Fintech 2023 Comparisons

Last Updated March 23, 2023

Contributed By Bae, Kim & Lee LLC

Law and Practice


Bae, Kim & Lee LLC (BKL) was founded in 1980 and is one of the premier law firms in South Korea. With practice groups specialised in every significant area of law for business in Korea, BKL supplies timely, accurate and practical legal support to its clients, wherever they are based, across a broad cross-section of industry. Headquartered in Seoul, BKL maintains overseas offices in Beijing, Shanghai, Hong Kong, Hanoi, Ho Chi Minh City, Yangon, Singapore and Jakarta. The first Korean firm to set up offices in China, BKL has pioneered a region-wide approach to legal services. BKL’s fintech practice team consists of approximately 30 professionals who have a profound understanding of and strong expertise in financial regulation, financial data security, blockchain, as well as fintech. The team has advised many clients in various fields, including the establishment of an Open API system, adaptation of virtual asset/blockchain technology, and licences for payment services.

There have been many changes in the fintech industry in South Korea in recent years. Some of the major changes are as follows.

The Credit Information Use and Protection Act was amended in 2020 to facilitate and regulate the MyData service, which enables the credit information of individuals to be managed on an integrated basis. For the MyData service to fully operate, it is essential to establish an infrastructure whereby relevant institutions can send and receive data from each other. To this end, groundwork for the necessary infrastructure continued until 2021, and the MyData service was officially launched in January 2022. Currently, the provision of the MyData service is limited to the financial field, but it is expected that similar services will be launched with respect to other fields, such as services using health information.

In 2022, fractional investment rapidly emerged in South Korea as well. Although certain fractional investment products could be classified as securities, there were no clear criteria to determine whether the issuance and distribution of fractional investment products would be subject to the regulations under the Financial Investment Services and Capital Markets Act (FSCMA). In April 2022, the Financial Services Commission (FSC) set out the criteria for determining whether a product has the characteristics of a security by publishing a guideline relating to new types of securities such as fractional investment products, and required any fractional investment product that is considered to be a security to comply with regulations under the FSCMA. The guideline also stipulates that if it is difficult to issue and distribute certain fractional investment products classified as securities under the current legal framework due to their nature, such products may be issued and distributed temporarily through the sandbox programme.

It is expected that the matters that will have major impact in the market for the next 12 months are those relating to virtual assets.

The South Korean legislature is currently trying to enact a new piece of legislation for the protection of consumers in the virtual asset market. The act in question mainly aims to prohibit unfair transaction practices, such as the use of material non-public information or price manipulation, and it also contains provisions requiring virtual asset service providers to hold the investors’ deposits in trust.

In addition, the FSC announced in February 2023 its plan to permit the issuance and distribution of security tokens. The main substance of the guideline is as follows, and the related legislative work is expected to take place in 2023.

  • Security tokens that meet certain requirements will be subject to the Act on Electronic Registration of Stocks and Bonds. In this case, a holder of a security token will be presumed to have legally acquired the ownership thereof, and thus security tokens will be traded in a safer manner.
  • Generally, security tokens are deemed to constitute investment contract securities, and it is contemplated that a digital security market, where investment contract securities are traded, will be established by the Korea Exchange (KRX) so that security tokens can be traded in the listed market.
  • In addition to the foregoing, it is contemplated that a separate licence unit will be newly created so that service providers that obtain the licence thereof will be able to broker security token transactions with investors outside the digital security market to be established by the KRX.

In South Korea, the business models of fintech companies are continuously evolving as they predominantly involve existing financial technologies and newly emerging financial innovations, such as digital banking, mobile/online payments, peer-to-peer (P2P) lending, robo-advisers, blockchain and cryptocurrencies, digital insurance platforms, open banking, algorithm trading and crowdfunding.

Recently, the most strongly emerging players in the fintech sector are, among others, internet-only banks, virtual asset service providers (VASP) such as crypto-exchanges, and electronic payment service providers. Many of these emerging players were start-ups that have now become large companies.

Legacy players are also rapidly evolving by applying fintech business models to their existing licensed services. For example, commercial banks provide banking and payment services on mobile/online platforms, securities firms offer investment products on mobile/online platforms and co-operate with many robo-adviser service providers to provide automated advisory services. These legacy players are also constantly researching and attempting to apply blockchain technology to their legacy financial services.

