I. BACKGROUND
1. Progress of Amendments to the Act on Reporting and Using Specified Financial Transaction Information
An amendment to the Act on Reporting and Using Specified Financial Transaction Information (hereinafter, the “Act on Specified Financial Information”), the main purpose of which is to strengthen entry regulations for virtual asset service providers, was passed at the plenary session of the National Assembly on January 29, 2026, and promulgated on February 19, 2026 (effective date: August 20, 2026).
Under the previous version of the Act, the review of reporting applications for virtual asset service providers was limited to verifying the criminal records of only the representative and executives. Consequently, it was consistently noted that there was a lack of legal basis for reviewing key factors, such as the eligibility of major shareholders, the financial soundness of the virtual asset service provider, and the adequacy of its internal control system. In response, the amended Act introduced a review of the eligibility of major shareholders, significantly expanded the grounds for reporting denial, and broadened the scope of laws subject to criminal record review. This expansion includes the Monopoly Regulation and Fair Trade Act, the Punishment of Tax Offenses Act, and the Act on Aggravated Punishment of Specific Economic Crimes, among others. In addition, in order to address evasion of sanctions through retirement, a new legal basis was established for notifying sanction measures against former executives and employees. For further details on this matter, please refer to our firm’s newsletter dated December 5, 2025 (Key Considerations Regarding Unregistered Virtual Asset Service Providers).
However, the amended Act on Specified Financial Information delegates many core matters, such as the specific scope of major shareholders, the criteria for sound financial condition and social credibility, and the requirements for organization and personnel, to the Enforcement Decree and supervisory regulations. Accordingly, the substantive details of the regulatory framework will only become clear once the subordinate legislation is finalized.
2. Significance of the Legislative Notice of the Proposed Amendments to the Enforcement Decree and Supervisory Regulations
Against this background, the Financial Services Commission prepared proposed amendments to the Enforcement Decree and the Supervisory Regulations on March 30, 2026, and initiated a legislative notice thereof (public comment period: March 30, 2026 to May 11, 2026).
The contents of the proposed amendments consist of two main pillars. First, the specification of the detailed matters delegated by the amended Act on Specified Financial Information (including the scope of major shareholders, standards for financial soundness and social credibility, and requirements for organization and personnel). Second, a substantial strengthening of anti-money laundering obligations with respect to virtual asset transfer transactions (including expanding the travel rule and introducing regulations governing overseas transactions).
According to the addenda to the amended Act on Specified Financial Information, even virtual asset service providers who have already completed their reporting are required to file a new report in accordance with the amended provisions within three months of the effective date (August 20, 2026). Considering that the Enforcement Decree and Supervisory Regulations are expected to be finalized in July and applied from August 20, virtual asset service providers need to understand the amendments and commence preparations from now. Business operators who deem revisions to the regulatory framework necessary may submit their comments during the public comment period.
II. KEY CONTENTS OF THE PROPOSED AMENDMENTS
1. Strengthening of Entry Regulations for Virtual Asset Service Providers
(1) Specification of the Scope of Major Shareholders Subject to Review
The amended Act on Specified Financial Information expands the scope of persons subject to review to include major shareholders - beyond the previously reviewed representatives and officers with criminal records. This includes shareholders who are specially related parties of the largest shareholder, and where the largest shareholder is a corporation, those who effectively exercise influence over its key management matters, as prescribed by the Enforcement Decree. The Act delegates the detailed scope of such major shareholders to the Enforcement Decree (Article 7(1)2-2), and the proposed amendments to the Enforcement Decree specify the scope of major shareholders subject to review as follows (Articles 4 and 10-11).
First, in the case of the largest shareholder, specially related shareholders are included, and where the largest shareholder is a corporation, the largest shareholder of that corporation (including any person who effectively exercises control, if different) as well as its representative are additionally included as reportable major shareholders. Second, major shareholders include those who, individually or pursuant to an agreement or contract, have appointed a majority of the representative directors or directors, as well as those who exercise a dominant influence over key decision-making such as management strategy or organizational changes (as designated by notice of the head of the Korea Financial Intelligence Unit). Third, specially related persons are defined as those set forth in each subparagraph of Article 3(1) of the Enforcement Decree of the Act on Corporate Governance of Financial Companies.
