The Financial Technology Law Review: South Korea
Currently, there are no prohibitions or restrictions for certain types of fintech businesses in South Korea, nor is there an existing regulatory regime that specifically regulates cryptocurrency or blockchain. However, fintech businesses are likely to be subject to existing Korean laws and regulations, depending on the specific nature of the business undertaken. For example, certain financial activities of fintech companies may be regulated under existing Korean financial laws such as the Electronic Financial Transaction Act (EFTA).
As to the Korean government's stance, financial regulators and policymakers are generally receptive to fintech innovations and technology driven new entrants to regulated financial services markets in South Korea. The Korean government has identified fintech as one of its 24 key areas to support innovation as a means to spur growth in the Korean financial industry. For example, the Korean government established the Fintech Support Centre that provides guidance on fintech-related projects and an opportunity for fintech start-ups to present their services to financial institutions. The Financial Services Commission (FSC) has announced 24 key projects for 'financial innovation' to be implemented as part of their 2020 business plan, and support for the fintech industry is one of the FSC's key initiatives.
In terms of specific fintech-friendly policies, the Special Act on Support of Innovation of Finance (the Special Act) became effective on 1 April 2019 and introduced the regulatory sandbox scheme in South Korea. The new law introduced expedited confirmation on regulation and relaxed regulatory standards for those financial services designated as 'innovative financial service' by the government. In 2019, a total of 77 companies were designated as providing innovative financial services and accepted in the regulatory sandbox.
Furthermore, the Korean government offers special incentive schemes mainly in the form of tax incentives for tech and fintech businesses or small- and medium-sized (SME) businesses in South Korea. Notably, SME businesses established in certain areas of South Korea that are not highly populated cities can receive 50 per cent corporate tax relief for up to five years on their business income. Also, those companies identified as a 'venture business' by the Korean government, by which many fintech companies may qualify, may receive 50 per cent corporate tax relief even if they are located in highly populated cities in South Korea. For certain R&D costs (including labour costs and material costs), R&D tax deduction may be available as well.
Despite promoting policies conducive to fintech businesses, however, the Korean government has also shown concern for anti-money laundering (AML) and other consumer protection matters. The FSC amended the Anti-Money Laundering Guidelines for Cryptocurrencies (AMLC Guidelines) in 27 June 2018, requiring, among other things, that financial institutions enhance monitoring for accounts of cryptocurrency companies used for operating expenses and share the list of foreign cryptocurrency companies.
The Policy Committee of the National Assembly passed the proposed amendment to the Act on Reporting and Using Specified Financial Transaction Information (Proposed Amendment) that will subject virtual asset service providers (VASP) to AML requirements. The Proposed Amendment is significant in that it would bring the domestic cryptocurrency market, which has not been directly regulated, into the regulatory framework in South Korea.
i Licensing and marketing
Currently, there are no prohibitions or restrictions for certain types of fintech businesses in South Korea. However, fintech businesses providing certain financial services are required to obtain a licence under the relevant Korean financial laws and regulations.
Specifically, the EFTA is the law that regulates electronic financial transactions in South Korea. The EFTA covers the:
- rights and obligations of the parties to an electronic financial transaction;
- provisions to ensure the safety of electronic financial transactions and protection of users; and
- authorisation, registration and specific scope of activities of electronic financial businesses.
Activities listed as 'electronic financial business' under the EFTA include the:
- issuance and management of electronic currency;
- electronic funds transfer services;
- issuance and management of electronic debit payment services;
- issuance and management of electronic prepayment services;
- electronic payment settlement agency services;
- depository service for settlement of transactions; and
- intermediary electronic collection and payment services between payors and payees.
Other than the issuance and management of electronic currency, which needs to be licensed by the FSC, the above types of electronic financial businesses must be registered with the FSC and are supervised by the FSC and the Financial Supervisory Service (FSS).
