The Financial Technology Law Review: South Korea
Currently, there are no prohibitions or restrictions for particular types of fintech businesses in South Korea, but fintech businesses may be subject to various Korean laws and regulations, depending on the specific nature and types of the business activities undertaken. For example, certain financial activities and payment-related services of fintech companies may be regulated under existing Korean financial laws and the Electronic Financial Transaction Act (EFTA).
As to the Korean government's stance, financial regulators and policymakers are generally receptive to fintech innovations and technology-driven new entrants to regulated financial services markets in South Korea. The Korean government has identified fintech as one of its 24 key areas to support innovation as a means to spur growth in the Korean financial industry. In particular, the Financial Services Commission (FSC) published the Digital Finance Transformation Plan in July 2020 with the aims to streamline the regulatory regime for various e-money and payment services, ensure stronger protection for digital finance users, build foundations and infrastructure for digital financial transactions, and strengthen data security for stability in the financial system. To implement this Digital Finance Transformation Plan, a proposed amendment to the EFTA (the Proposed Amendment to the EFTA) was submitted to the Korean National Assembly in November 2020 and is expected to be passed in 2021.
Also, the Special Act on Support of Innovation of Finance (the Special Act) effective on 1 April 2019, introduces the regulatory sandbox scheme in South Korea, allows relaxed regulatory standards for those financial services designated as 'innovative financial service' by the government and ensures that such designated financial companies can enjoy the benefit of receiving expedited confirmation by FSC as to which law, regulation or licence would be applicable to such companies. Pursuant to such policy, as of February 2021, 139 FinTech projects were selected for inclusion in the regulatory sandbox, seven of which incorporate blockchain technology.
On 5 August 2020, the three main data privacy laws were amended: the Personal Information Protection Act (PIPA), the Act on the Promotion of the Use of the Information Network and Information Protection (Network Act), and the Credit Information Use and Protection Act (Credit Information Act). The amended PIPA and Credit Information Act introduce the concept of 'pseudonymised data'. Pseudonymised data is defined as personal information, including personal credit information, which has gone through partial deletion or partial or total substitution, such that the information can no longer identify an individual without additional information and such that it cannot identify a specific living individual without using or combining it with additional information to restore it to its original state. As such, pseudonymised data can be utilised without the data subject's consent if the purpose is for preparing commercial statistics, including market research and industrial studies, and preservation of public records.
Furthermore, the Korean government offers special incentive schemes mainly in the form of tax incentives for tech and fintech businesses or small- and medium-sized (SME) businesses. Notably, SME businesses established in certain areas of South Korea that are not highly populated cities can receive 50 per cent corporate tax relief for up to five years on their business income. Also, those companies identified as a 'venture business' by the Korean government, by which many fintech companies may qualify, may receive 50 per cent corporate tax relief even if they are located in highly populated cities in South Korea. For certain R&D costs (including labour costs and material costs), R&D tax deduction may be available as well.
Despite promoting policies conducive to fintech businesses, the Korean government has also shown concern for anti-money laundering (AML) and other consumer protection matters. The partial amendment to Korea's Act on Reporting and Use of Specific Financial Transaction Information was promulgated on 24 March 2020 and is effective from 25 March 2021. Pursuant to this partial amendment, anti-money laundering requirements will apply to virtual asset service providers (VASP) (e.g., cryptocurrency exchanges and other virtual asset service providers). Under this partial amendment, VASPs will be subject to various AML requirements, including suspicious transaction report, cash transaction report and customer due diligence. The partial amendment would lead the domestic cryptocurrency market, which has not been directly regulated, to the regulatory framework in South Korea.
In addition, Korea's Online Investment-linked Finance Act (P2P Act) became effective on 27 August 2020. This new legislation on P2P lending regulates P2P business registration, regulations on sales practices, and measures for consumer protection. The P2P Act is intended to promote the development of the P2P lending sector and bolster investor protection.
i Licensing and marketing
Fintech businesses providing financial services are required to obtain a licence under the relevant Korean financial laws and regulations, depending on the nature and types of their business activities. Also, the EFTA regulates electronic financial transactions in South Korea and provides for licence and registration requirements for certain electronic financial businesses.
