Licentium

Licensing Hub

South Korea

South Korea regulates virtual assets through VASP reporting to KoFIU under the SFTIA, plus the Virtual Asset User Protection Act 2024 enforced by the FSC and FSS, not a single crypto licence.

Available licences

KoFIU VASP Reporting

Reporting under Article 7 of the Specified Financial Transaction Information Act to the Korea Financial Intelligence Unit. Mandatory before operating a virtual asset service in Korea, including for persons intending to operate one. FIU may refuse acceptance for lack of ISMS certification, lack of required real-name verified deposit / withdrawal accounts, recent specified financial-law convictions, or prior cancellation. Validity not exceeding five years; renewal required.

ISMS Certification and Real-Name Account Preconditions

Information Security Management System certification and, where applicable, real-name verified deposit / withdrawal accounts with a Korean bank are statutory preconditions for FIU report acceptance. KRW exchanges typically require real-name accounts; non-KRW VASPs, wallet providers, custodians and transfer-only models may be assessed differently subject to FIU practice and current FSC rulemaking.

VAUPA Operating Compliance

Compliance with the Virtual Asset User Protection Act (in force from 2024-07-19) and its subordinate rules. Includes safe protection of user deposits with banks, segregation of user from proprietary virtual assets, same-kind / same-quantity holding of user assets, at least 80% of user virtual assets in cold wallets, insurance or reserves for hacking / system incidents, abnormal-transaction monitoring, market-manipulation reporting, and FSC / FSS supervisory, inspection and sanction powers.

Capital Markets Act Authorisation (overlay)

Capital Markets Act licensing and offering analysis under Article 4 for tokens that constitute debt, equity, beneficiary, investment-contract, derivatives-linked or depositary-receipt securities. May involve investment brokerage or dealing, investment advisory or management, exchange / market operator issues, custody, disclosure, investor qualification, unfair trading and sanctions. FSC guidance: token form does not create a new securities concept.

Pending: Token-Securities Institutionalisation and Second-Stage Virtual Asset Law

Token-securities institutionalisation amendments to the Electronic Securities Act and Capital Markets Act passed the National Assembly in January 2026 and are scheduled to take effect on 2027-02-04, subject to subordinate-rule preparation and infrastructure construction. Stablecoin-specific issuer rules and the broader second-stage virtual-asset / Digital Asset Basic Act remain in policy discussion as of FSC explanations through March 2026; pending until enacted and commenced.

Detailed overview

South Korea: VASP Reporting, User Protection, and Securities Overlay

South Korea regulates virtual-asset activity through a reporting, AML/CFT, user-protection, and securities-law framework rather than one generic “crypto licence.” The core entry route for a virtual asset service provider is reporting to the Korea Financial Intelligence Unit under the Act on Reporting and Using Specified Financial Transaction Information. Article 7 requires a virtual asset service provider, including a person intending to operate one, to report prescribed information to the Commissioner of the Korea Financial Intelligence Unit. The FIU may refuse acceptance where the applicant has not obtained information-security management system certification, does not use real-name verified deposit and withdrawal accounts where required, has recent specified financial-law convictions, or has had a prior report cancelled within five years. The reporting period is limited to a statutory period not exceeding five years and must be renewed.

The reporting regime is not merely formal. Korean financial institutions must perform customer due diligence, beneficial-owner checks, and VASP-specific checks when the customer is a VASP, including whether the VASP has complied with reporting obligations, whether its report has been accepted or cancelled, and whether it has segregated customer deposits or obtained ISMS certification. Financial institutions must refuse or terminate relationships in specified cases, including where a VASP has failed to report, lacks required ISMS or real-name account arrangements, has not had its report accepted, or has had its report cancelled.

South Korea’s Virtual Asset User Protection Act has been in force since 2024-07-19. The Act and its subordinate rules protect user deposits and virtual assets, prohibit unfair trading practices such as market manipulation, and give the financial authorities supervisory, inspection, and sanction powers over VASPs. FSC materials state that user deposits must be safely held and managed by banks, VASPs must segregate their own virtual assets from user virtual assets and hold the same kind and quantity of user assets, and VASPs must maintain insurance or reserves for incidents such as hacking or system failures.