Further, fintech businesses that do not engage in electronic financial business activities under the EFTA but intend to undertake regulated activities in South Korea, such as banking or credit card businesses, should review whether it is required to obtain appropriate authorisation (licence or registration) from the relevant Korean regulatory authorities such as the FSC or the FSS.
ii Regulatory sandbox
The Special Act, enacted in 31 December 2018 and effective on 1 April 2019, introduced the regulatory sandbox scheme in South Korea. The Special Act introduces the following:
Expedited confirmation on regulation
Under this scheme, a financial company that plans to start a new type of financial business may deem that no regulation on the new business exists if the company does not receive a response from the FSC within 30 days after filing an inquiry to the FSC as to the existence of a regulation on the new business. The FSC may forward the inquiry to other relevant government agencies if they think necessary, but in any case they must provide a response within 30 days.
Designation of innovative financial service
A financial service that is designated 'innovative' by the government may operate free of regulation and without legal grounds for operation for a designated period (this period lasts for up to two years and may be renewed once for up to two years). Financial service providers who believe that their service is clearly distinguishable from pre-existing service in terms of content and methods may ask the government to designate it as an innovative financial service. Upon receiving an application, the Innovative Financial Services Examination Committee, which consists of public officials from the FSC and other relevant government agencies and private experts, will assess various factors, such as whether: the proposed innovative financial services are provided in South Korea; the proposed financial services is truly innovative; and the proposed financial service will likely further the customers' interests.
In addition, if a designated innovative financial service is being operated under a licence required by other financial laws and regulations, the service shall be allowed an exclusive right of operation for two years after designation as an innovative financial service. This means that during the two-year period, no other service provider may provide the same type of financial service.
iii Cross-border issues
Where a fintech business established out of South Korea wishes to access new customers in South Korea, it will need to consider whether it requires authorisation from a Korean regulatory authority. A fintech business established outside of South Korea may be subject to Korean laws and regulations if it carries out regulated activities in South Korea. Where an overseas fintech business performs regulated activities in South Korea, it will need to obtain authorisation from the relevant Korean financial regulatory authority, as discussed in Section II(i) above. Generally, the standard, among others, to determine the applicability of Korean laws to foreign fintech businesses is whether the foreign fintech businesses targeted Korean customers (e.g., Korean website) or allowed payment in Korean won.
Regarding foreign exchange, the Foreign Exchange Transaction Act regulates foreign exchange businesses including the issuance or dealing of foreign exchange and payment, and collection and receipt thereof between South Korea and a foreign country. The Foreign Exchange Transaction Rule (FX Rule) is a subordinate regulation of the Foreign Exchange Transaction Act. The FX Rule was recently amended and became effective on 8 October 2019. The amended FX Rule increased the annual limit for overseas remittance by institutions registered as small-amount remittance operators from US$30,000 to US$50,000 per customer. Also, from 8 October 2019, securities companies and credit card companies may remit funds overseas as long as the amount does not exceed US$5,000 per remittance and US$50,000 per year. In addition, electronic currencies and prepaid electronic payment means issued in South Korea may now be used in foreign jurisdictions to pay for goods or services or be exchanged to foreign currencies.
Digital identity and onboarding
There is no digital identity that is generally recognised in South Korea. However, a certificate of authentication used for the purpose of self-authentication does exist. Certificates of authentication can be issued by an authentication certification institution designated by the government (such as the Korea Financial Telecommunications and Clearing Institute), and such certificates of authentication are typically used for when self-authenticating online. Under the Real Name Financial Transaction Law, verification of real name is necessary in order to conduct financial transactions. Therefore, in principle, financial institutions must onboard by undertaking customer verification procedures offline through a face-to-face method. However, there are exceptions where undertaking customer verification procedures through a non-face-to-face method is permitted. Where customer verification procedures are undertaken through a non-face-to-face method, two of the methods from among (a) to (d) below need to be selected, and it is recommended that the financial company select on its own an additional verification method (either (e) or (f)).
- present a copy of identification card (e.g., submit online a photo or scanned copy of one's identification card);
- video call (e.g., an employee of the financial company compares the picture on the identification card with the customer's face);
- verify upon receiving delivery of credit card (e.g., an employee of the delivery company verifies real name through a voucher);
- use of existing account (e.g., verify the customer's transaction authority for a given account through transfer of small amounts, etc., from an account opened at another financial company);
- use of the verification results of another institution (e.g., verify identity at another institution such as a certification institution, and then use the issued certification of authentication, IPIN, mobile phone number, etc.); and
- verify through other sources of personal information (e.g., compare personal information provided by the customer with information possessed by a credit information agency).