Activities listed as 'electronic financial business' under the EFTA are:
- issuance and management of electronic currency;
- electronic funds transfer services;
- issuance and management of electronic debit payment means;
- issuance and management of prepaid electronic payment means (e.g., gift cards and stored value);
- electronic payment settlement agency services (also referred to as payment gateway business);
- depository service for settlement of transactions; and
- intermediary electronic collection and payment services between payors and payees.
The issuance and management of electronic currency requires a business licence from the FSC, while the other types of electronic financial businesses must be registered with the FSC, and they are all subject to supervision and regulation by Korean financial authorities such as the FSC and the Financial Supervisory Service (FSS).
Further, fintech businesses that do not engage in electronic financial business activities under the EFTA but intend to undertake regulated activities in South Korea, such as banking or credit card businesses, need to separately review whether they are required to obtain appropriate authorisation (licence or registration) from the relevant Korean regulatory authorities.
The Proposed Amendment to the EFTA, which was submitted to the National Assembly on 27 November 2020, introduces two new business categories, which are: (1) the 'MyPayment' business, which will deliver a transfer instruction necessary for payment and wire transfer for all of a customer's accounts using a single application without holding the customer's funds; and (2) a comprehensive payment and settlement service provider, which will be able to open and manage customers' payment accounts and provide a one-stop service for various digital financing services including payment and wire transfer services. In addition, seven different types of electronic financial business categories under the current EFTA will be consolidated into three types (i.e., money transfer, payment service and payment gateway). The regulatory level for entry, operation and security will be adjusted based on the risk level of each business type. If approved, the Proposed Amendment to the EFTA will become effective one year after the official promulgation.
ii Regulatory sandbox
A financial company that plans to start a new type of financial business may deem that no regulation on the new business exists if the company does not receive a response from the FSC within 30 days of filing an inquiry to the FSC as to the existence of a regulation on the new business. The FSC may forward the inquiry to other relevant government agencies if they think necessary, but in any case they must provide a response within 30 days.
A financial service that is designated 'innovative' by the government may operate free of regulation and without legal grounds for operation for a designated period (this period lasts for up to two years and may be extended once for up to two years). Financial service providers who believe that their service is clearly distinguishable from pre-existing service in terms of content and methods may ask the government to designate it as an innovative financial service. Upon receiving an application, the Innovative Financial Services Examination Committee, which consists of public officials from the FSC and other relevant government agencies and industry experts, will assess various aspects, such as whether the proposed innovative financial services are provided in South Korea; whether the proposed financial services are truly innovative; and whether the proposed financial service will likely further the customers' interests.
In addition, if a designated innovative financial service is being operated under a licence required by other financial laws and regulations, the service will be allowed an exclusive right of operation for two years after designation as an innovative financial service. This means that during the two-year period, no other service provider may provide the same type of financial service.
iii Cross-border business issues
Where a fintech business established outside South Korea wishes to access new customers in South Korea, it will need to consider whether it requires authorisation from a Korean regulatory authority. A fintech business established outside of South Korea may be subject to Korean laws and regulations if it carries out regulated activities in South Korea or with regard to Korean customers. Where an overseas fintech business performs regulated activities in South Korea or with regard to Korean customers, it will need to obtain authorisation from the relevant Korean financial regulatory authority, as discussed in Section II.i. Generally, the standard to determine the applicability of Korean laws to foreign fintech businesses is, among others, whether the foreign fintech businesses target Korean customers (e.g., Korean website) or allow payment in won.
