Vara licence application in South Korea: Legal Requirements for Businesses
A foreign exchange, custodian or payment platform targeting South Korean users quickly discovers a structural problem: the jurisdiction that generated some of the world's highest retail crypto volumes runs its own VASP registration regime, entirely separate from the VARA (Virtual Assets Regulatory Authority) framework that governs Dubai. Operating without the right authorisation in South Korea exposes the business to enforcement action, frozen payment rails and the loss of local banking relationships – consequences that are difficult and slow to reverse. This page maps the South Korean VASP registration (virtual asset service provider authorisation) regime, the inbound licensing process, and the cross-border interaction with banking, tax and compliance that every operator must resolve before launch.
The short answer is this: South Korea's regulatory authorisation for digital-asset businesses sits under the Act on Reporting and Using Specified Financial Transaction Information – commonly called the Special Financial Information Act (SFIA) – administered by the Financial Intelligence Unit (FIU) under the Financial Services Commission (FSC). Separately, South Korea has enacted the Virtual Asset User Protection Act, which imposes additional conduct and custody obligations on registered VASPs. Any business offering exchange, custody, transfer or brokerage services to South Korean users must register under the SFIA before commencing operations.
The sections below address the regulated perimeter, the registration process and timeline, AML and Travel Rule obligations, the cross-border banking and tax reality, and the decision framework for an inbound operator.
What is South Korea's crypto regulatory regime, and who must register?
Any entity operating a virtual asset exchange, providing custody, facilitating transfers or brokering virtual asset transactions for South Korean users must register as a VASP with the FIU under the SFIA regime. The obligation turns on the activity directed at the market, not the entity's place of incorporation. A Cayman fund operating an exchange product accessible from Seoul is squarely within scope. The FSC has consistently affirmed that offshore structuring does not displace the SFIA obligation where the service is directed at domestic users.
Registration is granted by the Korea Financial Intelligence Unit (KoFIU) – the operational arm of the FIU. The FIU review sits alongside an independent assessment by an Information Security Management System (ISMS) certifying body: every applicant must hold a valid ISMS certification before the FIU will accept a registration. That certification requirement is substantive. It typically involves a multi-month technical audit of the applicant's security architecture, access controls and incident-response procedures.
Beyond exchange and custody, the Virtual Asset User Protection Act (which entered into force in 2024) extends obligations to deposit segregation, reserve management and prohibited trading practices. Registered VASPs must maintain customer assets in segregated cold-storage arrangements and comply with ongoing disclosure and reporting duties. The two regimes – SFIA registration and User Protection Act compliance – operate in parallel; satisfying one does not discharge the other.
In our licensing practice, operators frequently underestimate the ISMS certification timeline. It is not a paper exercise. Regulators in South Korea expect a functioning, audited security programme, not a policy framework alone.
For a scoped assessment of whether your business model triggers the SFIA registration obligation, the analysis turns on user location, the nature of the service and your entity's current footprint. Map your options with OBOLUS before committing to a South Korean go-to-market plan.
Which inbound operator profiles does South Korea suit?
South Korea suits operators who already have institutional-grade compliance infrastructure and are willing to commit to a full domestic registration – not those seeking a light-touch offshore gateway to Korean retail volume. The market is large, but the regulatory bar is correspondingly high.
A major payment institution or exchange with a strong AML programme, an established banking relationship and the resources to maintain a local compliance function is a realistic applicant. A newly incorporated offshore vehicle without operational history, a real-name bank account arrangement or an ISMS certification in progress is not positioned to register in a workable timeframe.
Consider three operator profiles when assessing the South Korean path.
Profile A – Established exchange expanding from an existing licensed hub (Singapore MAS / MiCA CASP): This operator has the compliance documentation, VASP policies and security audit discipline that the KoFIU review expects. The primary additional burden is the ISMS certification, a local banking arrangement and Korean-language AML/KYC documentation. Timeline to registration, assuming the ISMS is already in progress, is typically a matter of months rather than weeks; the FIU review itself adds further time after the ISMS is issued.