Digital markets, payment services and funding
Under Korean laws, businesses related to financial investment products such as collective investment businesses are fundamentally regulated by the Financial Investment Services and Capital Markets Act (FSCMA), with regulations differing for each specific type of business.
The FSCMA regulates securities-type crowdfunding, and in order to conduct securities-type crowdfunding, registration needs to be made as an 'online small-sized investment broker' with the FSC in accordance with the FSCMA.
Crowdfunding was introduced in 2016 for the financing of start-ups and venture businesses. There are, however, certain restrictions in the issuance of equity for crowdfunding under the FSCMA. Namely, a single company can raise funds up to 1.5 billion Korean won per year through crowdfunding. To raise funds that exceed 1.5 Korean billion won, conventional means of financing should be utilised. Moreover, under the FSCMA, the issuance of equity for crowdfunding is permitted for non-listed SMEs with less than seven years of business operations.
In 10 April 2018, the Enforcement Decree of the FSCMA was amended to increase the limit for an ordinary investor to invest in crowdfunding from 5 million Korean won to 10 million Korean won per year with an issuer of equity. In addition, the amended Enforcement Decree of the FSCMA allowed social enterprises, which are companies certified by the Ministry of Employment and Labour that seek to improve financial, social and environmental well-being through commercial activities (e.g., providing employment opportunities to disadvantaged groups or making contributions to the local society) to raise funds through crowdfunding.
ii Crowd-lending and P2P lending
The Act on Online-linked Financing (P2P Act), which was enacted on 26 November 2019 to govern P2P lending, will become effective on 27 August 2020. The Presidential Decree of the P2P Act was published on 28 January 2020 and will be open for public comment until 9 March 2020. The major provisions of the P2P Act and the Presidential Decree are described below:
- a person who intends to provide P2P lending service shall have at least 500 million Korean won of equity capital, adequate human resources and physical facilities, and register with the FSC;
- P2P lending businesses shall charge fees only at rates announced on their online platforms;
- principal investing by P2P lending service providers permitted only when more than 80 per cent of investments for P2P loan balance have been raised;
- P2P lending to the same borrower will be limited to 7 per cent of the P2P loan balance or 7 billion Korean won. For P2P lending operators whose loan balance is below 30 billion Korean won, the lending cap to the same borrower will be set at 210 million Korean won;
- individual investors may lend up to 5 million Korean won to the same borrower for a total of 50 million Korean won per year. Accredited investors may lend up to 20 million Korean won to the same borrower for up to 100 million Korean won per year; and
- a central registry will be set up to manage and maintain up-to-date information about online P2P financing transactions, such as information about borrowers and investors, and will also manage limits on loans and investments.
iii Loans or financings on a secondary market
In the case of securities acquired through crowdfunding, it is obligatory to deposit at a securities depository or make a safety deposit, and for a period of six months, transfer cannot be made other than to professional investors and persons specified under the FSCMA.
For rights to acquire principal and interest obtained through P2P lending, in principle, transfer is possible depending on the method of bond transfer. However, there are cases where a P2P lending business restricts transfer through its terms and conditions.
If a right that is acquired through investment is deemed a security under the FSCMA owing to the possibility of transfer, risk of loss of principal, etc., the issuer of such bond and the broker business must obtain financial investment business licences in accordance with the FSMCA and will be strictly regulated with regards to issuance and distribution of securities. Therefore, caution needs to be exercised to prevent being deemed a security.
iv Payment licence
In order to run a payment service, registration needs to be made as a payment gateway (PG) with the FSC.
Upon registering as a PG, obligations under the EFTA are applied, and the PG is subject to supervision and inspection by the FSS.
Cryptocurrencies, initial coin offerings (ICO) and security tokens
There is no existing regulatory regime or statute that specifically regulates cryptocurrency or blockchain businesses in South Korea. However, the Korean regulators are likely to apply or enforce existing Korean laws and regulations for cryptocurrencies.
For example, in an initial coin offering (ICO), if tokens are classified as 'securities' under Korean law, the tokens will then be subject to the offering restrictions in South Korea under the FSCMA. Or, even if tokens are not classified as securities, if the marketing of the tokens in an ICO raises funds from the public with a promise to return the original investment amount, or an amount exceeding such investment in the future, the ICO could be regulated by the Act on the Regulation of Conducting Fundraising Business without Permission.
