South Korea Tightens the Net on Crypto Firms as Regulators Move to Close AML Gaps

Key Takeaways

• Ownership Comes Into Sharper Focus: Expanded scrutiny of CEOs, controlling shareholders, and corporate ownership structures aims to reduce opacity in VASP registration.
• Small Transactions Lose Their Shield: The travel rule will extend below KRW1,000,000, capturing a majority of domestic crypto transfers.
• Cross-Border Activity Faces Tighter Oversight: Transfers of KRW10 million or more to overseas providers must be reported regardless of risk level.
• Compliance Becomes Operational: Firms must demonstrate real internal controls, systems, and staffing to support AML and user protection.
• Due Diligence Gets Deeper: Verification of customer data accuracy and enhanced checks for higher-risk activity become standard expectations.

Deep Dive

South Korea’s Financial Services Commission is tightening oversight of the crypto sector, proposing a set of rule changes that read less like a wholesale rewrite and more like a deliberate effort to close the gaps regulators believe have been quietly undermining the system.

The proposal focuses on two pressure points that will feel familiar to compliance teams. First, who is actually behind a firm. Second, what happens in the vast volume of smaller transactions that rarely attract attention but collectively carry risk.

On the entry side, the Commission is widening the lens on ownership and control. Registration would no longer hinge on a narrow definition of shareholders. Instead, scrutiny would extend to the largest shareholder, the CEO, and controlling interests, and where ownership runs through a corporate entity, the executives behind it. It is a clear attempt to pull back the curtain on layered structures that can obscure accountability.

That shift is paired with stricter expectations around financial soundness and credibility. Firms and their key stakeholders would need to show a debt ratio at or below 200 percent, demonstrate a clean track record free of recent defaults, and avoid ties to institutions that have collapsed or lost their licenses. Executives themselves would also need to meet governance standards already embedded in South Korea’s broader financial regulatory framework. None of this is particularly radical in isolation, but taken together it narrows the pathway into the market and raises the cost of entry for weaker players.

Where the proposal becomes more consequential is in how it tackles transaction monitoring. The expansion of the “travel rule” is doing much of the heavy lifting here. Currently, the requirement to transmit sender and recipient information applies only to domestic virtual asset transfers above about $770 (KRW1,000,000). Under the new rules, that threshold effectively disappears. Smaller transactions (many of which have sat outside the core AML perimeter) would now fall within scope. Regulators have been explicit about why this matters. Roughly 60 percent of domestic transfers between VASPs fall below that level. What was once a compliance blind spot becomes visible overnight.

There is also a subtle recalibration of responsibility. It will no longer be enough for the sender to carry the burden of information sharing. Recipients will be required to secure that data as well, reinforcing a more distributed model of accountability across the transaction chain.

Cross-border flows are treated with a similar mix of openness and control. Transfers between domestic platforms and overseas VASPs or wallet providers will still be permitted, but only under defined conditions such as interactions with low-risk counterparties or transactions where the sender and recipient are the same entity. High-risk transactions remain prohibited.

At the same time, any transfer of about $7,700 (KRW10 million) or more to an overseas provider will trigger mandatory reporting to the Korea Financial Intelligence Unit, regardless of how the transaction is classified from a risk perspective. The message is clear. International flows are not being shut down, but they are being brought into sharper focus.

The proposal also nudges customer due diligence into more substantive territory. Identifying a customer is no longer enough. Firms will be expected to verify the accuracy of that information, and to apply more rigorous checks where higher-risk individuals or products are involved. It is an incremental change on paper, but one that pushes firms toward deeper validation rather than surface-level compliance.

Even the treatment of individuals reflects this broader tightening. Sanctions imposed on former employees of VASPs would be communicated through the Financial Supervisory Service, extending visibility beyond active roles and signaling that accountability does not end when someone exits the organization.

The proposal is now open for comment through May 11, with implementation targeted for August 20, 2026, pending legislative approval. For firms operating in or looking to enter South Korea’s virtual asset market, the direction is difficult to misread. Regulators are less concerned with dramatic new rules than with making existing ones harder to sidestep, whether through ownership structures, transaction size, or operational gaps.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.