In South Korea, fintech business models should comply with specific legislation applicable to their nature of business, but they should also comply with existing financial legislation. As a result, fintech companies may be subject to various legislation depending on their business elements. For the main verticals:

  • online/mobile payment services (other than banks) in e-commerce are regulated as prepaid/debit e-payment means issuer or payment gateway provider under the Electronic Financial Transactions Act (EFTA);
  • internet-only banks without physical offices are regulated by the Banking Act, subject to certain special treatments relating to their licensing, governance and business activities pursuant to the Special Act on the Establishment and Operation of Internet-only Bank (Internet Bank Act);
  • P2P lending platform operators are regulated by the Online Investment-Linked Finance Act (P2P Lending Act) in respect of their licensing and ongoing compliance;
  • robo-advisers are regulated under the FSCMA;
  • algorithmic trading is subject to registration with the KRX pursuant to the KRX markets business regulations, as well as the FSCMA;
  • crypto-exchanges and digital wallet service providers are regulated as VASP under the Act on Reporting and Using Specified Financial Transaction Information (Financial Transaction Information Act) in respect of their licensing and ongoing compliance including anti-money laundering obligations;
  • insurtechs offering or brokering insurance products are regulated by the Insurance Business Act; and
  • the MyData service is regulated as a personal credit information management business under the Credit Information Use and Protection Act (CIUPA).

In addition, the legislation that generally applies to fintech business models, depending on their business elements, is as follows:

  • the Banking Act, if the company engages in accepting deposits from customers and providing loans;
  • the FSCMA, if the company engages in investment dealing or brokerage, discretionary management, or investment advice, or if financial investment products such as securities or derivatives are involved;
  • the Insurance Business Act, if the company sells insurance products;
  • the Act on Registration of Money Lending Business and Protection of Finance Users (Lending Business Act), if the company engages in providing loans without engaging in accepting customer deposits;
  • the Financial Consumer Protection Act, if the company engages in selling or advertising financial products (including loans and insurance products) to customers;
  • the CIUPA, if the company engages in providing credit rating or credit information, or in respect of the transfer of personal credit information;
  • the Personal Information Protection Act (PIPA), in respect of the collection or transfer of personal information generally;
  • the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc, (IT Network Act), if the company is an online service provider, which is required to take certain information security measures;
  • the Foreign Exchange Transactions Act (FETA), in respect of any payment between a Korean resident and a non-resident, or any payment using a foreign currency; and
  • the Special Act on Support for Financial Innovation, in respect of the operation of the regulatory sandbox programme.

The compensation restrictions and disclosures under traditional financial regulations are also applicable to fintech service providers.

For example, the Lending Business Act imposes a limitation on brokerage fees and restricts loan brokers from receiving brokerage fees from the users of lending services; instead, they should receive fees from the relevant credit financial institutions within the prescribed cap under the same act. Under the Financial Consumer Protection Act, if a financial product distributor solicits an ordinary financial consumer (or a retail investor) to conclude a contract or is requested by an ordinary financial consumer to provide an explanation, the financial product distributor should explain relevant fees in a manner that an ordinary financial consumer can properly understand.

Legislative bills on certain fintech business models contain provisions on fees. For instance, the P2P Lending Act requires an online investment-linked financial business entity to notify information concerning fees and other incidental expenses through its online platform so that its users can easily understand it.

As mentioned in 2.2 Regulatory Regime, laws and regulations applicable to legacy players (for example, the Banking Act, FSCMA, Insurance Business Act and Financial Consumer Protection Act) equally apply to fintech companies. Additional laws and regulations related to fintech business models, such as the EFTA, the Internet Bank Act, the P2P Lending Act and the Financial Transaction Information Act, apply depending on the nature of the business activities.

In addition, to promote financial innovation, the regulatory sandbox programme was introduced in 2019, which exempts, either fully or partially, eligible fintech companies from various restrictions and requirements under financial-related laws (including permits and approval requirements). This exemption will be granted for up to two years as a general rule and may be extended once for another two years.

Under the Special Act on Support for Financial Innovation, financial services which are considered innovative in terms of their content, method or form compared to the existing financial services may be designated as innovative financial services (regulatory sandbox).

Once the service provider applies for the regulatory sandbox programme, the FSC will review whether the service in question is eligible for designation as an innovative financial service. As part of the review process, the following factors are considered:

  • innovativeness of the services;
  • convenience and benefits for consumers;
  • inevitability of application of regulatory exceptions; and
  • stability of the financial market and financial order.

