Fintech 2025 Comparisons

Last Updated March 25, 2025

Contributed By Bae, Kim & Lee LLC

Law and Practice


Bae, Kim & Lee LLC was founded in 1980 and is a full-service law firm covering all major practice areas, including corporate law, mergers and acquisitions transactions, dispute resolution (arbitration and litigation), white-collar criminal defence, competition law, tax law, capital markets law, finance, intellectual property, employment law, real estate, technology, media and telecom, maritime and insurance matters. With more than 650 professionals located across its offices in Seoul, Beijing, Hong Kong, Shanghai, Hanoi, Ho Chi Minh City, Yangon and Dubai, it offers clients a wide range of expertise through a vast network of offices. The firm is composed of a diverse mix of Korean and foreign attorneys, tax advisers, industry analysts, former government officials and other specialists. A number of its professionals are multilingual and have worked at well-known law firms in other countries, enabling them to assist international clients as well as Korean clients abroad successfully with cross-border transactions.

There have been significant changes in the fintech industry in Korea in recent years. Some of the key changes are as follows.

The Act on the Protection of Virtual Asset Users (the “VAUPA”), enacted on 19 July 2023, came into force on 19 July 2024. As a result, virtual asset service providers (VASPs) that have registered under the Act on Reporting and Using Specified Financial Transaction Information (the “AML Act”) are now required to comply with new obligations, including the prohibition of market manipulation and unfair trading, mandatory segregation of user assets, insurance subscription and strengthening of internal controls. With the enactment of the VAUPA, Korea’s financial regulatory authorities have introduced a comprehensive regulatory framework for the virtual asset industry.

To address the emerging use of artificial intelligence (AI) systems in Korea, the National Assembly enacted and promulgated the Framework Act on Intelligent Informatization (the “FAII”) on 21 January 2025, which is scheduled to take effect on 22 January 2026. Under this framework, businesses offering products or services utilising high-impact AI or generative AI are required to notify users in advance and clearly indicate any outputs or products generated by these AI systems. Fintech companies that will implement AI systems in areas that significantly affect individuals' rights and obligations, such as lending or credit assessments, are likely to see those systems classified as high-impact AI under the FAII, and both the companies and their AI systems will therefore be subject to regulation under the FAII.

In addition, the FAII introduces new obligations for businesses, including the duty to ensure system safety and various accountability measures.

In December 2024, the Financial Services Commission (the “FSC”) announced its “Support Plan for the Use of Generative AI in the Financial Sector”, which outlines a dual-track approach for the adoption of generative AI with regard to commercial AI solutions and open source AI systems deployed on internal networks. The FSC is specifically focused on:

  • expanding the use of commercial AI by utilising the existing regulatory sandbox for network separation; and
  • establishing a dedicated AI platform for the financial sector using open source models, enabling financial institutions to adopt these tools more easily within the existing regulatory framework.

The business models of fintech companies in Korea are continuously evolving as they predominantly involve existing financial technologies and newly emerging financial innovations, such as digital banking, mobile/online payments, peer-to-peer (P2P) lending, robo-advisors, blockchain and cryptocurrencies, digital insurance platforms, open banking, algorithm trading, crowdfunding and AI-based financial services and super-applications.

Most recently, the strongest players emerging in the fintech sector are internet-only banks, VASPs such as crypto exchanges and electronic payment service providers, among others. Many of these emerging players were start-ups that have now become large companies.

Legacy players are also rapidly evolving by applying fintech business models to their existing licensed services. For example, commercial banks provide banking and payment services on mobile/online platforms while securities firms offer investment products on mobile/online platforms and co-operate with multiple robo-advisor service providers to provide automated advisory services and AI-based asset management and research services. These legacy players are also constantly researching and attempting to apply blockchain technology to their legacy financial services.

Fintech business models in Korea should comply with the specific legislation that applies to them because of the nature of their business. They should also comply with existing financial legislation. Fintech companies may therefore be subject to various legislation depending on the nature of their business. The main verticals are as follows.

  • Online/mobile payment services (other than banks) in e-commerce are regulated as issuers of prepaid/debit e-payment means or as payment gateway providers under the Electronic Financial Transactions Act (the “EFTA”).
  • Internet-only banks without physical offices are regulated by the Banking Act, subject to specific special treatments relating to their licensing, governance and business activities pursuant to the Special Act on the Establishment and Operation of Internet-only Bank (the “Internet Bank Act”).
  • P2P lending platform operators are regulated by the Online Investment-Linked Finance Act (the “P2P Lending Act”) in respect of their licensing and ongoing compliance.
  • Robo-advisors are regulated under the FSCMA.
  • Algorithmic trading is subject to registration with the KRX pursuant to the KRX markets business regulations as well as the FSCMA.
  • Crypto exchanges and digital wallet service providers are regulated as VASPs under the AML Act in respect of their licensing and ongoing compliance including anti-money laundering obligations and the VAUPA in respect of their business activities and user protection.
  • Insurtechs offering or brokering insurance products are regulated by the Insurance Business Act.
  • MyData service is regulated as personal credit information management business under the Credit Information Use and Protection Act (the “CIUPA”).

