SOUTH KOREA: An Introduction to FinTech Legal
SOUTH KOREA: An Introduction to FinTech Legal
I. Overview
Currently, there are no prohibitions or restrictions on specific types of financial technology (FinTech) businesses in Korea, nor an existing Korean regulatory regime that specifically regulates virtual asset business itself (except the AML Act below) or blockchain. However, FinTech businesses are likely to be subject to existing Korean laws and regulations depending on the specific nature of the business undertaken.
Korean financial regulators and policymakers are generally receptive to FinTech innovations and technology-driven new entrants to regulated financial services markets in Korea.
The Special Act on Assistance to Financial Innovation, which became effective on 1 April 2019, introduced a regulatory sandbox scheme in Korea. This new law introduced expedited confirmation of regulation and relaxed regulatory standards for financial services designated as innovative financial services by the Korean Government. Pursuant to such policy, as of October 2022, over 224 FinTech projects were selected for inclusion in the regulatory sandbox.
On 5 August 2020, the Korean government amended its three main data privacy laws: the Personal Information Protection Act (PIPA), the Act on the Promotion of the Use of the Information Network and Information Protection (the Network Act), and the Credit Information Use and Protection Act (the Credit Information Act). The amended PIPA and Credit Information Act introduces the concept of “pseudonymised data.”
Furthermore, the Korean government offers special incentive schemes, mainly in the form of tax incentives, for FinTech businesses, including small/medium-sized businesses in Korea.
Despite promoting policies conducive to FinTech businesses, the Korean government has also expressed its concern for money laundering and consumer protection matters. The partial amendment of Korea’s Act on Reporting and Use of Certain Financial Transaction Information (the AML Act) was promulgated on 24 March 2020 and became effective on 25 March 2021. Pursuant to the AML Act, anti-money laundering requirements apply to virtual asset service providers (VASPs).
The Bank of Korea (BOK) is also reviewing the introduction of the central bank digital currency (CBDC).
On 28 April 2022 the FSC announced the Guideline for New Securities Business, including Fractional Investment to provide guidelines on the emerging fractional investment instruments through FinTech platforms.
II. Regulation
FinTech businesses providing certain financial services are required to obtain a licence under the relevant Korean financial laws and regulations. Specifically, Korea’s Electronic Financial Transaction Act (the EFTA) regulates electronic financial transactions in Korea, and the EFTA defines “electronic financial business” to include:
a. issuance and management of electronic currency;
b. electronic funds transfer services;
c. issuance and management of electronic debit payment services;
d. issuance and management of electronic prepayment services;
e. electronic payment settlement agency services;
f. depository service for the settlement of transactions; and
g. intermediary electronic collection and payment services between payers and payees.
Other than the issuance and management of electronic currency, which must be licensed by Korea’s Financial Services Commission (FSC), the above types of electronic financial businesses must be registered with the FSC and are supervised by the FSC and Korea’s Financial Supervisory Service (FSS).
FinTech businesses that do not engage in electronic financial business activities under the EFTA but intend to undertake regulated activities in Korea, such as banking or credit card businesses, should review whether it is required to obtain appropriate authorisation (licence or registration) from the relevant Korean regulatory authorities such as the FSC or the FSS.
Furthermore, the FSC unveiled its plans to promote digital finance (the Digital Finance Transformation Plan) on 24 July 2020, focusing on improving regulations for the FinTech industry, ensuring strong protection for digital finance users, building foundations and infrastructure to facilitate large volumes of digital financial transactions, and strengthening data security to ensure stability in the financial system. Under the Digital Finance Transaction Plan, the regulatory framework for electronic financial businesses will be streamlined by reorganising the current subsectors into three functional categories. Also, new electronic financial businesses such as My Payment businesses which will carry out payment and transfer orders without actually holding customers’ funds. The amendment of the EFTA that will allow for the implementation of the Digital Finance Transformation Plan was submitted to the Korean National Assembly as of 27 November 2020, and similar amendments of the EFTA are currently pending at the National Assembly.