Once a company is designated as an innovative financial service, the company may engage in the innovative financial services to the extent permitted according to its designation without any separate licence, or may be exempt from complying with various ongoing requirements under laws and regulations that would have been applicable in respect of a licensed financial services provider.

The regulatory sandbox exemption period cannot exceed two years, which is extendable, only once, for up to two years.

The FSC and the Financial Supervisory Service (FSS) are the two primary institutions in charge of regulatory enforcement over fintech products and services. The FSC is a government institution mainly responsible for creating financial policies. The FSS, acting as the enforcement arm of the FSC, is responsible for supervising and inspecting financial companies.

Under the Regulations on Outsourcing of Business of Financial Institutions (Business Outsourcing Regulations), financial companies such as banks, insurance companies and credit card companies are allowed to outsource their business operations, except in the following cases:

  • when the work involves “essential elements” of the financial company’s business that require a licence;
  • when the relevant laws and regulations require the financial company to perform the work; or
  • when outsourcing may harm the financial company’s credibility, cause financial disorder or harm financial users.

Financial companies must inform the regulator of their outsourcing at least seven business days before the start date, unless exempted under the regulations.

The Data Processing Outsourcing Regulations may also apply to financial companies with respect to the outsourcing of data processing. Financial companies are allowed to outsource their data processing, unless:

  • it is prohibited by relevant laws and regulations;
  • the financial company has received a warning or sanction regarding user information in the past three years; or
  • the outsourcing may harm the financial company’s credibility, cause financial disorder or harm financial users.

In addition, financial companies are not permitted to outsource the processing of “uniquely identifiable information”, such as resident registration numbers, to offshore companies.

Financial companies must report the outsourcing of data processing to the regulator at least seven days prior for domestic companies and 30 days prior for offshore companies unless exempted under the relevant regulations.

Depending on the specific business model, other regulations, such as FSCMA, may apply with respect to outsourcing.

Fintech service providers which fall under the scope of financial companies are subject to various regulations requiring them to comply with certain prescribed gatekeeper responsibilities, including suspicious transaction reporting (STR), anti-money laundering (AML) and know-your-customer (KYC) regulations under the Financial Transaction Information Act. Notably, new fintech players such as VASP and P2P lending platform operators are also considered as financial companies for the purposes of these regulations.

Furthermore, fintech providers can be subject to further specific obligations under the regulations applicable to the fintech provider depending on their business models to take steps to prevent illegal activities, ensure cyber security, and conduct due diligence on customers’ suitability.

Following the Terra/Luna meltdown in May 2022, Korean investors have filed complaints against the founders of the Terra project and the matter is now under investigation by the Prosecutors’ Office. Among numerous unsettled discussions related to this investigation, the point of contention is whether the Luna token is considered as “investment contract securities” under the FSCMA and whether there was any fraudulent act of the founders towards the investors.

In South Korea, matters relating to personal information and credit information are governed by the PIPA and the CIUPA, respectively.

Under the IT Network Act, online service providers are required to implement a set of technical and administrative measures to ensure information security. These measures include specific requirements on establishing and operating an information security department within the company, which will internally implement information security measures and comply with incident response plans.

As the PIPA, the CIUPA and the IT Network Act equally apply to all companies, fintech business operators are also required to comply with those acts just like legacy players.

In addition, the EFTA is applicable to financial companies and electronic financial business operators that provide financial products and services through any electronic devices. The act specifies, in detail, security-related regulations that are required to be complied with by the subject companies. However, a fintech company that does not obtain any licence for its financial business or for its electronic financial business is not subject to such information security regulations.

Besides the regulators, such as the FSC, the FSS and the KRX, there are self-regulatory organisations in certain industries. Some examples are as follows.

  • The Korea Financial Investment Association was established under the FSCMA to be in charge of imposing self-regulations, registering and managing professional workforce, conducting preliminary review of certain OTC derivative products and providing training relating to financial investment business, to protect investors and promote sound business operation among the members of the association.
  • The Specialised Credit Financial Business Association was established under the Specialised Credit Finance Business Act and is in charge of recommending improvements to business operation methods for the members, reviewing advertisements of specialised credit financial companies, and publishing and amending industry standard terms and conditions.
  • The Insurance association was established under the Insurance Business Act and is responsible for determination of regulations on entrustment to insurance agents, comparison and disclosure of insurance products and publication and amendment of the rules required to be complied with by insurance companies.

Usually, companies engaging in financial services under the requisite licence are restricted in terms of their business scope and activities. If a financial service licensed company intends to provide any unregulated products and services, which do not fall within the scope of the financial licence held, such company shall file a report in advance to the financial regulators, who have certain discretion on this matter, unless specifically permitted under the relevant regulations.

