Crypto License Asia
Get Consultation
Seoul skyline with Lotte World Tower
South Korea · FSC · KoFIU · 2026

South Korea Crypto Licence. FSC VASP & VAUPA

KoFIU VASP registration under SFTRA, VAUPA investor-protection uplift from July 2024, KISA ISMS-P certification, and a real-name bank account that is often the binding constraint.

  1. Home
  2. Crypto Licenses
  3. South Korea
Min-jun Kim, South Korea lead
Min-jun Kim
South Korea lead · 16 years in financial regulation and AML compliance
Reviewed by Wei Ming Tan, Managing Partner · Updated 14 Apr 2026
View profile →
Regulator
FSC · KoFIU · FSS
Min capital
KRW 2–3B (practice)
Timeline
12–30 months
Corp tax
9–24% + 10% surtax
Statute
SFTRA · VAUPA
Entity
Jusik-hoesa (Co., Ltd.)

Overview

South Korea regulates crypto through four layers. The core regime is VASP registration with KoFIU under the Act on Reporting and Use of Specific Financial Transaction Information (SFTRA), in force for crypto since 25 March 2021. Since 19 July 2024, the Virtual Asset User Protection Act (VAUPA) layers on investor-protection duties. From H2 2025 the FSC runs a phased corporate-access pilot. The long-awaited Digital Asset Basic Act (DABA), covering stablecoins and broader licensing, was delayed at end-2025 over a BoK-vs-FSC dispute on issuer eligibility and is expected to resurface in 2026.

Korea has the deepest domestic retail crypto market in APAC but also the most idiosyncratic access path. There is no statutory minimum capital, but the real-name verified deposit-and-withdrawal account with one of four partner banks is the bottleneck. Without it, a VASP cannot operate KRW on- and off-ramp.

Yeouido financial district, Seoul

Market landscape, who is licensed

As of April 2026, KoFIU has accepted reports from 27 VASPs, 18 exchange operators and 9 custody or wallet operators. Only five hold verified real-name KRW accounts, and those five carry virtually all domestic fiat volume. Upbit (Dunamu) with K Bank is the market leader by KRW turnover; Bithumb switched its real-name partner from NH NongHyup to KB Kookmin Bank on 24 March 2025; Coinone has worked with Kakao Bank since November 2022; Korbit is with Shinhan Bank; GOPAX and smaller KRW-facing VASPs cycle through Jeonbuk Bank or KB Kookmin. The remaining 22 VASPs operate crypto-to-crypto only. For a foreign applicant the lesson is straightforward, the target is not the KoFIU report itself but the bank-partner relationship that sits upstream of it.

Regulators and banks

The Financial Services Commission (FSC) is the policy regulator and issues VAUPA rules. The Korea Financial Intelligence Unit (KoFIU), a body within the FSC, receives VASP reports under SFTRA. The Financial Supervisory Service (FSS) handles day-to-day inspection and enforcement. The Korea Internet & Security Agency (KISA) issues the mandatory ISMS or ISMS-P information-security certification. The Bank of Korea holds a policy seat on stablecoin issuance under the pending DABA framework. Four commercial banks currently provide real-name verified KRW accounts to VASPs. Upbit with K Bank, Bithumb with NH, Coinone with Kakao Bank, Korbit with Shinhan. A VASP without a bank partnership is effectively limited to crypto-only operation. Primary statute text is published via the Korea legislation portal.

Track 1. SFTRA VASP registration

SFTRA Article 7 captures any person in the business of: (i) buying or selling virtual assets, (ii) exchanging one virtual asset for another, (iii) transferring virtual assets, (iv) custody or management of virtual assets, or (v) intermediation of any of the above. Registration with KoFIU is mandatory. Core requirements:

  • Report (filing) with KoFIU and obtain a confirmation of acceptance, functionally the licence.
  • ISMS or ISMS-P certification from KISA before the KoFIU filing.
  • Real-name verified deposit-and-withdrawal account with a Korean commercial bank, required for KRW fiat on-ramp.
  • No criminal record of directors and key officers, AML compliance programme, fit-and-proper management.
  • Travel Rule since 25 March 2022 at a KRW 1,000,000 threshold (~USD 700).