Profile B – Token issuer seeking secondary market liquidity: A token project that wants Korean retail distribution but does not operate its own exchange should assess whether it triggers the SFIA registration as a service provider in its own right. Often, listing on a registered Korean exchange is the practical route, with the operator taking on the registration obligation rather than the issuer.
Profile C – Offshore custodian targeting Korean institutional clients: Institutional custody directed at Korean counterparties attracts both the SFIA registration and the User Protection Act segregation requirements. Without a registered local entity, the business is exposed. Structuring through a VARA-licensed or MiCA-authorised entity does not substitute for South Korean authorisation where the direct counterparty is a Korean person or institution.
How does the South Korea VASP registration process work?
The South Korean VASP registration process proceeds in two parallel streams: the ISMS certification and the KoFIU registration filing, with the certification being a gateway condition to the registration itself.
The first step is engagement with an ISMS-P or ISMS certifying body accredited by the Korea Internet and Security Agency (KISA). The audit covers the applicant's information security management system across technical controls, organisational procedures and physical security. For an exchange, this encompasses trading-system architecture, wallet infrastructure and key-management practices. The audit process is intensive and cannot be compressed simply by adding resources; KISA sets the certification standard and timeline.
Concurrently, the applicant must establish a real-name verification account arrangement with a licensed Korean bank. Under the SFIA, a registered VASP must channel customer deposits and withdrawals through accounts verified by an FSC-regulated bank. In practice, securing a banking partner willing to provide real-name account services is among the most commercially difficult steps of the process. Korean banks apply their own AML and reputational risk screens independently of the FIU, and not all operators qualify. We have observed that applicants without an existing track record in a recognised licensed jurisdiction face significantly greater difficulty at this step.
Once the ISMS certification is in hand and a banking arrangement is confirmed, the entity files a VASP registration report with KoFIU. The filing must include the entity's AML/CFT policies, officer and beneficial-owner declarations, and documentation evidencing the ISMS certification and banking arrangement. KoFIU may request supplementary information during its review. A deficient filing resets the review clock.
In a recent licensing matter, a payments company with an existing MAS licence sought to extend its operations into South Korea. The ISMS audit identified gaps in the wallet-custody architecture that required remediation before certification could proceed. We coordinated the technical and legal workstreams in parallel, avoiding a sequential delay that would have extended the go-to-market timeline by several months.
If your registration filing has stalled – at the ISMS stage, the banking step or the KoFIU review – a second read of the structural gaps can identify the route forward. Contact OBOLUS at info@oboluslaw.com or map your options here.
What are the AML and Travel Rule obligations for South Korean VASPs?
South Korea has fully implemented the Travel Rule (the obligation, derived from the FATF Recommendation 15 framework, to pass originator and beneficiary identification data with every qualifying virtual asset transfer) through the SFIA regime. Registered VASPs must collect, verify and transmit counterparty information on transfers meeting the applicable threshold, and must refuse transfers from unregistered counterparties that cannot demonstrate Travel Rule compliance.
FATF Recommendation 15 forms the international baseline, and Korea's FIU has adopted its requirements directly into the domestic VASP registration framework. The Travel Rule data threshold – the minimum transfer value that triggers the obligation – is set domestically; operators should confirm the current figure with KoFIU rather than relying on any published approximation.
Customer due diligence under the SFIA requires real-name verification for all domestic users. The real-name account system means that a Korean user's exchange account must be linked to a verified bank account in the same name. Pseudonymous or anonymous accounts are not permitted for domestic VASP services. For an inbound operator, this directly constrains the onboarding architecture: the business must integrate with the Korean banking system, not merely maintain a global KYC database.
Suspicious transaction reporting runs to KoFIU. VASPs must maintain AML compliance officers and submit STRs within the timeframe the FIU specifies. The User Protection Act adds a supplementary layer: VASPs must monitor for abnormal trading patterns and report market-manipulation concerns to the FSC.