For instance, there is no law regulating NFTs and companies are allowed to broker NFT transactions without any licence, but if a licensed bank is to provide such services, the bank may be required to file a report in relation to it as an incidental business engaged by the bank.

In Korea, the Financial Transaction Information Act governs anti-money laundering as described in 2.8 Gatekeeper Liability.

As these rules apply to “financial companies” as defined under the same act, certain fintech companies, such as VASP and P2P lending platform operators that are classified as “financial companies” under the act, should satisfy the applicable regulations under the act. However, unregulated fintech companies that do not fall under the scope of “financial companies” are not directly subject to the act.

Robo-advisers must satisfy the prescribed requirements to become an “electronic investment advice device” under the FSCMA and pass a screening test. However, there is no requirement for different business models to be adopted for different asset classes.

Many traditional financial companies have developed robo-adviser systems. In addition, they are also actively implementing solutions developed by other fintech companies specialised in robo-adviser business.

Since the introduction of the robo-adviser system, the number of consumers using robo-adviser services is gradually increasing.

Currently, there are no “best execution” obligations applicable to robo-advisers. However, a financial company utilising a robo-adviser in providing financial services owes a duty of care to its customers that is generally applicable to a financial company according to the FSCMA.

Under the Financial Consumer Protection Act, financial consumers are categorised into (i) professional financial consumers and (ii) ordinary financial consumers.

Lenders offering loan products to ordinary financial consumers should comply with a set of rules, such as obligations to identify a customer’s status, to refrain from offering inappropriate products or unfair terms, and to explain material terms of the product offered. Individuals and small businesses with fewer than five employees are classified as “ordinary financial consumers”.

It should also be noted that internet-only banks may provide loans only to individuals and SMEs pursuant to the Internet Bank Act, while other commercial banks are generally not subject to such restriction.

There is no separate regulation regarding the underwriting of online lending. However, under the Lending Business Act, licensed lenders and credit financial institutions such as banks can transfer loan receivables only to registered debt collection agencies, other credit financial institutions or other entities specifically listed under the law.

Separately, the FSS has issued a guideline for debt collection and sale of loan receivables. Under the guideline, a financial company that wishes to sell loan receivables shall (i) have a consistent standard regarding the sale of loan receivables, (ii) report relevant information to the management and board of directors in a timely manner, and (iii) conduct regular monitoring on the sale of loan receivables.

Banks take deposits from customers and use them to provide loans to borrowers, subject to certain deposit reserves and other various regulations under the Banking Act. Non-bank lenders, who are generally regulated under the Lending Business Act, cannot take deposits from customers and may only use their own funds to provide loans to customers. P2P lending platforms accept cash investments from investors and utilise the investment amount to provide loans to borrowers, subject to certain investment cap and other regulations under the P2P Lending Act. It is not common to raise capital through securitisation to fund online lending businesses in South Korea.

Online loan syndication is not common in South Korea as banks typically syndicate loans for large-volume transactions, which do not usually proceed online.

There is no legal requirement for a payment processor to use the existing payment rails.

A payment processor that starts a new business may utilise a partnership with an existing payment processor that already has an established network; however, such a business practice is driven not by legal factors but by a commercial decision.

Cross-border payments and remittances are subject to the FETA.

Any person who intends to engage in the business of cross-border payment and remittance is required to register the business with the Ministry of Economy and Finance in advance in accordance with the FETA. Financial companies are generally permitted to make cross-border payments within the scope of their registered foreign exchange businesses. Also, a registered small-amount cross-border remittance business entity may handle cross-border payment and receipt for up to a certain threshold per transaction with an annual aggregate cap.

Unless exempted by registration or other grounds, any person who engages in a cross-border capital transaction (such as lending/borrowing, raising capital and investing) may be required to file a report with the foreign exchange regulators. In addition, any person who pays or receives any amount exceeding a certain threshold to or from overseas may be required to submit evidentiary documents.

The types of investment funds mostly developed in South Korea are a trust-type fund and a company-type fund, and the former is more prevalent than the latter.

In the case of trust-type funds, the trust property is transferred to, and managed by, a trustee based on a trust relationship formed by entering into a trust agreement (or trust deed) by and between an asset manager and a trustee. Company-type funds are also required to entrust the custody/management of the fund property to a trustee. As part of the entrustment to the trustee, the tasks expected of the trustee are not limited to merely holding the property in custody but include execution of any acquisition/disposal, etc, as instructed by an asset manager and, in some cases, a trustee acts as a supervisor in the management of the fund assets.

