SOUTH KOREA: An Introduction to FinTech Legal

I. Overview 

Currently there are no prohibitions or restrictions on specific types of financial technology (FinTech) businesses in Korea nor an existing Korean regulatory regime that specifically regulates virtual asset business itself (except the amended AML Act below) or blockchain. However, FinTech businesses are likely to be subject to existing Korean laws and regulations depending on the specific nature of the business undertaken.

Korean financial regulators and policymakers are generally receptive to FinTech innovations and technology-driven new entrants to regulated financial services markets in Korea. The Korean government identified FinTech as one of its 24 key areas to support innovation as a means to spur growth in the Korean financial industry. For example, the Korean government established the FinTech Support Centre, which provides guidance on FinTech-related projects and an opportunity for FinTech start-ups to present their services to Korean financial institutions.

In terms of specific FinTech-friendly policies, the Special Act on Assistance to Financial Innovation, which became effective on April 1, 2019, introduced a regulatory sandbox scheme in Korea. This new law introduced expedited confirmation on regulation and relaxed regulatory standards for financial services designated as innovative financial services by the Korean Government. Pursuant to such policy, as of November 2021, over 183 FinTech projects were selected for inclusion in the regulatory sandbox and 132 of them are expected to be launched until the end of this year.

On August 5, 2020, the Korean government amended its three main data privacy laws: the Personal Information Protection Act (PIPA), the Act on the Promotion of the Use of the Information Network and Information Protection (the Network Act), and the Credit Information Use and Protection Act (the Credit Information Act). The amended PIPA and Credit Information Act introduces the concept of “pseudonymised data.” Pseudonymised data is defined as personal information, including personal credit information, which has gone through partial deletion or partial or total substitution, such that the information can no longer identify an individual without additional information and such that it cannot identify a specific living individual without using or combining it with additional information to restore it to its original state. As such, pseudonymised data can be utilised without the data subject’s consent if the purpose is for preparing commercial statistics, including market research and industrial studies, and preservation of public records.

Furthermore, the Korean government offers special incentive schemes, mainly in the form of tax incentives for FinTech businesses including small/medium-sized businesses in Korea. Notably, small/medium-sized businesses established in certain areas of Korea that are not located in highly populated cities can receive 50% corporate income tax relief for up to five years. Also companies identified as “venture businesses” by the Korean government, which could include many FinTech companies, may receive 50% corporate tax relief even if they are located in highly populated cities in Korea. For certain R&D costs (including labour costs and material costs), an R&D tax deduction may be available as well.

Despite promoting policies conducive to FinTech businesses, the Korean government has also shown concern for anti-money laundering and other consumer protection matters. The partial amendment of Korea’s Act on Reporting and Use of Certain Financial Transaction Information (the AML Act) was promulgated on March 24, 2020, which has taken effect as of March 25, 2021. Pursuant to the AML Act, anti-money laundering requirements apply to virtual asset service providers (VASPs), e.g., virtual asset exchanges and other virtual asset service providers. Under the AML Act, VASPs are subject to various AML requirements, including suspicious transaction report, currency transaction report and customer due diligence.

Also, Korea’s Online Investment-linked Finance Act (the Online Investment Act) became effective on August 27, 2020. This is new legislation on P2P lending that regulates P2P business registration, regulations on sales practices, and measures for consumer protection. The Online Investment Act is intended to promote development of the P2P lending sector and bolster investor protection. Specific P2P investment limits will apply to different types of investors and investment products as set forth below.

• Retail investors: To same borrower, Korean won (KRW) 5 million; total, KRW30 million (KRW10 million for real estate)

• Accredited investors: To same borrower, KRW20 million; total, KRW100 million

• Corporate investors/Professional investors: Credit limit of 40% of the relevant P2P investment

The Bank of Korea (BOK), is also reviewing the introduction of the central bank digital currency (CBDC). Recently, the BOK engaged Ground X, the operator of the blockchain platform called Klaytn, through a public bid process, to establish a trial environment based on the distributed ledger technology in cooperation with the BOK and test whether the development, issuance and redemption of a CBDC would be feasible.

