Following amendment to the Korean Act on Reporting and Using Specified Financial Transaction Information(the “Act”) on March 24, 2020 (to be enforced on March 25, 2021), the Korea Financial Intelligence Unit(the “KoFIU”) released a VASP Reporting Manual on February 19, 2021(the “Manual”). The Manual is a detailed guide to the newly required AML obligations for companies in the crypto business, namely virtual asset service providers(VASPs). The Manual was released pursuant to the newly Proposed Enforcement Decree of the Act.

The Manual contains a checklist of the required documents and template forms. VASP registrations for existing businesses are due within six months (September 25, 2021) after the Act is enforced on March 25, 2021.

Primary reporting requirements:

• Information Security Management System(ISMS) certificate
• real-name bank accounts (only for VASPs dealing with fiat – virtual asset exchange)
• financial offenses of representatives and officers
•  

How long will the process take?

The process will take a minimum of three months upon filing the required documents. In the case of a report change, it will take 45 days for the KoFIU to process the documents.

VASPs will have to fill out a report form which contains the following information:

1. corporate name, name of representative, address of primary office, company registration number, contact, email, internet domain name, and server host address of the reporter
2. list of company representatives and officer and their title/name/identification(e.g. Resident Registration Number)/nationality
3. the type(s) of business the VASP will conduct(all that apply)
4. information on real-name bank accounts
5. information on their ISMS certificate

The following documents needs to be attached to the report form:

Table 1. Checklist of Required Documents

– All documents in foreign language must be translated into Korean and each document needs to be notarized.

– (*) : important documents

*Note 

Financial crime?

The KoFIU may not accept the report if a company representative and/or officer of the VASP pertains to a person in whose case five years have not passed since he/her was sentenced to a fine or a heavier punishment declared by court was completely executed or exempted for financial crime. The document must be certified by both the VASP corporate entity and the natural person who is the company representative and/or officer. Criminal background checks will be carried out when the KoFIU deems it is necessary. In most cases the document in which the company representative and/or officer certifies he/she is clean suffice. “Financial crime” refers to violation of a number of finance related laws (49 statutes as of August 31, 2016) set forth in Article 5 of the Enforcement Decree to the Act on Corporate Governance of Financial Companies.

What is ISMS?

The Information Security Management System(ISMS) certificate is a credential issued by the Korea Internet and Security Agency(the “KISA”) that verifies that the certified meets a set of control requirements which help ensure the protection of information assets. There are two types of ISMS certificate—ISMS and ISMS-P which consists of a more stringent set of control requirements. A VASP may obtain either one. Certification is valid for three years, and certified entities must pass an annual audit to maintain it. The process takes about six months. The KISA published 56 new criterion for ISMS for VASPs on November 2, 2020.

What is KoFIU?

The Korea Financial Intelligence Unit(KoFIU) is an organization under the supervision of the Financial Services Commission(FSC), an independent government regulatory agency responsible for overall control over financial policies. The KoFIU is mainly responsible for the establishment of anti-money laundering policies; receipt, analysis, and report of suspicious financial transactions; compliance inspection and supervision; cooperation with foreign financial intelligence units.