III. Virtual Assets
There are no laws or regulations that specifically regulate transactions involving virtual assets in Korea. However, Korean regulators tend to apply existing relevant Korean laws such as the Financial Investment Services and Capital Markets Act (FSCMA) and the Criminal Act to virtual asset-related transactions. The FSCMA defines securities as “financial investment products for which investors do not owe any obligation to pay anything in addition to the money or any other valuables paid at the time of acquiring such instruments.” Securities are categorised into six classes under the FSCMA: debt securities, equity securities, beneficiary certificates, investment contracts, derivatives-linked securities, and depositary receipts. Virtual assets could likely fall under the FSCMA’s definition of security depending on the specific facts and circumstances involved. According to various news articles, the FSC is currently assessing whether certain virtual assets may be deemed as “security tokens” and thus become subject to the FSCMA.
As with other financial companies, VASPs will be subject to various AML requirements, including suspicious transaction report, currency transaction report and customer due diligence. VASPs will also be required to set up in good faith an internal control system to fulfil such AML requirements and to separately manage transaction details of its customers. Moreover, a VASP is required to file a VASP Report to the Korean Financial Intelligence Unit (KoFIU) after satisfying prescribed requirements, including information security management system (ISMS) certification, and engagement in financial transactions with a bank deposit account that confirms the identity of the account holder (real-name account).
The AML Act requires VASPs to register with the KoFIU as the law equally applies to foreign VASPs that conduct activities outside Korea but have domestic consequences within Korea. The financial regulators issued a statement on 22 July 2021 that any foreign virtual asset exchanges (i) providing transactions and payment services in KRW, (ii) offering Korean language service on their platforms or websites, and/or (iii) implementing marketing activities targeting Korean users, including those being conducted online (such as YouTube, blog, or other social media platforms which may be accessible by Korean users) would be deemed as “doing business in Korea” and, as a result, must file a VASP Report with the KoFIU in accordance with the AML Act.
The KoFIU announced on 19 August 2022 that it had notified 16 unregistered offshore VASPs to the investigative authority for engaging in business activities targeting Korean customers without obtaining the VASP Report.
The government introduced the conflict of interest rule for virtual asset service providers through a revision to the Enforcement Decree of the Act on Reporting and Using Specified Financial Transaction Information, which became effective as of 5 October 2021. The conflict of interest rule prohibits (i) VASPs from trading virtual assets issued by their own platforms or by other specially related entities, provided, however, that the foregoing shall not apply to the virtual assets issued by the VASPs or its related parties prior to the effective date until six months elapse from the effective date; and (ii) restricts operators and staff members of VASPs from trading virtual assets on their own. VASPs are required to set up internal standards regarding the conflict of interest rule. A failure to implement the rule may be subject to suspension of a business or up to KRW100 million in fine.
There are several bills pending before the National Assembly seeking to regulate the use of blockchain technologies and virtual assets. Most are focused on implementing measures to protect virtual asset investors, while some consider fostering the development of blockchain technology in general. Meanwhile, as Korea's financial supervisory authority is reviewing the bills it is necessary to continuously monitor any changes in the legislation/policies related to virtual assets.
The non-fungible token (NFT) market has also expanded particularly in the art and game industry, including via numerous digital art market platforms and overseas gaming platforms. There are no rules that are directly applicable to NFTs. However, the financial regulatory authorities indicated that existing laws and regulations such as the FSCMA or the AML Act could be applied depending on the nature of the NFT concerned.
Due to the emerging fractional investment instruments through FinTech platforms, on 28 April 2022 the FSC announced the Guideline for New Securities Business, including Fractional Investment, which is an innovative fractional investment methodology that broadens access to investment products that the retail investors were not able to gain easy access or assets with low liquidity, by enabling investors to make small fractional investments in various assets or related rights. This Guideline sets out the criteria to determine whether the fractional investment product is a security under the FSCMA and discusses issues to consider when dealing with security-type fractional investment products.
Until the tax law amendment in December 2020 there was no Korean tax law that expressly regulated virtual assets. In the absence of such express regulation, the majority opinion was that income tax could not be imposed on virtual asset income under the enumeration principle (ie, only those items of income specifically enumerated in the law are subject to income tax), as such income was not clearly stated as taxable income within the Income Tax Law. However, corporate income tax, gift tax, and inheritance tax could potentially apply to such income under the principle of comprehensive taxation under the Corporate Income Tax Law and the Inheritance and Gift Tax Law (ie, any increase in net assets of the corporation/donee/inheritor can be taxed).