In 2019, the FSC proposed its plan to establish an open banking system that would grant FinTech firms access to banks’ payment network. In 2021, open banking services are now available from banks, FinTech firms, mutual finance firms, savings banks, securities firms, credit card companies and the Korea Post. With 23 open banking participating FinTech firms making available their data about customers’ prepaid deposit balances for open banking, open banking users may access information about their prepaid deposit accounts from mobile applications of major banks or any other open banking offering financial institutions beginning from July 30, 2021.

II. Regulation 

FinTech businesses providing certain financial services are required to obtain a licence under the relevant Korean financial laws and regulations. Specifically, Korea’s Electronic Financial Transaction Act (the EFTA) regulates electronic financial transactions in Korea, and the EFTA defines “electronic financial business” to include:

a. issuance and management of electronic currency;

b. electronic funds transfer services;

c. issuance and management of electronic debit payment services;

d. issuance and management of electronic prepayment services;

e. electronic payment settlement agency services;

f. depository service for settlement of transactions; and

g. intermediary electronic collection and payment services between payers and payees.

Other than the issuance and management of electronic currency, which must be licensed by Korea’s Financial Services Commission (FSC), the above types of electronic financial businesses must be registered with the FSC and are supervised by the FSC and Korea’s Financial Supervisory Service (FSS).

FinTech businesses that do not engage in electronic financial business activities under the EFTA but intend to undertake regulated activities in Korea, such as banking or credit card businesses, should review whether it is required to obtain appropriate authorisation (licence or registration) from the relevant Korean regulatory authorities such as the FSC or the FSS.

Furthermore, the FSC unveiled its plans to promote digital finance (the Digital Finance Transformation Plan) on July 24, 2020, focusing on improving regulations for the FinTech industry, ensuring strong protection for digital finance users, building foundations and infrastructure to facilitate large volumes of digital financial transactions, and strengthening data security to ensure stability in the financial system. Under the Digital Finance Transaction Plan, the regulatory framework for electronic financial businesses will be streamlined by reorganising the current subsectors into three functional categories. Also, new electronic financial businesses such as (i) My Payment businesses which will carry out payment and transfer orders without actually holding customers’ funds and (ii) one-stop payment service providers designated by the FSC to issue and manage customers’ payment accounts while enabling them to provide multiple digital financial services. The amendment of the EFTA that will allow for the implementation of the Digital Finance Transformation Plan was submitted to the Korean National Assembly as of November 27, 2020, and is currently pending at the National Assembly.

III. Virtual Assets 

There are no laws or regulations that specifically regulate transactions involving virtual assets in Korea. However, Korean regulators tend to apply existing relevant Korean laws such as the Financial Investment Services and Capital Markets Act (FSCMA) and the Criminal Act to virtual asset-related transactions. The FSCMA defines securities as “financial investment products for which investors do not owe any obligation to pay anything in addition to the money or any other valuables paid at the time of acquiring such instruments.” Securities are categorised into six classes under the FSCMA: debt securities, equity securities, beneficiary certificates, investment contracts, derivatives-linked securities, and depositary receipts. Virtual assets could likely fall under the FSCMA’s definition of a debt security, equity security or investment contract depending on the specific facts and circumstances involved. According to various news articles, the FSC is currently assessing whether certain virtual assets may be deemed as “security tokens” and thus become subject to the FSCMA.

As with other financial companies, VASPs will be subject to various AML requirements, including suspicious transaction report, currency transaction report and customer due diligence. VASPs will also be required to set up in good faith an internal control system to fulfil such AML requirements and to separately manage transaction details of its customers. Moreover, a VASP is required to file a VASP Report to the Korean Financial Intelligence Unit (KoFIU) after satisfying prescribed requirements, including information security management system (ISMS) certification, and engagement in financial transactions with a bank deposit account that confirms the identity of the account holder (real-name account). The KoFIU may refuse to accept a VASP Report from VASPs if there are grounds for non-acceptance (filing a VASP Report is a de facto approval process). The six-month grace period for existing VASPs to file a VASP report expired in September 2021 and numerous major VASPs completed their filings.

