Chambers PA: FinTech 2020 South Korea
Currently there are no prohibitions or restrictions on specific types of financial technology (“FinTech”) businesses in Korea nor an existing Korean regulatory regime that specifically regulates cryptocurrency or blockchain. However, FinTech businesses are likely to be subject to existing Korean laws and regulations depending on the specific nature of the business undertaken.
Korean financial regulators and policy-makers are generally receptive to FinTech innovations and technology-driven new entrants to regulated financial services markets in Korea. The Korean government identified FinTech as one of its 24 key areas to support innovation as a means to spur growth in the Korean financial industry. For example, the Korean government established the FinTech Support Centre that provides guidance on FinTech-related projects and an opportunity for FinTech start-ups to present their services to Korean financial institutions.
In terms of specific FinTech-friendly policies, the Special Act on Assistance to Financial Innovation, which became effective on 1 April 2019, introduced a regulatory sandbox scheme in Korea. This new law introduced expedited confirmation on regulation and relaxed regulatory standards for financial services designated as innovative financial services by the Korean government. Pursuant to such policy, as of May 2019, 18 FinTech solutions were selected for inclusion in the regulatory sandbox, three of which incorporate blockchain technology.
Furthermore, the Korean government offers special incentive schemes mainly in the form of tax incentives for FinTech businesses including small/medium-sized businesses in Korea. Notably, small/medium-sized businesses established in certain areas of Korea that are not located in highly populated cities can receive 50% corporate income tax relief for up to five years. Also companies identified as “venture businesses” by the Korean government, which could include many FinTech companies, may receive 50% corporate tax relief even if they are located in highly populated cities in Korea. For certain R&D costs (including labour costs and material costs), an R&D tax deduction may be available as well.
Despite promoting policies conducive to FinTech businesses, the Korean government has also shown concern for anti-money laundering and other consumer protection matters. Korea’s Financial Services Commission (the “FSC”) amended the Anti-Money Laundering Guidelines for Cryptocurrencies (“AML Guidelines”) in June 2018, requiring, among others, that financial institutions enhance monitoring for accounts of cryptocurrency companies used for operating expenses and file lists of foreign cryptocurrency companies.
Also, Korea’s “P2P Loan Guidelines” was amended in 2019 to expand the scope of disclosure for P2P lenders. The main contents of the amended P2P Loan Guidelines are as follows:
- For an individual investor, investment limits of KRW 10 million per one P2P business (KRW 5 million for an equivalent borrower), provided that an additional KRW 10 million is permitted for credit loans.
- An individual investor who has satisfied income requirements, KRW 40 million per one P2P business (KRW 20 million for an equivalent borrower).
- For corporate investors and individual professional investors, no credit limit.
- Regulation of advertisements and regulation of mandatory disclosure items.
- Regulation of business activities in which P2P lending businesses cannot participate in P2P lending as the investor.
Currently, there are no prohibitions or restrictions for specific types of FinTech businesses in Korea. However, FinTech businesses providing certain financial services are required to obtain a licence under the relevant Korean financial laws and regulations.
Specifically, Korea’s Electronic Financial Transaction Act (the “EFTA”) regulates electronic financial transactions in Korea. The EFTA covers the:
a. rights and obligations of parties to an electronic financial transaction;
b. provisions to ensure the safety of electronic financial transactions and protection of users; and
c. authorization, registration and specific scope of activities of electronic financial businesses.
as the EFTA defines “electronic financial business” to include:
a. issuance and management of electronic currency;
b. electronic funds transfer services;
c. issuance and management of electronic debit payment services;
d. issuance and management of electronic prepayment services;
e. electronic payment settlement agency services;
f. depository service for settlement of transactions; and
g. intermediary electronic collection and payment services between payors and payees.
Other than the issuance and management of electronic currency, which must be licensed by the FSC, the above types of electronic financial businesses must be registered with the FSC and are supervised by the FSC and Korea’s Financial Supervisory Service (the “FSS”).FinTech businesses that do not engage in electronic financial business activities under the EFTA but intend to undertake regulated activities in Korea, such as banking or credit card businesses, should review whether it is required to obtain appropriate authorization (licence or registration) from the relevant Korean regulatory authorities such as the FSC or the FSS.
There are no laws or regulations that specifically regulate transactions involving cryptocurrencies in Korea. However, Korean regulators tend to apply existing relevant Korean laws such as the Financial Investment Services and Capital Markets Act (the “FSCMA”) and the Criminal Act to cryptocurrency-related transactions. The FSCMA defines securities as “financial investment products for which investors do not owe any obligation to pay anything in addition to the money or any other valuables paid at the time of acquiring such instruments.” Securities are categorized into six classes under the FSCMA: debt securities, equity securities, beneficiary certificates, investment contract, derivatives-linked securities, and depositary receipts. Cryptocurrency could likely fall under the FSCMA’s definition of debt security, equity security or investment contract depending on the specific facts and circumstances involved.
