of non-Korean VASPs are perceived as “targeting users in Korea” might be a fact-specific determination that is based on factors like whether they offer Korean-language translation services on their platforms. Whether they are involved in advertising and marketing activities that target Koreans, or whether they offer transactions and payment services using the Korean won.
What is now definite is that offshore VASPs that have not got any notice from the KoFIU but have various business operations that target users in South Korea are also needed to register with the KoFIU. If they do not register with the regulator, the firms must suspend their business operations that target users based in South Korea from September 25.
In case the offshore VASPs that are subjected to this registration requirement do not register with the KoFIU, their operation will eventually be regarded as illicit business activities from September 25. The KoFIU said that it would take action like blocking access to the VASPs’ sites. All blocked VASPs will cease their business operations targeting the users in Korea from September 25.
In case they ignore and continue with their business operations without registering, exchange operators will be subjected to five years of imprisonment or a maximal fine of around $43,500, as defined by the updated law. The KoFIU said that they would also file comprehensive charges with the investigative authorities, prosecutors, and the police, against the unregistered offshore VASPs.
KoFIU will also actively seek other ways, including close cooperation with non-domestic financial intelligence units and international judicial mutual assistance, in criminal matters. In that case, there is a possibility that users might incur some damages by using services offered by the unregistered VASPs since they might not be able to withdraw their virtual assets or fiat funds.
Thus, users are advised to check the business registration status of the relevant VASPs that target South Korean users, request a lot of information about their resident registration numbers, and take the necessary proactive actions. These actions include withdrawal of funds and virtual assets where needed to prevent possible damages.
What Should Foreign VASPs Consider?
Many now wonder, what requirements should the VASPs meet whenever they register with the KoFIU? Among other needs, they have to acquire an Information Security Management Systems (ISMS) certification issued by the Korea Internet and Security Agency (KISA).
Furthermore, they need to use real-name accounts opened at a major bank for money remittance between the users and the VASPs, unless the involved VASPs do not obtain money from their users and there is no exchange of money for virtual assets. By July 22, the financial authority in Korea (the Financial Services Commission) confirmed that no offshore VASPs had acquired an ISMS certification.
On a separate occasion, the FSC published on July 28 the result of extensive inspections done on the legitimacy of deposit accounts that were held by VASPs. By the end of June, it was discovered that 79 VASPs had 94 deposit accounts. 14 among them were discovered to be connected to fictitious and fraudulent activities.
The KoFIU will use the suspicious transaction reports to relay cases linked to money laundering or other illegal activities to the appropriate law enforcement bodies. Furthermore, the FSC stated that financial authorities will continue to monitor all deposit accounts held by VASPs keenly until the registration deadline of September 24.
In that case, all offshore VASPs need to consider whether they fall in the category of the offshore VASPs depending on the registration need under the amended act. The act targets all of those that target users in Korea and the involved agencies check the VASPs’ marketing channels, distribution channels, translation service, and settlement currencies.
Furthermore, offshore VASPs that want to actively market their service to users based in Korea after September 24, need to consider their business structure and check the registration requirements with the KoFIU.