Virtual Assets

1. Virtual Asset

A virtual asset service provider must keep customer deposits and virtual assets strictly separate, must deposit the deposits with a credible management institution such as a bank, and must keep at least 80% of customer virtual assets in a cold wallet (a storage device isolated from the internet).

In addition, an obligation to take out insurance or to set aside reserves in preparation for hacking or computer-system failures has been newly established.

▶Content of the Obligations

Similar to the Financial Investment Services and Capital Markets Act, market manipulation, false representation, insider trading, and fraudulent trading are regulated.

Exchanges have a duty to continuously monitor abnormal transactions and to report signs of unfair trading to the financial authorities, and a violation results in severe criminal punishment and penalty surcharges.

▶Main Penalty Levels

Companies operating NFT projects, P2E (Play to Earn), virtual asset investment associations, and the like are subject to the same punishment if they are involved in leaking insider information, participating in market manipulation, or false promotion.

The Financial Supervisory Service directly inspects exchanges for their compliance with user protection duties, insurance enrollment, cold wallet storage ratios, and abnormal transaction monitoring systems, and if violations are found, it may impose business suspension, corrective orders, and penalty surcharges.

▶Concurrent Self-Regulation

When a company handles or operates virtual assets or engages in a related business, it must review whether it complies with the laws and regulations that apply.

▶Checking applicable laws: becoming familiar with the latest laws and guidelines, such as the Virtual Asset User Protection Act, the Act on Reporting and Use of Specific Financial Transaction Information, anti-money laundering (AML) regulations, and the guidelines of the Financial Services Commission and the Financial Supervisory Service

▶Whether business reporting and registration are completed: reviewing compliance with the virtual asset service provider reporting system and the registration status of providers subject to reporting

▶Establishing internal policies: whether internal guidelines and procedures for virtual asset trading and management have been established

▶Verification of exchanges and partners: reviewing the reporting or licensing status and reliability of virtual asset exchanges and affiliated partners

▶Response measures: conducting regular legal reviews and the latest regulatory training in cooperation with the legal team, and strengthening the compliance monitoring system

This reviews the legal and financial risks that may arise from failing to perform duties related to protecting virtual asset user assets.

▶Whether the duty of separate custody is performed: confirming whether the company's virtual assets and users' virtual assets are kept separately

▶Review of the deposit management system: the safe management of user deposits and the status of entrustment to a trusted management institution (a bank)

▶Insurance enrollment and reserve accumulation: whether insurance has been taken out and sufficient reserves accumulated to prepare for hacking and system failure incidents

▶Protection of user information: whether a user register is prepared and managed and personal information protection regulations are complied with

▶Response measures: strengthening the deposit management and separate custody system, regularly checking the insurance enrollment status, and cooperating with the chief privacy officer (CPO)

It is necessary to review the legal liability and reputational risk arising from unfair trading practices that may occur in the virtual asset market, such as market manipulation, insider trading, and fictitious trading.

▶Building a market surveillance system: whether an abnormal transaction monitoring system is operated and whether the financial authorities' guidelines are complied with

▶Procedures for reporting suspected unfair trading: whether an internal reporting system and measures to protect reporters are in place

▶Preserving transaction records and ensuring transparency: whether all transaction records are preserved and can be submitted to the financial authorities when necessary

▶Preparing for investigations by the financial authorities: establishing a system to respond to unfair trading investigations and sanctions

▶Response measures: strengthening internal controls, responding and reporting immediately when an abnormal transaction occurs, and reinforcing employee training

This reviews the risk of failing to comply with customer due diligence duties for the prevention of money laundering and terrorist financing.

▶Whether KYC procedures are performed: whether a customer identity verification and risk assessment system is operated

▶Suspicious transaction reporting system: reviewing the procedures and system for reporting to the Korea Financial Intelligence Unit (FIU) when a suspicious transaction occurs

▶Employee training and internal controls: whether regular training on anti-money laundering and internal audits are conducted

▶Coordination with cooperating institutions: establishing a cooperation system with the financial authorities and investigative agencies

▶Response measures: designating an AML team or officer, and strengthening the introduction of related systems and training

Given the nature of virtual assets, it is necessary to manage the risk of legal and financial losses arising from hacking, cyberattacks, and personal information leaks.

▶Review of the security system status: the cold wallet (offline wallet) storage ratio and whether a security infrastructure is operated to prepare for hacking

▶Internal security policy: whether security controls such as access right management, password policies, and multi-factor authentication are implemented

▶Compliance with the Personal Information Protection Act: reviewing the personal information processing policy, the guarantee of data subjects' rights, and the level of data encryption

▶Preparing an incident response manual: establishing a system of response and reporting procedures when a security incident occurs

▶Response measures: introducing the latest security technology, conducting periodic mock hacking and security audits, and designating a personal information protection officer

This reviews the legal risks arising from the drafting of contracts related to virtual assets and from the occurrence of disputes.

▶Review of terms of service and contracts: ensuring the legal adequacy of contracts and terms related to virtual asset trading and custody

▶Establishing dispute resolution procedures: clarifying the procedures for conciliation, arbitration, and litigation when a dispute occurs

▶Review of provisions related to unfair trading and consumer protection: strengthening user protection and clarifying where responsibility lies

▶System for responding to changes in relevant laws: regularly reviewing contracts and terms following amendments to statutes

▶Response measures: using professional legal advice, adopting standard terms, and conducting dispute prevention training

It is also necessary to review the internal control system that manages and supervises whether the company's overall virtual asset operations conform to laws and regulations.

▶Operating a compliance organization: whether a dedicated team is established and its role clarified

▶Regular review and reporting system: whether internal audits, risk assessments, and reporting to management are conducted

▶Reflecting updates to laws and policies: a system for revising and supplementing internal policies in line with the latest regulatory and legal changes

▶Training and raising awareness: regular training for officers and employees and reinforcing risk awareness

▶Response measures: building a systematic internal control system, cooperating with outside experts, and spreading a company-wide risk management culture