The Korean government has taken steps towards introducing potential cryptocurrency and ICO regulations, of which key developments are discussed below.
In 2017, South Korea experienced a dramatic increase in the volume of cryptocurrency trading where the trading volume for a 24-hour period in the Korean cryptocurrency exchanges averaged up to 8 trillion Korean won.
In response to this high volume of cryptocurrency trading, in September 2017, the Korean government formed an intergovernmental task force to create and implement cryptocurrency regulations. The government agencies that participated in this task force were the Ministry of Strategy and Finance, the Ministry of Justice, the FSC and other relevant regulatory authorities. In the 'Government Announcement on Cryptocurrency' released in December 2017, the Korean government announced that it will take measures to curb the recent speculation in the cryptocurrency market.
As a part of such measures, on January 30, 2018, the Korean Financial Intelligence Unit (FIU) announced the AMLC Guidelines, enforceable for financial institutions that transact with cryptocurrency companies. Notable requirements of the AMLC Guidelines are as follows:
- real-name verification is required for payment and receipt to cryptocurrency companies-
- users are only allowed to make payment to and receive payment from a cryptocurrency company's bank account using their own real-name verified account that has been opened under the same bank as the cryptocurrency company; and
- financial institutions may decline transactions with cryptocurrency companies that make payments to or receive payments from its users that do not use real-name verified bank accounts;
- customer due diligence -
- financial institutions must put in place a process to check whether a customer is a cryptocurrency company; and
- financial institutions must verify, through on-site due diligence, certain additional information pertaining to cryptocurrency companies (including whether the cryptocurrency company is maintaining separate transaction records for each customer) at least every six months; and
- suspicious activity reports -
- financial institutions must appoint dedicated staff for monitoring suspicious transactions of cryptocurrency companies and their users; and
- financial institutions must establish stronger transaction monitoring rules for suspicious activities of cryptocurrency companies.
In April 2018, the FSC conducted a monitoring of compliance with the AMLC Guidelines. Based on the monitoring, the FSC amended the AMLC Guidelines on 27 June 2018. The latter became effective on 10 July 2018 and will remain effective until July 2020. The key requirements of the amended AMLC Guidelines are as follows:
- financial institutions shall enhance monitoring for accounts of cryptocurrency companies that are used for operating expenses, and conduct enhanced customer due diligence if it identifies a suspicious transaction;
- financial institutions shall share the list of foreign cryptocurrency companies; and
- if a financial institution refuses to transact with a certain cryptocurrency company, the financial institution shall specify the timing and grounds for its refusal.
The Policy Committee of the National Assembly passed the proposed amendment on 25 November 2019. Thereafter, the Legislation and Judiciary Committee would review the proposed amendment and then send it to the plenary session of the National Assembly2 for resolution.3 However, as of the date of this analysis, it is not clear whether the proposed amendment will pass the plenary session before the General Election of the National Assembly on 15 April 2020, when members of the National Assembly are newly elected. If the proposed amendment does not so pass the plenary session by then, the proposed amendment will need to go through the legislative procedures of the National Assembly de novo. The key provisions in the proposed amendment are set out below.
Reporting requirements for VASPs
VASPs professionally engaged in the (1) sale and purchase of virtual assets, (2) exchange of virtual assets, (3) mediation or arrangement of (1) and (2), and (4) storage or management of virtual assets must report the company name, the representative's name, the location of the business place, and contact information to the Commissioner of the FIU in advance and have the report accepted by the FIU. Failure to report will result in criminal punishment by imprisonment of up to five years or a fine of up to 50 million Korean won.
AML requirements for VASPs
As with other financial institutions, VASPs will be subject to various AML requirements, including suspicious transaction report (STR), currency transaction report (CTR), and customer due diligence (CDD), and will be required to set up an internal control system to fulfil such requirements in good faith and to separately manage transaction details by customer.
