
Upcoming South Korea KYC Verification May Be in Conflict With Privacy Laws

The South Korean government is set to implement mandatory know-your-customer (KYC) verification regulations for cryptocurrency exchanges in March, but the new requirements may be in violation of existing privacy laws.

The new KYC verification scheme would require businesses that are “virtual asset services providers” (primarily crypto markets) to verify the real names of account holders against a piece of information such as the resident registration number (RRN), the country’s rough equivalent of social security numbers. RRNs are issued with national IDs and are used as an identifier for tax and other purposes. The trouble with the new requirements is that they conflict with the terms of the existing Personal Information Protection Act, which stipulates that local businesses cannot legally request customer RRNs.

KYC verification may be illegal

South Korea has been working to end semi-anonymous cryptocurrency trading for over a year now, passing the new KYC verification requirement in March as part of a package of Anti-Money Laundering (AML) measures and stronger data privacy laws. The country’s traders to date have been able to use “honeycomb” or “hive” accounts that route customer transactions through the exchange’s corporate accounts to obscure trader identities.

At the moment, the honeycomb account services are something of a boutique offering. The four largest crypto exchanges in the country (Upbit, Coinone, Bithumb and Korbit) all voluntarily switched to requiring that real names be attached to accounts within the past year, though they do not presently ask customers to verify their identity with an RRN. Some of the smaller exchanges may be forced out of the market should the new KYC verification regulations be upheld.

The new KYC verification regulations call for fines of up to the equivalent of $42,000 for violations, and can even result in prison time of up to five years in cases of intentional and flagrant incidents. However, the 2013 amendments to the Personal Information Protection Act also say that businesses cannot collect or use RRNs even if the data subject consents to it. The 2013 rules state that businesses can be fined up to the equivalent of $27,000 for doing so, and also allow for fines of up to $450,000 if RRNs are exposed in a data breach. There is also some provision for “disciplinary action” against senior executives who violate these privacy laws.

This would appear to create a no-win situation for the crypto exchanges, and one that is likely to be addressed with further revision to the KYC verification legislation. The only question is in which direction it will go. One possibility is the creation of exemptions to the privacy laws for crypto markets; the legal possibility to do this is already baked into the existing law, though it is tricky as these exemptions are meant for exceptional circumstances such as banks handling particularly large financial transactions.

Shoehorning the crypto exchanges into the KYC verification system with exemptions created for financial institutions also creates the added legal complication of the exchanges now being regarded by the law as such an institution, which would then subject them to further regulations.

The country’s Financial Information Analysis Institute made a special note of this possibility, stating that the fact that crypto exchanges do not have real-world locations means that they should be categorized as if they were a mail-order retail business rather than a bank.

Some legal experts believe that an entirely new set of exemptions will have to be crafted to make the situation work and prevent crypto exchanges from being forced out of business. This is all unfolding in a crypto market in South Korea that has not been doing well as of late. Even the largest of the exchanges are struggling; Bithumb, which has at times been the world’s largest exchange, is reportedly up for sale and Coinbit was raided by police in September in a market manipulation investigation.

Implications of South Korea’s improved data privacy laws

In addition to the Personal Information Protection Act (PIPA), the country has two further data privacy laws: the Act on the Promotion of Information and Communications Network Utilization and Information Protection and the Act on the Use and Protection of Credit Information. All of these laws were revised in early 2020 with a focus on stronger regulation of data processing (including the passage of the KYC verification requirements). In brief, these new requirements will mean that crypto exchanges that collect RRNs in the country will be subject to even stricter regulations in terms of keeping personal data safe and private; this remains true even if the exchanges are classified as retail outlets rather than banks.


The country has been a cryptocurrency leader since 2017, something that was a driving force in passing these new privacy laws. Crypto interest in the country is very high due to a combination of factors, among them the appeal of having an entirely internet-based asset due to the constant tensions with North Korea and a lack of opportunities for upward mobility among younger workers.