AML requirements for covered institutions and individuals
Enforcement and regulation
Which government entities enforce the AML regime and regulate covered institutions and persons in your jurisdiction? Do the AML rules provide for ongoing and periodic assessments of covered institutions and persons?
As an affiliate of the Financial Services Commission (FSC), the top South Korean financial policy-making entity, the Korea Financial Intelligence Unit (KoFIU) takes the leading role in the AML regime.
The Financial Supervisory Service (FSS), a quasi-governmental entity that supervises and investigates financial institutions at the direction of the FSC, conducts AML supervision and inspection on behalf of KoFIU and has the power to demand sanctions against financial institutions violating AML laws and regulations as well as the officers and employees of those financial institutions.
KoFIU may conduct an annual comprehensive assessment on financial institutions’ compliance with AML obligations and may also require financial institutions to evaluate their own AML regimes (articles 18 and 19 of the Regulation on Anti-Money Laundering and Combating the Financing of Terrorism (the AML/CFT Regulation)). The FSS conducts assessments on each financial sector pursuant to its own plan, but the contents of the KoFIU assessment may be referred to inspection management.
Covered institutions and persons
Which institutions and persons must have AML measures in place?
The Act on Reporting and Using Specified Financial Transaction Information (the Specified Financial Information Act) requires financial institutions to fulfil AML obligations. Such financial institutions include the following:
- the Korea Development Bank;
- the Export–Import Bank of Korea, the Industrial Bank of Korea and banks under the Banking Act;
- investment traders, investment brokers, collective investment entities, trust entities, financial securities companies, merchant banks and transfer agency companies;
- mutual savings banks and the National Federation of Mutual Savings Banks;
- agricultural cooperatives and Nonghyup banks;
- fisheries cooperatives and Suhyup banks;
- credit unions and the National Federation of Credit Unions;
- community credit cooperatives and the National Federation of Community Credit Cooperatives;
- insurance companies, postal service agencies, casino business operators and the Credit Guarantee Fund;
- the Korea Technology Finance Corporation;
- discretionary investment business entities;
- specialised credit financial business companies and venture business investment associations;
- forestry cooperatives and the National Federation thereof;
- financial holding companies;
- small and medium-sized enterprise start-up investment companies and small and medium-sized enterprise start-up investment associations;
- foreign currency exchange service providers;
- Nonghyup Life Insurance Co Ltd and Nonghyup Property and Casualty Insurance Co Ltd;
- small-sum overseas remittance service providers;
- electronic financial business entity under the Electronic Financial Transactions Act;
- a person, the value of whose assets is at least the value stipulated in article 9(7)(i) of the Act on Registration of Credit Business, Etc and Protection of Finance Users among the credit service providers registered under article 3(2)(v) of the Act;
- a person engaged in businesses relating to virtual assets including the sale, purchase, exchange, transfer, storage and management of virtual assets(Virtual Asset Service Provider); and
- subsidiaries of the aforementioned financial institutions.
The scope of financial institutions under The Specified Financial Information Act tends to expand as a new type of technology and payment method emerges.
Do the AML laws applicable in your jurisdiction require covered institutions and persons to implement AML compliance programmes? What are the required elements of such programmes?
The Specified Financial Information Act, the Regulation on Reporting and Supervision of Specified Financial Transaction Information (the Supervision Regulation) and the AML/CFT Regulation require financial institutions to:
- report transactions that are suspected to be intended for money laundering or terrorist financing;
- report cash transactions over certain daily limits;
- conduct customer due diligence (CDD) (ie, verify client information and the beneficial owner of the entity or organisation);
- in the case of a wire transfer, provide the receiving financial institution with the name and account number of the sending person;
- ensure that their board of directors and officers are responsible for AML and combating the financing of terrorism (AML/CFT) and have the obligation to comply with AML/CFT requirements and to report AML/CFT-related matters;
- offer AML/CFT training to officers and employees once a year or more;
- establish an independent audit system and assess whether the AML programmes are being fully enforced;
- build a risk-based monitoring system for customers as part of the AML compliance programme; and
- retain records pertaining to CDD, financial transactions, currency transaction reports (CTRs) and suspicious transaction reports (STRs) for five years or longer.
The Regulation on Reporting and Supervision of Specified Financial Transaction Information sets guidelines of the aforementioned duties.
