South Korea remains the third-largest market for virtual currency, behind the United States and Japan. During the Bitcoin bull run of 2017, an estimated 1 in 3 office workers owned cryptocurrencies.
This crypto gold rush existed alongside limited regulatory oversight which created a fertile breeding ground for exploitation. This is evidenced through numerous controversies including exit scams, exchange hacks, price manipulation, and fake trading volume. Data from the Korean Ministry of Justice indicates that South Koreans lost $2.7 billion USD in cryptocurrency scams between July 2017 and June 2019. The ministry also said it has indicted and detained 132 individuals accused of cryptocurrency fraud and indicted another 288 individuals without detaining them.
In March this year, South Korea’s National Assembly passed an important new legislative amendment to their Financial Information Act that effectively legitimizes virtual asset ownership and trading and aligning the country requirements with international anti-money laundering and counter-terrorism funding (AML/CFT) standards. All Korean Virtual Asset Service Providers (‘VASPs’) must be fully compliant with the Act no later than September 2021.
Whilst formally bringing crypto exchanges into the regulatory fold, these requirements are not without their challenges. All Korean exchanges are now legally required to establish a verified real-name individual account with an authorized Korean bank. The exchange’s designated individual account holder will be responsible for withdrawing and depositing fiat currency between the exchange and the bank by way of a single bank account. South Korea introduced the real-name verification system in January 2018. Although not a requirement, crypto exchanges were encouraged to partner with approved banks to use the system. However, so far, only the largest exchanges — Bithumb, Upbit, Coinone, and Korbit — have been able to use this system, as banks have been reluctant to provide this service to small and medium-sized exchanges. Under the new Act the VASP is required to report their business and real-name bank account before September 2021, or else potentially face a 5-year prison sentence or 50 million Korean Won fine.
In addition, each Korean VASP must apply for an Information Security Management System (ISMS) certificate from the Korea Internet & Security Agency (KISA) in order to do business. To receive ISMS certification, they’ll need to implement new AML/KYC measures such as Recommendation 16 travel rule which requires VASPs to exchange customers’ personally identifiable information.
As crypto exchanges look to build / enhance their AML programme to meet regulatory requirements and also secure banking partnerships, what should they be focusing on?
Know Your Customer:
This goes beyond simply to collation of ID documents - which is just one piece ( arguably the easiest piece) of the puzzle.
Think about proportionality. Perhaps you do not need to collect ID when your customer registers, but only when they start actively trading. The amount of KYC you collect can be tailored to your clients activity and wallet caps included to limit exposure.
VASPs may also consider using some more enhanced data points to better understand their customer such
Transaction monitoring:
Whilst companies are able to apply a risk based approach to the collection of documentation at onboarding, the key to understanding your customers behaviour is to have robust monitoring in place.
The monitoring of both fiat transactions, and the crypto transactions is very important. A customer's transaction profile should be considered by looking at both of these elements.
An increasingly popular request from banks is that they require a look back on the VASPs transactions over a set period of time. This usually forms a report, and is facilitated by the bank by either asking the VASP directly, or requesting this information through a third party blockchain analysis provider.
Governance:
The usual governance applies, however this should also be extended to include an audit and regular reviews of the crypto transaction monitoring systems, as well as a review of the crypto-assets themselves that the VASPs are listing.
Sanctions:
OFAC have now started including cryptocurrency addresses as part of their sanctions regime. This is an extremely important area to focus on, and something that is vital for your transaction monitoring. When liaising with vendors for blockchain analysis, a key question should be around how they deal with sanctioned addresses, and how often those lists are updated.
The newly passed law forces any non-compliant VASPs to either quickly reform their AML/KYC programme or cease their operations. While a handful of the biggest Korean exchanges already comply with most of these measures, there is a real chance that many of the other VASPs that have not adequately considered AML protocols as they have built and scaled, will struggle to implement these new regulations. Some may even be forced to cease operations all together.
FINTRAIL are currently working with crypto exchanges globally to build, scale and test their AML and CTF programmes to not only meet regulatory requirements, but also to secure banking partnerships and help them proactively manage their financial crime risks, thereby helping to strengthen the AML health and wellbeing of the sector.
If you are interested in speaking to the FINTRAIL team about the issues discussed in this article or any other financial crime topic please get in touch via contact@fintrail.co.uk.