Cryptocurrency exchanges are currently not directly subject to any anti-money laundering requirements under Korea’s Act on Reporting and Use of Certain Financial Transaction Information (the “AML Act”). However, cryptocurrency exchanges are indirectly affected by the AML Act’s anti-money laundering requirements through its application to financial institutions.
Financial institutions doing business with virtual currency exchanges and/or custodial wallet providers are subject to the AML Guidelines. The notable requirements under the AML Guidelines include: (i) real-name verification for fiat withdrawal from and deposits to cryptocurrency exchanges; (ii) customer due diligence to check the identity of users, maintenance of a separate transaction record for each user, and compliance with cryptocurrency-related policies; and (iii) monitoring and reporting suspicious transactions. Korean financial regulators may issue correction orders or business suspension orders pursuant to the AML Act if a financial institution violates a provision of the AML Guidelines.
There are also several bills seeking to directly regulate cryptocurrency exchanges proposed in Korea’s National Assembly including the Special Act on Cryptocurrency Business, which seeks to, among others, impose licensing requirements, anti-money laundering requirements, consumer protection and cybersecurity requirements for cryptocurrency exchanges and cryptocurrency-related businesses, impose record-keeping obligations, explicitly incorporate cryptocurrency businesses into the AML Act, and mandate the adoption of cybersecurity measures. Moreover, in November 2019, the National Assembly’s national policy committee passed a bill that defines virtual currencies as digital assets. Under the new bill, all cryptocurrency businesses are required to report and register as digital asset businesses. Upon approval by the judiciary committee and main floor of the National Assembly, the bill will become effective within a year.
There are no Korean tax laws that explicitly regulate cryptocurrencies. Some accounting firms have interpreted cryptocurrencies as “intangible assets” for Korean accounting treatment. Korea’s National Tax Service (“NTS”) has called for the need to develop accounting standards for cryptocurrencies. Korea’s Ministry of Economy and Finance has announced that plans for the taxation of cryptocurrencies are being developed, but no decisions have been made. The NTS published its preliminary assessment of taxing cryptocurrencies, which is not an official policy but does represent the only published position or research on cryptocurrency taxation by the government. The NTS’ assessment noted that cryptocurrencies tend to be hybrid products that may have characteristics of, among others, fiat currency, securities and goods. Based on this determination, the NTS has made a preliminary assessment of taxation on cryptocurrencies under the existing laws as follow:
Corporate Income Tax (11%-27.5%): Theoretically taxable under current law
Corporate or Individual VAT (10%): Undecided
(Individual) Income Tax (6.6%-46.2%): Theoretically taxable under current law
Capital Gains Tax (6.6%-46.2%): Undecided, but for retail investors, levying Capital Gains Tax is advisable
Inheritance and Gift Tax (10%-50%): Theoretically taxable under current law
In addition, the NTS has noted that to increase transaction transparency and to prevent tax avoidance, strengthening the regulation of cryptocurrencies is required. The NTS mentioned the introduction of a registration requirement for cryptocurrency exchanges, the implementation of the Real Name Verification System, and the imposition of anti-money laundering requirements and reporting requirements on cryptocurrency exchanges as examples of possibly regulatory improvements.IV. Initial Coin Offerings
In September 2017, the FSC issued a press release prohibiting initial coin offerings (“ICOs”) in Korea, but no laws or regulations have yet to been enacted to enforce this prohibition of ICOs. Subsequently, in January 2019, the Korean government announced the result of its monitoring of the ICO practice in Korea and its proposed approach in regulating ICOs. In this announcement, the Korean government stated that they identified companies bypassing the government’s prohibition on ICOs by performing ICOs through paper companies in foreign jurisdictions (such as Singapore) while raising funds from domestic investors. The Korean government announced that such practice substantively constitutes domestic ICOs, albeit in the form of a foreign ICO. Moreover, the Korean government stated that domestic investors were at significant risk due to such practice, because the companies performing the ICOs did not disclose substantial information for the investors to make an informed decision.
In addition, the Korean government also deemed that certain ICO projects may violate the FSCMA in case an ICO project involves (i) issuance and transaction of P2P collateralized loan tokens, (ii) sale of cryptocurrencies investment funds, or (iii) operation of unauthorized financial investment business by providing investment services with ICO tokens.
Considering that ICOs pose high investment risks and lack a global regulatory framework, the Korean government announced that it will take a conservative approach in legalizing ICOs. In the same vein, the Korean government maintained an equivocal position as to whether it will publish an ICO guideline, saying that the government’s issuance of such a guideline may give the market the wrong impression that the government had officially approved domestic ICOs.