Operators we advise with multi-jurisdiction VASP programmes regularly find that the Korean Travel Rule implementation is among the stricter ones, particularly on the threshold for counterparty due diligence at unhosted wallets. Building the compliance infrastructure to satisfy KoFIU's expectations from the outset is materially cheaper than retrofitting it after registration.
How does South Korean banking and tax interact with the VASP licence?
The real-name account requirement creates a structural dependency on Korean bank cooperation that no amount of offshore structuring can remove. A VASP that cannot obtain a real-name account arrangement cannot lawfully serve Korean retail users, regardless of its licensing status elsewhere. The FSC has signalled that this requirement is a feature, not a gap – it creates a direct link between the financial system and every registered VASP's customer activity.
Tax treatment of virtual asset income in South Korea has been subject to sustained legislative development. Korea's tax authority has brought virtual asset gains within the income tax regime, and withholding and reporting obligations apply to registered VASPs as payment intermediaries. The applicable regime for a foreign entity operating through a Korean registered subsidiary differs from that applicable to a direct cross-border service, and the distinction has banking consequences: a Korean subsidiary will hold its own tax identification and banking relationships, while a direct cross-border service may trigger withholding at the bank level.
For operators domiciled in a jurisdiction with a tax treaty with Korea, the treaty provisions may affect the characterisation of service fees and the applicable withholding rate. The interaction between the VASP registration, the corporate tax position and the banking structure should be mapped before the entity is established, not after. We regularly advise on this tri-layer mapping – licence, tax and banking – as a single integrated workstream rather than three separate questions.
Note also that Korea's Foreign Exchange Transactions Act governs the movement of funds across the border. A VASP facilitating fiat on/off-ramp services for Korean users must ensure its cross-border payment flows comply with the applicable foreign exchange reporting and approval regime. Allied counsel in the relevant jurisdiction can advise on the current requirements in detail.
What are the most common mistakes operators make when applying?
Underestimating the ISMS certification timeline is the most structurally damaging mistake. An operator that files a business plan, hires compliance staff and approaches KoFIU before the ISMS audit is complete will find that no filing is possible. The clock does not start until the certification is in hand.
A second common failure is approaching Korean banks too late in the process. Banks conduct their own eligibility assessments on VASP applicants. That assessment takes time, and banks are under no obligation to approve a real-name account. Operators who wait until the KoFIU filing stage to open bank conversations regularly find the banking step becomes the critical-path blocker.
A third error is assuming that the SFIA registration covers the User Protection Act obligations automatically. It does not. The two regimes are distinct. A registered VASP that has not implemented the segregated custody architecture, the reserve management procedures and the market-surveillance reporting required by the User Protection Act is compliant with one regime and non-compliant with the other. Enforcement risk runs on both tracks.
A common assumption is that a single offshore VASP registration – a BVI or Cayman vehicle, or even a MiCA-authorised entity – is sufficient to serve South Korean users. It is not. South Korea's SFIA registration obligation applies based on the activity directed at the Korean market. The FIU's approach to offshore service providers has become progressively more assertive, and the FSC has the authority to block access for unregistered foreign operators.
We have also seen operators structure holding companies and operational subsidiaries without considering how the real-name account requirement maps to the Korean entity. The bank account must be held by the registered VASP entity itself. A holding-company account in a parent jurisdiction does not satisfy the requirement.
How does South Korea interact with other VASP-licensed jurisdictions?
South Korea does not participate in the mutual recognition or passporting arrangements that exist within the EU under MiCA or within DIFC-ADGM. A MiCA-authorised CASP has passporting rights across the EU/EEA. It has no recognition in South Korea. Each jurisdiction requires its own authorisation.
This matters for operators managing multi-jurisdiction VASP programmes. A Korean registration is additive to, not a substitute for, licences in the EU, Singapore, Hong Kong or the UAE. Conversely, a Korean registration does not discharge obligations in other markets where Korean-domiciled funds flow.