Track 2. VAUPA (in force 19 July 2024)

VAUPA applies to all SFTRA-registered VASPs and layers on investor-protection duties:

  • Segregate ≥80% of user virtual assets in cold storage (stricter than the earlier SFTRA 70%).
  • Keep user KRW deposits at a Korean bank, separate from VASP funds.
  • Maintain insurance or reserves covering hacking and system-failure losses.
  • Daily reconciliation of user assets; hold an own matching quantity of user coins for liability backing.
  • Market-abuse prohibitions, no insider trading, no use of non-public information, no market manipulation. Criminal liability (imprisonment and/or fines) for breaches.

2026 operational amendments, kill switch and 5-minute reconciliation

In the first quarter of 2026 the FSC tightened SFTRA implementation rules following a Bithumb reconciliation incident. Three changes matter for any VASP planning market entry. First, user-asset reconciliation moves from the earlier daily cycle to a real-time check every 5 minutes, with an automated kill switch that halts transactions if a discrepancy is detected. Second, external audits of VASP asset segregation and cold-storage ratios step up from quarterly to monthly, with expanded public-disclosure requirements on holdings. Third, the KoFIU fit-and-proper review now extends to controlling shareholders, not only executives and directors, and KoFIU can examine a company's financial condition, internal controls, legal track record and the credibility of its filings before confirming acceptance. Existing SFTRA-registered VASPs have a transition window during 2026 to upgrade technology; new applicants will be expected to demonstrate 5-minute reconciliation and kill-switch logic at the ISMS-P audit stage.

Phase 2, corporate access to VA markets

On 13 February 2025 the FSC published its Phased Corporate Access roadmap. Phase 1 from H1 2025 permitted non-profit corporations and VASPs themselves to sell VA for operational purposes (e.g., realising donated crypto, liquidating customer fees). Phase 2 from H2 2025 pilots listed corporations and registered professional investors trading VA, with financial-sector companies excluded. Second-stage legislative work to expand investor-protection and market-conduct rules continues through 2026.

Track 4. Digital Asset Basic Act (DABA)

DABA passed key legislative steps in 2025 but final enactment was delayed at end-2025 over a disagreement between the Bank of Korea (wants bank-only stablecoin issuance with ≥51% bank ownership) and the FSC (wants broader eligibility including non-bank issuers). On 8 April 2026 the National Assembly advanced a revised DABA package that proposes a 100% or greater reserve requirement for stablecoin issuers, with reserves held at banks or FSC-approved institutions and redemption at par. The revised draft also introduces integrated rules for token issuance and disclosure, a dedicated registration track for digital-asset businesses beyond SFTRA and clearer token classification. Final text and commencement date are not yet fixed, structures intended for stablecoin issuance should still be ring-fenced so that either a bank-majority or a broader-eligibility final text can be accommodated without restructuring.

2026 planning note

Korea market-entry work in 2026 should assume SFTRA + VAUPA are the live regime and that DABA will add a parallel stablecoin issuer track sometime during the year. Structures intended for stablecoin issuance should be ring-fenced so that either a bank-majority or a broader-eligibility final text can be accommodated without restructuring.