The amended tax law, which was promulgated in December 2020 and is scheduled to be effective on 1 January 2023, clearly sets forth the taxation method for income accruing from virtual assets owned by individual and corporate investors, as well as the detailed basis for valuation of virtual asset trading income and reporting of foreign virtual assets. (Note that the effective date may be deferred to 1 January 2025 according to the proposed tax law amendments currently under review by the National Assembly.) Meanwhile, the Value Added Tax Law does not expressly provide for the taxation of virtual assets and nor a specific method of taxation with respect to virtual assets. However, according to VAT rulings, virtual assets are not subject to VAT in general.
Below are the major amendments to tax laws related to virtual assets:
Taxation under the Income Tax Law (in the case of individual investors)
Under the amended Income Tax Law, "virtual asset income" generated from the transfer or lending of virtual assets after 1 January 2023 is subject to taxation as other income (Article 21 of the Income Tax Law). The amount of virtual asset income is calculated by deducting the necessary expenses from the transfer price and is subject to income tax only to the extent such an amount exceeds KRW2.5 million in a given year.
The tax amount will be calculated by multiplying the income amount determined as above by the tax rate of 22% (including local tax rate).
Taxation under the Corporate Income Tax Law (in the case of corporate investors)
In the past, there was no disagreement that corporate income tax may be imposed on capital gains on virtual assets. The amended Corporate Income Tax Law further provides a detailed valuation method for virtual assets. In other words, since January 2022 virtual assets have been defined as assets and liabilities subject to valuation, such as inventory and securities, and are to be valued under the FIFO method (Articles 73 and 77 of the Enforcement Decree of the Corporate Income Tax Law).
Obligation to report foreign virtual asset transaction account under the International Tax Coordination Law (in the case of a resident or a domestic corporation)
Under the International Tax Coordination Law, overseas Virtual Asset Accounts and VASPs have been newly included in the scope of the overseas financial account reporting system. Therefore, if the balance of a resident or domestic corporation’s foreign financial account exceeds KRW500 million, such resident or domestic corporation holding the foreign financial account must report information regarding the foreign financial account to the National Tax Service (NTS) from 1 June to 30 June of the following year.
In addition, the NTS has noted that strengthening the regulation regarding virtual assets is necessary to increase transaction transparency and prevent tax avoidance. The NTS mentioned the introduction of a registration requirement for virtual asset exchanges, the implementation of the Real Name Verification System, and the imposition of anti-money laundering requirements and reporting requirements on virtual asset exchanges as examples of regulatory improvements that can be made.
IV. Initial Coin Offerings
In September 2017 the FSC issued a press release prohibiting initial coin offerings (ICOs) in Korea, but no laws or regulations have yet to be enacted to enforce this prohibition. Subsequently, in January 2019 the Korean government announced the result of its monitoring of the ICO practice in Korea and its proposed approach to regulating ICOs. In addition, the Korean government also deemed that certain ICO projects may violate the FSCMA in case an ICO project involves (i) issuance and transaction of P2P collateralised loan tokens, (ii) sale of virtual assets investment funds, or (iii) operation of unauthorised financial investment business by providing investment services with ICO tokens.
With the recent presidential election, the regulatory landscape began its transition. President Yoon’s campaign agenda included enacting a new law for digital assets called the ‘Framework Act on Digital Assets’. The ‘110 National Agenda of the Yoon Administration’ announced in May 2022 reiterated that the plan to enact an overarching act on digital assets to govern non-security tokens is a priority and that the FSCMA would regulate security tokens.
V. Personal Information Protection
The amendments to the PIPA, Network Act, and Credit Information Act became effective on 5 August 2020 (the Amendments). The Amendments (i) define personal information, pseudonymised data and anonymised data, (ii) enact detailed provisions on the processing of pseudonymised data, (iii) establish the Personal Information Protection Commission (the PIPC) as the central data privacy regulatory authority, (iv) transfer all privacy provisions under the Network Act relating to online service providers to the PIPA, (v) clarify that the Credit Information Act, which used to apply mostly to the financial institutions, now also applies to all commercial companies, and (vi) grant the PIPC the authority to request information, to investigate, to conduct on-site investigations, and to impose corrective orders and administrative fines for the purpose of enforcing the Credit Information Act.