Custody and security controls are central. The FSC’s implementation materials state that user deposits must be kept at banks, banks pay users directly if a VASP becomes bankrupt, and at least 80% of user virtual assets must be kept in cold wallets under the supervisory regulation.

Travel Rule controls apply to VASP transfers. The Enforcement Decree of the Specified Financial Transaction Information Act, current from 2026-01-02, requires information provision when a VASP transfers virtual assets worth KRW 1 million or more to another VASP, including customer names and virtual-asset addresses, and additional resident-registration, corporate-registration, passport, or alien-registration information when requested. The FSC has also announced proposed 2026 amendments that would expand Travel Rule obligations below KRW 1 million and strengthen rules for transfers involving overseas VASPs and personal wallets, but those implementing amendments were still in notice / rulemaking status as of this session.

Tokens that are securities are regulated under the Financial Investment and Capital Markets Act, not only as virtual assets. Article 4 of the Capital Markets Act defines “securities” and classifies them into debt securities, equity securities, beneficiary certificates, investment contract securities, derivatives-linked securities, and depositary receipts. FSC token-securities guidance states that whether a digital asset is a security is determined under the existing Capital Markets Act, not by creating a new securities concept only for tokens. A token-securities institutionalisation law passed the National Assembly in January 2026 and is scheduled to take effect on 2027-02-04 after subordinate-rule preparation and infrastructure work; it should be treated as future implementation work until the effective provisions and subordinate rules are checked for the specific product.

Stablecoin-specific law remains a transition item. The FSC has stated that the main contents of the second-stage virtual-asset legislation, including stablecoin issuer matters, had not been finalised in official explanations published in December 2025 and January 2026. In March 2026, the Virtual Asset Committee discussed a government review draft for a proposed Digital Asset Basic Act / second-stage virtual-asset law, including stablecoin issuance, exchange ownership dispersion, internal controls, security standards, and no-fault liability, but the FSC described this as policy discussion and legislative coordination, not enacted law.

Regulators: Korea Financial Intelligence Unit for VASP reporting and AML/CFT; Financial Services Commission and Financial Supervisory Service for virtual-asset user protection, supervision, inspection, sanctions, and capital-markets regulation; Financial Supervisory Service may receive delegated review / inspection functions.

Question presented and assumptions

Question presented: What South Korea legal/regulatory entry should be added to the Licentium jurisdiction hub for virtual-asset licensing and market-entry purposes?

Assumptions: The intended hub entry is for firms providing virtual-asset exchange, brokerage, custody, wallet, transfer, token listing, stablecoin, token issuance, tokenised securities, staking, custody, market-making, or related Korea-facing services. No specific facts are supplied about Korean incorporation, office, personnel, bank relationships, Korean-resident users, Korean-language marketing, real-name account eligibility, ISMS certification, custody model, token legal rights, stablecoin redemption claim, securities status, foreign-exchange flows, or whether the activity is carried on outside Korea but has effects in Korea.

Jurisdiction profile

South Korea’s official legislation source for this session is the National Law Information Center, operated by the Ministry of Government Legislation. It provides current consolidated statutes, presidential decrees, enforcement rules, and case-law materials. The National Law Information Center pages used here display in-force dates, law or decree numbers, and amendment status. The same site cautions that automated old-new law comparisons are for reference and that exact amendment contents should be checked against enactment / amendment texts or the Official Gazette.

Administrative materials relied on here are official materials of the Financial Services Commission and Korea Financial Intelligence Unit. The FSC is used for official implementation materials on the Virtual Asset User Protection Act, token-securities policy, stablecoin / second-stage virtual-asset reform status, and rulemaking notices. KoFIU is used for VASP reporting status and reporting-system materials. KoFIU’s official site maintains a “VASP reporting status” channel and, as of the search result opened for this session, listed a reporting-status file current to 2026-04-30 and changed on 2026-05-07.