A company-type fund is required to outsource works relating to (i) the issuance of, and transfer of, the title to shares, (ii) the calculation of the company’s wealth and (iii) convening and hosting board of directors’ meetings and general meetings of shareholders and preparation of minutes, etc, to a fund administrator. Although trust-type funds are not statutorily obliged, it is common that the trust-type funds also outsource works regarding the calculation task, etc, to a fund administrator by entering into a consignment agreement. A fund administrator does not act as a custodian for custody/management of the fund assets.

A trustee must be a licensed trustee (in practice, most of the trustees for funds are banks) and a fund administrator is required to be registered in advance in accordance with the FSCMA.

A trustee bears a fiduciary duty of care while in custody of the fund assets. The FSCMA prescribes that a trust agreement between a trust-type fund and an asset manager should contain provisions concerning the services to be performed by each of the asset manager and the trustee, investments, valuation and calculation of NAV price, profit distribution and redemption, and termination. The market practice is to use an industry standard trust agreement that is built on the aforementioned provisions.

A fund administrator also bears a fiduciary duty of care in connection with the consigned tasks thereof. While the substance of a consignment agreement is not regulated by the laws, standardised administration agreement templates are commonly used within the industry.

In South Korea, financial investment products are listed and traded on the KRX and unlisted stocks are traded on over-the-counter trading platforms. 

Although the amendment to the FSCMA in 2013 provided for the ground to establish an alternative trading system (ATS), there is no licensed ATS operating in South Korea. Nonetheless, it is expected that the first ATS in South Korea will obtain its licence and start the service next year, in 2024.

With respect to virtual assets, approximately 30 registered virtual asset service providers are operating crypto-exchanges, where virtual assets that do not constitute financial investment products are traded.

Financial investment products, such as stocks, bonds, securities and derivatives, are mainly regulated by the FSCMA.

On the other hand, virtual assets, electronic certificates that have an economic value and that can be traded or transferred electronically, are regulated by the Financial Transaction Information Act.

The regulation on the transaction of financial investment products under the FSCMA is much stricter than the regulation on the transaction of virtual assets. For example, filing of a securities registration statement (SRS) is required for the public offering of securities. In addition, insider trading, market manipulation and other unfair trading activities related to financial investment products are prohibited under the FSCMA. However, with respect to virtual assets, no such regulation has been established so far.

The emergence of cryptocurrency exchanges has led to the revisions of the Financial Transaction Information Act, which became effective on 25 March 2021. As part of the changes, virtual asset service providers have also become subject to regulations, and there have been three main changes affecting cryptocurrency exchanges:

  • a deposit to a virtual asset service provider should be made through a bank account for which the real name of the account holder has been authenticated;
  • for registration, a virtual asset service provider shall obtain ISMS (Information Security Management System) certification; and
  • a virtual asset service provider is obliged to file a report on any suspicious transaction with the Korean Financial Intelligence Unit.

In October 2022, the bill for the Legislation to Restore Fairness in the Digital Asset Market and to Create a Safe Trading Environment (DAFA) was proposed before the National Assembly, and it is expected to pass in due course. The key content of the DAFA includes the following:

  • require digital asset service providers to segregate consumer’s money deposits from their proprietary assets;
  • prohibit insider trading based on non-public material information;
  • prohibit manipulative trading for the purpose of inducing other parties’ trading of digital assets;
  • prohibit use of unfair means, plans, schemes, or techniques for trading of digital assets; and
  • require monitoring of suspicious trading and the taking of necessary measures to ensure market order.

In addition, the Framework Act on Digital Assets, aimed at regulating all types of tokens other than securities-type tokens, is expected to be enacted roughly around 2024. This Act is expected to be codified in reference to similar regulations of the US and EU, but its details are still under discussion.

As for the listing rules for the KRX, quantitative requirements such as (i) operating history, (ii) capital size, (iii) share distribution, (iv) financial requirement, (v) restriction on stocks transfer, (vi) corporate governance and (vii) accounting standards, are reviewed during the listing approval process. In addition, qualitative requirements such as (i) company’s continuity, (ii) management’s transparency, and (iii) investor protection, are also considered.

With respect to the virtual asset market, each virtual asset service provider has its own listing regulations and standards. Generally, the level of security, sustainability, and expertise and capability of the issuer will be mainly considered.