In addition, the legislation that generally applies to fintech business models, depending on their business elements, is as follows.

  • The Banking Act (if the company engages in accepting deposits from customers and providing loans).
  • The FSCMA (if the company engages in investment dealing or brokerage, discretionary management or investment advice or if financial investment products such as securities or derivatives are involved).
  • The Insurance Business Act (if the company sells insurance products).
  • The Act on Registration of Money Lending Business and Protection of Finance Users (the “Lending Business Act”) (if the company engages in providing loans without engaging in accepting customer deposits).
  • The Financial Consumer Protection Act (if the company engages in selling or advertising financial products including loans and insurance products to customers).
  • The CIUPA (if the company engages in providing credit rating or credit information or is involved in the transfer of personal credit information).
  • The Personal Information Protection Act (the “PIPA”) (in respect of the collection or transfer of personal information generally).
  • The Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (the “IT Network Act”) (if the company is an online service provider, who is required to take certain information security measures).
  • The Foreign Exchange Transactions Act (the “FETA”) (in respect of any payment between a Korean resident and a non-resident or any payment using a foreign currency).
  • The Special Act on Support for Financial Innovation (in respect of the operation of the regulatory sandbox programme).

The compensation restrictions and disclosures under traditional financial regulations are applicable to fintech service providers as well.

For example, the Lending Business Act limits brokerage fees and restricts loan brokers: they may not receive brokerage fees from the users of lending services and should instead receive fees from the relevant credit financial institutions, within the cap prescribed under the same Act.

Under the Financial Consumer Protection Act, if a financial product distributor solicits an ordinary financial consumer (or a retail investor) to conclude a contract or is requested by an ordinary financial consumer to provide an explanation, the financial product distributor should explain relevant fees in a way that an ordinary financial consumer can understand properly.

Financial investment service providers under the FSCMA may receive fees based on the size of transactions or assets they manage. These fees may be disclosed in periodic reports submitted to the regulators or in securities registration statements filed in connection with public offerings. In specific cases such as with investment advisory business, discretionary investment business and public offering funds, performance-based compensation may be prohibited.

Legislative bills on particular fintech business models contain provisions on fees. For example, the P2P Lending Act requires an online investment-linked financial business entity to notify information concerning fees and other incidental expenses through its online platform so that its users can easily understand it.

As mentioned in 2.2 Regulatory Regime, laws and regulations applicable to legacy players such as the Banking Act, the FSCMA, the Insurance Business Act and the Financial Consumer Protection Act apply equally to fintech companies. Additional laws and regulations related to fintech business models, such as the EFTA, the Internet Bank Act, the P2P Lending Act and the AML Act, apply depending on the nature of the business activities.

These additional laws do not necessarily suggest the application of a more stringent regulatory framework. In some cases, the new legislation excludes the application of existing regulations, thereby allowing relatively more flexible regulatory treatment for fintech companies. For example, while the Banking Act limits shareholding by non-financial dominant shareholders (industrial capital) in banks to 4%, the Act on Internet-only Banks raises this limit to 34%, effectively excluding the application of the Banking Act’s restriction in this context.

To promote financial innovation, the regulatory sandbox programme was introduced in 2019. This programme fully or partially exempts eligible fintech companies from various restrictions and requirements under financial-related laws (including permits and approval requirements).

Under the Special Act on Support for Financial Innovation, financial services which are considered innovative in terms of their content, method or form compared to the existing financial services may be designated as innovative financial services (regulatory sandbox).

Once the service provider applies for the regulatory sandbox programme, the FSC will review whether the service in question is eligible for designation as an innovative financial service. As part of the review process, the following factors are considered.

  • Innovativeness of the services.
  • Convenience and benefits for consumers.
  • Inevitability of application of regulatory exceptions.
  • Stability of the financial market and financial order.

Once a company is designated as providing innovative financial services, it may engage in the innovative financial services to the extent permitted according to its designation without any separate licence or may be exempt from complying with various ongoing requirements under laws and regulations that would have been applicable in respect of licensed financial services.

The regulatory sandbox exemption period cannot exceed two years and may be extended only once, for up to two years.

In May 2024, the FSC revised the application process for innovative financial services. Applicants previously submitted demand surveys and consulted with regulators before applying on a rolling basis. Under the new system, applications can now be submitted freely during designated quarterly windows. The new system was implemented in the second quarter of 2024.

This change has significantly increased participation of innovative financial service providers. While only 301 applications were submitted during the five years from the programme’s launch in 2019 through to 2023, 436 applications were received in 2024 alone, reflecting a notable expansion in engagement by fintech companies.

As of 2 April 2025, a total of 549 services have been designated as innovative financial services, with 207 of those services already launched.

