Understanding KYC and KYB requirements in South Korea
This guide is updated as of October 2025 and reflects current FSC/KoFIU guidance at that time. Regulatory requirements may change without notice, and readers should verify current requirements with relevant authorities.
South Korea is one of Asia’s most advanced and digitally connected financial markets, with a vibrant fintech ecosystem and a demanding regulatory landscape. As the government tightens its focus on anti-money laundering (AML) and counter-terrorist financing (CFT), strict Know Your Customer (KYC) and Know Your Business (KYB) requirements are at the core of financial compliance.
The stakes for non-compliance are high. Regulatory actions from the Financial Services Commission (FSC) and the Korea Financial Intelligence Unit (KoFIU) have led to heavy fines, license suspensions, and, in some cases, criminal prosecution. In the past two years alone, South Korean authorities have significantly ramped up AML enforcement, imposing multi-million dollar penalties for KYC/AML violations.
If you’re launching or expanding financial products in South Korea, you need to understand the country’s AML framework thoroughly. This guide describes the essential KYC and KYB requirements, details who enforces compliance, and shows how to stay audit-ready as you grow.
KYC and KYB compliance: How South Korea differs from the US
South Korea’s approach to KYC and KYB is considerably more prescriptive than the United States. While the US tends to use broad, principle-based standards — leaving much to the interpretation of financial institutions — South Korea sets detailed, statutory rules for every step of customer onboarding, verification, and ongoing due diligence.
Here’s a closer look at how these frameworks compare:
| Category | South Korea | US |
| Statutory foundation | Act on Reporting and Using Specified Financial Transaction Information (“Financial Transaction Reports Act”, FTRA, 특정금융거래정보의 보고 및 이용 등에 관한 법률, ‘특정금융정보법’; last amended 2021) | Bank Secrecy Act (BSA) |
| Implementing regulations | Enforcement Decree (ED-FTRA, ‘특정금융정보법 시행령’; last amended 2023), which outlines how to implement these regulations | FinCEN regulations under BSA |
| Supervisory guidance | Business Regulations on AML and Anti-Terrorism Financing (“AML/CFT Business Regulation,” 자금세탁방지 및 공중협박자금조달금지에 관한 업무규정; last updated in 2024) cover requirements for customer due diligence, risk assessment, record keeping, and internal controls | FinCEN’s regulations for customer due diligence (CDD) |
South Korea’s rules lay out explicit obligations for collecting and verifying identity data, identifying beneficial owners, conducting ongoing monitoring, and reporting suspicious transactions. For fintechs and financial institutions, compliance with these requirements is mandatory.
Unlike the US, where the Bank Secrecy Act (BSA) and FinCEN's CDD Rule leave many specifics to internal risk assessments, South Korea mandates reverification timelines, specifies required documents, and closely regulates remote onboarding and digital ID use. The compliance environment is clear but rigorous, with less flexibility for institutions to determine their own policies.
What are the customer identification requirements in South Korea?
In 1997, South Korea passed the Act on Real Name Financial Transactions and Confidentiality, commonly referred to as the Financial Real Name Act (FRNA, 금융실명법; passed 1997, last amended 2023). This law mandates that all financial transactions be conducted under verified real identities.
Since then, the FTRA and AML/CFT Regulations have outlined additional requirements for KYC. Per the FRNA, the term “real name” refers to the name as it appears in the Resident Registration Card (주민등록증) or the Business Registration Certificate (사업자등록증) (Art. 2.4.).
KYC requirements in South Korea
KYC in South Korea is the process of verifying the identity of your customers to prevent financial crimes. For individuals, you'll need to collect (FTRA Art. 5-2 특정금융거래정보의 보고 및 이용 등에 관한 법률 제5조의2; ED-FTRA Art. 10-4.1.; FRNA Art. 3.1.):
Full legal name (“Real name”)
Identification number
For nationals: Resident Registration Number (주민등록번호), the unique ID number in the Resident Registration Card
For foreign residents: Alien Registration Number (외국인등록번호) in the Alien Registration Card (ARC)
For foreign non-residents: Number on the passport or ID document (ED-FRNA Art. 3-4).
Current residential address
Contact information (phone and email)
Additional requirements for foreigners (ED-FTRA Art. 10-4.4.):
Nationality
Location of residence in Korea
Date of birth for non-resident foreigners (AML/CFT Reg., Art. 39(1)2)
If a representative is acting on behalf of the customer, the representative’s authority (e.g., power of attorney) and identity must also be verified (AML/CFT Reg., Art. 38(3)).
KYB requirements in South Korea
KYB in South Korea means verifying the legal existence, ownership structure, and legitimacy of a corporate entity before offering financial services. The goal is to prevent financial crimes like money laundering and tax evasion.