In particular, under the first item, not only specially related persons of the largest shareholder but also the largest shareholder and the representative of a corporate largest shareholder are subject to review, thereby subjecting the governance structure of virtual asset service providers to a significantly enhanced level of scrutiny.
(2) Specification of Requirements for Sound Financial Condition and Social Credibility
The requirements for sound financial condition and social credibility delegated under Article 7(3)5 of the amended Act on Specified Financial Information have been specified in detail in the Attached Table of the Enforcement Decree, for each of virtual asset service providers, executives and representatives, and major shareholders, as follows (Article 10-12(4) of the proposed Enforcement Decree).
|
Review Subject
|
Key Requirements
|
|
Virtual Asset Service Provider
|
Debt ratio not exceeding 200 percent (user deposits deducted from total liabilities); no default in the past three years; no history of designation as an insolvent financial institution or business license revocation in the past five years; lapse of a certain period following administrative sanctions
|
|
Executives and Representatives
|
Must satisfy the requirements under Article 5(1) of the Act on Corporate Governance of Financial Companies (minors, bankrupts, persons who have not passed five years since completion of imprisonment without labor, etc. are disqualified)
|
|
Major Shareholder (Domestic Corporation)
|
Debt ratio not exceeding of 200 percent or less (while the statutory upper limit under the Enforcement Decree is 300% or less, this has been tightened to 200% under the supervisory regulations) (where affiliated with a large business group subject to cross-shareholding restrictions or a main obligor group, the same standard applies to the relevant group); no default in the past five years; must not be a major shareholder or related party of an insolvent financial institution
※ In cases where the degree of violation is minor, the head of the Financial Intelligence Unit may grant an exception
|
|
Major Shareholder (Domestic Individual)
|
Must satisfy the requirements under Article 5(1) of the Act on Corporate Governance of Financial Companies + credit order requirements applicable to domestic corporations
|
|
Major Shareholder (Foreign Corporation)
|
Investment-grade ratings from an internationally recognized credit rating agency, or satisfaction of the financial soundness standards of the competent supervisory authority of its home jurisdiction + credit order requirements applicable to domestic corporations
|
|
Major shareholder (Institutional Private Collective Investment Scheme or Special Purpose Investment Company).
|
The applicable requirements are applied on a look-through basis to the relevant category, including the general partner, limited partners holding at least 30% equity (excluding those that do not exercise de facto influence), and limited partners that effectively exercise control: domestic corporation requirements apply to domestic corporations, domestic individual requirements apply to domestic individuals, and in the case of foreign corporations, the debt ratio, creditworthiness, and investment-grade rating requirements must be satisfied.
|
(3) Introduction of Requirements for Organization, Personnel, and Internal Control Systems
The Enforcement Decree provides that any person who fails to establish qualified personnel with expertise and soundness, IT infrastructure and communication means, security facilities, backup facilities for business continuity, and an internal control system to ensure compliance with applicable laws and regulations related to virtual assets shall be subject to denial of reporting (Article 10-12(6) of the proposed Enforcement Decree).
The proposed amendments to the Supervisory Regulations further specify these noteworthy requirements. Specifically, at least four personnel dedicated to anti-money laundering functions must be secured, and a board of directors, a representative director, a compliance officer, and a reporting officer must be established, along with an independent audit system. With respect to IT infrastructure, systems with verified stability and performance, as well as appropriate information processing systems, are required.
(4) Expansion of Laws Subject to Criminal Record Review
The proposed amendments to the Enforcement Decree expand the scope of laws subject to criminal record review to include the Act on Special Cases Concerning Prevention of Illegal Trafficking in Narcotics, the Monopoly Regulation and Fair Trade Act, the Punishment of Tax Offenses Act, and the Act on Aggravated Punishment of Specific Economic Crimes (Article 10-12(3) of the proposed Enforcement Decree).
2. Delegation of Authority to Notify Sanction Measures Against Retired Personnel
A portion of the authority to notify sanction measures against retired executives and employees under Article 15-3 of the amended Act on Specified Financial Information (including reprimand warnings, cautionary warnings, and cautions for executives, and all sanctions for employees) is delegated to entrusted inspection institutions such as the Financial Supervisory Service (Article 15(4) of the proposed Enforcement Decree).