In addition to the foregoing, the Virtual Asset Service Provider is required to establish an internal standard restricting transaction for each of the following acts:
- directly or indirectly brokering or arranging sale or exchange of virtual assets issued by the Virtual Asset Service Provider or affiliated persons;
- trading or exchanging virtual assets through the Virtual Asset Service Provider by executives and employees of such Virtual Asset Service Provider; and
- practically engaging in the sale or exchange of the virtual assets as brokering, arranging or acting as a proxy of the client.
Breach of AML requirements
What constitutes breach of AML duties imposed by the law?
Any failure to report an STR or CTR, failure to conduct CDD or violation of the obligation to preserve records of AML obligation will result in a fine not exceeding 30 million won. If a financial institution violates its obligation of internal control measures; fails to comply with, refuses, interferes with or evades an inspection, order or instruction on financial institutions by the director of KoFIU; or fails to conduct enhanced due diligence, a fine of up to 100 million won will be imposed.
Any financial institution violating AML-related laws or regulations may be subject to administrative sanctions, such as correctional orders, business suspension, warnings and cautions. Also, the FSS will request the financial institution to take one of the following disciplinary actions against officers:
- recommendation for removal;
- suspension of duties for up to six months;
- notice of reprimand;
- notice of caution; or
The institution must also take one of the following disciplinary actions against employees:
- suspension of duties for up to six months;
- reduction of salary;
- reprimand; and
Generally, financial institutions take disciplinary actions as requested by the FSS.
Customer and business partner due diligence
Describe due diligence requirements in your jurisdiction’s AML regime.
Where a customer opens an account or makes a single financial transaction exceeding a certain amount of money (ie, 3 million won for a casino chip transaction, 1 million won for a wire transfer, US$10,000 for a foreign exchange transaction or 15 million won for other financial transactions), each financial institution must verify matters concerning the customer’s identity and the natural person who ultimately governs and controls the customer (ie, the beneficial owner) (article 5-2(1)(i) of the Specified Financial Information Act). That verification is referred to as CDD.
Also, where it is likely for a customer to commit money laundering or terrorist financing, including where it is doubted that the customer is the beneficial owner, the financial institution must further verify the purpose of the financial transaction and the origin of funds for the transaction (article 5-2(1)(ii) of the Specified Financial Information Act).
As for virtual asset business customers, the filing of the report on information related to those customers, the acceptance of the filing and the ex officio cancellation thereof must be additionally verified.
Where it is not possible to verify the identity of a customer because he or she refuses to provide information for identification, the financial institution must reject new transactions (such as opening a new bank account) with the customer, and if there is any transactional relationship between the customer and the financial institution, the financial institution must terminate the transaction (paragraphs 4 and 5 of article 5-2 of the Specified Financial Information Act).
Financial institutions must conduct CDD again for customers who have completed the CDD process in any of the following cases (paragraphs 2 and 3 of article 25 of the AML/CFT Regulation):
- when a transaction with a high risk of money laundering, etc, takes place;
- when the standards of customer identification data have changed significantly;
- when there has been a material change in the operation method of accounts; or
- when the financial institution becomes aware that customer information has not been fully provided.
For the purpose of CDD, a financial institution must identify the matters of the beneficial owner (article 5-2(1)(i)(b) of the Specified Financial Information Act). In particular, where a customer is a corporation or an organisation, the beneficial owner must be:
- a person who owns at least 25 per cent of the issued and outstanding voting shares of the relevant corporation or organisation or other investment stakes;
- if the financial institution is unable to verify the identity of such person, it must recognise as the beneficial owner, and verify the identity information of, a shareholder who holds the largest portion of shares or other investment stakes; a shareholder who has appointed a majority of representatives, managing partners, executives, etc; or a person who substantially controls the relevant corporation or organisation; or
- where the financial institution is unable to verify the identity information of those listed in (2), it must recognise as the beneficial owner, and verify the identity information of, the representative of the corporation or organisation (article 5-2(1)(i)(b) of the Specified Financial Information Act and article 10-5(2) of the Enforcement Decree of the Specified Financial Information Act).
In addition, where at least 25 per cent of, or the largest portion of, the issued and outstanding shares of the relevant corporation or organisation or other investment stakes are held by another corporation or organisation, then a financial institution may recognise as the beneficial owner, and verify the identity information of, those who may exercise dominant influence over important managerial matters of that other corporation or organisation and who fall under (1), (2) or (3) with respect to the latter corporation or organisation (article 10-5(3) of the Enforcement Decree of the Specified Financial Information Act).
