South Korea Virtual Asset Regulation: VAUPA and FSC Framework

Overview

South Korea operates one of the world’s largest retail cryptocurrency markets by volume — domestic exchange volumes frequently exceed those of the United States on a per-capita basis. This market depth has driven significant regulatory attention, culminating in the Virtual Asset User Protection Act (VAUPA) which took effect on July 19, 2024.

VAUPA represents a material shift in South Korea’s regulatory approach: from the Special Financial Information Act (SFIA) framework (2021), which required KYC and AML compliance for crypto exchanges registered with the Financial Intelligence Unit (KoFIU), to a comprehensive investor protection statute with operational requirements comparable to those applied to traditional securities exchanges.

For tokenized securities specifically, South Korea’s Financial Investment Services and Capital Markets Act (FISA) applies, with the Financial Services Commission (FSC) and Financial Supervisory Service (FSS) as the responsible regulators — creating a dual-framework that compliance officers must navigate depending on asset classification.

Primary Regulators: FSC and FSS

The Financial Services Commission (FSC) sets financial policy and regulation in South Korea, including virtual asset policy and FISA securities regulation. The Financial Supervisory Service (FSS) conducts day-to-day supervision and enforcement. KoFIU (Korea Financial Intelligence Unit) within the FSC administers AML/CFT registration for virtual asset service providers.

Special Financial Information Act (SFIA): Registration Foundation

South Korea’s foundational virtual asset regulatory structure derives from the Act on Reporting and Use of Specific Financial Transaction Information (SFIA, amended March 2021). Under the SFIA:

• Virtual asset service providers must register with KoFIU before commencing operations
• Registration requires: an Information Security Management System (ISMS) certification (issued by Korea Internet & Security Agency, KISA), a real-name bank account for KRW-linked transactions (provided by one of the handful of banks that have agreed to provide such accounts — KB Kookmin, Shinhan, Woori, Nonghyup, and K Bank), AML compliance framework, and fit-and-proper assessment of major shareholders and managers

The real-name bank account requirement has been the most operationally significant barrier for new entrants: domestic exchanges must partner with a willing bank, and banks have been selective — limiting the number of new SFIA registrations among exchange operators.

As of 2024, five exchanges hold KoFIU registrations with full won-linked trading accounts (Upbit, Bithumb, Coinone, Korbit, and GOPAX). A larger number of exchanges hold registrations for crypto-to-crypto trading only.

VAUPA: Virtual Asset User Protection Act

The Virtual Asset User Protection Act (VAUPA), effective July 19, 2024, establishes substantive investor protection requirements for registered VASPs:

Mandatory Customer Asset Segregation

VASPs must segregate customer virtual assets and funds from their corporate assets. Specifically:

• Customer deposits (KRW) must be held in accounts separate from the VASP’s operational accounts, with a licensed bank or trust company
• Customer virtual assets must be held in dedicated wallets, with at least 80% in cold storage (offline, hardware-secured)
• VASPs must maintain records of individual customer asset positions and must be able to return customer assets on demand

Insurance and Reserve Requirements

VASPs must maintain:

• Insurance or compensation reserves covering potential losses from hacking, operational failures, or theft. The FSC has specified that insurance must cover losses attributable to the VASP’s own negligence or system failures; minimum coverage amounts are set by FSC regulation
• Financial reserves sufficient to compensate customers in the event of loss events not covered by insurance

The insurance requirement is significant: it forces VASPs to engage the insurance market for crypto-specific coverage, creating a market for novel insurance products and imposing an ongoing cost that smaller VASPs may struggle to absorb.

Market Manipulation Prohibition

VAUPA explicitly prohibits market manipulation, fraudulent transactions, and unfair trading practices in virtual asset markets — including:

• Creating artificial trading volumes (wash trading)
• Price manipulation through coordinated buy/sell activity
• Front-running or insider trading based on material non-public information about VASP listings or delistings
• Spreading false information to affect virtual asset prices

The FSC has authority to impose penalties (fines and criminal sanctions) for VAUPA violations, significantly raising the legal risk profile of market manipulation in Korean crypto markets.

Disclosure Requirements

VASPs must disclose:

• Material information about listed virtual assets — including project changes, security incidents, and smart contract updates — that could affect asset value
• Listing and delisting criteria, applied consistently
• Fee structures, including maker/taker fees and withdrawal fees
• Reserve and insurance status

Tokenized Securities Under FISA

Tokens constituting securities under FISA — defined by investment purpose and profit-sharing characteristics — are regulated under the full FISA securities framework, supervised by the FSC and FSS:

• Issuance: Public issuance of tokenized securities requires FSC registration or applicable exemption (private placement to professional investors)
• Dealing: Entities dealing in FISA-regulated security tokens require investment business licenses from the FSC
• Security Token Offering (STO) pilot: The FSC launched a regulatory sandbox for STO in 2022, with several licensed proof-of-concept offerings. A comprehensive STO regulatory framework has been under development, expected to include licensed STO platforms and secondary market rules

The STO framework, when finalized, will operate alongside VAUPA’s VASP regime — security tokens traded on licensed STO platforms will be subject to FISA; non-security virtual assets will be subject to SFIA/VAUPA.

AML/KYC Requirements

South Korean VASPs are subject to:

• SFIA AML obligations: CDD at onboarding, transaction monitoring, STR reporting to KoFIU, record retention
• Travel Rule: South Korea implemented the FATF Travel Rule for VASPs from March 2022, with a threshold of KRW 1,000,000 (approximately USD 750). VASPs must collect and transmit originator/beneficiary information for virtual asset transfers at or above this threshold. The Korea VASP Travel Rule system uses Interoperability standards coordinated through industry associations
• Real-name verification: All KRW-depositing customers must be verified against real-name bank account records — a structural KYC mechanism unique to South Korea’s banking-linked exchange model

Compliance Checklist: South Korea Tokenization Operations

• Register with KoFIU under the Special Financial Information Act (SFIA); obtain ISMS certification from KISA; secure real-name bank account partnership
• Comply with VAUPA requirements: implement customer asset segregation (80%+ cold storage for virtual assets; KRW in segregated bank accounts)
• Obtain VAUPA-required insurance coverage for virtual asset losses; ensure coverage meets FSC minimum requirements
• Implement market manipulation prohibition compliance: surveillance systems, trading controls, conflict of interest policies
• Implement VAUPA disclosure requirements: material information disclosure, fee transparency, listing/delisting criteria
• Implement FATF Travel Rule above KRW 1,000,000 threshold
• Implement SFIA AML program: CDD, transaction monitoring, KoFIU STR reporting
• For security tokens: assess FISA classification and obtain appropriate investment business license; engage FSC STO sandbox if applicable
• Establish South Korean legal entity; appoint locally-resident compliance officer approved by FSC
• Monitor FSC’s STO regulatory framework development for tokenized securities market entry timing

Authority References

• SFC Hong Kong — APAC virtual asset regulatory comparison
• MAS Singapore — Regional digital asset standards
• BIS — East Asian digital asset regulation

For APAC VASP licensing comparison across South Korea, Japan, Singapore, and Hong Kong, see the Licensing Matrix. For VAUPA and SFIA definitions, see the Regulatory Encyclopedia. For South Korean exchange platform analysis, see Platform Benchmarks.