For businesses, you'll need to collect (FTRA Art. 5-2; ED-FTRA Art. 10-4.2.):
Legal entity name
Business registration number (사업자등록번호)
Address of headquarters and branches
Type of business activity; for non-profit organizations, you’ll need to collect the “purpose of its establishment” (ED-FTRA Art. 10-4.3.)
Information about directors, including full legal name, date of birth, and nationality
Ultimate beneficial owners (UBOs) for any natural person with 25%+ ownership or effective control (ED-FTRA Art. 10-5)
If a representative is acting on behalf of the customer, the representative’s authority (e.g., power of attorney) and identity must also be verified (AML/CFT Reg., Art. 38(3)).
All of this data must be verified during onboarding and periodically reviewed thereafter (FTRA Art. 5-2, ED-FTRA, Art. 10-4, 10-6; AML/CFT Reg., Art. 34).
Ultimate beneficial owner (UBO)
When working with legal entities, you must identify ultimate beneficial owners (UBOs). In South Korea, a UBO is anyone with at least 25% of outstanding shares (ED-FTRA Art. 10-5(2)). South Korean law considers UBOs to be the “actual owner” (실제 소유자).
If no one meets this criterion, “fallback” definitions for UBO are: the largest shareholder, the shareholder who appointed the directors, or a person who substantially controls the entity (if different from these shareholders) (ED-FTRA, Art. 10-5(3)). In effect, every entity must have “actual owners” identified.
For these UBOs, you’ll need to collect and verify the following information (ED-FTRA Art. 10-5(2); AML/CFT Reg., Art. 38(1)):
Real name
Nationality (for foreigners)
Gender (for non-resident foreigners)
Date of birth
What are the accepted identity documents in South Korea?
The FRNA provides an official list of acceptable identification documents that financial institutions must use (FRNA Art. 3). Other laws and regulations use the same standards, making it easier to ensure consistency across the sector.
Accepted documents for individuals
The following documents are accepted for KYC (ED-FRNA Art. 4-2, AML/CFT Reg. Art. 38):
Resident Registration Card (주민등록증), including mobile resident registration card
National driver’s license (운전면허증)
Korean or foreign passport (여권)
Alien Registration Card (외국인등록증)
Overseas Korean Resident Registration Card (재외국민등록증)
Accepted documents for businesses
Business registration certificate (사업자등록증)
Certificate of corporate register (법인등기부)
Official document with real company/organization name (법인/단체명) and Tax ID (납세번호)
What are the accepted identity verification methods in South Korea?
When you verify individuals or organizations, you need to confirm their identity with reliable and independent information, like official government documents. You should also understand the reason for the relationship and, for organizations, know their business, governance, and control structure (AML/CFT Reg. Art. 37).
Remote (non-face-to-face) identity verification is now allowed, provided that you’ve implemented proper processes and methods (AML/CFT Reg. Art 35). The FSC has issued several notices that further formalize the accepted remote verification methods; see the notices from 2019, 2020, and 2021 (FSC Guidelines).
For remote onboarding, you must combine at least two of the following five techniques (FSC Guidelines):
In-person ID verification with a scanned copy
Real-time video call to check liveness and likeness with the ID
Verification against trusted third-party database (e.g., e-signature certificate authority, credit bureau)
Micro-transaction from a pre-existing Korean bank account (often KRW 1)
Other methods equivalent to the above, subject to regulatory approval (e.g., facial biometrics matched to the ID photo, secure digital IDs)
In addition, the Enforcement Decree of Electronic Financial Transaction Act permits identity verification using mobile phones (ED-EFTA, Art. 6).
What are the customer due diligence (CDD) requirements in South Korea?
South Korea requires a risk-based, multistep customer due diligence (CDD) process for all financial institutions and fintechs. You must perform CDD in the following situations (FTRA Art. 5-2):
When establishing a new business relationship
For any occasional or one-time transactions of KRW 10 million or more (ED-FTRA Art. 8-2)
Whenever there is a suspicion of money laundering or terrorist financing, or if there are doubts about previously verified customer information
All customers must also be screened against both the national and international financial sanctions lists, the United Nations Security Council list, and foreign PEPs lists (FTRA Art. 5-2; AML/CFT Reg. Art 43).
The depth and frequency of CDD should be calibrated according to each customer’s risk level, as defined by the institution’s risk-based approach and reviewed regularly (ED-FTRA, Art. 10-6; AML/CFT Reg, Art. 19).
Simplified CDD is allowed for low-risk customers, such as public institutions or KOSPI-listed companies, if justified by the financial institution’s internal risk assessment framework (AML/CFT Reg Art. 30). It’s also permitted for certain low-risk products, such as pension or severance payments and certain insurance plans (AML/CFT Reg Art. 31).
If a customer refuses or is unable to provide information for due diligence, you must terminate the business relationship and file a suspicious transaction report (AML/CFT Reg., Art. 44).
What’s required for enhanced due diligence (EDD)?