The FSC amended the Anti-Money Laundering Guidelines for Virtual Assets (AML Guidelines) in June 2018, requiring, among others, that financial institutions enhance monitoring for accounts of virtual asset companies used for operating expenses and file lists of foreign virtual asset companies, which has been extended to December 31, 2021.

The AML Act requires VASPs to register with the KoFIU as the law equally applies to foreign VASPs that conduct activities outside Korea but have domestic consequences within Korea. The financial regulators issued a statement on July 22, 2021 that any foreign virtual asset exchanges (i) providing transactions and payment services in KRW, (ii) offering Korean language service on their platforms or websites and/or (iii) implementing marketing activities targeting Korean users, including those being conducted online (such as YouTube, blog, or other social media platforms which may be accessible by Korean users) would be deemed as “doing business in Korea” and, as a result, must file a VASP Report with the KoFIU in accordance with the AML Act.

The government introduced the conflict of interest rule for virtual asset service providers through a revision to the Enforcement Decree of the Act on Reporting and Using Specified Financial Transaction Information, which became effective as of October 5, 2021. The conflict of interest rule prohibits (i) VASPs from trading virtual assets issued by their own platforms or by other specially related entities, provided, however, that the foregoing shall not apply to the virtual assets issued by the VASPs or its related parties prior to the effective date until six months elapse from the effective date, and (ii) restricts operators and staff members of VASPs from trading virtual assets on their own. VASPs are required to set up internal standards regarding the conflict of interest rule within one month from the effective date. A failure to implement the rule may be subject to suspension of business or up to KRW100 million in fine.

There are several bills pending before the National Assembly seeking to regulate the use of blockchain technologies and virtual assets. Most are focused on implementing measures to protect virtual asset investors while some consider fostering the development of blockchain technology in general. Meanwhile, as Korea's financial supervisory authority is reviewing the FATF's Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers announced in October 2021, it is necessary to continuously monitor any changes in the legislation/policies related to virtual assets.

The non-fungible token (NFT) market has also expanded particularly in the art industry, including via numerous digital art market platform. There are no rules that are directly applicable to NFTs. However, the financial regulatory authorities indicated that existing laws and regulations such as the FSCMA or the AML Act could be applied depending on the nature of the NFT concerned.

Until the amendment of tax laws in December 2020, there was no Korean tax law that expressly regulated virtual assets. The majority opinion was that income tax, which is the enumerated principle, is not taxable due to unclear grounds for taxation, corporate income tax based on the comprehensive principle is taxable on corporate income, and under the Inheritance Tax and Gift Tax Act, inheritance tax and gift tax is also comprehensively taxable.

The amended tax law, which was promulgated in December 2020 and is scheduled to take effect on January 1, 2022, clearly sets forth the taxation method for income accruing from virtual assets owned by individual and corporate investors, as well as the detailed basis for valuation of virtual asset trading income and reporting of foreign virtual assets. Meanwhile, the Value-added Tax Act does not provide for the taxation of virtual assets and the specific method of taxation. However, according to the VAT rulings, if virtual assets are traded or used as a means of payment, VAT will not be levied.

Below are the major amendments to tax laws related to virtual assets:

Taxation under the Income Tax Act (in the case of an individual investor)

Under the amended Income Tax Act, "virtual asset income" generated from the transfer or lending of virtual assets after January 1, 2022 is subject to taxation as other income (Article 21 of the Income Tax Act). The income of the virtual assets is calculated by deducting the necessary expenses from the transfer price. However, if the income from virtual assets is KRW2.5 million or less per year, income tax shall not be imposed.