According to the standard internal control criteria for financial investment companies presented by the Korea Financial Investment Association, if a financial investment company is entrusted with the sale and purchase orders for customers, the following principles should be complied with:

  • a company should handle orders in a fair manner based on the principles of good faith and should not itself obtain or allow any third party to obtain benefits by harming the interests of the investors without any justifiable reasons;
  • a company has a fiduciary duty of care to set up a system for taking and handling customers’ sale and purchase orders in a prompt, fair and accurate manner and an internal control system for inspection and verification thereof;
  • a company should provide explanations to customers so that they can understand the methods of ordering, methods of handling and the terms and conditions of services provided, etc, and allow them to independently make decisions in that regard; and
  • a company should receive customers’ sale and purchase orders in a fair and safe manner for each method of ordering and verify whether the person placing an order has the legitimate authority to make the order upon receipt of the order.

Although there are no special order-handling rules applicable to cryptocurrency exchanges, it is prohibited, in principle, under the Financial Transaction Information Act to share order books between cryptocurrency exchanges. The sharing of order books refers to an act of matching bid or ask prices and concluding transactions by sharing order books between cryptocurrency exchanges. However, a virtual asset service provider is permitted to share order books if:

  • the other party is a virtual asset service provider that has obtained authorisation in Korea or other countries and performs money laundering prevention obligations; and
  • the virtual asset service provider can verify information on the customers of the other virtual asset service provider with whom its own customers trade.

With respect to markets for trading financial investment products, only those authorised in accordance with the FSCMA, such as the KRX and ATS as mentioned in 7.1 Permissible Trading Platforms, are permitted. Although interest in P2P platforms for brokerage of unlisted stocks has emerged in recent years, compliance with laws varies depending on specific trading methods and business models.

The trading markets for virtual assets were mainly facilitated by centralised exchanges (server-client model – ie, exchanges broker investors’ transactions on virtual assets) and there is no specific law or regulation that is applicable to P2P-based decentralised exchanges. Yet, if the services provided by a decentralised exchange fall within the scope of any regulated activities under the existing laws or regulations, such decentralised exchange should comply with the relevant laws and regulations thereof.

The FSCMA specifies the duty of best execution which requires securities companies (broker-dealers) to execute customers’ trades at the most favourable terms reasonably available under the circumstances and the duty is applicable in trading listed securities and depository receipts. To be specific, securities companies are obliged to:

  • prepare and announce guidelines for the best execution of customers’ trades for financial investment products;
  • review and update the contents of the best execution guidelines on a quarterly basis and announce the changes thereto, if any; and
  • deliver to customers a written explanation wherein the guidelines for best execution are described or indicated.

Currently, there is no explicit best execution requirement applicable to the trading of virtual assets.

There are no specific regulations on payment for order flow in Korea.

The FSCMA prohibits the use of material, non-public information of a listed company for the sale and purchase of securities (insider trading). In addition, the FSCMA prohibits market manipulation and market disturbance as well as unfair trading activities, such as utilising an unfair scheme in connection with trading of financial investment products.

The prohibition of insider trading and market manipulation under the FSCMA is not applicable to virtual asset exchanges. However, under the Financial Transaction Information Act, a virtual asset exchange is prohibited from brokering the trading of virtual assets issued by itself or its related person.

The KRX recently made some amendments to the securities and derivatives markets business regulation, aiming to improve the risk management regime of the Korean capital market. 

Under the revised regulation, “high-speed algorithmic trade” is defined as any algorithmic trade conducted (i) by installing an exclusive ordering system owned or directly controlled by an investor at the IT (computing) centre of a KRX member or (ii) as proprietary trading by a KRX member firm.

Any investor who intends to entrust a KRX member with placing orders for high-speed algorithmic trading must be registered as a high-speed algorithmic trader with the KRX, and any KRX member who intends to engage in high-speed algorithmic trade itself must file a report as a high-speed algorithmic trader in advance. If an investor is not registered as a high-speed algorithmic trader, the KRX member must refuse to accept the high-speed algorithmic trade order.

Notably, different asset classes do not have different regulatory regimes.

In general, market players functioning in their principal capacity are not required to register as a market maker.

In South Korea, the market-making system aims at increasing the market liquidity of a target security with poor liquidity as chosen by the KRX, whereby a market maker enters into a market-making agreement with the KRX to continuously offer to both buy and sell the target securities. It should be noted that only KRX members can become market makers.