High-risk categories of customers, business partners and transactions
Do the AML rules applicable in your jurisdiction require that covered institutions and persons conduct risk-based analyses? Which high-risk categories are specified? What level of due diligence is expected in relation to customers assessed to be high risk?
In connection with a risk-based approach, article 17 of the AML/CFT Regulation states that financial institutions must establish and operate measures to assess the risks of money laundering and terrorist financing (ML/TF) before providing new financial products and services to prevent those products and services from being abused for ML/TF purposes.
Also, financial institutions must identify and assess the risks of ML/TF and use that information for CDD, and, when identifying and assessing the ML/TF risks, must consider country risks, customer types, and product and service risks (article 28 of the AML/CFT Regulation).
Customers, products or services with high ML/TF risks are referred to as the high-risk category of ML/TF, and financial institutions must take appropriate measures to conduct enhanced due diligence for that high-risk category (article 55 of the AML/CFT Regulation). Therefore, in the case of customers in such high-risk category, financial institutions must further verify the purpose of the financial transaction and the origin of funds for transaction in addition to general CDD (article 5-2(1)(ii) of the Specified Financial Information Act).
Types of high-risk category include the following (article 30(3) of the AML/CFT Regulation):
- customers from the total asset management service group who are deemed necessary to identify additional information by a financial institution;
- politically exposed persons (PEPs) in foreign countries;
- non-resident customers;
- casino operators, mortgage lenders, money changers, etc, who are involved in a large volume of cash (or cash-equivalent) transactions;
- dealers in precious metals and stones;
- customers who are restricted from financial transaction as designated by the FSC with regard to terrorist financing;
- customers on the terrorist list issued by the United Nations;
- legal persons or organisations separately established to operate and manage trusted individual assets; and
- companies with nominal shareholders or bearer shares.
Types of high-risk products and services include the following (article 31(3) of the AML/CFT Regulation):
- certificates of deposit (in bearer form);
- correspondent banking services;
- non-face-to-face transactions with a high risk of money laundering, etc; and
- other products and services that the government and supervisory authorities consider as high risk.
Financial institutions must conduct enhanced due diligence as to foreign PEPs, their family members and those closely related to them (article 67 of the AML/CFT Regulation) and must constantly monitor whether their customers constitute PEPs (article 68 of the AML/CFT Regulation).
Correspondent banks must establish and operate procedures and control measures necessary for preventing and mitigating the ML/TF risks related to correspondent banking services when entering into correspondent arrangements. Correspondent banks are prohibited from entering into or continuing correspondent arrangements with banks that have no physical presence or have been established in a country or jurisdiction where supervision is not available (ie, shell banks) (article 58 of the AML/CFT Regulation).
Record-keeping and reporting requirements
Describe the record-keeping and reporting requirements for covered institutions and persons.
A financial institution must file STRs to the Commissioner of KoFIU without delay where:
- any reasonable grounds exist to suspect that an asset that has been given in relation to any financial transaction is illegal;
- any reasonable grounds exist to suspect that the other party to a financial transaction engages in ML/TF, such as engaging in illegal financial transactions in the name of another person; or
- any employee of a financial institution reports to the competent investigation agency after knowing that any property accepted in connection with a financial transaction constitutes criminal proceeds or funds for terrorism or weapons of mass destruction proliferation (article 4(1) of the Specified Financial Information Act).
The types of suspicious transactions are not specified by law, but KoFIU provides financial institutions with a guide to the types of transactions involving higher ML/TF risks, such as large amounts for cash transactions that have neither obvious economic rationality nor legitimate purposes and financial transactions conducted through accounts opened in others’ names, to help them determine whether a financial transaction constitutes a suspicious transaction (article 8 of the Specified Financial Information Act). In consideration of the number of trading partners and transactions of the customer, the number of branches where the customer had any transactions, the duration of the trading period as well as the aforementioned guide, financial institutions must determine whether a financial transaction should be filed as an STR (article 4 of the Supervision Regulation).
Where the sum of amounts paid or received from one-day financial transactions in the name of the same person is not less than 10 million won, financial institutions must file CTRs on such fact with the Commissioner of KoFIU within 30 days (article 4-2(1) of the Specified Financial Information Act).