The tax amount will be calculated by multiplying the income amount calculated as above by the tax rate of 22% (including local tax rate).

Taxation under the Corporate Tax Act (in the case of a corporate investor)

In the past, there was no disagreement that corporate income tax may be imposed on capital gains on virtual assets. The amended Corporate Tax Act further provides a detailed valuation method for virtual assets. In other words, since January 2020, virtual assets have been defined as assets and liabilities subject to valuation, such as inventory and securities, and are to be valued by the FIFO method (Articles 73 and 77 of the Enforcement Decree of the Corporate Tax Act).

Obligation to report foreign virtual asset transaction account under the Adjustment of International Taxes Act (in the case of a resident or domestic corporation)

According to the Adjustment of International Taxes Act, overseas Virtual Asset Accounts and VASPs have been newly added to the scope of the overseas financial account reporting system. Therefore, if the balance of the foreign financial account exceeds KRW500 million, a resident or domestic corporation holding the foreign financial account shall report the information on the foreign financial account to the National Tax Service (NTS) from June 1 to June 30 of the following year.

In addition, the NTS has noted that to increase transaction transparency and to prevent tax avoidance, strengthening the regulation of virtual assets is required. The NTS mentioned the introduction of a registration requirement for virtual asset exchanges, the implementation of the Real Name Verification System, and the imposition of anti-money laundering requirements and reporting requirements on virtual asset exchanges as examples of possibly regulatory improvements.

IV. Initial Coin Offerings 

In September 2017, the FSC issued a press release prohibiting initial coin offerings (ICOs) in Korea, but no laws or regulations have yet to been enacted to enforce this prohibition. Subsequently, in January 2019, the Korean government announced the result of its monitoring of the ICO practice in Korea and its proposed approach in regulating ICOs. In this announcement, the Korean government stated that they identified companies bypassing the government’s prohibition on ICOs by performing ICOs through paper companies in foreign jurisdictions (such as Singapore) while raising funds from domestic investors. The Korean government announced that such practice substantively constitutes domestic ICOs, albeit in the form of a foreign ICO. Moreover, the Korean government stated that domestic investors were at significant risk due to such practice, because the companies performing the ICOs did not disclose substantial information for the investors to make an informed decision.

In addition, the Korean government also deemed that certain ICO projects may violate the FSCMA in case an ICO project involves (i) issuance and transaction of P2P collateralised loan tokens, (ii) sale of virtual assets investment funds, or (iii) operation of unauthorised financial investment business by providing investment services with ICO tokens.

Considering that ICOs pose high investment risks and lack a global regulatory framework, the Korean government announced that it would take a conservative approach in legalising ICOs. Furthermore, through a press release on November 3, 2020 regarding the Enforcement Decree, the FSC reiterated that the Partial Amendment and the Enforcement Decree are designed to impose AML requirements on VASPs in accordance with the FATF recommendations. Such laws and regulations are not intended to adopt virtual assets into Korea’s financial regulatory regimes and the FSC still maintains its stance on the de facto prohibition of ICOs to protect investors.

V. Personal Information Protection 

The amendments to the PIPA, Network Act, and Credit Information Act became effective on August 5, 2020 (the Amendments). The Amendments (i) define personal information, pseudonymised data and anonymised data, (ii) enact detailed provisions on the processing of pseudonymised data, (iii) establish the Personal Information Protection Commission (the PIPC) as the central data privacy regulatory authority, (iv) transfer all privacy provisions under the Network Act relating to online service providers to the PIPA, (v) clarify that the Credit Information Act, which used to apply mostly to the financial institutions, now also applies to all commercial companies, and (vi) grant the PIPC the authority to request information, to investigate, to conduct on-site investigations, and to impose corrective orders and administrative fines for the purpose of enforcing the Credit Information Act.

