Crypto Law Profile
South Korea’s AML/CFT statute requires VASPs to report/register with KoFIU, meet ISMS and real-name account conditions where applicable, and comply with CDD, STR and travel-rule duties.
The Act on Reporting and Using Specified Financial Transaction Information is South Korea’s core anti-money laundering and counter-terrorist financing statute for specified financial transaction information and a key legal basis for the Korea Financial Intelligence Unit. For crypto, the Act’s virtual asset service provider registration regime was added through the 2020 amendment, Act No. 17113, and became operative on March 25, 2021. As of June 6, 2026, the core VASP AML registration regime is in force, while a later 2026 amendment is scheduled to tighten entry rules from August 20, 2026.
The regime places virtual asset service providers inside South Korea’s AML/CFT reporting framework. The Act treats a VASP as a covered financial company category and connects virtual asset transactions to the statute’s reporting, customer due diligence, recordkeeping, and supervisory architecture. Its purpose is not to create a general crypto market conduct code; it is primarily an AML/CFT statute designed to support reporting and use of specified financial transaction information.
The regime reshaped market access for Korean-facing crypto exchanges, wallet providers, custody providers, and other covered virtual asset businesses. Existing VASPs were given a six-month transition period after the March 25, 2021 effective date, ending September 24, 2021. The FSC later reported that 42 VASPs filed registration reports by the deadline, with KoFIU and the Financial Supervisory Service reviewing whether applicants were prepared to comply with AML duties.
For Korean users and counterparties, the regime created a public-law distinction between registered and unregistered VASPs. The FSC and KoFIU have stated that VASPs operating without filing after the deadline may be treated as illegal operators, and the statute provides criminal penalties for operating virtual asset transactions without filing a report. The regime should be read together with South Korea’s separate Act on the Protection of Virtual Asset Users, which took effect in 2024 and added user-asset protection, unfair-trading, inspection, and sanctions powers beyond the AML-centered framework.
The operative text remains in force as a non-U.S. national statute. A 2024 subordinate-rule update strengthened reporting by requiring VASPs to report compliance-system details and major-shareholder status, introduced differentiated change-reporting periods, and added grounds for suspending registration review when related criminal, inspection, or investigative matters are pending.
Act No. 21358, promulgated on February 19, 2026 and scheduled to take effect on August 20, 2026, will further expand entry screening. The amendment adds a statutory definition of major shareholders, extends disqualification checks to major shareholders, adds financial condition, social credibility, organizational, staffing, IT, and internal-control review factors, and authorizes KoFIU to attach conditions when accepting a VASP report. Existing registered VASPs must re-report under the amended Article 7 within three months after the amendment takes effect.
This profile summarizes the legal-reference status of the South Korean VASP AML registration regime and should not be read as legal, tax, investment, or compliance advice. Editors should verify the post again around August 20, 2026, when Act No. 21358 is scheduled to enter into force.
VASPs, including intended operators, must report company identity and prescribed business details to KoFIU; changes require reporting.
KoFIU may reject reports where ISMS certification, real-name account use, fitness criteria, or prior cancellation conditions are not met.
Registered VASPs are subject to AML duties including CDD, suspicious transaction reporting, travel rule duties, inspection and supervision.
The VASP chapter applies to offshore VASP activity where transactions have domestic effect, including services targeting Korean users.
Operating virtual asset transactions without filing a report may trigger criminal penalties of up to five years imprisonment or KRW50 million fine.
Act No.21358 adds major-shareholder, financial condition, social credibility, capacity and conditional-approval review factors from Aug.20,2026.
Act No.17113 added VASP definitions, reporting rules, customer checks and penalties.
FSC said VASP AML duties and registration rules took effect from Mar.25,2021.
Existing VASPs had six months to file registration reports with KoFIU.
FSC reported 42 VASPs had filed registration reports by the Sep.24 deadline.
Subordinate regulation added compliance-system and major-shareholder reporting details.
Act No.21358 was promulgated and scheduled to take effect on Aug.20,2026.
Financial Services Commission, Financial Supervisory Service, Korea Financial Intelligence Unit
Virtual assets
Profile focuses on the VASP AML registration layer under the Financial Transaction Reports Act, not the separate Virtual Asset User Protection Act market-conduct regime. Status verified June 6, 2026.
