Currently there are no prohibitions or restrictions on specific types of financial technology (“FinTech”) businesses in Korea nor an existing Korean regulatory regime that specifically regulates cryptocurrency or blockchain. However, FinTech businesses are likely to be subject to existing Korean laws and regulations depending on the specific nature of the business undertaken.
Korean financial regulators and policymakers are generally receptive to FinTech innovations and technology-driven new entrants to regulated financial services markets in Korea. The Korean government identified FinTech as one of its 24 key areas to support innovation as a means to spur growth in the Korean financial industry. For example, the Korean government established the FinTech Support Centre, which provides guidance on FinTech-related projects and an opportunity for FinTech startups to present their services to Korean financial institutions.
In terms of specific FinTech-friendly policies, the Special Act on Assistance to Financial Innovation, which became effective on April 1, 2019, introduced a regulatory sandbox scheme in Korea. This new law introduced expedited confirmation on regulation and relaxed regulatory standards for financial services designated as innovative financial services by the Korean government. Pursuant to such policy, as of November 2020, 120 FinTech projects were selected for inclusion in the regulatory sandbox, six of which incorporate blockchain technology.
On August 5, 2020, the Korean government amended its three main data privacy laws: the Personal Information Protection Act (“PIPA”), the Act on the Promotion of the Use of the Information Network and Information Protection (“Network Act”), and the Credit Information Use and Protection Act (“Credit Information Act”). The amended PIPA and Credit Information Act introduces the concept of “pseudonymized data.” Pseudonymized data is defined as personal information, including personal credit information, which has gone through partial deletion or partial or total substitution, such that the information can no longer identify an individual without additional information and such that it cannot identify a specific living individual without using or combining it with additional information to restore it to its original state. As such, pseudonymized data can be utilized without the data subject’s consent if the purpose is for preparing commercial statistics, including market research and industrial studies, and preservation of public records.
Furthermore, the Korean government offers special incentive schemes, mainly in the form of tax incentives for FinTech businesses including small/medium-sized businesses in Korea. Notably, small/medium-sized businesses established in certain areas of Korea that are not located in highly populated cities can receive 50% corporate income tax relief for up to five years. Also companies identified as “venture businesses” by the Korean government, which could include many FinTech companies, may receive 50% corporate tax relief even if they are located in highly populated cities in Korea. For certain R&D costs (including labour costs and material costs), an R&D tax deduction may be available as well.
Despite promoting policies conducive to FinTech businesses, the Korean government has also shown concern for anti-money laundering and other consumer protection matters. The partial amendment of the Korea’s Act on Reporting and Use of Certain Financial Transaction Information (“AML Act”) was promulgated on March 24, 2020 and will be effective on March 25, 2021 (the “Partial Amendment“). Pursuant to the Partial Amendment, anti-money laundering requirements will apply to virtual asset service providers (“VASP”) (e.g., cryptocurrency exchanges and other virtual asset service providers). Under the Partial Amendment, VASPs will be subject to various AML requirements, including suspicious transaction report, currency transaction report and customer due diligence.
Also, Korea’s Online Investment-linked Finance Act (“Online Investment Act”) became effective on August 27, 2020. This is a new legislation on P2P lending that regulates P2P business registration, regulations on sales practices, and measures for consumer protection. The Online Investment Act is intended to promote development of the P2P lending sector and bolster investor protection. Specific P2P investment limits will apply to different types of investors and investment products as set forth below (applicable from May 1, 2021).
• Retail investors: To same borrower, KRW5 million; Total, KRW30 million (KRW10 million for real estate)
• Accredited investors: To same borrower, KRW20 million; Total, KRW100 million
• Corporate investors Professional investors: Credit limit of 40% of the relevant P2P investment
FinTech businesses providing certain financial services are required to obtain a licence under the relevant Korean financial laws and regulations. Specifically, Korea’s Electronic Financial Transaction Act (the “EFTA”) regulates electronic financial transactions in Korea, and the EFTA defines “electronic financial business” to include:
a. issuance and management of electronic currency;
b. electronic funds transfer services;
c. issuance and management of electronic debit payment services;
d. issuance and management of electronic prepayment services;
e. electronic payment settlement agency services;
f. depository service for settlement of transactions; and
g. intermediary electronic collection and payment services between payers and payees.