Regarding foreign exchange, the Foreign Exchange Transaction Act regulates foreign exchange businesses including the issuance or dealing of foreign exchange and payment, and collection and receipt thereof between South Korea and a foreign country. The Foreign Exchange Transaction Regulation (FX Regulation) is a subordinate regulation of the Foreign Exchange Transaction Act. Under the current FX Regulation, the annual limit for overseas remittance by an institution registered as small-amount remittance operators is US$50,000 per customer. Also, securities companies and credit card companies may remit funds overseas for their customers as long as the amount does not exceed US$5,000 per remittance and US$50,000 per year, for each customer. In addition, electronic currencies and prepaid electronic payment means issued in South Korea may now be used in foreign jurisdictions to pay for goods or services or be exchanged for foreign currencies.
Digital identity and onboarding
There is no digital identity that is generally recognised in South Korea. However, a certificate of authentication used for the purpose of self-authentication does exist. Certificates of authentication can be issued by an authentication certification institution designated by the government (such as the Korea Financial Telecommunications and Clearing Institute), and such certificates of authentication are typically used for when self-authenticating online. Under the Real Name Financial Transaction Law, verification of real name is necessary to conduct financial transactions. Therefore, in principle, financial institutions must onboard by undertaking customer verification procedures offline through a face-to-face method. However, there are exceptions where undertaking customer verification procedures through a non-face-to-face method is permitted. Where customer verification procedures are undertaken through a non-face-to-face method, two of the methods from among (a) to (d) below need to be selected, and it is recommended that the financial company select on its own an additional verification method (either (e) or (f)).
- present a copy of identification card (e.g., submit online a photo or scanned copy of one's identification card);
- video call (e.g., an employee of the financial company compares the picture on the identification card with the customer's face);
- verify upon receiving delivery of credit card (e.g., an employee of the delivery company verifies real name through a voucher);
- use of existing account (e.g., verify the customer's transaction authority for a given account through transfer of small amounts, etc., from an account opened at another financial company);
- use of the verification results of another institution (e.g., verify identity at another institution such as a certification institution, and then use the issued certification of authentication, IPIN, mobile phone number, etc.); and
- verify through other sources of personal information (e.g., compare personal information provided by the customer with information possessed by a credit information agency).
Digital markets, payment services and funding
Under Korean law, businesses related to financial investment products such as brokerage, dealing, and collective investment businesses are in principle regulated by the Financial Investment Services and Capital Markets Act (FSCMA), with regulations differing for each specific type of business.
The FSCMA regulates securities-type crowdfunding, and to conduct securities-type crowdfunding, registration needs to be made as an 'online small-sized investment broker' with the FSC in accordance with the FSCMA.
Crowdfunding was introduced in 2016 for the financing of start-ups and venture businesses. There are, however, certain restrictions in the issuance of equity for crowdfunding under the FSCMA. Namely, a company can raise funds up to 3 billion won per year through crowdfunding. Also, online small-sized investment brokers are only allowed to advertise crowdfunding investments through their website.
In addition, the Enforcement Decree of the FSCMA expands the scope of business types permitted to raise funds through crowdfunding. For instance, it allows social enterprises, which are companies certified by the Ministry of Employment and Labour that seek to improve financial, social and environmental well-being through commercial activities (e.g., providing employment opportunities to disadvantaged groups or making contributions to the local community) to raise funds through crowdfunding. However, it does not allow financial, insurance, real estate and entertainment business types to raise funds through crowdfunding. Also, pursuant to the Enforcement Decree of the FSCMA, the limit for an ordinary investor to invest in crowdfunding is 10 million won per year for a single issuer.
ii Crowd-lending and P2P lending
The P2P Act became effective on 27 August 2020. Specific P2P investment limits will apply to different types of investors and investment products as set out below (applicable from 1 May 2021):
- Retail investors: 5 million won for lending to a single borrower; 30 million won (10 million won for real estate) in total;
- Accredited investors: 20 million won for lending to a single borrower; 100 million won in total; and
- Corporate or professional investors: credit limit of 40 per cent of the relevant P2P investment.
