Due to their anonymity or pseudonymity, digital assets are perceived as entailing the risks of money laundering and financing terrorism. In October 2018, the Financial Action Task Force (FATF) adopted changes to its recommendations on financial activities involving digital assets, adding the definitions “virtual asset” (VA) and “virtual asset service provider” (VASP). 
Since then, the FATF has adopted a risk-based approach to VA activities or operations and VASPs. This new approach includes the supervision of VASPs to ensure compliance in the areas of licensing and registration and preventive measures such as customer due diligence, transaction reporting and record-keeping. It also includes monitoring VASPs to combat money laundering and the financing of terrorism. Doing so enhances the effectiveness of sanctions and other enforcement measures, as well as international cooperation. VASPs, therefore, have the same full set of obligations as financial institutions.
Related: FATF draft guidance targets DeFi with compliance
VASP regulation in South Korea
In line with the guidance issued by the FATF recommending a risk-based approach toward the regulation of virtual assets and VASPs, Korea’s Anti-Money Laundering-related law, the Act on Reporting and Using Specified Financial Transaction Information, was recently amended and went into effect on March 25, 2021. Under the amended act, VASPs are required to register their business with the Korea Financial Intelligence Unit (KoFIU) prior to the commencement of their business operations, and existing businesses that qualify as VASPs are required to complete such registration within six months — i.e., by Sept. 24, 2021.
Also, upon registration, VASPs will be subject to various AML obligations, such as verifying the identity of their customers and filing reports on suspicious transactions. The financial authorities will conduct inspections of VASPs and supervise their compliance with AML obligations from the time of their business registration.
Related: South Korea faces strict crypto regulation and fears of centralization
Under the act, VASPs are defined as virtual asset trading service providers, virtual asset safekeeping and administration service providers and virtual asset digital wallet service providers that are engaged in the purchase/sale, exchange or transfer, or safekeeping/administration of virtual assets, or intermediation and brokerage of some virtual asset transactions.
Korea Financial Intelligence Unit
The amended act also provides that any offshore activity outside South Korea that has domestic effects or consequences shall be subject to the act. Accordingly, the KoFIU has sent out notices to 27 offshore VASPs with business operations “targeting users in Korea” regarding their obligation to register with the KoFIU by Sept. 24. Whether the business operations of non-Korean VASPs are regarded as “targeting users in Korea” is likely to be a fact-specific determination based on factors such as whether they provide Korean-language translation service on their platforms, whether they perform advertising and marketing activities targeting Koreans, and whether they provide transactions and payment services in the Korean won.
What is notable is that offshore VASPs that have not received any notice from the KoFIU but have business operations targeting users in Korea are also required to register with the KoFIU or otherwise suspend their business operations targeting users in Korea starting Sept. 25.
If the offshore VASPs that are subject to the registration requirement fail to register with the KoFIU, their operation will be regarded as illegal business activities effective Sept. 25. The KoFIU announced that it would take action, such as blocking access to such VASPs’ websites, and those VASPs shall cease their business operations targeting users in Korea effective Sept. 25.
If they continue to operate their business without registering, exchange operators will be subject to up to five years of imprisonment or a maximum fine of approximately $43,500, as prescribed by the act. The KoFIU stated that they would also file charges with investigative authorities, including prosecutors and the police, against unregistered offshore VASPs and actively seek other ways, such as close cooperation with non-domestic financial intelligence units and international judicial mutual assistance, in criminal matters.
Related: South Koreans flock to crypto amid a heavy-handed regulation approach
In this case, there is a possibility that users will incur damages by using services provided by unregistered VASPs because they may not be able to withdraw their funds or virtual assets. Hence, users are advised to check the business registration status of the relevant VASPs (that target users in Korea), request information about their resident registration numbers and take proactive actions, such as withdrawal of their funds or virtual assets, if necessary, to prevent any possible damages.
South Korea’s Financial Services Commission
Then, what requirements should VASPs meet when they register with the KoFIU? Among other requirements, they need to obtain an Information Security Management Systems (ISMS) certification from the Korea Internet and Security Agency (KISA), and they should also use real-name accounts opened at a bank for money remittance between the VASPs and their users unless the VASPs do not receive money from their users and there’s no exchange of money for virtual assets. As of July 22, the Financial Services Commission — the financial authority in Korea — has confirmed that no offshore VASPs have, as yet, obtained an ISMS certification.
Separately, the FSC announced on July 28 the result of comprehensive inspections conducted on the legitimacy of deposit accounts held by VASPs. As of the end of June, it was found that 79 VASPs had 94 deposit accounts, 14 of which were found to be linked to fraudulent or fictitious account activities. Financial institutions are expected to suspend the accounts linked to fraudulent or fictitious activities.
Making use of the suspicious transaction reports, the KoFIU will relay any cases connected to money laundering or other illicit activities to the appropriate law enforcement agencies. The FSC also said that financial authorities will continue to closely monitor deposit accounts held by VASPs until the registration deadline of Sept. 24.
Related: South Korea’s small crypto exchanges face increasing regulatory heat
Offshore VASPs should consider whether they fall within the scope of the offshore VASPs subject to the registration requirement under the amended act (i.e., whether they may be deemed to be targeting users in Korea) by checking their current marketing and distribution channels, settlement currencies and translation service, etc. Also, offshore VASPs that intend to actively market their service to users in Korea after Sept. 24 should, among other things, consider their business structure and check the requirements for registration with the KoFIU.
This article does not contain investment advice or recommendations. Every investment and trading move involves risk, and readers should conduct their own research when making a decision. The views, thoughts and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

Chloe Lee is a lawyer qualified to practice law in Korea. She is a partner at the Banking and Finance Group and Digital Finance Team of Lee & Ko, one of Korea’s premier law firms, with over 780 professionals. Chloe graduated from Seoul National University School of Law and earned an LL.M. in law and technology at UC Berkeley School of Law.