Expanded CDD on financial companies
In addition to the existing CDD items, a financial company must ensure that a VASP has satisfied requirements for acceptance of report and the requirement to separately manage deposits from customers and its own property, among others. Furthermore, a financial company must refuse or terminate transactions with the VASP if it does not have a valid report, an ISMS (information security management system) certification, a real name deposit and withdrawal account, or is otherwise unqualified.
ii Initial coin offerings
In September 2017, the FSC issued a press release prohibiting ICOs in South Korea, but no laws or regulations have yet to been enacted to enforce this prohibition of ICOs. Subsequently, on 31 January 2019, the Korean government announced the result of its monitoring of the ICO practice in South Korea and its proposed approach in regulating ICOs. In this announcement, the Korean government stated that they identified companies bypassing the government's prohibition on ICOs by performing ICOs through paper companies in foreign jurisdictions (such as Singapore) while raising funds from domestic investors. The Korean government announced that such practice substantively constitutes domestic ICOs albeit in the form of a foreign ICO. Moreover, the Korean government stated that domestic investors were at significant risk due to such practice because the companies performing the ICOs did not disclose substantial information for the investors to make an informed decision.
In addition, the Korean government also deemed that certain ICO projects may violate the FSCMA if an ICO project involves issuance and transaction of P2P collateralised loan tokens; sale of cryptocurrencies investment funds; or operation of unauthorised financial investment business by providing investment services with ICO tokens.
Considering that ICO poses high investment risks and lacks a global regulatory framework, the Korean government announced that it will take a conservative approach in legalising ICOs. In the same vein, the Korean government maintained an equivocal position as to whether it will publish an ICO guideline, saying that the government's issuance of such guideline may give the market a wrong impression that the government officially approved domestic ICOs.
Other new business models
'Robo-adviser', is a derivation of the words robot and adviser, is an automated online asset management service that uses IT technologies such as AI to provide appropriate personalised portfolios for investors. It provides services at substantially lower fees than that of existing asset management services, and future development is anticipated in terms of convenience and low cost. Financial institutions in South Korea have, in some respects, either implemented robo-advisers or are preparing to do so.
Depending on the type of service provided, registration needs to be made as an investment advisory business or a discretionary investment management service in accordance with the FSCMA.
To promote the robo-adviser industry, the FSC recently announced a proposed amendment relating to robo-advisers that would:
- lower the shareholders' equity needed for non-face-to-face discretionary investment management services that utilise robo-advisers from 4 billion Korean won to 1.5 billion Korean won in order to facilitate the entry of fintech businesses other than existing financial institutions into the robo-advisory industry;
- allow robo-advisers to manage fund assets; and
- allow not only asset managers but also robo-advisers to be consigned with and manage funds and discretionary assets.
ii My Data Businesses
The amendment of the Use and Protection of Credit Information Act (the Credit Information Act) was followed by the introduction of 'Personal Credit Information Management Businesses' (My Data Businesses), which provide information principals with services such as comprehensive inquiry of their own data, recommendation of optimal financial products, and advice on financial products. My Data Businesses are businesses that provide professional support for the individual who is the information principal to efficiently manage and use his or her own information.
My Data Businesses integrate and search one's credit information, analyse financial statuses, and provide personalised financial consulting. Furthermore, My Data Businesses can provide services that present a list of accessible financial products for each individual consumer given, among others, his or her credit situation or financial status, and compare in detail prices and benefits of each product to recommend financial products optimised for each individual.
Intellectual property and data protection
i Intellectual property
In South Korea, innovations and inventions can be protected by IP rights such as patents, utility models, designs, copyrights and trade secrets. Korean law explicitly provides for the protection of patents under the Patent Act, utility models under the Utility Model Act, designs under the Design Protection Act, copyrights including copyrights in computer software under the Copyright Act and trade secrets under the Unfair Competition Prevention Act (UCPA).
Under current Korean Intellectual Property Office (KIPO) practice, fintech inventions relating to software or business methods that include only abstract ideas or mental steps do not qualify as inventions. However, under KIPO's 'Examination Guidelines for Computer-related Inventions', business methods can be patented if the inventions are properly claimed so as to define physical means to achieve a specific purpose that has practical application in the industry. Further, although software per se is not patentable at this time, computer-readable media for implementing software is patentable subject matter.