The FSC and the Financial Supervisory Service (the “FSS”) are the two primary institutions in charge of regulatory enforcement over fintech products and services. The FSC is a government institution mainly responsible for creating financial policies. The FSS, acting as the enforcement arm of the FSC, is responsible for supervising and inspecting financial companies.

Financial regulators in Korea operate a system like the US “no-action” letter (which is referred to as a no-action opinion). The FSS issues a written opinion upon request, confirming in advance whether a proposed business activity or financial product would violate existing laws and be subject to regulatory sanctions. As with the US “no-action” letter system, this allows firms to seek regulatory clarity before launching new services or products. Once a no-action opinion is issued, the FSS refrains from taking any legal or enforcement action contrary to the content of the opinion, unless there are exceptional circumstances.

Under the Regulations on Outsourcing of Business of Financial Institutions (the “Business Outsourcing Regulations”), financial companies such as banks, insurance companies and credit card companies are allowed to outsource their business operations, except in the following cases:

  • when the work involves “essential elements” of the financial company's business that require a licence;
  • when the relevant laws and regulations require the financial company to perform the work; or
  • when the outsourcing may harm the financial company's credibility, cause financial disorder or harm financial users.

Financial companies must inform the regulator of their outsourcing at least seven business days before the start date, unless exempted under the Business Outsourcing Regulations.

The Data Processing Outsourcing Regulations may also apply to financial companies with respect to the outsourcing of data processing. Financial companies are allowed to outsource their data processing, unless:

  • it is prohibited by relevant laws and regulations;
  • the financial company has received a warning or sanction regarding user information in the last three years; or
  • the outsourcing may harm the financial company's credibility, cause financial disorder or harm financial users.

In addition, financial companies are not permitted to outsource the processing of “uniquely identifiable information”, such as resident registration numbers, to offshore companies.

Financial companies must report the outsourcing of data processing to the regulator at least seven days before in the case of domestic companies and 30 days before in the case of offshore companies unless exempted under the relevant regulations.

Depending on the specific business model, other regulations, such as the FSCMA, may apply with respect to outsourcing.

Fintech service providers who fall under the scope of financial companies are subject to various regulations requiring them to comply with specific prescribed gatekeeper responsibilities, including suspicious transaction reporting (STR), anti-money laundering (AML) and know your customer (KYC) regulations under the AML Act. New fintech players such as VASPs and P2P lending platform operators are also considered financial companies for the purposes of these regulations.

In addition, fintech providers can be subject to further specific obligations under the regulations applicable to the fintech provider depending on their business models, the steps they take to prevent illegal activities and ensure cybersecurity and the due diligence they carry out on customers’ suitability.

As the VASP registration regime under the AML Act has become the primary regulatory framework for virtual assets in Korea, the Financial Intelligence Unit (the “FIU”) under the FSC has adopted a strict enforcement stance. In principle, the FIU now prohibits any unregistered VASPs from conducting business in Korea and actively sanctions entities that support or facilitate transactions with these unregistered VASPs. In February 2025, the Korean financial authorities imposed one of the most significant regulatory penalties to date on Korea’s largest virtual asset trading platform operator.

The sanctions included a three-month suspension of particular business operations and were based on multiple compliance failures, including: providing transactional support to an unregistered overseas VASP; inadequate KYC procedures; failure to file STRs; and facilitating non-fungible token (NFT) transactions without conducting an AML risk assessment first. This enforcement action is widely viewed as a landmark case, signalling the regulators’ intention to strengthen oversight of the virtual asset sector and to raise compliance expectations across the industry.

In a separate case, the FIU fined another domestic exchange KRW2 billion for violations of KYC-related obligations. The exchange contested the fine and initiated an administrative lawsuit. In the latest ruling, the court annulled the FIU’s penalty. Legal proceedings are expected to continue and the outcome may have broader implications for how compliance requirements are interpreted and enforced going forward.

Personal data protection in Korea is governed by the PIPA. Meanwhile, the handling of credit information is regulated by the Credit Information Use and Protection Act. These laws apply to all financial institutions, including legacy players.

Financial security requirements are specifically addressed in the EFTA. The provisions of the EFTA apply to financial institutions (legacy players) and registered electronic financial business operators. However, fintech companies that operate without a financial licence are not subject to the security-related obligations under the EFTA.

As well as regulators like the FSC, the FSS and the KRX, there are self-regulatory organisations in particular industries such as the following.

  • The Korea Financial Investment Association which was established under the FSCMA to be in charge of: imposing self-regulations; registering and managing the professional workforce; conducting preliminary reviews of certain over-the-counter derivative products; and providing financial investment business-related training to protect investors and promote sound business operations among members of the Association.
  • The Specialised Credit Financial Business Association which was established under the Specialised Credit Finance Business Act and is responsible for: recommending improvements to business operation methods for members; reviewing the advertisements of specialised credit financial companies; and publication and amendment of industry standard terms and conditions.
  • The Insurance Association which was established under the Insurance Business Act and is responsible for: the determination of regulations on entrustment to insurance agents; the comparison and disclosure of insurance products; and publication and amendment of the rules required to be complied with by insurance companies.