Case law is available through the National Law Information Center case-law repository. One Supreme Court decision is relied on for the VASP-business threshold: Supreme Court 2024-12-12, 2024Do10710. Because it is a Supreme Court judgment and the disposition states the appeal was dismissed, subsequent history ends there for that proceeding. No later-treatment citator search beyond official case-law access was treated as comprehensive, and no broader case-law proposition depends on unverified later treatment.

Hierarchy used here: statutes are controlling; presidential decrees, enforcement regulations, and formally issued supervisory regulations are binding within delegated authority; FSC / KoFIU press releases, notices, manuals, policy explanations, and consultation materials are official administrative materials but are not treated as statutes unless they reproduce or implement binding law; Korean original text controls. English renderings in this session are unofficial unless otherwise stated.

Executive summary

  • South Korea’s core virtual-asset market-entry route is VASP reporting to KoFIU under Article 7 of the Specified Financial Transaction Information Act; the FIU may refuse acceptance for lack of ISMS certification, lack of required real-name verified deposit / withdrawal accounts, specified legal disqualifications, or prior cancellation.
  • The VASP report is time-limited: Article 7 states that the report validity period is within a range not exceeding five years, and a VASP continuing the same business after expiry must renew the report.
  • Korean financial institutions must perform VASP-specific AML checks and must refuse or terminate transactions in specified cases, including unreported VASPs, non-accepted reports, and cancelled reports.
  • The Specified Financial Transaction Information Act applies to VASP financial transactions performed outside Korea where the effects occur in Korea. This creates Korea-nexus risk for offshore operators serving or affecting Korea.
  • Travel Rule obligations currently apply to VASP-to-VASP transfers of virtual assets worth KRW 1 million or more, requiring sender / recipient names and virtual-asset addresses, with additional identity data when requested.
  • The Virtual Asset User Protection Act has been in force since 2024-07-19 and adds user-asset protection, unfair-trading regulation, and FSC/FSS supervisory, inspection, and sanction powers.
  • VASPs must protect user assets: FSC implementation materials state that deposits are held by banks, user and proprietary virtual assets must be segregated, VASPs must hold the same kind and quantity of user virtual assets, and insurance or reserves are required for hacking / system incidents.
  • The Supreme Court has held that ordinary self-account exchange use is generally not VASP activity, but repeated virtual-asset transactions for unspecified multiple customers or users for compensation are generally VASP activity.
  • Tokens that are securities require Capital Markets Act analysis. FSC guidance states that token form does not create a new securities concept, because securities are already defined in Article 4 of the Capital Markets Act.
  • Stablecoin-specific and broader second-stage virtual-asset legislation had not been finalised as of official FSC explanations in December 2025 / January 2026, and March 2026 materials describe ongoing committee discussion rather than enacted stablecoin law.

Analysis by issue

Market-entry route: VASP reporting, not a generic crypto licence

Conclusion: South Korea should be presented as a VASP-reporting and user-protection jurisdiction, not a generic “crypto licence” jurisdiction.

Rule: Article 7 of the Specified Financial Transaction Information Act provides that a virtual asset service provider, including a person intending to operate one, must report prescribed matters to the Commissioner of the Korea Financial Intelligence Unit. The report must include the business name, representative name, place of business, contact details, and other prescribed matters. KoFIU public-facing materials also warn that unreported VASP operation is illegal and that new VASPs must first meet the requirements and report to FIU before operating.

Application: The website should use language such as “KoFIU VASP reporting / acceptance” rather than “Korean crypto licence” or “exchange licence.” A firm that buys, sells, exchanges, transfers, stores, manages, brokers, intermediates, or acts for others in relation to virtual assets must be mapped against the VASP perimeter. The practical gating requirements include ISMS certification, real-name verified account arrangements where applicable, management and legal-disqualification checks, FIU reporting, and ongoing AML/CFT controls.

Limitations / counterarguments: “Reporting” is not light-touch deregulation. FIU may refuse acceptance, cancel reporting, order suspension, and publish reporting status. Also, a tokenised securities platform or stablecoin issuer may fall under other financial laws, not only the VASP reporting regime.

Reporting conditions, validity, and FIU powers

Conclusion: KoFIU reporting is substantive, time-limited, and subject to refusal, cancellation, suspension, public disclosure, and FSS delegation.