High-level application checklist (VASP)

  1. Incorporate a Korean jusik-hoesa (Co., Ltd.) with local directors and a representative director.
  2. Hire a Chief Information Security Officer, Chief AML Officer and compliance team resident in Korea.
  3. Build IT infrastructure compliant with ISMS/ISMS-P, network segregation, cold-wallet architecture for ≥80% user assets, privileged-access controls, logging.
  4. Operate on that infrastructure for at least two months to generate audit evidence, then apply to KISA for ISMS or ISMS-P certification.
  5. Obtain a real-name verified deposit-and-withdrawal account from a Korean commercial bank (KRW-facing VASPs only).
  6. AML/CFT programme. KYC, EDD, transaction monitoring, SAR filing to KoFIU; Travel Rule at KRW 1M threshold.
  7. VAUPA operational controls, cold-storage ratio, user-asset segregation, insurance or reserve, daily reconciliation, market-abuse surveillance.
  8. Fit-and-proper self-declaration for controlling shareholders, directors and senior management.
  9. Business plan, 3-year P&L, governance and risk policies.
  10. File the VASP report with KoFIU and respond to clarification rounds.
  11. Post-registration, annual ISMS re-certification, regular FSS/KoFIU inspections, VAUPA reporting.

Process and timeline

StageVASP registration
Incorporate Korean entity, hire compliance and infosec team2–4 months
Build ISMS-P-compliant infrastructure and run 2-month operating history6–9 months
KISA ISMS / ISMS-P certification audit cycle3–6 months
Secure real-name bank partnership (if KRW-facing)3–12 months (often binding)
KoFIU report review after filing3 months statutory + extensions
End-to-end12–24 months crypto-only · 18–30 months KRW-facing

Taxation

  • Corporate income tax, 9% on the first KRW 200M, 19% up to KRW 20B, 21% up to KRW 300B, 24% above, plus a 10% local surtax on the national CIT.
  • VAT, 10% standard rate; virtual-asset transfers are VAT-exempt under National Tax Service interpretations.
  • Individual crypto-gains tax, a 20% rate (plus 2% local) on gains exceeding KRW 2.5M per year has been repeatedly postponed; effective-from date currently pushed to 2027.
  • Withholding on non-residents, crypto-gains withholding rules for non-resident individuals at VASP level (22% of gain or 11% of proceeds, whichever is lower); scope and timing aligned with the individual-gains tax effectiveness date.
  • Corporate crypto holdings, mark-to-market (fair value) under K-IFRS where applicable; no special exemption equivalent to Japan.

FAQ

What is the minimum capital for a Korea VASP?

No fixed statutory minimum. KoFIU and banks expect KRW 2–3 billion (~USD 1.5–2.3M) in operating capital for credible exchange applications. Custody-only or OTC-only applicants can be lower.

How long does Korea VASP registration take?

12 to 24 months for crypto-only, 18 to 30 months if KRW fiat on-ramp is required. The real-name bank partnership is the binding constraint.

Is ISMS-P certification mandatory?

Yes. ISMS or ISMS-P from KISA is a prerequisite to the KoFIU filing. The certification requires at least two months of operating history on compliant infrastructure and a 3–6 month audit.

Can I operate without a real-name bank account?

Yes, but only for crypto-to-crypto operations. You cannot accept or return KRW without a real-name account from a Korean commercial bank.

How does Korea compare with Japan and Hong Kong?

Japan is longer and more stable. Hong Kong is institutional-grade with clearer capital thresholds. Korea wins on domestic retail volume but has the hardest banking path.

How much does ISMS-P certification cost?

KISA does not publish a public fee schedule. For VASP-scale firms, market observation is KRW 30–150 million (USD ~23K–115K) for initial certification plus annual surveillance, with 3-year validity. The audit cycle takes 3 to 6 months after at least two months of operating history.

Which Korean banks issue real-name VASP accounts?

Only five exchanges hold verified real-name KRW accounts as of April 2026: Upbit with K Bank, Bithumb with KB Kookmin Bank (switched from NH NongHyup on 24 March 2025), Coinone with Kakao Bank (since November 2022), Korbit with Shinhan Bank, and smaller names such as GOPAX with Jeonbuk Bank or KB Kookmin.

What user-protection rules does VAUPA impose?