The regulations on high-speed algorithmic trade by the KRX do not make a distinction between funds and dealers.

There is no law or regulation that directly applies to programmers who develop and create trading algorithms and other electronic trading tools. However, depending on their specific conduct, they may be subject to punishment as an accomplice to any act generally prohibited by the FSCMA, such as price manipulation or market disturbance.

No specific regulation exists on financial research platforms.

Under the FSCMA, however, any entity which intends to provide advice on the value of, or investment judgement regarding, certain assets such as financial investment products is obliged to register (ie, as an investment advisory business entity). Moreover, a business is deemed to be engaged in quasi-investment advisory business if it regularly provides advice on the value of, or investment decisions in relation to, financial investment instruments through publications or electronic mail to unspecified target audiences, and such a business is required to file a report in advance.

Therefore, if a financial research platform is deemed to be engaged in investment advisory business or quasi-investment advisory business, the platform may be required to be registered in accordance with the FSCMA.

Under the FSCMA, an act of disseminating a rumour with the intention to affect trading of any financial investment instrument or cause a fluctuation in the market price constitutes “unfair trading practice”. Any person who engages in any unfair trading practice may be punished by imprisonment of not less than one year or by a fine of between three and five times the profit that the person made, or the loss that the person avoided, through the unfair trading practice.

Furthermore, the FSCMA specifies that an act that falls short of unfair trading practice, but that is likely to cause other persons to misjudge or misapprehend the status of supply and demand for, or the prices of, any listed security or exchange-traded derivative, or is likely to distort such prices, by spreading a rumour, is “market disturbance”. Any person who engages in market disturbance may be subject to a penalty surcharge of an amount not exceeding KRW500 million.

The financial supervisory authorities and the Korea Financial Investment Association publish explanation materials and casebooks on unfair trading practice and market disturbance on a non-regular basis and such materials are adopted by the market as a guideline.

Any person who wishes to sell insurance products is required to be registered with the FSS as an insurance agent, insurance solicitor or insurance broker and comply with the relevant regulations under the Insurance Business Act. Furthermore, the sale of insurance products to customers is also governed by the Financial Consumer Protection Act as described in 4.1 Differences in the Business or Regulation of Loans Provided to Different Entities.

The underwriting processes may include gathering financial records and personal data to determine the risk profile of the customer and set insurance premiums. The use of automated data processing methods in the underwriting process is increasing, which highlights the growing importance of data protection and privacy laws.

Under the Insurance Business Act, there are three types of insurance, namely, (i) life insurance, (ii) non-life insurance, and (iii) type-three insurance business. A person who intends to engage in insurance business is required to obtain a licence from the FSC according to the type of insurance business, and the capital and fund requirements vary depending on the type of insurance business.

In principle, insurance companies are prohibited from concurrently operating a life insurance business and a non-life insurance business. However, engagement in both types of insurance business is allowed between a parent company and its subsidiary.

While there has been growing importance and presence of regtech, there is no regulation in Korea that relates specifically to providers of regtech. For now, regtech service providers are regulated under the existing legal framework, depending on their activities.

There is no regulation that relates to the performance and accuracy of the services of regtech providers. The contractual terms sought by financial service firms with regtech providers are usually driven by the internal regulations of the financial services firms and may vary depending on the specific area of service provided by the regtech provider.

The existing financial companies continue to conduct experiments to utilise blockchain technology in various fields. For instance, some companies have introduced the use of Decentralised ID (DID) technology, whereby encoded identification information is stored in a blockchain and the information can be confirmed whenever necessary. Also, there have been attempts to utilise the blockchain technology in connection with cross-border remittances.

In addition, the Bank of Korea is conducting an experiment in connection with the introduction of CBDC.

South Korean regulatory authorities are encouraging innovation through utilisation of the blockchain technology. Although there have not been any separate laws or regulations presented to promote the utilisation of the blockchain technology, many blockchain-based services are exempt from certain regulations through the financial regulatory sandbox programme.

However, the regulatory authorities distinguish between the blockchain technology and virtual assets and are rather taking a reserved approach with respect to the virtual asset industry.

The Financial Transaction Information Act defines virtual assets as electronic certificates that have an economic value and that can be traded or transferred electronically (except for electronic currency and electronic prepayment means, etc), and blockchain assets that satisfy such requirements will be classified as virtual assets.

There are no other financial laws or regulations that specifically regulate blockchain assets. However, depending on their specific nature, a blockchain asset may be classified as a financial instrument that is regulated under the existing legal framework.