In addition, a person who intends to provide a P2P lending service must have at least 500 million won of equity capital, adequate human resources and physical facilities, and register with the FSC. Principal investing by P2P lending-service providers will be permitted only when more than 80 per cent of investments for P2P loan balance have been raised, and a central registry will be set up to manage and maintain up-to-date information about online P2P financing transactions, such as information about borrowers and investors, and will also manage limits on loans and investments.
iii Loans or financing on a secondary market
In the case of securities acquired through crowdfunding, it is required to deposit at a securities depository or make a safety deposit, and for a period of six months, transfer cannot be made other than to professional investors and persons specified under the FSCMA.
For rights to acquire loan claims obtained through P2P lending, in principle, it is possible to transfer such loan claims only to (1) professional investors; or (2) corporate and accredited investors, or retail investors who have invested for more than five times during the last three years, if they are aware of the risk of loss and low possibility of distribution in respect of such rights to acquire loan claims.
If a loan claim that is acquired through investment is deemed a security under the FSCMA – for example because of transferability – the issuer of such security (i.e., loan claims) and the broker must obtain financial investment business licences pursuant to the FSMCA and will be strictly regulated with regard to the issuance and distribution of such securities.
Cryptocurrencies, initial coin offerings (ICO) and security tokens
There is no existing regulatory regime or statute that specifically regulates cryptocurrency or blockchain businesses in South Korea. However, the Korean regulators are likely to apply existing Korean laws such as the FSCMA and the Criminal Code to cryptocurrency-related transactions. For example, the FSCMA defines securities as 'financial investment products for which investors do not owe any obligation to pay anything in addition to the money or any other valuables paid at the time of acquiring such instruments'. Securities are categorised into six classes under the FSCMA: debt securities, equity securities, beneficiary securities, investment contract, derivatives-linked securities and depositary receipts. Cryptocurrency would likely fall under the FSCMA's definition of debt security, equity security or investment contract depending on the specific facts and circumstances involved.
Although there are no laws or regulations that specifically regulate transactions involving cryptocurrencies in Korea, the Korean government continues to raise concerns for anti-money laundering and other consumer protection matters. The partial amendment of the Act on Reporting and Use of Specific Financial Transaction Information (Partial Amendment to the AML Act) was promulgated on 24 March 2020 and will be effective on 25 March 2021. Pursuant to the Partial Amendment to the AML Act, anti-money laundering requirements will apply to VASPs (e.g., cryptocurrency exchanges and other virtual asset service providers). Under the Partial Amendment to the AML Act, VASPs will be subject to various AML requirements, including suspicious transaction report, cash transaction report and customer due diligence. The key provisions in the Partial Amendment to the AML Act are set out below.
Reporting requirements for VASPs
VASPs professionally engaged in the (1) sale and purchase of virtual assets, (2) exchange of virtual assets, (3) mediation or arrangement of (1) and (2), and (4) storage or management of virtual assets must report the company name, the representative's name, the location of the business place, and contact information to the Commissioner of the Korean Financial Intelligence Unit (KOFIU). This is the agency responsible for implementing and enforcing anti-money laundering and combating the financing of terrorism laws in Korea. The report must be made in advance and be accepted by the KOFIU. The KOFIU may refuse to accept a VASP report if there are grounds for non-acceptance (i.e., filing a VASP report is a de facto approval process). Once the Partial Amendment to the AML Act becomes effective, there is a six-month grace period for existing VASPs to file a VASP Report to the KOFIU. Failure to report will result in criminal punishment, imprisonment of up to five years or a fine of up to 50 million won.
AML requirements for VASPs
As with other financial institutions, VASPs will be subject to various AML requirements, including suspicious transaction report (STR), cash transaction report (CTR), and customer due diligence (CDD), and will be required to set up an internal control system to fulfil such requirements in good faith and to separately manage transaction details by customer.
Expanded CDD on financial companies
In addition to the existing CDD items, a financial company must ensure that a VASP has satisfied requirements for acceptance of report and the requirement to separately manage deposits from customers and its own property, among others. Furthermore, a financial company must refuse or terminate transactions with the VASP if it does not have a valid report, an ISMS (information security management system) certification, a real name deposit and withdrawal account, or is otherwise unqualified.