Other than the issuance and management of electronic currency, which must be licensed by the Korea’s Financial Services Commission (the “FSC”), the above types of electronic financial businesses must be registered with the FSC and are supervised by the FSC and Korea’s Financial Supervisory Service (the “FSS”).
FinTech businesses that do not engage in electronic financial business activities under the EFTA but intend to undertake regulated activities in Korea, such as banking or credit card businesses, should review whether it is required to obtain appropriate authorization (license or registration) from the relevant Korean regulatory authorities such as the FSC or the FSS.
Furthermore, the FSC unveiled its plans to promote digital finance (“Digital Finance Transformation Plan”) on July 24, 2020 focusing on improving regulations for the FinTech industry, ensuring strong protection for digital finance users, building foundations and infrastructure to facilitate large volumes of digital financial transactions, and strengthening data security to ensure stability in the financial system. Under the Digital Finance Transaction Plan, the regulatory framework for electronic financial businesses will be streamlined by reorganizing the current subsectors into three functional categories. Also, new electronic financial businesses such as (i) MyPayment businesses which will carry out payment and transfer orders without actually holding customers’ funds and (ii) one-stop payment service providers designated by the FSC to issue and manage customers’ payment accounts while enabling them to provide multiple digital financial services. The revisions to the EFTA that will allow for the implementation of the Digital Finance Transformation Plan are expected to be submitted to the Korean National Assembly in the near future.
There are no laws or regulations that specifically regulate transactions involving cryptocurrencies in Korea. However, Korean regulators tend to apply existing relevant Korean laws such as the Financial Investment Services and Capital Markets Act (the “FSCMA”) and the Criminal Act to cryptocurrency-related transactions. The FSCMA defines securities as “financial investment products for which investors do not owe any obligation to pay anything in addition to the money or any other valuables paid at the time of acquiring such instruments.” Securities are categorized into six classes under the FSCMA: debt securities, equity securities, beneficiary certificates, investment contract, derivatives-linked securities, and depositary receipts. Cryptocurrency could likely fall under the FSCMA’s definition of debt security, equity security or investment contract depending on the specific facts and circumstances involved.
As with other financial companies, VASPs will be subject to various AML requirements, including suspicious transaction report, currency transaction report and customer due diligence. VASPs will also be required to set up in good faith an internal control system to fulfil such AML requirements and to separately manage transaction details of its customers. Moreover, a VASP is required to file a VASP Report to the Financial Intelligence Unit (“FIU”) after satisfying prescribed requirements, including information security management system (ISMS) certification, and engagement in financial transactions with a bank deposit account that confirms the identity of the account holder (real-name account). The FIU may refuse to accept a VASP Report from VASPs if there are grounds for non-acceptance (filing a VASP Report is a de facto approval process). Once the Partial Amendment becomes effective, there is a six-month grace period for existing VASPs to file a VASP Report to the FIU.
Subsequently, on November 3, 2020, the FSC published the Enforcement Decree of the Partial Amendment (the “Enforcement Decree”), which will be effective as of March 25, 2021. The Enforcement Decree (i) defined that the scope of VASPs subject to regulatory oversight will be limited to cryptocurrency exchanges, custody service providers and wallet service providers, and (ii) the implementation of the “travel rule” (i.e., the obligation of a VASP to provide information regarding the transfer to the recipient when transferring virtual asset) will be deferred until March 25, 2022, with the threshold set at KRW100 million.