For instance, any blockchain asset that satisfies the definition of “securities” under the FSCMA may be classified as a security and shall follow the regulations applicable to a security, or any blockchain asset that satisfies the requirements for electronic prepayment means may be classified as an electronic prepayment instrument and shall follow the applicable regulations.

The South Korean government announced the prohibition of ICOs in 2017 and has maintained its position to date. Therefore, it is difficult in practice to issue any blockchain assets that constitute virtual assets in Korea. However, the government is planning to permit the issuance of security tokens by amending the relevant laws and regulations and is expected to permit issuance of other virtual assets once the laws and regulations are enacted to build a legal framework for virtual assets.

Notably, NFTs are generally not treated as virtual assets, and therefore there does not exist any regulation in connection with the issuance of NFTs.

Under the Financial Transaction Information Act, a person who intends to engage in the sale, exchange and brokerage of virtual assets is required to register as a virtual asset service provider. Fundamentally, the obligation to register as a virtual asset service provider under the Financial Transaction Information Act was established mainly to impose AML obligations on virtual asset service providers, and therefore most of the obligations imposed on virtual asset service providers under the Financial Transaction Information Act are related to the AML regime. On the other hand, there is no special regulation applicable to P2P transactions.

Please note that the FSC is planning to create a new separate licence unit for the operation of security token trading platforms as discussed in 1.1 Evolution of the Fintech Market.

Currently, the financial supervisory authorities are largely against the investment in virtual assets by funds established by domestic collective investment business entities and, in consideration of such circumstances, funds established onshore do not invest in virtual assets. Instead, they are known to invest in blockchain assets indirectly by investing in the companies that own the blockchain technology.

The Financial Transaction Information Act defines virtual assets (virtual currency) as electronic certificates that have economic value and that can be traded or transferred electronically except for the following:

  • electronic certificates that cannot be exchanged for money, goods, or services, etc, or, if as part of information about the certificate, the place and purpose of the use of the certificates are restricted by the issuer;
  • products obtained through gaming services or products;
  • electronic prepayment means and electronic currency; and
  • electronically registered stocks, electronic bills and electronic bills of lading.

The majority of blockchain assets are likely to satisfy the above definition of virtual asset, and therefore there will not be much difference between virtual assets and blockchain assets in their treatment.

For reference, in general, NFTs are not treated as virtual assets in South Korea.

The Korean laws do not separately regulate DeFi and the financial supervisory authorities have not presented any guideline with respect thereto.

There does not exist any separate regulation on NFTs and NFT platforms.

As discussed in 12.5 Regulation of Blockchain Asset Trading Platforms, the Financial Transaction Information Act is applicable to any platforms where trading of virtual assets is made available, yet NFTs are generally not treated as virtual assets.

Currently, open banking is operated in accordance with the rules of the Korea Financial Telecommunications and Clearings Institute (KFTC). However, the FSC is planning to establish a legal basis for open banking.

In general, fintech service providers that have executed an agreement for the use of open banking with KFTC, and financial institutions participating in open banking (“Institutions Using Open Banking”), may expeditiously and easily launch various fintech services by utilising open APIs and testbeds to integrate new IT technology into the existing financial services.

However, (i) “withdrawal agency services” in which “Institutions Using Open Banking” make withdrawals, acting as agent, or resell the right to withdraw, with a user’s consent to withdrawal obtained through a third party and (ii) “payment services” in which “Institutions Using Open Banking” collect a certain amount on a regular and repeated basis in return for the goods or services that they provide to a user, are services excluded from the use of open banking. Also, any company likely to engage in an act that may disturb the financial order or cause damages to consumers may not be permitted to use open banking.

“Institutions Using Open Banking” should manage the personal information of users or recipients obtained in connection with the open banking business in a way to prevent any unauthorised disclosure and, unless the subject of the information provides a consent, may not use the information for any purpose other than the intended business purposes. If an incident happens due to any violation of the foregoing privacy requirement, the “Institution Using Open Banking” should indemnify the relevant user or third party for any damages incurred by them in the absence of any special circumstances to be considered.

In this respect, “Institutions Using Open Banking” intend to thoroughly prepare to prevent any breach of personal information by putting procedures in place for protection of personal (credit) information as required by the relevant laws, including the PIPA and the CIUPA.

Bae, Kim & Lee LLC

Centropolis B
26 Ujeongguk-ro
Seoul 03161

+82 2 3404 0000

+82 2 3404 0001