Graphical user interfaces of fintech software may be protected by design registrations under the Design Protection Act. For example, images represented on a display portion of a product such as a display panel can be registered and protected as a design. Copyright protection is also possible upon creation of an original computer program without formal registration requirements. Although a copyright registration is not a prerequisite for copyright protection or enforcement, it provides certain advantageous statutory presumptions in enforcing the copyright. The source code of fintech software may be protected as a trade secret under the UCPA. The UCPA defines a trade secret to mean information of a technical or managerial nature that is useful for business activities, is generally unknown to the public, possesses independent economic value and is maintained as a secret.
Ownership of IP rights such as patents, utility models, and designs initially belong to the person who created such rights. Such person may transfer his or her IP ownership right to another party through an agreement. However, transfer of an IP right, other than through inheritance or other general succession, is not effective in South Korea against third parties unless it is recorded at KIPO.
In the context of an employer-employee relationship, there are two ways for the employer to obtain ownership rights to in-service inventions of its employees. First, the employer may enter into a pre-invention assignment agreement with an employee with a provision that the employee agrees to assign any and all future in-service inventions to the employer. Second, the employer may adopt an employment rule such as an invention remuneration policy that expressly provides for employee-inventors to assign any and all future in-service inventions to the employer and the employer to provide remuneration to such employee-inventors. In either case, if the employer chooses to acquire the ownership right to an in-service invention pursuant to the agreement or employment rule, the employee is entitled to 'reasonable compensation' from the employer.
Ownership of copyright initially belongs to the actual author or authors of a given work. In the context of an employer-employee or work-for-hire relationship, however, an employing legal entity, organisation, or person may be deemed to be the author of a work with ownership of copyright in the work. Under the Copyright Act, such employer is deemed to have copyright ownership of a work if the work is created by an employee within the scope of employment and made public (computer programs do not need to be made public), subject to the employer's supervision, and there is no separate or particular contract or employment regulation providing that the status of the author of, or ownership of copyright in, the work-for-hire should belong to the employee.
For IP rights such as patents, utility models, and designs, the party enforcing an IP right should own the registered rights in South Korea. For copyrights, works by foreigners, such as the source code of fintech software, are entitled to protection under treaties to which South Korea has acceded. However, the Copyright Act provides exceptions to favourable treatment of foreigners' copyrights under such treaties. In particular, the Copyright Act provides that even if the copyright protection period for foreigners' copyrights may be in force and entitled to protection under the Copyright Act, if the copyright protection period granted in the country of their origin has already expired, South Korea will not recognise the copyright protection period.
IP rights including patents, utility models, and designs are a type of property right and thus, owners of IP rights may exploit or monetise them for their benefit. For example, an IP owner may assign or sell his or her IP right to another person or entity and receive payment in return. An IP right may also be pledged as collateral for a loan or investment from another person or entity. Further, an IP right may be licensed through an exclusive or non-exclusive agreement for royalties or may be licensed to another party in a cross-licence agreement. If an IP right is jointly owned, a joint owner may license the IP right only with the consent of all the other joint owners, but each owner may still freely practise the jointly owned IP.
IP-related licences may be subject to governmental review under certain circumstances. For example, under the Fair Trade Law, the Fair Trade Commission has released the Guidelines on the Unfair Exercise of IP Rights (the IP Guidelines), for examining licence agreements. If a provision of a licence agreement violates one of the standards set forth in the IP Guidelines, a court may find such provision to be null and void as being contrary to Korean public policy.
ii Personal data
In South Korea, the protection and regulation of personal data is primarily governed by the Personal Information Protection Act (PIPA). The PIPA is the overarching personal data protection law in South Korea that may apply to fintech businesses operating in South Korea. The PIPA prescribes detailed measures for each of the stages involved in the processing of personal data such as collection and use, provision to a third party, outsourcing and destruction. The PIPA must be followed by all personal information processing entities, which are defined as all persons, organisations, corporations and governmental agencies that process personal data for business purposes. Under the PIPA, data subjects must be informed of, and provide their consent to the following matters before their personal data is collected or used:
- the purpose of the collection and use;
- the items of personal information that will be collected;
- the duration of the possession and use of the personal information; and
- disclosure that the data subject has a right to refuse to give consent and the negative consequences or disadvantages that may result from such refusal.
In addition, the Credit Information Act complements the PIPA. The Credit Information Act regulates and protects financial transaction information and credit information of individuals and entities.