Rule: FIU may refuse VASP report acceptance where the applicant has not obtained ISMS certification; does not conduct financial transactions through real-name verified deposit / withdrawal accounts, subject to FIU exceptions; has recent specified financial-law convictions; or has had a prior report or change report cancelled within five years. FIU may cancel a report or change report ex officio in specified circumstances, may order all or part of the business suspended for up to six months, may publish information about VASP reporting and FIU measures, and may delegate prescribed reporting-related work to the Financial Supervisory Service. Article 7 also states that the reporting validity period is within a period not exceeding five years, and that a VASP continuing the same activity after expiry must renew the report.

Application: A Korea entry should flag that applicants need operational readiness before filing. A serious filing should include ISMS certification or applicable pre-certification strategy, real-name account arrangements where required, AML/CFT governance, internal controls, customer due diligence, Travel Rule systems, sanctions controls, STR procedures, responsible management, IT-security materials, outsourcing controls, and proof that disqualifying events do not apply.

Limitations / counterarguments: The exact real-name account requirement and exceptions are fact-sensitive and depend on business model and FIU practice. A non-KRW VASP, wallet provider, custodian, or transfer-only model may not be assessed identically to a KRW exchange. Current and future amendments should be checked before filing because FSC issued 2026 rulemaking notices to tighten entry standards and related AML controls.

AML/CFT, customer due diligence, financial-institution onboarding, and Travel Rule

Conclusion: VASP operation in South Korea requires both direct AML/CFT controls and bank / financial-institution due diligence readiness.

Rule: Article 5-2 requires financial companies to perform customer identification and beneficial-owner checks, and to implement risk-sensitive checks where money-laundering or terrorist-financing risk exists. Where the customer is a VASP, the financial company must verify matters including the VASP’s report / change-report obligations, whether the report has been accepted, whether a report was cancelled, and whether customer deposits are segregated or ISMS certification has been obtained. Financial companies must refuse or terminate transactions where CDD cannot be performed, where a VASP has failed to report, where required ISMS / real-name-account conditions are not met, where a report has not been accepted, or where a report has been cancelled.

For Travel Rule controls, Article 10-10 of the Enforcement Decree requires information provision where a VASP transfers virtual assets worth KRW 1 million or more to another VASP. The transferring VASP must provide the receiving VASP with the sending and receiving customers’ names and virtual-asset addresses, and must provide additional identity-number information within three business days if requested by FIU or the receiving VASP.

Application: A Korean VASP applicant should be prepared to satisfy both regulator expectations and bank onboarding expectations. In practice, the firm should document customer identification, beneficial-owner verification, STR triggers, sanctions screening, transaction monitoring, Travel Rule message capture and transmission, VASP counterparty due diligence, wallet-risk controls, internal AML reporting lines, independent testing, and record retention. For bank-facing operations, it should be able to show deposit segregation, ISMS certification, FIU reporting status, and real-name account mechanics.

Limitations / counterarguments: The current decree threshold is KRW 1 million for VASP-to-VASP transfers. FSC 2026 rulemaking materials propose expansion below KRW 1 million and enhanced rules for overseas VASPs and personal wallets, but the FSC notice states that the decree / supervisory-regulation amendments were under notice from 2026-03-30 to 2026-05-11, with completion expected later; those proposed provisions should not be treated as already operative unless final promulgation is checked.

Territorial reach and offshore operators

Conclusion: Offshore structuring does not remove Korea risk where VASP financial transactions outside Korea have effects in Korea.

Rule: Article 6 states that the VASP chapter applies to VASPs, and that the Act also applies to VASP financial transactions performed outside Korea where their effects occur in Korea.

Application: A non-Korean exchange, broker, custodian, transfer service, arbitrage desk, wallet provider, OTC operator, or market-making / payment arrangement should be reviewed if it targets Korean customers, supports Korean-resident onboarding, uses Korean-language solicitation, handles KRW rails, interacts with Korean VASPs, or produces effects in Korea. Korean nexus should be addressed before concluding that foreign incorporation avoids FIU reporting or AML/CFT requirements.