Companies engaging in financial services under the requisite licence are usually restricted in terms of their business scope and activities. If a licensed financial service company intends to provide any unregulated products and services that do not fall within the scope of the financial licence held, the company will have to file a report in advance with the financial regulators, who have certain discretion in this matter, unless specifically permitted under the relevant regulations.

For example, there is no law regulating NFTs and NFT transactions can be brokered without any licence. However, for a licensed bank to provide these services it may have to file a report in relation to it as an incidental business engaged in by the bank.

In Korea, the AML Act governs AML as described in 2.8 Gatekeeper Liability.

As these rules apply to “financial companies” as defined under the same Act, particular fintech companies, such as VASPs and P2P lending platform operators which are classified as “financial companies” under the Act, should satisfy the applicable regulations under the Act. However, unregulated fintech companies that do not fall under the scope of “financial companies” are not directly subject to the Act.

As a member of the Financial Action Task Force (the “FATF”), Korea has established its AML and countering the financing of terrorism (CFT) framework based on FATF Recommendations. These requirements are codified in the AML Act, which is the primary legislative basis for Korea’s AML/CFT regime.

Under this regime, financial institutions have to carry out key compliance measures, including KYC, STR and large cash transaction reporting (CTR).

While the concept of reverse solicitation is generally recognised in Korea, the extent of its application varies across different industries and within different sectors of the financial industry in Korea.

For example, under the FSCMA, foreign investment dealers or brokers do not have to obtain a Korean licence if they do not engage in solicitation or advertising in Korea or towards Korean residents and merely engage in dealing or brokering transactions in response to reverse inquiries initiated by Korean residents.

In contrast, most other Korean financial regulatory laws do not explicitly address reverse solicitation and market practices regarding its interpretation differ by sector. For example, in the virtual asset sector, a foreign service provider is considered to be engaged in business or marketing activities towards Korean users, if it: offers a Korean-language website; conducts marketing campaigns targeting Korean users; or enables Korean customers to purchase virtual assets using credit cards.

Robo-advisors must satisfy the prescribed requirements to become an “electronic investment advice device” under the FSCMA and pass a screening test. However, there is no requirement for different business models to be adopted for different asset classes.

Many traditional financial companies have developed a robo-advisor system. In addition, they are also actively implementing solutions developed by other fintech companies specialised in robo-advisor business.

Since the introduction of the robo-advisor system, the number of consumers using robo-advisor services has gradually increased.

There are currently no “best execution” obligations applicable to robo-advisors. However, a financial company utilising a robo-advisor in providing financial services owes a duty of care to its customers in the same way as a financial company generally does under the FSCMA.

Under the Financial Consumer Protection Act, financial consumers are categorised into professional financial consumers and ordinary financial consumers.

Lenders offering loan products to ordinary financial consumers should comply with a set of rules, such as obligations to identify a customer’s status, to refrain from offering inappropriate products or unfair terms and to explain material terms of the product offered. Individuals and small businesses with fewer than five employees are classified as ordinary financial consumers.

It should also be noted that internet-only banks may only provide loans to individuals and small and medium enterprises (SMEs) in line with the Internet Bank Act. This restriction does not generally apply to other commercial banks.

There is no separate regulation regarding the underwriting of online lending. However, under the Lending Business Act, licensed lenders and credit financial institutions such as banks can only transfer loan receivables to registered debt collection agencies, other credit financial institutions and other entities specifically listed under the Act.

Banks take deposits from customers and use them to provide loans to borrowers, subject to specific deposit reserves and other various regulations under the Banking Act. Non-bank lenders, who are generally regulated under the Lending Business Act, cannot take deposits from customers and may only use their own funds to provide loans to customers. P2P lending platforms accept cash investments from investors and utilise the amount of the investment to provide loans to borrowers, subject to certain investment caps and other regulations under the P2P Lending Act. It is not common in Korea for the capital that funds online lending businesses to be raised through securitisation.

Online loan syndication is not common in Korea as banks typically syndicate loans for large volume transactions, which do not usually proceed online.

There is no legal requirement for a payment processor to use the existing payment rails. A payment processor that starts a new business may utilise a partnership with an existing payment processor that already has an established network. However, this business practice is driven by commercial considerations rather than legal factors.

Cross-border payments and remittances are subject to the FETA.

Any person who intends to engage in a cross-border payment and remittance business has to register the business with the Ministry of Economy and Finance in advance in line with the FETA. Financial companies are generally permitted to make cross-border payments within the scope of their registered foreign exchange businesses. A registered small amount cross-border remittance business entity may also handle cross-border payment and receipt up to a specific threshold per transaction and an annual aggregate cap.