On 3 November 2020, the FSC published the Enforcement Decree of the Partial Amendment to the AML Act, which would be effective as of 25 March 2021. The Enforcement Decree states that the scope of VASPs subject to regulatory oversight will be limited to cryptocurrency exchanges, custody service providers and wallet service providers and that the implementation of the 'travel rule' (i.e., the obligation of a VASP to provide information regarding the transfer to the recipient when transferring virtual asset) will be deferred until 25 March 2022, with the threshold set at 100 million won.
ii Initial coin offerings
In September 2017, the FSC issued a press release prohibiting ICOs in South Korea, but no laws or regulations have yet to been enacted to enforce this prohibition of ICOs. Subsequently, on 31 January 2019, the Korean government announced the result of its monitoring of the ICO practice in South Korea and its proposed approach in regulating ICOs. In this announcement, the Korean government stated that they identified companies bypassing the government's prohibition on ICOs by performing ICOs through paper companies in foreign jurisdictions (such as Singapore) while raising funds from domestic investors. The Korean government announced that this practice substantively constitutes domestic ICOs albeit in the form of a foreign ICO. Moreover, the Korean government stated that domestic investors were at significant risk as a result of this practice because the companies performing the ICOs did not disclose substantial information for the investors to make an informed decision.
In addition, the Korean government also deemed that certain ICO projects may violate the FSCMA if an ICO project involves issuance and transaction of P2P collateralised loan tokens; sale of cryptocurrencies investment funds; or operation of unauthorised financial investment business by providing investment services with ICO tokens.
Considering that ICOs pose high investment risks and lack a global regulatory framework, the Korean government announced that it will take a conservative approach in legalising ICOs. Through a press release on 3 November 2020 regarding the Enforcement Decree to the Partial Amendment to the AML Act, the FSC reiterated that the Partial Amendment to the AML Act and the Enforcement Decree are designed to impose AML requirements on VASPs in accordance with the FATF recommendations. Such laws and regulations are not intended to adopt virtual assets into Korea's financial regulatory regimes and the FSC still maintains its stance on the de facto prohibition of ICOs to protect investors.
Other new business models
'Robo-adviser' is an automated online asset management service that uses IT technologies such as AI to provide optimised and personalised portfolios for investors. It provides services at substantially lower fees than that of existing asset management services, and future development is anticipated in terms of convenience and low cost. Financial institutions in South Korea have, in some respects, either implemented robo-advisers or are preparing to do so.
Depending on the type of service provided, registration needs to be made as an investment advisory business or a discretionary investment management service in accordance with the FSCMA.
To promote the robo-adviser industry, the relevant regulations under the FSCMA have been amended to:
- lower the shareholders' equity needed for non-face-to-face discretionary investment management services that utilise robo-advisers from 4 billion won to 1.5 billion won in order to facilitate the entry of fintech businesses into the robo-advisory industry;
- allow robo-advisers to directly manage fund assets; and
- allow asset managers to delegate robo-advisers with the management of funds and discretionary assets.
ii MyData Business
The Credit Information Act was amended in February 2020 to introduce a new business called the 'Personal Credit Information Management Business' (MyData Business), which provides information principals with services such as a comprehensive inquiry of their own financial information, recommendation of optimal financial investment, and advice on financial products. MyData Business is a business that provides professional support to the individual who is the information principal for managing and using efficiently his or her own information, so as to fully exercise the right to data portability.
MyData Business integrates and searches a person's credit information, analyses financial status, and provides personalised financial consulting. Furthermore, MyData Business can provide services that present a list of accessible financial products for each individual consumer given, among others, his or her credit situation or financial status, and can compare in detail prices and benefits of each product to recommend financial products optimised for each individual. As of 27 January 2021, the FSC granted MyData business licences to 28 firms, which include five banks, six credit finance businesses, one financial investment firm, one mutual finance business, one savings bank and 14 fintech companies.