The FSC amended the Anti-Money Laundering Guidelines for Cryptocurrencies (“AML Guidelines”) in June 2018, requiring, among others, that financial institutions enhance monitoring for accounts of cryptocurrency companies used for operating expenses and file lists of foreign cryptocurrency companies. However, as the Partial Amendment is introduced, we would need to monitor whether the current AML Guidelines will still apply as is or be amended.
There are no Korean tax laws that explicitly regulate cryptocurrencies. Some accounting firms have interpreted cryptocurrencies as “intangible assets” for Korean accounting treatment. Korea’s National Tax Service (“NTS”) has called for the need to develop accounting standards for cryptocurrencies. Korea’s Ministry of Economy and Finance has announced that plans for the taxation of cryptocurrencies are being developed, but no decisions have been made. The NTS published its preliminary assessment of taxing cryptocurrencies, which is not an official policy but does represent the only published position or research on cryptocurrency taxation by the government. The NTS’s assessment noted that cryptocurrencies tend to be hybrid products that may have characteristics of, among others, fiat currency, securities and goods. Based on this determination, the NTS has made a preliminary assessment of taxation on cryptocurrencies under the existing laws as follows:
• Corporate Income Tax (11%-27.5%): Theoretically taxable under current law
• Corporate or Individual VAT (10%): Undecided
• (Individual) Income Tax (6.6%-46.2%): Theoretically taxable under current law
• Capital Gains Tax (6.6%-46.2%): Undecided, but for retail investors, levying Capital Gains Tax is advisable
• Inheritance and Gift Tax (10%-50%): Theoretically taxable under current law
In addition, the NTS has noted that to increase transaction transparency and to prevent tax avoidance, strengthening the regulation of cryptocurrencies is required. The NTS mentioned the introduction of a registration requirement for cryptocurrency exchanges, the implementation of the Real Name Verification System, and the imposition of anti-money laundering requirements and reporting requirements on cryptocurrency exchanges as examples of possibly regulatory improvements.
IV. Initial Coin Offerings
In September 2017, the FSC issued a press release prohibiting initial coin offerings (“ICOs”) in Korea, but no laws or regulations have yet to been enacted to enforce this prohibition of ICOs. Subsequently, in January 2019, the Korean government announced the result of its monitoring of the ICO practice in Korea and its proposed approach in regulating ICOs. In this announcement, the Korean government stated that they identified companies bypassing the government’s prohibition on ICOs by performing ICOs through paper companies in foreign jurisdictions (such as Singapore) while raising funds from domestic investors. The Korean government announced that such practice substantively constitutes domestic ICOs, albeit in the form of a foreign ICO. Moreover, the Korean government stated that domestic investors were at significant risk due to such practice, because the companies performing the ICOs did not disclose substantial information for the investors to make an informed decision.
In addition, the Korean government also deemed that certain ICO projects may violate the FSCMA in case an ICO project involves (i) issuance and transaction of P2P collateralized loan tokens, (ii) sale of cryptocurrencies investment funds, or (iii) operation of unauthorized financial investment business by providing investment services with ICO tokens.
Considering that ICOs pose high investment risks and lack a global regulatory framework, the Korean government announced that it will take a conservative approach in legalizing ICOs. Furthermore, through a press release on November 3, 2020 regarding the Enforcement Decree, the FSC reiterated that the Partial Amendment and the Enforcement Decree are designed to impose AML requirements on VASPs in accordance with the FATF recommendations. Such laws and regulations are not intended to adopt virtual assets into Korea’s financial regulatory regimes and the FSC still maintains its stance on the de facto prohibition of ICOs to protect investors.