Unless exempted by registration or other grounds, any person who engages in a cross-border capital transaction (such as lending/borrowing, raising capital and investing) may be required to file a report with the foreign exchange regulators. In addition, any person who pays or receives any amount exceeding a certain threshold to, or from, overseas may be required to submit documents as evidence.

In Korea, financial investment products are listed and traded on the KRX and the alternative trading system (the “ATS”). Unlisted stocks are traded on the over-the-counter trading platform.

Korea’s first ATS, Nextrade, launched on 4 March 2025. This marks the first operation of a multiple and competition-based stock trading system in the capital market in Korea.

With respect to virtual assets, approximately 28 registered VASPs are operating crypto exchanges. Virtual assets that do not constitute financial investment products are traded on these exchanges.

Financial investment products that are classified into securities (such as stocks, bonds, trust interests) and derivatives are mainly regulated by the FSCMA.

Meanwhile, virtual assets and electronic certificates that have an economic value and that can be traded or transferred electronically are regulated by the VAUPA.

Financial investment service providers must obtain the relevant licences under the FSCMA. The FSCMA also prohibits insider trading, market manipulation and other unfair trading activities related to financial investment products.

When it comes to virtual assets, VASPs have to register with the financial authority. Following the enactment of the VAUPA, insider trading, market manipulation and unfair trading activities related to virtual assets are now expressly prohibited.

Although regulations for virtual assets have been introduced gradually, the regulation on the transaction of financial investment products under the FSCMA is relatively more stringent than the regulation on the transaction of virtual assets. For example, public offering or trading of listed securities is subject to various disclosure regulations and increased regulatory scrutiny.

The emergence of cryptocurrency exchanges has led to the enactment of the VAUPA, which came into effect on 19 July 2024. The VAUPA aims to protect virtual asset users and establish a sound order in the virtual asset market.

The VAUPA contains definitions of virtual assets and non-virtual assets. It authorises VASPs to keep users’ deposits and virtual assets safe and to manage them. The VAUPA also establishes legal grounds to impose penalties and sanctions on unfair trading activities, such as the use of material non-public information and market manipulation.

Under the listing rules for the KRX, the following quantitative requirements are reviewed during the listing approval process:

  • the operating history;
  • capital size;
  • share distribution;
  • financial requirement;
  • restriction on stocks transfer;
  • corporate governance; and
  • accounting standards.

In addition, the following qualitative requirements are also considered:

  • company continuity;
  • management transparency; and
  • investor protection.

In terms of the virtual asset market, each VASP has its own listing regulations and standards. The level of security, sustainability and the expertise and capability of the issuer are generally the primary considerations.

According to the standard internal control criteria for financial investment companies presented by the Korea Financial Investment Association, if a financial investment company is entrusted with the sale and purchase orders for customers, the following principles should be complied with:

  • a company should handle orders in a fair way and on the basis of the principle of good faith. The company should not obtain or allow any third party to obtain benefits by harming the interests of the investors without any justifiable reasons;
  • a company has a fiduciary duty of care to set up a system for taking and handling customers’ sale and purchase orders in a prompt, fair and accurate way and an internal control system for inspection and verification;
  • a company should provide explanations to customers so that they can understand the methods of ordering, methods of handling and the terms and conditions of services provided, etc and allow them to independently make the relevant decisions; and
  • a company should receive customers’ sale and purchase orders in a fair and safe way for each method of ordering. They should also verify whether the person placing an order has the legitimate authority to make the order upon receipt of it.

Cryptocurrency exchanges are, in principle, prohibited under the AML Act from sharing order books with other cryptocurrency exchanges. The sharing of order books refers to an act of matching bid or ask prices and concluding transactions by sharing order books between cryptocurrency exchanges. However, a VASP is permitted to share order books if the:

  • other party is a VASP that has obtained authorisation in Korea or other countries and performs money laundering prevention obligations; and
  • VASP can verify information on the counterparty customers of the other VASP whom the customers of the VASP trade with.

In terms of markets for trading financial investment products, only those authorised in line with the FSCMA, such as the KRX and ATS mentioned in 7.1 Permissible Trading Platforms, are permitted. Although interest in P2P platforms for the brokerage of unlisted stocks has emerged in recent years, compliance with the law varies depending on the specific trading methods and business models.

The markets for trading virtual assets are mainly facilitated by centralised exchanges (server-client model, ie, exchanges broker investors’ transactions on virtual assets). The FSS has stated that if the operating entity controls the decentralised exchange and provides services such as deposits, loans or staking of virtual assets, then these services provided by a decentralised exchange will fall within the scope of buying or selling, exchanging, transferring, safekeeping and administrating, etc of virtual assets and the Act on the Protection of Virtual Assets and the Act on Reporting and Use of Certain Financial Transaction Information will apply.

There are no specific regulations on payment for order flow in Korea.