≥80% of user virtual assets in cold storage, KRW deposits segregated at a Korean bank, insurance or reserves against hacking and system-failure losses, daily reconciliation of user assets, and an own matching quantity of user coins for liability backing. Market-abuse prohibitions mirror securities-law standards.

What compliance staff must a Korean VASP hire?

A Chief Information Security Officer, a Chief AML Officer and a compliance team resident in Korea, alongside local directors and a representative director of the jusik-hoesa. Fit-and-proper declarations are required for controlling shareholders, directors and senior management.

How does Korea's Travel Rule work?

The Travel Rule has been in force since 25 March 2022 at a KRW 1,000,000 threshold (~USD 700). VASPs must exchange originator and beneficiary information for transfers at or above that threshold and file SARs to KoFIU, a lower threshold than most APAC jurisdictions.

What are the VAUPA penalties for market abuse?

Market manipulation and fraudulent transactions, minimum 1 year imprisonment or 3–5× profit gained or loss avoided. Insider trading of tokens issued by the VASP or related parties, up to 10 years imprisonment or 3–5× profit gained or loss avoided. The FSC may also impose an administrative fine of up to 2× profit gained or loss avoided.

Can foreigners register or use Korean crypto exchanges?

Foreign individuals can hold accounts at Korean VASPs only if they obtain a Korean real-name bank account, which requires residency and a Korean Alien Registration Number. Foreign-owned companies can apply to become VASPs by incorporating a Korean jusik-hoesa with a Korean-resident representative director, CISO and AML officer; the KoFIU file is then evaluated on the same SFTRA and VAUPA criteria as a domestic applicant. Cross-border VASPs that target Korean users without a local entity fall under KoFIU jurisdiction and face site-blocking.

Are ICOs and NFTs regulated in Korea?

ICOs have been administratively prohibited in Korea since September 2017 and no formal authorisation route has been created; issuers typically use overseas vehicles and restrict Korean investors. Under DABA, the 8 April 2026 draft introduces integrated rules for token issuance and disclosure that would finally open a domestic regime. NFTs are assessed by the FSC on a case-by-case basis, payment-like or investment-contract NFTs are treated as virtual assets under SFTRA or as securities under the Capital Markets Act; collectible or one-of-a-kind NFTs typically fall outside the VASP regime.

What is the new 5-minute reconciliation and kill-switch rule?

Following a Bithumb reconciliation incident, the FSC amended SFTRA implementation rules in Q1 2026 to require real-time reconciliation of user assets every 5 minutes and an automated kill switch that halts transactions on discrepancy. External audits step up from quarterly to monthly, disclosure requirements on holdings expand, and KoFIU fit-and-proper review extends to controlling shareholders. New applicants will need to demonstrate 5-minute reconciliation and kill-switch logic at the KISA ISMS-P audit.

How is corporate and crypto-gains tax structured?

CIT is progressive, 9% on the first KRW 200M, 19% up to KRW 20B, 21% up to KRW 300B, 24% above, plus a 10% local surtax. VA transfers are VAT-exempt. The 20% individual crypto-gains tax (plus 2% local) on gains above KRW 2.5M p.a. is postponed to 2027. Unlike Japan, corporate crypto holdings are mark-to-market under K-IFRS with no special exemption.

Keep reading

Related jurisdictions, services and guides

Cross-border

Japan JFSA CAESP & EPISP

Korea's regional counterpart. JVCEA navigation, EPISP stablecoin intermediary regime.

 Service

AML/KYC programme design

Travel Rule implementation at KRW 1M threshold, SAR workflow, SFTRA-aligned KYC.

 Cross-border

Hong Kong SFC VATP

Institutional alternative with clearer capital thresholds and banking path.
Korea licensing

Scope the ISMS-P, VAUPA and banking path first.

A 30-minute call with Min-jun Kim, our Seoul lead. Map the VASP file against KISA audit, bank-partner review and VAUPA uplift in one go.

Request consultation Meet Min-jun