Overview
South Korea regulates crypto through four layers. The core regime is VASP registration with KoFIU under the Act on Reporting and Use of Specific Financial Transaction Information (SFTRA), in force for crypto since 25 March 2021. Since 19 July 2024, the Virtual Asset User Protection Act (VAUPA) layers on investor-protection duties. From H2 2025 the FSC runs a phased corporate-access pilot. The long-awaited Digital Asset Basic Act (DABA) — covering stablecoins and broader licensing — was delayed at end-2025 over a BoK-vs-FSC dispute on issuer eligibility and is expected to resurface in 2026.
Korea has the deepest domestic retail crypto market in APAC but also the most idiosyncratic access path. There is no statutory minimum capital, but the real-name verified deposit-and-withdrawal account with one of four partner banks is the bottleneck. Without it, a VASP cannot operate KRW on- and off-ramp.
Regulators and banks
The Financial Services Commission (FSC) is the policy regulator and issues VAUPA rules. The Korea Financial Intelligence Unit (KoFIU), a body within the FSC, receives VASP reports under SFTRA. The Financial Supervisory Service (FSS) handles day-to-day inspection and enforcement. The Korea Internet & Security Agency (KISA) issues the mandatory ISMS or ISMS-P information-security certification. Four commercial banks currently provide real-name verified KRW accounts to VASPs — Upbit with K Bank, Bithumb with NH, Coinone with Kakao Bank, Korbit with Shinhan. A VASP without a bank partnership is effectively limited to crypto-only operation.
Track 1 — SFTRA VASP registration
SFTRA Article 7 captures any person in the business of: (i) buying or selling virtual assets, (ii) exchanging one virtual asset for another, (iii) transferring virtual assets, (iv) custody or management of virtual assets, or (v) intermediation of any of the above. Registration with KoFIU is mandatory. Core requirements:
- Report (filing) with KoFIU and obtain a confirmation of acceptance — functionally the licence.
- ISMS or ISMS-P certification from KISA before the KoFIU filing.
- Real-name verified deposit-and-withdrawal account with a Korean commercial bank, required for KRW fiat on-ramp.
- No criminal record of directors and key officers, AML compliance programme, fit-and-proper management.
- Travel Rule since 25 March 2022 at a KRW 1,000,000 threshold (~USD 700).
Track 2 — VAUPA (in force 19 July 2024)
VAUPA applies to all SFTRA-registered VASPs and layers on investor-protection duties:
- Segregate ≥80% of user virtual assets in cold storage (stricter than the earlier SFTRA 70%).
- Keep user KRW deposits at a Korean bank, separate from VASP funds.
- Maintain insurance or reserves covering hacking and system-failure losses.
- Daily reconciliation of user assets; hold an own matching quantity of user coins for liability backing.
- Market-abuse prohibitions — no insider trading, no use of non-public information, no market manipulation. Criminal liability (imprisonment and/or fines) for breaches.
Phase 2 — corporate access to VA markets
On 13 February 2025 the FSC published its Phased Corporate Access roadmap. Phase 1 from H1 2025 permitted non-profit corporations and VASPs themselves to sell VA for operational purposes (e.g., realising donated crypto, liquidating customer fees). Phase 2 from H2 2025 pilots listed corporations and registered professional investors trading VA, with financial-sector companies excluded. Second-stage legislative work to expand investor-protection and market-conduct rules continues through 2026.
Track 4 — Digital Asset Basic Act (DABA)
DABA passed key legislative steps in 2025 but final enactment was delayed at end-2025 over a disagreement between the Bank of Korea (wants bank-only stablecoin issuance with ≥51% bank ownership) and the FSC (wants broader eligibility including non-bank issuers). The bill is expected to introduce a dedicated stablecoin issuer licence with reserve, governance and redemption requirements; broader VASP licensing beyond SFTRA; and clearer token classification. Specific capital thresholds should not yet be cited until enactment.
Korea market-entry work in 2026 should assume SFTRA + VAUPA are the live regime and that DABA will add a parallel stablecoin issuer track sometime during the year. Structures intended for stablecoin issuance should be ring-fenced so that either a bank-majority or a broader-eligibility final text can be accommodated without restructuring.
High-level application checklist (VASP)
- Incorporate a Korean jusik-hoesa (Co., Ltd.) with local directors and a representative director.
- Hire a Chief Information Security Officer, Chief AML Officer and compliance team resident in Korea.
- Build IT infrastructure compliant with ISMS/ISMS-P — network segregation, cold-wallet architecture for ≥80% user assets, privileged-access controls, logging.
- Operate on that infrastructure for at least two months to generate audit evidence, then apply to KISA for ISMS or ISMS-P certification.
- Obtain a real-name verified deposit-and-withdrawal account from a Korean commercial bank (KRW-facing VASPs only).
- AML/CFT programme — KYC, EDD, transaction monitoring, SAR filing to KoFIU; Travel Rule at KRW 1M threshold.
- VAUPA operational controls — cold-storage ratio, user-asset segregation, insurance or reserve, daily reconciliation, market-abuse surveillance.
- Fit-and-proper self-declaration for controlling shareholders, directors and senior management.
- Business plan, 3-year P&L, governance and risk policies.
- File the VASP report with KoFIU and respond to clarification rounds.
- Post-registration — annual ISMS re-certification, regular FSS/KoFIU inspections, VAUPA reporting.
Process and timeline
| Stage | VASP registration |
|---|---|
| Incorporate Korean entity, hire compliance and infosec team | 2–4 months |
| Build ISMS-P-compliant infrastructure and run 2-month operating history | 6–9 months |
| KISA ISMS / ISMS-P certification audit cycle | 3–6 months |
| Secure real-name bank partnership (if KRW-facing) | 3–12 months (often binding) |
| KoFIU report review after filing | 3 months statutory + extensions |
| End-to-end | 12–24 months crypto-only · 18–30 months KRW-facing |
Taxation
- Corporate income tax — 9% on the first KRW 200M, 19% up to KRW 20B, 21% up to KRW 300B, 24% above, plus a 10% local surtax on the national CIT.
- VAT — 10% standard rate; virtual-asset transfers are VAT-exempt under NTS interpretations.
- Individual crypto-gains tax — a 20% rate (plus 2% local) on gains exceeding KRW 2.5M per year has been repeatedly postponed; effective-from date currently pushed to 2027.
- Withholding on non-residents — crypto-gains withholding rules for non-resident individuals at VASP level (22% of gain or 11% of proceeds, whichever is lower); scope and timing aligned with the individual-gains tax effectiveness date.
- Corporate crypto holdings — mark-to-market (fair value) under K-IFRS where applicable; no special exemption equivalent to Japan.
FAQ
What is the minimum capital for a Korea VASP?
No fixed statutory minimum. KoFIU and banks expect KRW 2–3 billion (~USD 1.5–2.3M) in operating capital for credible exchange applications. Custody-only or OTC-only applicants can be lower.
How long does Korea VASP registration take?
12 to 24 months for crypto-only, 18 to 30 months if KRW fiat on-ramp is required. The real-name bank partnership is the binding constraint.
Is ISMS-P certification mandatory?
Yes. ISMS or ISMS-P from KISA is a prerequisite to the KoFIU filing. The certification requires at least two months of operating history on compliant infrastructure and a 3–6 month audit.
Can I operate without a real-name bank account?
Yes, but only for crypto-to-crypto operations. You cannot accept or return KRW without a real-name account from a Korean commercial bank.