The FSCMA prohibits the use of material non-public information of a listed company for the sale and purchase of securities (insider trading). The FSCMA also prohibits market manipulation and market disturbance as well as unfair trading activities, such as utilising an unfair scheme in connection with the trading of financial investment products.

The VAUPA also prohibits the use of material non-public information of virtual assets for the sale and purchase of virtual assets (insider trading). In addition, the VAUPA prohibits market manipulation and market disturbance.

The KRX made some amendments to the Securities and Derivatives Markets Business Regulation in 2023. The aim was to improve the risk management regime of the capital market in Korea.

Under the revised Regulation, “high-speed algorithmic trade” is defined as any algorithmic trade conducted:

  • by installing an exclusive ordering system owned or directly controlled by an investor at the IT (computing) centre of a KRX member; or
  • as proprietary trading by a KRX member firm.

Any investor who intends to entrust a KRX member to place orders for high-speed algorithmic trading must be registered as a high-speed algorithmic trader with the KRX and any KRX member who intends to engage in “high-speed algorithmic trade” themselves must file a report as a high-speed algorithmic trader in advance. If an investor is not registered as a high-speed algorithmic trader, the KRX member must refuse to accept the “high-speed algorithmic trade” order.

Notably, different asset classes do not have different regulatory regimes.

Only licensed investment dealers or brokers are generally permitted to act as market makers under the FSCMA.

The market making system is aimed at increasing the market liquidity of a target security with poor liquidity as chosen by the KRX. A market maker enters into a market making agreement with the KRX to continuously offer to both buy and sell the target securities. It should be noted that only KRX members who are investment dealer-brokers can become a market maker.

The regulations on “high-speed algorithmic trade” by the KRX do not distinguish between funds and dealers.

There is no law or regulation that directly applies to programmers who develop and create trading algorithms and other electronic trading tools. However, they may be found guilty of being an accomplice to any act generally prohibited by the FSCMA, such as price manipulation or market disturbance depending on their specific conduct and be penalised accordingly.

Any person who wishes to sell insurance products has to be registered with the FSS as an insurance agent, insurance solicitor or insurance broker and comply with the relevant regulations under the Insurance Business Act. The sale of insurance products to customers is also governed by the Financial Consumer Protection Act as described in 4.1 Differences in the Business or Regulation of Fiat Currency Loans Provided to Different Entities.

The underwriting processes may include gathering financial records and personal data to determine the risk profile of the customer and set insurance premiums. The use of an automated data processing method in the underwriting process is increasing, which highlights the growing importance of data protection and privacy laws.

Under the Insurance Business Act, there are three types of insurance:

  • life insurance;
  • non-life insurance; and
  • type 3 insurance business.

A person who intends to engage in insurance business has to obtain a licence from the FSC according to the types of insurance business and the capital and fund requirements vary depending on the type of insurance business.

In principle, insurance companies are prohibited from concurrently operating a life insurance business and a non-life insurance business. However, operating both types of insurance business is allowed if it involves a parent company or its subsidiary.

While regtech has continued to develop its presence and grow in importance, there is no regulation in Korea that relates specifically to regtech providers. Regtech service providers are therefore regulated under the existing legal framework depending on their activities for now.

There is no regulation that relates to the performance and accuracy of the services of regtech providers. The contractual terms sought by financial service firms with regtech providers are usually driven by internal regulations of the financial services firms and may vary depending on the specific type of service provided by regtech providers.

Existing financial companies continue to conduct experiments to utilise blockchain technology in various fields. For example, some companies have introduced decentralised ID (DID) technology. This involves encoded identification information being stored in a blockchain and the information can be confirmed whenever necessary. There have also been attempts to utilise blockchain technology in connection with cross-border remittances.

In addition, the Bank of Korea is conducting an experiment in connection with the introduction of central bank digital currencies (CBDC). Several commercial banks have also engaged in issuing deposit tokens, which tokenise bank deposits into digital assets on distributed ledger systems.

Meanwhile, the (draft) Digital Asset Basic Act is expected to be introduced soon. According to the draft legislation, the issuance of stablecoins will have to be approved by the FSC. However, general virtual assets will only need to be reported to the regulators before they are issued.

Regulatory authorities in Korea are encouraging innovation through the utilisation of blockchain technology. The Korea Internet & Security Agency (the “KISA”) specifically, under the guidance of the Ministry of Science and ICT, is looking to promote the enactment of a draft Blockchain Basic Act to expand the adoption of blockchain and support the development of the industry in the country. As part of this initiative, it is conducting research on blockchain-related technologies, including distributed ledger technology (DLT), evaluation standards for DID and providing legal force to smart contracts.

Meanwhile, to issue security tokens in Korea, amendments to the FSCMA and the Act on Electronic Registration of Stocks and Bonds are needed. Amendments to both Acts have recently been proposed with the goal of institutionalising the security token offering (STO) and fractional investment markets.