Intellectual property and data protection
i Intellectual property
In South Korea, innovations and inventions can be protected by IP rights such as patents, utility models, designs, copyrights and trade secrets. Korean law explicitly provides for the protection of patents under the Patent Act, utility models under the Utility Model Act, designs under the Design Protection Act, copyrights including copyrights in computer software under the Copyright Act and trade secrets under the Unfair Competition Prevention Act (UCPA).
Under current Korean Intellectual Property Office (KIPO) practice, fintech inventions relating to software or business methods that include only abstract ideas or mental steps do not qualify as inventions. However, under KIPO's 'Examination Guidelines for Computer-related Inventions', business methods can be patented if the inventions are properly claimed so as to define physical means to achieve a specific purpose that has practical application in the industry. Further, although software per se is not patentable at this time, computer-readable media for implementing software is patentable subject matter.
Graphical user interfaces of fintech software may be protected by design registrations under the Design Protection Act. For example, images represented on a display portion of a product such as a display panel can be registered and protected as a design. Copyright protection is also possible upon creation of an original computer program without formal registration requirements. Although a copyright registration is not a prerequisite for copyright protection or enforcement, it provides certain advantageous statutory presumptions in enforcing the copyright. The source code of fintech software may be protected as a trade secret under the UCPA. The UCPA defines a trade secret to mean information of a technical or managerial nature that is useful for business activities, is generally unknown to the public, possesses independent economic value and is maintained as a secret.
Ownership of IP rights such as patents, utility models, and designs initially belong to the person who created such rights. Such person may transfer his or her IP ownership right to another party through an agreement. However, transfer of an IP right, other than through inheritance or other general succession, is not effective in South Korea against third parties unless it is recorded at KIPO.
In the context of an employer–employee relationship, there are two ways for the employer to obtain ownership rights to in-service inventions of its employees. First, the employer may enter into a pre-invention assignment agreement with an employee with a provision that the employee agrees to assign any and all future in-service inventions to the employer. Second, the employer may adopt an employment rule such as an invention remuneration policy that expressly provides for employee-inventors to assign any and all future in-service inventions to the employer and the employer to provide remuneration to such employee-inventors. In either case, if the employer chooses to acquire the ownership right to an in-service invention pursuant to the agreement or employment rule, the employee is entitled to 'reasonable compensation' from the employer.
Ownership of copyright initially belongs to the actual author or authors of a given work. In the context of an employer-employee or work-for-hire relationship, however, an employing legal entity, organisation, or person may be deemed to be the author of a work with ownership of copyright in the work. Under the Copyright Act, such employer is deemed to have copyright ownership of a work if the work is created by an employee within the scope of employment and made public (computer programs do not need to be made public), subject to the employer's supervision, and there is no separate or particular contract or employment regulation providing that the status of the author of, or ownership of copyright in, the work-for-hire should belong to the employee.
For IP rights such as patents, utility models, and designs, the party enforcing an IP right should own the registered rights in South Korea. For copyrights, works by foreigners – such as the source code of fintech software – are entitled to protection under treaties to which South Korea has acceded. However, the Copyright Act provides exceptions to favourable treatment of foreigners' copyrights under such treaties. In particular, the Copyright Act provides that even if the copyright protection period for foreigners' copyrights may be in force and the foreigners are entitled to protection under the Copyright Act, if the copyright protection period granted in the country of their origin has already expired, it will not be recognised by South Korea.
IP rights including patents, utility models, and designs are a type of property right and thus, owners of IP rights may exploit or monetise them for their benefit. For example, an IP owner may assign or sell his or her IP right to another person or entity and receive payment in return. An IP right may also be pledged as collateral for a loan or investment from another person or entity. Further, an IP right may be licensed through an exclusive or non-exclusive agreement for royalties or may be licensed to another party in a cross-licence agreement. If an IP right is jointly owned, a joint owner may license the IP right only with the consent of all the other joint owners, but each owner may still freely practise the jointly owned IP.