3. Strengthening of Anti-Money Laundering Obligations for Virtual Asset Transfer Transactions
The provisions below (Articles 10-10 and 10-20 of the proposed Enforcement Decree) will take effect on January 1, 2027, unlike the entry regulations (effective August 20, 2026). This is understood as intended to provide business operators with time to upgrade their systems.
(1) Full Expansion of the Scope of Application of the Travel Rule
Under the current law, the obligation to provide information (travel rule) applied only to transfers of virtual assets of KRW 1 million or more between domestic virtual asset service providers. This obligation is expanded to cover all transfer transactions regardless of the value or quantity of the virtual assets (Article 10-10, Subparagraph 1 of the proposed Enforcement Decree). Currently, approximately 60 percent of transfer transactions between domestic virtual asset service providers involve amounts below KRW 1 million (based on the number of transactions in the second half of 2025). This measure is intended to prevent the circumvention of the travel rule through transactions below the threshold amount.
In addition, phased obligations are imposed on receiving virtual asset service providers (Article 10-20, Subparagraph 6 of the proposed Enforcement Decree). They must receive information on the originator and beneficiary from the sending service provider, request such information if it is not provided, and refuse the transaction if the information is not provided despite such request.
(2) Risk-Based Differentiated Regulation for Transactions with Overseas Virtual Asset Service Providers and Personal Wallets
Where a domestic virtual asset service provider engages in transfer transactions with an overseas virtual asset service provider, a framework is introduced under which the anti-money laundering measures of the relevant foreign service provider are assessed. Transactions are then permitted on a differentiated basis depending on the results of such assessment (Article 10-20, Subparagraph 7 of the proposed Enforcement Decree; and Article 28-2 of the proposed Supervisory Regulations). However, the specific criteria for classifying low-risk and high-risk categories set out in the table below (such as compliance with FATF recommendations and licensing requirements) are prescribed under the Supervisory Regulations and will take effect from February 1, 2027, which is later than the general effective date of the Enforcement Decree (January 1, 2027).
|
Risk Level
|
Assessment Criteria
|
Permissibility of Transaction
|
|
Low Risk
|
Located in a country implementing FATF recommendations; compliance with obligations comparable to domestic standards, including customer due diligence, suspicious transaction reporting, and the travel rule; compliance with licensing requirements
|
Permitted (subject to provision of sender and recipient information)
|
|
High Risk
|
Located in a country designated as high-risk by the FATF, or failure to comply with licensing requirements
|
Prohibited in full
|
|
Others
|
Not falling within the low-risk or high-risk categories
|
Permitted only where the originator and beneficiary are the same person
|
|
Personal Wallet
|
Unhosted personal wallet
|
Permitted only where the originator and beneficiary are the same person; prohibited where there is a risk of money laundering
|
Transfer transactions with overseas virtual asset service providers and personal wallets in the amount of KRW 10 million or more shall be deemed suspicious transactions and must be reported to the Financial Intelligence Unit, regardless of the risk level. This threshold amount (KRW 10 million) is prescribed under the Supervisory Regulations and will take effect on August 20, 2027 (Addenda, Article 1, Subparagraph 2 of the Supervisory Regulations).
4. Clarification of Customer Due Diligence Obligations
“Measures taken with reasonable care” expressly include verification of the accuracy of customer due diligence information (Article 10-2(2) of the proposed Enforcement Decree). In addition, where a customer or a financial product is assessed as high-risk based on risk assessments conducted by financial institutions or the government, enhanced due diligence (EDD) must be conducted prior to engaging in financial transactions (Article 10-2(4) of the proposed Enforcement Decree; and Article 23-2 of the proposed Supervisory Regulations).
III. IMPLICATIONS
1. Scope of Disqualification Grounds for Major Shareholders: Necessity for Exception
While the proposed amendments to the Enforcement Decree specify the requirements for financial soundness and social credibility requirements of major shareholders, they do not appear to provide any separate exception with respect to the disqualification grounds based on criminal records or the like under Article 7(3)3 of the amended Act on Specified Financial Information.