V. Personal Data Protection
The amendments to the PIPA, Network Act, and Credit Information Act became effective on August 5, 2020 (the “Amendments”). The Amendments (i) define personal data, pseudonymized data and anonymized data, (ii) enact detailed provisions on the processing of pseudonymized data, (iii) establish the Personal Information Protection Commission (the "PIPC") as the central data privacy regulatory authority, (iv) transfer all privacy provisions in under the Network Act relating to online service providers to the PIPA, (v) clarify that the Credit Information Act, which used to apply mostly to the financial institutions, now also applies to all commercial companies, and (vi) grant the PIPC the authority to request information, to investigate, to conduct on-site investigations, and to impose corrective orders and administrative fines for the purpose of enforcing the Credit Information Act.
In Korea, the protection and regulation of personal data is primarily governed by the PIPA. The PIPA is the overarching personal data protection law in Korea that may apply to FinTech businesses operating in Korea. The PIPA prescribes detailed measures for each of the stages involved in the processing of personal data such as collection and use, provision to a third party, outsourcing and destruction. The PIPA must be followed by all personal information processing entities, which are defined as all persons, organizations, corporations and governmental agencies that process personal data for business purposes. Under the PIPA, data subjects must be informed and provide their consent before their personal data is collected or used.
In addition, there are various sector-specific privacy laws such as the Credit Information Act that complement the PIPA (since the privacy-related provisions of the Network Act were transferred to the PIPA, the PIPA now applies to personal data collected online and offline). The Credit Information Act regulates and protects financial transaction information and credit information of individuals and entities. The Network Act regulates the transmission of commercial advertisements by any electronic transmission medium, including telemarketing, email and SMS.
The PIPC is responsible for enforcing the PIPA, and the FSC and the FSS are responsible for enforcing the Credit Information Act. Each of these regulatory agencies can make requests for information and conduct inspections at the premises of data controllers to ensure they are compliant with the respective privacy laws. In addition, once a violation of a relevant privacy law is confirmed, each of these respective regulatory agencies can impose administrative penalties, such as corrective orders and fines, and, as necessary, refer the case for criminal prosecution. Criminal sanctions can be imposed following an investigation by the police or prosecutor’s office, either on its own initiative or upon a referral by the relevant regulatory authority.
As for the applicability of these laws to overseas entities, the PIPA applies to all personal information processing entities regardless of whether they are located overseas. Further, the Credit Information Act would also apply to overseas entities handling financial transaction information and credit information of individuals or entities in Korea. Although the PIPA and the Credit Information Act do not specifically address their jurisdictional scope for overseas entities, the Korean regulatory authorities have measures to ensure compliance by overseas entities with these laws.
The main statutes in the context of cybersecurity that apply to FinTech businesses is the PIPA. The PIPA prescribes detailed technical security and administrative requirements for cybersecurity such as: (i) the establishment and implementation of an internal management plan for the secure processing of personal information, (ii) installation and operation of an access restriction system for preventing illegal access to and leakage of personal information, and (iii) the application of encryption technology to enable secure storage and transfer of personal information.
Further, the EFTA criminalizes certain types of cyber activities that may apply to FinTech businesses operating in Korea. The EFTA criminalizes cyber activities that: (a) intrude on electronic financial infrastructures without proper access rights or by surpassing the scope of permitted access rights or altering, destroying, concealing or leaking data that is saved in such infrastructures, and (b) destroy data, or deploy a computer virus, logic bomb or program such as an email bomb for the purpose of disrupting the safe operation of electronic financial infrastructures.
In Korea’s recent FinTech environment, a variety of industries have been established, and the related market is developing rapidly. As explained above, Korea’s financial supervisory authorities have recently announced various policies to promote the FinTech industry in Korea. Although the Korean government has shown hesitance in endorsing or institutionalizing cryptocurrencies and has repeatedly warned investors about the potential dangers of investing in them, it has expressed interest in fostering, promoting and investing in blockchain technology as part of its strategic and economic plans. The pending bills and enacted regulations explained above should be closely monitored, as they may provide a more coherent framework for the regulation of cryptocurrencies and other FinTech-related issues.
Authors: Jung Min LEE, Joon Young KIM and Samuel YIM