Limitations / counterarguments: The statute does not itself answer every cross-border fact pattern. The result may depend on Korean-user solicitation, customer location, transaction effects, Korean bank involvement, wallet-control location, operational roles, exchange membership, foreign-exchange flows, and whether the relevant activity is VASP activity, securities activity, or another regulated financial service.

VASP-business threshold: self-account trading versus customer-facing compensated activity

Conclusion: Ordinary self-account exchange use is generally not VASP activity, but repeated compensated transactions for unspecified customers or users generally are VASP activity.

Rule: The Supreme Court held that, to determine whether a person is a VASP carrying on virtual-asset transactions as a business under the prior version of the Specified Financial Transaction Information Act, the court should assess whether the person continuously and repeatedly conducted the listed virtual-asset activities for profit, considering transaction purpose, type, scale, frequency, period, manner, and other circumstances according to social norms. The Court further stated that an ordinary exchange user repeatedly buying or exchanging virtual assets solely for the user’s own account and benefit is generally not a VASP, absent special circumstances, while a person repeatedly conducting virtual-asset transactions for the convenience of unspecified multiple customers or users and receiving consideration is generally a VASP.

Application: A proprietary trader using its own capital and exchange account may not be a VASP on that fact alone. By contrast, a business that receives funds from others, buys or sells virtual assets for them, transfers assets to wallets specified by others, performs arbitrage for customers, receives commissions, or provides custody / transfer services is materially closer to VASP activity. This is especially important for OTC desks, payment agents, hosted wallet providers, arbitrage structures, brokers, concierge trading, and “informal” customer-transfer services.

Limitations / counterarguments: The case applied prior statutory text, though its reasoning remains useful for the business-threshold concept. The analysis should be refreshed if amended statutory definitions or new second-stage digital-asset legislation change the VASP perimeter.

Virtual Asset User Protection Act: custody, deposits, unfair trading, supervision, and sanctions

Conclusion: Since 2024-07-19, Korea’s VASP framework includes user-asset protection and market-integrity obligations beyond AML reporting.

Rule: The Virtual Asset User Protection Act is shown in the National Law Information Center as in force from 2024-07-19. FSC implementation materials state that the Act’s main content includes safe protection of user deposits and virtual assets, investigation and punishment of market manipulation and other unfair trading, and financial-authority supervision, inspection, and sanction powers over VASPs. FSC materials further state that user deposits are held and managed by banks; VASPs must segregate their own virtual assets from user virtual assets and actually hold the same kind and quantity of user virtual assets; and VASPs must maintain insurance or reserves for hacking, system failure, and similar incidents.

The FSC’s decree implementation materials state that user deposits are held at banks, banks pay users directly if a VASP becomes bankrupt, and at least 80% of user virtual assets must be kept offline in cold wallets under the supervisory regulation. FSC materials also state that exchanges must monitor abnormal transactions, notify the authorities where unfair trading is suspected, and that unfair-trading violations can lead to criminal penalties and administrative monetary sanctions.

Application: A hub entry should not stop at FIU reporting. A Korean VASP must be ready for deposit-management agreements with banks, customer-asset segregation, same-kind / same-quantity holdings, cold-wallet ratios, insurance or reserve arrangements, incident response, abnormal-transaction monitoring, market-abuse reporting, and inspection readiness. Token listing, market surveillance, and exchange controls should be treated as regulatory issues, not purely business-policy issues.

Limitations / counterarguments: Detailed operational requirements are in the Act, Enforcement Decree, supervisory regulation, and related FSS / FSC materials. For a concrete applicant, the cold-wallet calculation, insurance / reserve amount, abnormal-transaction monitoring model, and customer-deposit treatment should be checked against current subordinate rules and guidance.

Tokenised securities and Capital Markets Act overlay

Conclusion: Tokens that are securities or investment products are not treated solely as virtual assets. They require Capital Markets Act classification and licensing / offering analysis.