In addition, several blockchain-based services are exempt from specific regulations through the financial regulatory sandbox programme.

However, the financial regulatory authorities distinguish between blockchain technology and virtual assets and are taking a reserved and restrictive approach to the virtual asset industry.

The VAUPA and the AML Act define virtual assets as electronic certificates that have an economic value and can be traded or transferred electronically (except for electronic currency and electronic prepayment means, etc) and blockchain assets that satisfy these requirements will be classified as virtual assets.

There are no other financial laws or regulations that specifically regulate blockchain assets. However, depending on their specific nature, a blockchain asset may be classified as a financial instrument and be regulated under the existing legal framework.

For example, any blockchain asset that satisfies the definition of “securities” under the FSCMA may be classified as a security and the regulations applicable to a security or any blockchain asset will apply. The security will also have to satisfy the requirements for electronic prepayment means and may have to be classified as an electronic prepayment instrument. In addition, the security will have to follow the applicable regulations. However, since electronic prepayment means require a centralised issuer, blockchain assets are unlikely to fall under this category.

The Korean government announced the prohibition of initial coin offerings (ICOs) in 2017 and has kept this position to date. Issuing any blockchain assets that constitute virtual assets is therefore not allowed in Korea. However, the government is planning to permit the issuance of security tokens by amending the relevant laws and regulations and is expected to permit the issuing of other virtual assets as well once the laws and regulations to build a legal framework for virtual assets are enacted.

Under the AML Act, a person who intends to engage in the sale, exchange and brokerage of virtual assets as a business is required to register as a VASP. The obligation to register as a VASP under the Financial Information Transaction Act was mainly established to impose AML obligations on VASPs. Most of the obligations imposed on VASPs under the Financial Information Transaction Act are therefore related to the AML regime. On the other hand, no special regulation applies to P2P transactions.

The FSC is planning to create a new separate licence unit for the operation of security token trading platforms as discussed in 1.1 Evolution of the Fintech Market.

Staking services are not prohibited under Korean law. However, under the VAUPA, a staking service provider must retain actual possession of the virtual assets entrusted by users. Providers may therefore only offer staking services they operate directly rather than outsourcing these activities to third parties. In addition, if a provider takes custody of users’ virtual assets, it is required to obtain a virtual asset custody service licence for these activities.

Lending services relating to cryptocurrencies are not prohibited or restricted under Korean law. The financial authorities have interpreted that virtual assets do not fall within the scope of “money or the like,” which is subject to regulation under the Lending Business Act. The restrictions under the Lending Business Act are currently understood to only apply to businesses involved in lending fiat currency and not therefore to those involving virtual assets. Lower courts have also ruled that virtual assets such as bitcoin do not constitute “money” as defined in the Lending Business Act.

Derivatives with virtual assets as underlying assets are currently prohibited under the policies of the Korean financial authorities. Virtual asset exchanges in Korea do not therefore offer products such as futures or options based on virtual assets. While traditional securities exchanges recognise particular qualified entities as market makers or liquidity providers, these roles are not recognised in the context of virtual assets.

There is no clear legislation that defines or regulates decentralised finance (DeFi). It therefore remains uncertain whether one can avoid virtual asset-related regulations on the basis that a service qualifies as DeFi. However, the VAUPA and the AML Act apply to entities that conduct virtual asset-related activities as a business. If a particular entity continuously and repeatedly derives profit, such as by receiving a particular form of revenue, including fees, regardless of their structure, that entity may be subject to regulation under these laws, even if the service is operated under the name of DeFi.

Conversely, if there is only a protocol in place and no specific entity exercises control or significant influence over its operation, nor engages in the continuous and repeated pursuit of profit, the protocol or any related entity is unlikely to be subject to regulation under these laws.

The financial supervisory authorities are currently largely against investment in virtual assets by funds established by domestic collective investment business entities. This is because virtual assets are not considered eligible investment targets under the FSCMA and, in consideration of these circumstances, funds established onshore do not invest in virtual assets. They are instead known to invest in blockchain assets indirectly by investing in the companies that own the blockchain technology.

The FSC specifically prohibits the issuance of spot bitcoin exchange traded funds and the brokerage of overseas spot bitcoin exchange traded funds. This is because these activities could be considered to be inconsistent with the government’s established position and may violate the FSCMA. However, overseas bitcoin futures exchange traded funds are permitted.

Under the existing legal framework, there is no clear definition of virtual currency. However, in the market it refers to blockchain assets which function as means of payment in general. It may be defined in the EFTA which is awaiting amendment or another act. In terms of stablecoins, the applicable legal framework remains to be determined.

In terms of virtual assets, the VAUPA defines virtual assets as electronic certificates that have economic value and that can be traded or transferred electronically except for the following.