V. Personal Data Protection
In Korea, the protection and regulation of personal data is primarily governed by Korea’s Personal Information Protection Act (“PIPA”). PIPA is the overarching personal data protection law in Korea that may apply to FinTech businesses operating in Korea. PIPA prescribes detailed measures for each of the stages involved in the processing of personal data such as collection and use, provision to a third party, outsourcing and destruction. PIPA must be followed by all personal information processing entities, which are defined as all persons, organizations, corporations and governmental agencies that process personal data for business purposes. Under PIPA, data subjects must be informed of, and provide their consent to the following matters before their personal data is collected or used: (i) the purpose of the collection and use; (ii) the items of personal information that will be collected; (iii) the duration of the possession and use of the personal information; and (iv) disclosure that the data subject has a right to refuse to give consent and the negative consequences or disadvantages that may result due to such refusal.In addition, there are various sector-specific privacy laws such as the Act on the Promotion of IT Network Use and Information Protection (the “Network Act”) and the Use and Protection of Credit Information Act (the “Credit Information Act”) that complements PIPA. The Network Act regulates the processing of personal information in the context of services provided by online service providers (e.g., personal information collected through a website). The Credit Information Act regulates and protects financial transaction information and credit information of individuals and entities. Both the Network Act and the Credit Information Act can apply to FinTech businesses operating in Korea.
Korea’s Ministry of the Interior and Safety is responsible for enforcing the PIPA. Korea’s Korean Communications Commission and Ministry of Science and ICT are responsible for enforcing the Network Act. The FSC and the FSS are responsible for enforcing the Credit Information Act. Each of these regulatory agencies can make requests for information and conduct inspections at the premises of data controllers to ensure they are compliant with the respective privacy laws. In addition, once a violation of a relevant privacy law is confirmed, each of these respective regulatory agencies can impose administrative penalties, such as corrective orders and fines, and, as necessary, refer the case for criminal prosecution. Criminal sanctions can be imposed following an investigation by the police or prosecutor’s office, either on its own initiative or upon a referral by the relevant regulatory authority.
As for the applicability of these laws to overseas entities, PIPA applies to all personal information processing entities regardless of whether they are located overseas. In addition, sector specific privacy laws such as the Network Act would apply to overseas online service providers collecting personal information in Korea. Further, the Credit Information Act would also apply to overseas entities handling financial transaction information and credit information of individuals or entities in Korea. Although PIPA, the Credit Information Act, and the Network Act do not specifically address their jurisdictional scope for overseas entities, the Korean regulatory authorities have measures to ensure compliance by overseas entities with these laws.
That said, on January 9, 2020, the National Assembly passed amendments to the PIPA, Network Act, and Credit Information Act (the “Amendments”). The Amendments (i) clearly distinguish between different types of personal data, pseudonymized data and anonymized data, and enact detailed provisions on the processing of pseudonymized data; (ii) establish the Personal Information Protection Commission (the "PIPC") into the central data privacy regulatory authority; (iii) transfer to PIPA all privacy provisions in the previous Network Act relating to online service providers; and (iv) clarify that the Credit Information Act, which used to apply mostly to the financial institutions, now also applies to all commercial companies and grant the PIPC with the authority to request information, to investigate, to conduct on-site investigations, and to impose corrective orders and administrative fines for the purpose of enforcing the Credit Information Act. The Amendments will become effective six months from the promulgation by the President, except for certain provisions in the Credit Information Act, which will come into effective in 12 to 18 months after the promulgation, to be specified in the Presidential Decree.
The main statutes in the context of cybersecurity that apply to FinTech businesses are the PIPA and the Network Act. The PIPA and the Network Act prescribe detailed technical security and administrative requirements for cybersecurity such as: (i) the establishment and implementation of an internal management plan for the secure processing of personal information; (ii) installation and operation of an access restriction system for preventing illegal access to and leakage of personal information; and (iii) the application of encryption technology to enable secure storage and transfer of personal information.
Further, the EFTA criminalizes certain types of cyber activities that may apply to FinTech businesses operating in Korea. The EFTA criminalizes cyber activities that: (a) intrude on electronic financial infrastructures without proper access rights or by surpassing the scope of permitted access rights or altering, destroying, concealing or leaking data that is saved in such infrastructures; and (b) destroy data, or deploy a computer virus, logic bomb or program such as an email bomb for the purpose of disrupting the safe operation of electronic financial infrastructures.
In Korea’s recent FinTech environment, a variety of industries have been established, and the related market is developing rapidly. As explained above, Korea’s financial supervisory authorities have recently announced various policies to promote FinTech. Although the Korean government has shown hesitance in endorsing or institutionalizing cryptocurrencies and has repeatedly warned investors about the potential dangers of investing in them, it has expressed interest in fostering, promoting and investing in blockchain technology as part of its strategic and economic plans. Furthermore, while the central government appears to be uneasy about cryptocurrencies, some local governments have shown interest in issuing their own cryptocurrencies. The pending bills and enacted regulations explained above should be closely monitored as they may provide a more coherent framework for the regulation of cryptocurrencies and other FinTech related issues.