The Financial Services Commission(the “FSC”) Korea, proposed an enforcement decree(the “Proposed Enforcement Decree”) to the Act on Reporting and Using Specified Financial Transaction Information(the “Act”) from November 3, 2020, to December 12, 2020. The Proposed Enforcement Decree sets the details to the newly amended Act which was approved at the plenary session of the National Assembly on March 5, 2020, promulgated on March 24, 2020, and will be enforced on March 25, 2021. This amendment defines cryptocurrency as a “virtual asset” and requires virtual asset service provider(VASP)s to follow AML obligations.

Key aspects of the Proposed Enforcement Decree are as follows.

1. The Scope of VASP governed by the Act

Article 2 subparagraph 2(n) of the Act defines “VASP” as a business that conducts one or more of the following actions on behalf of its clients:

1) the buying and selling of virtual assets;

2) exchange of one or more forms of virtual assets;

3) transfer of virtual assets;

4) safekeeping and/or administration of virtual assets;

5) mediation of the actions 1) and 2);

6) and other businesses which are prescribed by the Enforcement Decree as likely to be used for money-laundering and/or the financing for public intimidation(e.g. terrorist groups).

VASP, according to the Act, will probably include but not be limited to 1) cryptocurrency exchanges, 2) virtual asset custodians, and 3) wallet service providers. Businesses that merely provide the information of offers and/or sales of virtual assets or offer advice or technology related to the exchange of virtual assets will be excluded. Crypto custody service providers that do not hold private keys, and thus are not centralized custodians will also be excluded from the scope of VASP under the Act.

2. The Scope of “Virtual Assets” governed by the Act

Article 2 subparagraph 3 of the Act defines “virtual assets” as “electronic certificates that can be transferred and that hold economic value”. Prepaid cards, mobile gift cards, electronic bonds are not included in the definition of “virtual assets”. Other non-transferrable electronic certificates and virtual game tokens will not be governed by the Act.

3. The Issuance Criteria for Real-Name Accounts

1) Customer deposits must be managed separately from the VASP’s assets (Subparagraph 1(1) of Article 12-8 of the Proposed Enforcement Decree);

2) VASPs must obtain Information Security Management System(ISMS) certification (Subparagraph 1(2) of Article 12-8 of the Proposed Enforcement Decree);

3) VASPs must manage transaction details separately for each customer (Subparagraph 1(4) of Article 12-8 of the Proposed Enforcement Decree);

4) The CEO and/or other directors must not have been punished by finance-related laws in the last five years and etc (Subparagraph 1(3) of Article 12-8 of the Proposed Enforcement Decree);

Real-Name Accounts will not be issued to VASPs that fails to meet one or more of the above criteria, thus prohibiting the VASP from conducting VASP business.

It is an obligation on part of the financial institutions to identify, analyze, and evaluate the money laundering risks that are inherent in financial transactions. Subparagraph 2 of Article 12-8 states that financial institutions may do this by examining the systems, procedures, and business guidelines established by the VASPs prior to the opening of real-name accounts.

4. VASP Obligations in Handling Virtual Asset Transfers (the “Travel Rule”)

The Travel Rule, prescribed in Article 11 of the Proposed Enforcement Decree, requires the transmitting VASP to provide the name and virtual asset address of both the originator and the beneficiaries. The Travel Rule is required for all virtual asset transfers worth 1,000,000 or more but is subject to change in the future. Travel Rule under the Enforcement Decree will apply to transactions between VASPs and other VASPs, VASPs, and individuals, but not between individuals and individuals. The Travel Rule will be enforced one year after the Act is enforced (i.e. March 25, 2022) in order to ensure VASPs implement a joint verification system.

5. VASP Reporting Obligations

The Korea Financial Intelligence Unit(the “KoFIU”) will handle VASP registrations. VASP registrations are due within six months after the Act is enforced(i.e. September 25, 2021). A sample application form will soon be published by the KoFIU.