Rule: Article 4 of the Capital Markets Act defines securities as financial investment products meeting the statutory definition and classifies securities into debt securities, equity securities, beneficiary certificates, investment contract securities, derivatives-linked securities, and depositary receipts. FSC token-securities guidance states that examples do not expand or narrow the concept of securities and do not create a new securities concept applicable only to token form, because Article 4 of the Capital Markets Act already defines which rights are securities. The same FSC material gives examples of higher securities likelihood, including rights to equity participation, dividends, residual assets, or allocation of business performance proceeds to investors.

Application: Tokenised debt, equity, fund interests, fractional investments, revenue-sharing tokens, profit-participation tokens, real-world-asset investment products, derivative-like tokens, and investment contract tokens should be analysed under the Capital Markets Act. Required analysis may include securities offering / registration, investment brokerage or dealing, investment advisory or management, trading venue / exchange issues, custody, disclosure, investor qualification, unfair trading, and sanctions.

Limitations / counterarguments: A token’s securities status depends on substance, not label. Utility, payment, governance, NFT, or asset-reference language is not decisive. Review token rights, issuer obligations, investor profit expectations, pooling, managerial efforts of others, redemption, transferability, marketing, and whether holders receive economic exposure to a common enterprise or underlying asset.

Token-securities reform and future effective date

Conclusion: Korea’s token-securities framework is moving toward implementation, but the key institutionalisation changes should be treated as future-law / transition items until the 2027 effective date and subordinate rules are checked.

Rule: FSC’s 2026-03-04 release states that the token-securities institutionalisation law, consisting of amendments to the Electronic Securities Act and Capital Markets Act, passed the National Assembly in January 2026 and is scheduled to take effect on 2027-02-04 after subordinate-rule preparation and infrastructure construction. FSC states that the consultative body will work on technical / infrastructure, issuance, distribution, and settlement design, including digital financial standards, issuance rules, OTC exchange authorisation policy, distribution disclosure, transaction limits, settlement stability, and unfair-trading prevention.

Application: The website should include a “future implementation” note. Current tokenised securities should still be analysed under the current Capital Markets Act and existing FSC guidance. For products intended to launch after 2027-02-04, counsel should check the final amended Act, subordinate decrees, supervisory regulations, registration / authorisation procedures, KSD infrastructure rules, and any transitional provisions.

Limitations / counterarguments: FSC policy releases are official administrative materials, not the operative statutory text. The enacted text and subordinate rules may alter details of issuance, account-management institutions, OTC brokerage, settlement, disclosure, and investor-protection obligations.

Stablecoins and second-stage virtual-asset legislation

Conclusion: As of this session, stablecoin-specific licensing was a policy-development area, not a finalised standalone stablecoin issuer regime.

Rule: On 2025-12-19, FSC stated that the main contents of the second-stage virtual-asset law had not yet been determined. On 2026-01-07, FSC specifically stated that main contents such as stablecoin issuer shareholder composition had not yet been determined. On 2026-03-04, FSC reported that the Virtual Asset Committee discussed a government review draft for a proposed Digital Asset Basic Act / second-stage virtual-asset law, including digital-operator regulation, exchange internal controls, security standards, no-fault liability, bank-centred stablecoin issuance, and exchange ownership dispersion, and that FSC would proceed with self-regulation improvements and party-government legislative discussions.

Application: A South Korea hub entry should not claim that a Korean stablecoin issuer licence is already live unless final legislation is verified. A stablecoin project should instead be screened under current law for VASP activity, payment / electronic finance regulation, banking, securities, foreign exchange, AML/CFT, consumer-protection, custody, and marketing issues. A KRW-referenced stablecoin, foreign stablecoin distribution, stablecoin custody, stablecoin exchange listing, or payment-use stablecoin will require a fact-specific perimeter analysis.

Limitations / counterarguments: Stablecoin classification depends on redemption rights, issuer identity, reserve assets, fiat reference, KRW link, transferability, whether the token is used for payment, whether yield is paid, whether holders have a claim against the issuer, whether intermediaries hold customer assets, and whether the arrangement falls under payment, banking, securities, foreign-exchange, or VASP rules.

Ready to launch legally?

Book a 30-minute consultation. We'll map your licensing path and tell you exactly what's required, in plain language.

Get Started