On 9 January 2020, the National Assembly passed the amendments to South Korea's three main data privacy laws (Amendments): PIPA, the Act on the Promotion of the Use of the Information Network and Information Protection (Network Act), and the Credit Information Act.
The Amendments (1) clearly distinguish between personal data, pseudonymised data and anonymised data, and enact detailed provisions on the processing of pseudonymised data, (2) transform the Personal Information Protection Commission (PIPC) into the central data privacy regulatory authority, (3) transfer to the PIPA all privacy provisions in the previous Network Act relating to online service providers, and (4) clarify that the Credit Information Act, which used to apply mostly to the financial institutions, now also applies to all commercial companies and grant the PIPC the authority to request information, to investigate, to conduct on-site investigations, and to impose corrective orders and administrative fines for the purpose of enforcing the Credit Information Act. The effective date for the Amendments is 5 August 2020.
The Ministry of the Interior and Safety, the Korean Communications Commission and the Ministry of Science and ICT, and the FSC and the FSS used to be the responsible regulatory agencies for enforcing the PIPA, the Network Act and the Credit Information Act, respectively. With the Amendments passed on 9 January 2020, all enforcement of privacy regulations will be centralised through the PIPC. In addition, once a violation of a relevant privacy law is confirmed, the PIPC can impose administrative penalties, such as corrective orders and fines, and, as necessary, refer the case for criminal prosecution. Criminal sanctions can be imposed following an investigation by the police or prosecutor's office, either on its own initiative or upon a referral by the relevant regulatory authority.
As for the applicability of these laws to overseas entities, the PIPA applies to all personal information processing entities regardless of whether they are located overseas, and the Credit Information Act would also apply to overseas entities handling financial transaction information and credit information of individuals or entities in South Korea. Although the PIPA and the Credit Information Act do not specifically address their jurisdictional scope for overseas entities, the Korean regulatory authorities have promoted to or ensured compliance by overseas entities with these privacy laws.
The main statute in the context of cybersecurity that applies to fintech businesses is the PIPA. It prescribes detailed technical security and administrative requirements for cybersecurity such as:
- the establishment and implementation of an internal management plan for the secure processing of personal information;
- installation and operation of an access restriction system for preventing illegal access to and leakage of personal information; and
- the application of encryption technology to enable secure storage and transfer of personal information.
Further, the EFTA criminalises certain types of cyber activities that may apply to fintech businesses operating in South Korea. The EFTA criminalises cyber activities that:
- intrude on electronic financial infrastructures without proper access rights or by surpassing the scope of permitted access rights or altering, destroying, concealing or leaking data that is saved in such infrastructures; and
- destroy data, or deploy a computer virus, logic bomb or programme such as an email bomb for the purpose of disrupting the safe operation of electronic financial infrastructures.
iv Open banking system
The FSC launched a pilot programme for the 'Open Banking System' in the banking sector on 30 October 2019, which expanded to fintech firms on 18 December 2019. The open banking system enables bank customers to choose any mobile banking application to manage all their accounts in a single application without having to use separate applications for different banks. The FSC stated that the government, to provide a legal basis, will revise the EFTA to expand the service scope and function of the open banking system.
Based on the FSC's roadmap, the transition to open banking system will be in three phases:
- Phase 1 will rely on banks' voluntary agreement to an open banking system that would enable customers to use a single application to access their accounts at different banks.
- Phase 2 will require an amendment to be made to the EFTA to include the open banking system. The FSC is aiming to amend the EFTA by the second half of 2020.
- Phase 3 will establish the regime in which fintech firms gain direct access to the financial payment system. To be eligible for such direct access, fintech payment service providers will have to meet certain requirements of financial soundness and digital capabilities.
Year in review
Over the past three years, notable amendments were made to financial laws that may impact fintech businesses operating in South Korea. The landmark legislation was the amendments to the three main privacy laws of South Korea: the PIPA, the Network Act and the Credit Information Act. Among the areas of change, the amendments introduced the concept of pseudonymised data and allowed the use of pseudonymised data without the consent of individuals. In addition, in April 2018, the Enforcement Decree of the FSCMA was amended to increase the limit for ordinary investors' investment in crowdfunding by 100,000 Korean won. As a result, an ordinary investor may now invest 5 million Korean won per year for an issuer of equity. Also, the amended FX Rule became effective on 8 October 2019 that increased the annual limit for overseas remittance by institutions registered as small-amount remittance operators from US$30,000 to US$50,000. Further, securities companies and credit card companies may remit funds overseas as long as the amount does not exceed US$5,000 per remittance and US$50,000 per year. In addition, electronic currencies and prepaid electronic payment means issued in South Korea may now be used in foreign jurisdictions to pay for goods or services or be exchanged to foreign currencies.