For a business that is already registered with the Monetary Authority of Singapore under the Payment Services Act, the South Korean process will be more tractable – the MAS compliance infrastructure maps closely onto what KoFIU expects – but still requires the ISMS certification, the Korean bank arrangement and a separate KoFIU filing. The two registrations do not merge.
There is also a corporate structuring question at the intersection of Korea and the UAE. Some operators use a VARA-licensed Dubai entity for their global exchange business while establishing a separate Korean entity for the Korean market. The two entities must each satisfy their respective regimes independently. Intra-group transactions – liquidity provision, technology services, intellectual property licensing – must be structured at arm's length and with attention to Korean transfer-pricing requirements.
In our cross-border practice, the most structurally efficient approach for a business entering Korea from an established licensed hub is to build the Korean entity as a wholly owned subsidiary of the licensed parent, maintain a direct compliance-reporting line between the Korean CCO and the group MLRO, and ensure that the Korean ISMS certification scope covers the shared technology infrastructure rather than treating the Korean entity as an isolated system.
Related at OBOLUS
- Licensing and registration for digital-asset businesses – the full scope of OBOLUS's licensing practice across 70+ jurisdictions.
- Crypto exchange licensing for institutional clients – exchange-specific licensing strategy, application management and regulatory engagement.
- Sanctions screening for crypto – institutional clients – Travel Rule implementation and sanctions compliance programme design.
FAQ
How long does a crypto licence take to obtain?
In South Korea, the timeline is driven primarily by the ISMS certification audit, which typically runs across several months before the KoFIU registration filing is even possible. The FIU review adds further time after the filing. Globally, timelines vary considerably by jurisdiction and licence category: some registrations in smaller hubs are completed in a matter of weeks, while major licences in Singapore, Hong Kong or under MiCA can run to a year or more. An accurate timeline estimate requires mapping your specific entity structure, existing compliance infrastructure and target jurisdiction.
Which jurisdiction is best for licensing my crypto business?
There is no single best jurisdiction. The right choice depends on your user base, the services you offer, your banking requirements, your tax position and your capital availability. South Korea is the right answer if you are targeting Korean users at scale. For a global exchange, a primary licence in a passporting or recognised hub – Singapore, an EU member state under MiCA, Dubai under VARA – combined with market-specific registrations in key markets is the more common architecture. We map the full stack before you commit to any entity structure.
Do I need a separate custody licence?
In South Korea, custody is a regulated virtual asset service under the SFIA, and the User Protection Act imposes specific segregation and reserve requirements on custodial activity. A VASP registered for exchange services that also holds customer assets must comply with both the registration obligations and the User Protection Act custody requirements. Whether a separately licensed custody entity is necessary depends on the corporate structure and the nature of the custody services provided. In other jurisdictions – notably Singapore under the Payment Services Act and Hong Kong under the SFC VATP regime – custody and exchange activities carry distinct licence or regulatory requirements.
About OBOLUS
OBOLUS is an independent digital-asset law boutique acting only for businesses. We advise exchanges, custodians, token issuers and funds on licensing across 70+ jurisdictions, on disputes and on-chain asset recovery across 25+ forums, and on the tax, banking and compliance that sit around them. Digital assets are the whole of our practice. We map the licence, banking and tax stack across operating, custody and payment layers before you commit – saving operators from structural errors that are expensive to unwind after launch. We work alongside forensic partners to convert on-chain evidence into court-ready disclosure applications where recovery is needed. To discuss your situation, contact info@oboluslaw.com.
By Aisha Tan, Licensing and Jurisdictions Analyst – specialising in inbound operator licensing strategy for the Asia-Pacific and Gulf digital-asset markets, with a particular focus on South Korea, Singapore and the UAE.
This publication is general information about the law and does not constitute legal advice. It is not a substitute for advice tailored to your circumstances. OBOLUS accepts no liability for action taken or not taken on the basis of this material. For advice on your situation, contact info@oboluslaw.com.