In practice, where a major shareholder is a corporation, it is not uncommon for the corporation to be subject to fines under joint penal provisions for unlawful acts committed by its officers or employees. In light of the fact that the amended Act on Specified Financial Information significantly expands the scope of laws subject to criminal history review, the absence of any separate exceptions to disqualification grounds may give rise to practical issues in the course of assessing the eligibility of major shareholders. In this regard, virtual asset service providers should, in advance, review whether any disqualification grounds apply, including those arising from the criminal history of their major shareholders (particularly corporate shareholders). It is also noteworthy that the Attached Table 1 of the Enforcement Decree includes a proviso “allowing the head of the Financial Intelligence Unit to grant exceptions where the degree of violation, etc. is minor” with respect to the social credibility requirements of domestic corporate major shareholders. However, this pertains to the requirements for financial soundness and social credibility (Article 7(3)5 of the Act) and constitutes a separate provision from the disqualification grounds based on criminal records (Article 7(3)3 of the same Act), hence its application is limited.
2. Re-Reporting and Transitional Measures: Considerations in Case of Changes in Major Shareholders
Virtual asset service providers that have already completed their reporting are required to file a new report in accordance with the amended provisions within three months (by November 20, 2026) from the effective date (August 20, 2026). Where a person becomes subject to the criminal record requirements (Article 7(3)3) and the requirements for sound financial condition and social credibility (Article 7(3)5) due to causes arising prior to the enforcement of the Act, the previous provisions shall apply until the relevant representative, executive, or major shareholder is replaced. Accordingly, it is unlikely that an immediate denial of reporting will be imposed with respect to existing major shareholders.
However, a different approach applies where there is a change in major shareholders after the enforcement of the Act. In such cases, it is interpreted that the amended disqualification provisions will apply in full to newly acquiring major shareholders, including causes arising prior to the enforcement of the Act. Therefore, when pursuing transactions involving changes in governance structure, such as capital raising or M&A, it is essential to conduct a prior review as to whether prospective major shareholders fall within any disqualification grounds.
3. Organizational and Personnel Requirements: Burden on Small-Scale Operators
The requirements under the Supervisory Regulations, including securing at least four personnel dedicated to anti-money laundering functions, appointing a compliance officer and a reporting officer, and establishing an independent audit system, must be satisfied by August 20, 2026. As recruitment of personnel and restructuring of internal organizations require a considerable amount of time, small-scale virtual asset service providers need to promptly establish and commence implementation of personnel acquisition plans. Failure to meet these requirements may constitute grounds for denial of reporting.
4. Travel Rule System Upgrades: Preparation for Implementation in 2027
The expansion of the Travel Rule and the regulation of cross-border transactions are expected to be implemented in phases throughout 2027, and substantial effort and cost will likely be required to upgrade systems, including establishing a risk assessment framework for overseas counterparties, enhancing transaction monitoring, and integrating suspicious transaction reporting systems. In particular, developing a system capable of assessing the level of compliance with FATF recommendations by overseas service providers and reflecting such assessments in real time in determining whether transactions are permitted requires substantial review from the design stage. Early preparation is therefore strongly recommended.
IV. FUTURE TIMELINE
|
Date
|
Description
|
|
March 30, 2026
|
Commencement of legislative notice of the proposed amendments to the Enforcement Decree and advance notice of changes to the Supervisory Regulations
|
|
May 11, 2026
|
End of public comment period – deadline for submission of comments
|
|
July 2026
|
Finalization of the Enforcement Decree and Supervisory Regulations following review by the Regulatory Reform Committee and the Ministry of Government Legislation, and deliberation by the State Council
|
|
August 20, 2026
|
Enforcement of the amended Act on Specified Financial Information – application of strengthened entry regulations
|
|
November 20, 2026
|
Deadline for re-reporting by existing virtual asset service providers (three months from the effective date)
|
|
January 1, 2027
|
Full expansion of the travel rule and implementation of regulations governing overseas transactions (with detailed standards under the Enforcement Decree and Supervisory Regulations to be implemented in phases on February 1, 2027, and August 20, 2027)
|
* * *
Bae, Kim & Lee LLC, based on its expertise in the Act on Specified Financial Information and regulations relating to virtual assets, provides support with respect to reporting by virtual asset service providers, regulatory compliance, and submission of opinions during legislative notice procedures.