Financial institutions must maintain records pertaining to compliance with AML obligations, including CDD requirements, the filing of STRs and CTRs and the provision of information on the transferor and transferee for any wire transfer, for at least five years from ‘the date the financial transaction has ended’. ‘The date the financial transaction has ended’ refers to:
- in the case of a general financial transaction, the date on which all debit or credit relationships between the customer and the financial institution was terminated;
- in the case of transactions in the derivatives market, the date on which the transaction was terminated upon the occurrence of any triggering event for termination (if the customer holds the account, then the date on which the account is closed); and
- in the case of a casino where casino chips are exchanged with cash or cheques, the date on which all debts arising from casino transactions between the casino operator and the customer are settled (article 5-4 of Specified Financial Information Act).
The Commissioner of KoFIU, the Commissioner of the FSS, etc, may, when necessary for supervision or inspection of financial institutions, make a request for financial transaction information and the STR- or CTR-related information to the head of the relevant financial institution. In those cases, any request for information must be limited to the minimum extent necessary (article 15(7) of the Specified Financial Information Act).
Financial institutions are not obliged to file STRs and CTRs to investigative authorities. However, the Commissioner of KoFIU may provide investigative authorities with STR- and CTR-related information if deemed necessary to investigate specific criminal cases (article 11 of the Specified Financial Information Act).
Describe any privacy laws that affect record-keeping requirements, due diligence efforts and information sharing.
Article 12(1) of the Specified Financial Information Act states that the regulations on the protection of credit information do not apply to STRs (article 4), CTRs (article 4-2), provisions of wire transfer information between financial institutions (article 5-3), notification of data of foreign exchange transactions (article 9), provisions of materials to investigative entities by KoFIU (article 10), information exchange with foreign financial information analysis institutions (article 11), requests for materials from financial institutions (article 13) and requests for materials in supervision and inspection (article 15(7)) thereunder.
Resolutions and sanctions
What is the range of outcomes in AML controversies? What are the possible sanctions for breach of AML laws?
The key sanctions under the Specified Financial Information Act are shown in the table below.
South Korea does not allow plea bargaining, settlement agreements, prosecutorial discretion, regulatory action or similar means instead of trial.
|Where a financial institution files a false report on STRs and CTRs and where any employee of a financial institution who intends to file or has filed an STR divulges such fact to the other party and the parties related thereto (article 17 of the Specified Financial Information Act)||Imprisonment with labour for up to one year or a fine of up to 10 million won, or both|
|Where the representative of a corporation, or an agent or employee of, or other persons employed by the corporation or an individual commits any violation under article 17 in conducting the business affair of the corporation or the individual||Not only will the offender be punished, but the corporation or individual will also be punished by a fine under the relevant provisions amounting to fines of up to 10 million won (joint penalty provisions under article 19 of the Specified Financial Information Act)|
Where a financial institution fails to:
Administrative fines of up to 30 million won
|Where a financial institution fails to:
||Administrative fines of up to 100 million won|
|Where the Commissioner of KoFIU inspects a financial transaction and then finds that the relevant financial institution has violated the Specified Financial Information Act or any order or direction thereunder||Correctional order, warning, caution or disciplinary actions against the relevant officers and employees|
|Where a financial institution fails to implement a correctional order for a violation or receives a warning three times or more||Suspension of business in part or in entirety for up to six months|
Limitation periods for AML enforcement
What are the limitation periods governing AML matters?
Although there are provisions as to the limitation period of AML crimes, domestic AML laws do not specify that liabilities for AML issues are waived after a certain period.
Do your jurisdiction’s AML laws have extraterritorial reach?
As a branch or agency of a foreign bank with authorisation for banking business in Korea is deemed as a bank under the Banking Act (article 59(1) of the Banking Act), such branch or agency is subject to the Specified Financial Information Act. Therefore, such branch or agency is required to fulfil AML/CFT obligations, like domestic financial institutions, under the Specified Financial Information Act.
The Specified Financial Information Act also applies to overseas branches of Korean financial institutions. Financial institutions must supervise their overseas branches or subsidiaries and ensure that they fulfil AML/CFT obligations (article 27 of the AML/CFT Regulation). However, any payment or receipt of cash by such overseas branches is not subject to the CTR obligation. Also, where such overseas branches are unable to file STRs or conduct CDD owing to local statutes, the relevant financial institution must notify the Commissioner of KoFIU of that fact.