IP-related licences may be subject to governmental review under certain circumstances. For example, under the Fair Trade Law, the Fair Trade Commission has released the Guidelines on the Unfair Exercise of IP Rights (the IP Guidelines), for examining licence agreements. If a provision of a licence agreement violates one of the standards set forth in the IP Guidelines, a court may find such provision to be null and void as being contrary to Korean public policy.
ii Personal data
In South Korea, the protection and regulation of personal data is primarily governed by the PIPA. The PIPA is the overarching personal data protection law in South Korea that may apply to fintech businesses operating in South Korea. The PIPA prescribes detailed measures for each of the stages involved in the processing of personal data such as collection and use, provision to a third party, outsourcing and destruction. The PIPA must be followed by all personal information processing entities, which are defined as all persons, organisations, corporations and governmental agencies that process personal data for business purposes. Under the PIPA, personal information processing entities must inform data subjects of, and obtain their consent to, the following matters before their personal data is collected or used:
- the purpose of the collection and use;
- the items of personal information that will be collected;
- the duration of the possession and use of the personal information; and
- disclosure that the data subject has a right to refuse to give consent and the negative consequences or disadvantages that may result from such refusal.
In addition, the Credit Information Act regulates and protects financial transaction information and credit information of individuals and entities.
The PIPA, the Network Act, and the Credit Information Act were all amended, taking effect as from 5 August 2020.
The amendments are:
- define personal data, pseudonymised data and anonymised data and include detailed provisions on the processing of pseudonymised data;
- establish the Personal Information Protection Commission (PIPC) as the central data privacy regulatory authority;
- transfer all privacy provisions in the previous Network Act relating to online service providers to the PIPA;
- clarify that the Credit Information Act, which used to apply mostly to the financial institutions, now also applies to all commercial companies; and
- grant the PIPC the authority to request information, to investigate, to conduct on-site investigations, and to impose corrective orders and administrative fines for the purpose of enforcing the Credit Information Act.
The Ministry of the Interior and Safety, the Korean Communications Commission and the Ministry of Science and ICT, and the FSC and the FSS used to be the responsible regulatory agencies for enforcing the PIPA, the Network Act and the Credit Information Act, respectively. With the amendments to the PIPA, the Network Act and the Credit Information Act passed on February 2020, the enforcement of privacy regulations have been generally centralised through the PIPC (excluding enforcement towards financial institutions regulated by the FSC). In addition, once a violation of a relevant privacy law has been confirmed, the PIPC can impose administrative penalties, such as corrective orders and fines, and, as necessary, refer the case for criminal prosecution. Criminal sanctions can be imposed following an investigation by the police or prosecutor's office, either on its own initiative or upon a referral by the relevant regulatory authority.
As for the applicability of these laws to overseas entities, the PIPA applies to all personal information processing entities regardless of whether they are located overseas, and the Credit Information Act would also apply to overseas entities handling financial transaction information and credit information of individuals or entities in South Korea. Although the PIPA and the Credit Information Act do not specifically address their jurisdictional scope for overseas entities, the Korean regulatory authorities have promoted to or ensured compliance by overseas entities with these privacy laws.
The primary statute in the context of cybersecurity that applies to fintech businesses is the PIPA. It prescribes detailed technical security and administrative requirements for cybersecurity such as:
- the establishment and implementation of an internal management plan for the secure processing of personal information;
- installation and operation of an access restriction system to prevent illegal access to and leakage of personal information; and
- the application of encryption technology to enable secure storage and transfer of personal information.
Further, the EFTA criminalises the following types of cyber activities:
- act of intruding on electronic financial infrastructures without proper access rights or by surpassing the scope of permitted access rights or altering, destroying, concealing or leaking data that is saved in such infrastructures; and
- destruction of data, or deployment of a computer virus, logic bomb or program such as an email bomb for the purpose of disrupting the safe operation of electronic financial infrastructures.