The P2P Act will govern P2P lending services in South Korea and become effective on 27 August 2020. Under the P2P Act, all P2P lenders are required to have equity capital worth at least 500 million Korean won and qualify as financial companies, and then file a registration with the FSC. In addition, the P2P Act permits financial companies and P2P lenders to invest in P2P lending not in excess of a certain percentage of P2P loans, and sets forth lending limits, investment limits and matters to be notified for protecting P2P investors and borrowers.
Furthermore, on 21 November 2019, a subcommittee of the National Assembly's National Policy Committee passed a resolution on the Proposed Amendment. The Proposed Amendment is pending to pass the plenary session of the National Assembly. As for its position on ICOs, on 31 January 2019, the Korean government announced the result of its monitoring of the ICO practice in South Korea and its proposed approach in regulating ICOs. In this announcement, the government stated that they identified companies bypassing the prohibition on ICOs by performing ICOs through paper companies in foreign jurisdictions (such as Singapore) while raising funds from domestic investors. The government also deemed that certain ICO projects may violate the FSCMA. Considering that ICOs are high-risk investments and lack global regulatory framework, the Korean government announced that it will take a conservative approach in legitimising ICOs. In the same vein, the Korean government maintained an equivocal position as to whether it will publish an ICO guideline, saying that the issuance of such guideline may give the market a wrong impression that the government has officially approved domestic ICOs.
Meanwhile, measures have been taken to promote fintech innovations in the financial services market in South Korea. The Special Act introduced the expedited confirmation on regulation and designation of innovative financial services.
Since the enactment of the Special Act, a total of 77 companies were designated as innovative financial services in 2019 and are currently operating in the regulatory sandbox.
Outlook and conclusions
Recently, South Korea's fintech environment has seen a variety of industries being established, and its related market is developing rapidly. Further, South Korea's financial supervisory authorities have recently announced various policies to promote fintech. The fintech industry is anticipated to continue to grow quantitatively and qualitatively in 2020 as a result of various innovative financial services being accepted into the regulatory sandbox after the Special Act became effective on 1 April 2019.
Furthermore, there are two internet-only banks in South Korea, K-Bank and Kakao Bank, that received authorisation from the FSC and are currently in operation. In December 2019, the FSC granted a pre-authorisation to TOSS Bank, a subsidiary of a major fintech company called TOSS (Viva Republica), to become the third internet-only bank in South Korea.
Separately, the government conceptually differentiates cryptocurrency from blockchain technology. The government recognises the innovative nature of blockchain technology and its potential impact on the Korean economy. Although it has shown hesitation in endorsing or institutionalising cryptocurrencies and has repeatedly warned investors about the potential dangers of investing in them, it has expressed interest in fostering, promoting and investing in blockchain technology as part of its strategic and economic plans. Furthermore, while the central government appears to be uneasy about cryptocurrencies, some local governments have shown interest in issuing their own cryptocurrencies.
1 Jung Min Lee and Joon Young Kim are senior attorneys and Samuel Yim is a senior foreign attorney at Kim & Chang.
2 The National Assembly is the legislative body of South Korea, which is equivalent to the US Congress.
3 South Korea is a member state in the Financial Action Task Force (FATF), a global multinational organisation that was created to establish international standards for AML and combating the financing of terrorism (CFT) and require other member states to comply with such standards. Following a plenary meeting held in February 2018 where the FATF discussed the risk of money laundering and financing of terrorism using virtual assets and countermeasures, in October 2018, the FATF resolved to include AML and CFT requirements for VASPs in the FATF Recommendation. The FATF published the Interpretive Note with details in June 2019 and plans to monitor the implementation status of Member States at around June 2020. In order to comply with the FATF Recommendation, the Korean legislature has drafted the proposed amendment for resolution by the National Assembly.