In Korea, the protection and regulation of personal information is primarily governed by the PIPA. The PIPA is the overarching personal information protection law in Korea that may apply to FinTech businesses operating in Korea. The PIPA prescribes detailed measures for each of the stages involved in the processing of personal information such as collection and use, provision to a third party, outsourcing and destruction. The PIPA must be followed by all personal information processing entities, which are defined as all persons, organisations, corporations and governmental agencies that process personal information for business purposes. Under the PIPA, data subjects must be informed and provide their consent before their personal information is collected or used.

In addition, there are various sector-specific privacy laws such as the Credit Information Act that complement the PIPA (since the privacy-related provisions of the Network Act were transferred to the PIPA, the PIPA now applies to personal information collected online and offline). The Credit Information Act regulates and protects financial transaction information and credit information of individuals and entities. The Network Act regulates the transmission of commercial advertisements by any electronic transmission medium, including telemarketing, email and SMS.

The PIPC is responsible for enforcing the PIPA, and the FSC and the FSS are responsible for enforcing the Credit Information Act. Each of these regulatory agencies can make requests for information and conduct inspections at the premises of data controllers to ensure they are compliant with the respective privacy laws. In addition, once a violation of a relevant privacy law is confirmed, each of these respective regulatory agencies can impose administrative penalties, such as corrective orders and fines, and, as necessary, refer the case for criminal prosecution. Criminal sanctions can be imposed following an investigation by the police or prosecutor’s office, either on its own initiative or upon a referral by the relevant regulatory authority.

As for the applicability of these laws to overseas entities, the PIPA applies to all personal information processing entities regardless of whether they are located overseas. Further, the Credit Information Act would also apply to overseas entities handling financial transaction information and credit information of individuals or entities in Korea. Although the PIPA and the Credit Information Act do not specifically address their jurisdictional scope for overseas entities, the Korean regulatory authorities have measures to ensure compliance by overseas entities with these laws.

VI. Cybersecurity 

The main statutes in the context of cybersecurity that apply to FinTech businesses is the PIPA and the Credit Information Act. The PIPA and the Credit Information Act prescribe detailed technical security and administrative requirements for cybersecurity such as: (i) the establishment and implementation of an internal management plan for the secure processing of personal (credit) information, (ii) installation and operation of an access restriction system for preventing illegal access to and leakage of personal (credit) information, and (iii) the application of encryption technology to enable secure storage and transfer of personal (credit) information.

Further, the EFTA criminalises certain types of cyber activities that may apply to FinTech businesses operating in Korea. The EFTA criminalises cyber activities that: (a) intrude on electronic financial infrastructures without proper access rights or by surpassing the scope of permitted access rights or altering, destroying, concealing or leaking data that is saved in such infrastructures, and (b) destroy data, or deploy a computer virus, logic bomb or program such as an email bomb for the purpose of disrupting the safe operation of electronic financial infrastructures. The Network Act imposes criminal punishment on (i) a person who intrudes an information and communications network without legitimate access authority, and (ii) a person who causes disruption to an information and communications network by sending a large amount of signals or data for the purpose of interfering with the stable operation of the information and communications network or causing the network to process an illegal order. In the event of any such infringement, a company shall report such an infringement to the relevant government authority in accordance with the EFTA and/or the Network Act.

VII. Conclusion 

In Korea’s recent FinTech environment, a variety of industries have been established, and the related market is developing rapidly. As explained above, Korea’s financial supervisory authorities have announced various policies to promote the FinTech industry in Korea. Although the Korean government has shown hesitance in endorsing or institutionalising virtual assets and has repeatedly warned investors about the potential dangers of investing in them, it has expressed interest in fostering, promoting and investing in blockchain technology as part of its strategic and economic plans. It is necessary to continuously monitor whether there are any changes to the Korean legislation/policy on virtual assets due to the influence of the FATF's October 2021 guideline. The pending bills and enacted regulations explained above should be closely monitored, as they may provide a more coherent framework for the regulation of virtual assets and other FinTech-related issues.

Authors: Jung Min LEE, Joon Young KIM, Gye-Jeong KIM and Sue Seung Hyun Lee