In Korea the PIPA is the overarching personal information protection law in Korea that may apply to FinTech businesses operating in Korea. The PIPA prescribes detailed measures for each of the stages involved in the processing of personal information such as collection and use, provision to a third party, outsourcing, and destruction. The PIPA must be followed by all personal information processing entities, which are defined as all persons, organisations, corporations, and governmental agencies that process personal information for business purposes. Under the PIPA, data subjects must be informed and provide their consent before their personal information is collected or used.
In addition, there are various sector-specific privacy laws such as the Credit Information Act that complement the PIPA (since the privacy-related provisions of the Network Act were transferred to the PIPA, the PIPA now applies to personal information collected online and offline). The Credit Information Act regulates and protects financial transaction information and credit information of individuals and entities. The Network Act regulates the transmission of commercial advertisements by any electronic transmission medium, including telemarketing, email and SMS.
The PIPC is responsible for enforcing the PIPA, and the FSC and the FSS are responsible for enforcing the Credit Information Act. Each of these regulatory agencies can make requests for information and conduct inspections at the premises of data controllers to ensure they are compliant with the respective privacy laws.
As for the applicability of these laws to overseas entities, the PIPA applies to all personal information processing entities regardless of whether they are located overseas. Further, the Credit Information Act would also apply to overseas entities handling financial transaction information and credit information of individuals or entities in Korea. Although the PIPA and the Credit Information Act do not specifically address their jurisdictional scope for overseas entities, the Korean regulatory authorities have measures to ensure compliance by overseas entities with these laws.
Further, the Korean government amended the Enforcement Decree of the PIPA on 19 July 2022 (effective as of 20 October 2022) to implement various methods for the destruction of personal information in consideration of the development of new technologies such as blockchain, etc, so that if it is substantially difficult to permanently delete personal information in the form of electronic files due to its technical characteristics, such electronic files may be treated as information that can no longer identify an individual and restored.
VI. Cybersecurity
The main statutes in the context of cybersecurity that apply to FinTech businesses are the PIPA and the Credit Information Act. The PIPA and the Credit Information Act prescribe detailed technical security and administrative requirements for cybersecurity such as (i) the establishment and implementation of an internal management plan for the secure processing of personal (credit) information, (ii) the installation and operation of an access restriction system for preventing illegal access to and leakage of personal (credit) information, and (iii) the application of encryption technology to enable secure storage and transfer of personal (credit) information.
Further, the EFTA criminalises certain types of cyber activities that may apply to FinTech businesses operating in Korea. The EFTA criminalises cyber activities that: (a) intrude on electronic financial infrastructures without proper access rights or by surpassing the scope of permitted access rights or altering, destroying, concealing, or leaking data that is saved in such infrastructures, and (b) destroy data, or deploy a computer virus, logic bomb or program such as an email bomb for the purpose of disrupting the safe operation of electronic financial infrastructures. The Network Act imposes criminal punishment on (i) a person who intrudes on an information and communications network without legitimate access authority, and (ii) a person who causes disruption to an information and communications network by sending a large amount of signals or data for the purpose of interfering with the stable operation of the information and communications network or causing the network to process an illegal order. In the event of any such infringement, a company shall report such an infringement to the relevant government authority in accordance with the EFTA and/or the Network Act.
VII. Conclusion
In Korea’s recent FinTech environment a variety of industries have been established, and the related market is developing rapidly. As explained above, Korea’s financial supervisory authorities have announced various policies to promote the FinTech industry in Korea. The Korean government has shown hesitance in endorsing or institutionalising virtual assets and has repeatedly warned investors about the potential dangers of investing in them. It has expressed interest in fostering, promoting, and investing in blockchain technology as part of its strategic and economic plans. Since the recent change to President Yoon’s administration, there have been moves to institutionalise virtual assets, but up to now, the government has closely monitored regulations on virtual assets in major foreign countries and is preparing for such regulations/systems. It is necessary to continuously monitor whether there are any changes to the Korean legislation/policy on virtual assets due to the legislative activities related to the Framework Act on Digital Assets. The pending bills and enacted regulations explained above should be closely monitored, as they may provide a more coherent framework for the regulation of virtual assets and other FinTech-related issues.
Authors: Gye-Jeong KIM, Sung Yun KANG, and Sue Seung Hyun LEE