iv Open banking system
The FSC launched a pilot programme for the 'Open Banking System' in the banking sector on 30 October 2019, which expanded to fintech firms on 18 December 2019. The open banking system enables bank customers to choose any mobile banking application to manage all their accounts in a single application without having to use separate applications for different banks. The FSC stated that the government will revise the EFTA to expand the service scope and function of the open banking system. Based on the FSC's roadmap, the transition to open banking system will be in three phases:
- Phase 1 will rely on banks' voluntary agreement to an open banking system that would enable customers to use a single application to access their accounts at different banks;
- Phase 2 will require an amendment to the EFTA to include the open banking system. The FSC is aiming to amend the EFTA by the second half of 2021; and
- Phase 3 will establish the regime in which fintech firms gain direct access to the financial payment system. To be eligible for such direct access, fintech payment service providers will have to meet certain requirements of financial soundness and digital capabilities.
Year in review
Over the past 18 months, notable amendments were made to financial laws that may impact fintech businesses operating in South Korea. The landmark legislation was that of the amendments to the three main privacy laws of South Korea: the PIPA, the Network Act and the Credit Information Act. Among the areas of change, the amendments introduced the concept of pseudonymised data and allow the use of pseudonymised data without the consent of data subjects. In addition, the amended FX Rule became effective on 8 October 2019 that increased the annual limit for overseas remittance by institutions registered as small-amount remittance operators from US$30,000 to US$50,000. Further, securities companies and credit card companies may remit funds overseas as long as the amount does not exceed US$5,000 per remittance and US$50,000 per year, for each customer. Also, pursuant to the amended FX Rule, electronic currencies and prepaid electronic payment means issued in South Korea may now be used in foreign jurisdictions to pay for goods or services or be exchanged for foreign currencies.
Furthermore, measures have been taken to promote fintech innovations and the digital transformation in the financial services market in South Korea. The Proposed Amendment to the EFTA, which was submitted to the National Assembly on 27 November 2020, is expected to be approved early in 2021. The Proposed Amendment to the EFTA will introduce two new licences (MyPayment and the comprehensive payment and service provider) and the existing seven types of electronic finance business regime will be consolidated into three types: fund transfer, payment service and payment gateway. The amended Credit Information Act has introduced MyData Business, which provides information principals with services such as comprehensive inquiry of their own financial information, recommendation of optimal financial investment, and advice on financial products. In addition, the Special Act introduced the expedited confirmation on regulation and designation of innovative financial services. As of November 2020, 120 FinTech projects were selected for inclusion in the regulatory sandbox, six of which incorporate blockchain technology.
Meanwhile, the financial regulators have been trying to protect financial consumers and to prevent money laundering. The FSC's press release clarifies that the Partial Amendment to the AML Act and the Enforcement Decree to the Partial Amendment to the AML Act are designed to impose AML requirements on VASPs in accordance with the FATF recommendations, and that such laws and regulations are not intended to adopt virtual assets into Korea's financial regulatory regimes. The FSC still maintains its stance on the de facto prohibition of ICOs to protect investors.
Outlook and conclusions
South Korea's recent fintech environment has seen a variety of industries being newly created and transformed, and its related market is developing rapidly. Further, South Korea's financial supervisory authorities have recently announced various policies to promote innovation and digital transformation in the financial industry and also recently stated that they will introduce a digital sandbox through which fintech start-ups can have opportunities to virtually test their new business ideas or establish a comprehensive fintech support system by working on a legislation focused on nurturing fintechs. In the meantime, they are also keen to improve rules on data privacy to enhance consumer rights to data ownership and ensure that consumers are thoroughly informed of the risks of data transfer in 2021.
In respect of cryptocurrencies, although the government has shown hesitation in endorsing or institutionalising cryptocurrencies and has repeatedly warned investors about the potential dangers of investing in them, it recognises the innovative nature of blockchain technology and its potential impact on the Korean economy and has expressed interest in fostering, promoting and investing in blockchain technology as part of its strategic and economic plans. Furthermore, while the central government appears to be uneasy about cryptocurrencies, some local governments have shown interest in issuing their own cryptocurrencies.
1 Jung Min Lee and Joon Young Kim are senior attorneys and Ik Hwan Cho is a senior foreign attorney at Kim & Chang.