What is required to operate a crypto exchange in South Korea?

To operate a crypto exchange in South Korea, companies must: (1) Report to the Financial Services Commission (FSC) as a Virtual Asset Service Provider (VASP) under the Act on Reporting and Using Specified Financial Transaction Information (SFTIA); (2) Obtain ISMS (Information Security Management System) certification from KISA (Korea Internet & Security Agency); and (3) Maintain a real-name bank account with a Korean bank for customer KYC. These requirements were introduced in March 2021.

Can foreign crypto companies enter the South Korean market?

It is extremely difficult for foreign companies to enter the South Korean retail crypto market. The real-name banking requirement effectively requires partnering with a Korean commercial bank (Shinhan, KB Kookmin, NH NongHyup, etc.), and Korean banks are very cautious about crypto partnerships. Most foreign exchanges serve South Korean customers from offshore, which creates regulatory risk.

South Korea Crypto Licence (FSC / VASP)

Overview

South Korea's Three-Track Crypto Requirements

South Korea's crypto regulation is built on three mandatory tracks that must all be satisfied simultaneously. First, ISMS (Information Security Management System) certification from KISA (Korea Internet & Security Agency) — a complete IT security audit that typically takes 3–6 months. Second, a real-name bank account with a licensed Korean bank (Shinhan, KB Kookmin, NH NongHyup, or Woori) to verify customer identity — banks are highly selective. Third, FSC VASP reporting (not a licence, but a mandatory notification) must be filed with the FIU (Financial Intelligence Unit) within Korea's FSC.

The Virtual Asset User Protection Act (VAUPA), effective July 2024, added substantial new obligations: mandatory segregation of customer assets, prohibition of insider trading and market manipulation, 80%+ cold wallet storage requirement, and mandatory insurance or reserve funds. Penalties for non-compliance include criminal sanctions.

South Korea's five major exchanges — Upbit, Bithumb, Coinone, Korbit, and GOPAX — dominate the market and are coordinated through the DAXA (Digital Asset eXchange Alliance) self-regulatory body. New entrants face significant competitive barriers beyond just regulatory requirements.

Real-name banking bottleneck: The biggest practical barrier for foreign crypto firms in South Korea is securing a real-name banking partnership. Korean commercial banks conduct their own due diligence and have been reluctant to onboard new crypto exchanges. Strategic banking relationships must be established before or in parallel with ISMS certification.

Requirements

South Korea VASP Registration — Key Requirements

Entity

Korean corporation required

Korean Co., Ltd. (주식회사, Junsik Hoesa) registered with court registry

ISMS Certification

Mandatory — KISA

Information Security Management System certification; 3–6 month audit process

Real-Name Bank Account

Korean bank partnership required

Shinhan, KB, NH NongHyup, or Woori Bank; bank due diligence is independent

AML/CFT Program

SFTIA compliant

KYC/CDD, transaction monitoring, STR reporting to KoFIU; Travel Rule compliance

Cold Wallet Storage

80%+ in cold wallets

VAUPA requirement; hot wallet limited; 5% hot wallet for daily operations

Asset Segregation

Mandatory (VAUPA 2024)

Customer assets must be segregated from company assets; daily reconciliation

Capital / Reserves

Insurance or reserve fund

Mandatory insurance or reserve for customer asset protection per VAUPA

MLRO / Compliance

Required

AML compliance officer; report suspicious transactions to KoFIU

Process

How to Enter South Korea Crypto Market — Step by Step

1

Incorporate Korean Entity

Incorporate a Korean corporation (주식회사) through a Korean notary and court registry. Establish a genuine physical office in Seoul or other Korean city. Appoint Korean-resident management.

3–4 weeks

2

Obtain ISMS Certification from KISA

Apply for ISMS certification from KISA. The process involves a complete review of IT systems, security controls, and organizational security policies. A KISA-certified auditor conducts on-site assessments. This is typically the longest step.

3–6 months

3

Secure Real-Name Banking Partnership

Approach Korean commercial banks (Shinhan, KB Kookmin, NH NongHyup, Woori Bank) to establish a real-name virtual account system for customer KYC. Banks conduct independent due diligence. This step can be the most challenging for foreign firms.

3–9 months (concurrent)

4

Develop VAUPA-Compliant Infrastructure

Build cold wallet storage (80%+), customer asset segregation systems, AML/CTF program, transaction monitoring, and insurance/reserve fund structures as required by the Virtual Asset User Protection Act (effective July 2024).

3–6 months (concurrent)

5

File FSC VASP Report and Commence Operations

File the VASP report with the Korea Financial Intelligence Unit (KoFIU / FIU Korea) within the FSC. Report includes ISMS certificate, bank account confirmation, AML program, and governance documents. Once confirmed, commence operations with ongoing FSC/FIU reporting obligations.

4–8 weeks after ISMS + banking

FAQ

South Korea Crypto Licence — Common Questions

To operate a crypto exchange in South Korea, companies must: (1) Report to the Financial Services Commission (FSC) as a Virtual Asset Service Provider (VASP) under the Act on Reporting and Using Specified Financial Transaction Information (SFTIA); (2) Obtain ISMS certification from KISA; and (3) Maintain a real-name bank account with a Korean bank for customer KYC. These requirements were introduced in March 2021.

ISMS (Information Security Management System) certification, issued by KISA, is a mandatory prerequisite for VASP reporting in South Korea. It certifies that the exchange meets Korean information security standards. Obtaining ISMS certification typically takes 3–6 months and requires a complete security audit.

It is extremely difficult for foreign companies to enter the South Korean retail crypto market. The real-name banking requirement effectively requires partnering with a Korean commercial bank, and Korean banks are very cautious about crypto partnerships. Most foreign exchanges serve South Korean customers from offshore, which creates regulatory risk.

The Virtual Asset User Protection Act (VAUPA), effective July 2024, is a landmark legislation that mandates segregation of customer assets, prohibition of unfair trading practices (market manipulation, insider trading), and mandatory cold wallet storage for 80%+ of customer crypto assets. It significantly increases exchange obligations and penalties for non-compliance.

DAXA (Digital Asset eXchange Alliance) is South Korea's crypto exchange industry association, comprising the five major licensed exchanges: Upbit, Bithumb, Coinone, Korbit, and GOPAX. DAXA coordinates self-regulation, token listing standards, and industry positions with regulators. New exchanges seeking FSC registration are assessed partly on whether they can meet DAXA-compatible standards.

Compare Asia-Pacific Jurisdictions

Related Asia-Pacific Crypto Jurisdictions

South Korea Crypto Licence: FSC VASP & ISMS 2026

South Korea's Three-Track Crypto Requirements

South Korea VASP Registration — Key Requirements

How to Enter South Korea Crypto Market — Step by Step

South Korea Crypto Licence — Common Questions

Related Asia-Pacific Crypto Jurisdictions