  • Electronic certificates that cannot be exchanged for money, goods or services, etc or, if as part of information about the certificate, the place and purpose of the use of the certificates are restricted by the issuer.
  • Products obtained through gaming services or products.
  • Electronic prepayment means and electronic currency.
  • Electronically registered stocks, electronic bills, electronic bills of lading and electronic forms of currency and related services.

The majority of blockchain assets are likely to satisfy this definition of virtual assets and there will therefore not be many differences between the treatment of virtual assets and blockchain assets.

The FSC has issued guidelines for determining whether NFTs qualify as virtual assets. Under these guidelines, NFTs must be assessed first to determine whether they constitute “securities” under the FSCMA. If they do not, the next step is to determine whether they fall under the category of "virtual assets" as defined in the VAUPA.

Regardless of their form or underlying technology, if the rights acquired by the investor are considered to constitute securities under the FSCMA, the FSCMA will apply.

If the NFT does not qualify as a security under the FSCMA, it must then be determined whether it qualifies as a virtual asset. In making this determination, the following factors are considered.

  • Whether the NFT is issued in large quantities or as part of a large-scale series and is highly interchangeable.
  • Whether it is divisible, thereby significantly reducing its uniqueness.
  • Whether it can be used, directly or indirectly, as a means of payment for specific goods or services.
  • Whether it can be exchanged between unspecified parties for virtual assets or used in connection with other virtual assets for the payment of goods or services.

If any of these criteria are met, the NFT will be regulated under the VAUPA as a virtual asset.

Open banking is currently operated in line with the rules of the Korea Financial Telecommunications and Clearings Institute (the “KFTC”). However, the FSC is planning to introduce a legislative basis for open banking.

Fintech service providers that have executed an agreement for the use of open banking with the KFTC and financial institutions participating in open banking (“Institutions Using Open Banking”), may in general expeditiously and easily launch various fintech services by utilising open application programming interfaces (APIs) and testbeds to integrate new IT technology into existing financial services.

However, the following are excluded from using open banking:

  • “withdrawal agency services” in which “Institutions Using Open Banking” make withdrawals acting as agent, or resell the right to withdraw thereto, with a user’s consent to withdrawal obtained through a third party; and
  • “payment services” in which “Institutions Using Open Banking” collect a certain amount on a regular and repeated basis in return for the goods or services that they provide to a user.

Any company likely to engage in an act that may disturb the financial order or cause harm to consumers may also not be permitted to use open banking.

“Institutions Using Open Banking” should manage the personal information of users or recipients obtained in connection with the open banking business in a way that prevents any unauthorised disclosure and, unless the subject of the information provides consent, may not use the information for any other purposes than the intended business purposes.

If an incident happens because this privacy requirement is violated, the “Institution Using Open Banking” should indemnify the relevant user or third party for any damages incurred by them in the absence of any special circumstances to be considered.

In this respect, “Institutions Using Open Banking” must thoroughly prepare to prevent any breach of personal information by putting procedures in place for the protection of personal credit information as required by the relevant laws, including the PIPA and the CIUPA.

Fraud is primarily regulated under the Criminal Law as a criminal offence. The elements of fraud are generally categorised as follows:

  • fraudulent conduct;
  • causing a mistake;
  • a dispossession act;
  • causal relationship between the fraudulent conduct and the mistake as well as between the mistake and the dispossession act;
  • acquisition of property benefit; and
  • occurrence of property damage.

In addition, specific types of fraud are regulated under specialised laws. For example, the Specialised Credit Finance Business Act regulates the act of forging or altering credit cards or using or selling forged or altered credit cards. In these cases, the elements related to the forgery or alteration of the credit card must be met for the offence to apply. Similarly, the EFTA regulates acts involving means of access.

Regulatory authorities monitor various types of fraud, including:

  • electronic communications financial fraud (such as phishing, smishing and pharming);
  • authorised push payment fraud;
  • illegal loan fraud; and
  • cryptocurrency-related fraud (eg, market manipulation).

Special attention is given to monitoring electronic communications financial fraud that involves the leaking of personal information.

Under the EFTA, financial institutions or electronic financial service providers (hereinafter referred to as "electronic financial service providers") are liable for compensating customers for all damages arising in the following cases:

  • accidents caused by the forgery or alteration of means of access;
  • accidents arising from the electronic transmission or processing of contract formation or transaction instructions; and
  • accidents resulting from the use of means of access obtained through false or fraudulent means by intruding into electronic devices or information communication networks for electronic financial transactions.

However, electronic financial service providers may have a defence: the customer may bear all or part of the responsibility for the damage if the provider can prove that the customer acted with intent or gross negligence and an agreement was made with the customer in advance regarding the customer bearing partial responsibility for damages in these cases, or if due diligence was sufficiently performed for corporate clients.

Bae, Kim & Lee LLC

Centropolis B
26 Ujeongguk-ro
Jongno-gu
Seoul 03161
South Korea

+82 2 3404 0000

+82 2 3404 0001

bkl@bkl.co.kr www.bkl.co.kr/law?lang=en