Once your customer’s identity has been verified, you must classify them according to the risk categories you’ve defined in your internal risk assessment policy. While you define the specific criteria and categories, additional regulations provide explicit guidance for what’s considered high-risk (AML/CFT Reg., Arts. 29-31, 40):
High-risk countries, including those listed by FATF or other international organizations (e.g., World Bank, OECD, IMF) as higher-risk or non-compliant
High-risk customers, including foreign politically exposed persons (PEPs) or their relatives and close associates (RCAs), non-residents, precious metal brokers, sanctioned individuals, or cash-heavy businesses (e.g., casino operators, foreign exchange brokers)
High-risk products or services, such as foreign exchange services and certificates of deposit (CDs)
For customers classified as high-risk, EDD is always required. At minimum, you must collect and verify the following additional information (Art. 42(2)):
For individuals: Profession (or business type for sole proprietors)
For businesses: Basic information, including the type of business, listing information, founding date, and website or email
Purpose of business or transactions
Source of funds
If deemed necessary, South Korea’s regulations recommend collecting more information like expected transaction frequency and volume, financial information, number of employees, and key suppliers (Art. 42(3)). You must get senior management approval for this additional information and expect to conduct ongoing monitoring (Art. 62-63).
Is ongoing monitoring required in South Korea?
You're required to monitor customers throughout the relationship, not just at onboarding. At a minimum, you’re required to conduct risk assessments every year (Art. 18-19). In particular, you must (AML/CFT Reg., Art. 34):
Ensure customer information remains current
Respond to any changes in risk throughout the customer life cycle
Set a reverification period
In addition to periodic reviews, you must update records immediately after any trigger event, such as new suspicion of money laundering, a significant change in transaction patterns, or a notification of sanctions list changes (Art. 78).
What do I need to report to regulators in South Korea?
South Korea mandates strict and prompt regulatory reporting for transactions and customer activities that may present money laundering or terrorist financing risks. KoFIU publishes more detailed guidelines in the Regulations on Reporting and Monitoring of Specified Financial Transaction Information ("Reporting Regulation").
Here are the main required reports:
| Requirement (English) | Requirement (Korean) | Trigger threshold | Legal basis |
| Suspicious Transaction Report (STR) | 의심거래보고 | File within 3 business days, whenever there are reasonable grounds to suspect money laundering or terrorist financing, regardless of transaction amount. | FTRA Art. 4; Reporting Regulation Art. 3 |
| Currency Transaction Report (CTR) | 고액현금거래보고 | File electronically and automatically, for any cash transaction ≥ KRW 10 million (~USD 7,200) per customer, per day. You must also notify the customer of the fact that CTR has been submitted within 10 days of filing, using the official formats permitted by KoFIU. | FTRA Art. 4-2, ED-FTRA Art. 8-2, FTRA Art. 10-2(1) |
| Travel Rule | 송금인 및 수취인 정보전달 의무 (트래블룰) | Applies to all cross-border and virtual asset transfers ≥ KRW 1 million (~USD 750). KYC/KYB information of the originator and recipient must be retained. | ED-FTRA, Arts. 10-3, 10-10 |
| Foreign exchange transactions | 외국환거래보고 | Transactions ≥ USD 10,000 must be compiled and reported to KoFIU by the 10th of the following month. | ED-FTRA, Art. 11 |
Requirements for KYC record retention in South Korea
All data related to AML/CTF must be kept for at least five years after the end of the business relationship or one-off transaction (FTRA, Art. 5-4; ED-FTRA, Art.13-3; AML/CFT Reg. Arts. 80, 84). This includes customer identification information, CDD/EDD files, transaction monitoring data, STRs/CTRs, and any other AML records.
For transfers above KRW 1 million for domestic and USD 1,000 for international, you must provide the following information to the receiving institution and retain the records (FTRA 5-4, ED-FTRA 10-8):
Names and account numbers of the originator and recipient
Originator’s identification number (e.g., Resident Registration Number, or RRN)
Sensitive identification data, such as RRN, must be protected, redacted, or encrypted in accordance with the Personal Information Protection Act (PIPA) and related regulations (PIPA Art. 24).
Who are South Korea’s financial regulators, and what do they regulate?
The main regulatory bodies for AML/CTF are:
Financial Services Commission (FSC, 금융위원회): South Korea’s primary financial regulator is responsible for policymaking and overall supervision of the financial sector. That includes financial institutions, fintechs, crypto, insurance, securities, and asset management companies.
Korea Financial Intelligence Unit (KoFIU, 금융정보분석원): Housed within the FSC, KoFIU is South Korea’s financial intelligence unit. It issues AML/CFT regulations, analyzes suspicious transaction and large cash transaction reports (STR and CTR), and coordinates intelligence sharing with law enforcement agencies and international FIUs.
Financial Supervisory Service (FSS, 금융감독원): Supervisory agency within the FSC that conducts inspections and enforcement.
South Korea has a centralized AML/CFT framework that applies across sectors. However, it is still important to check for sector-specific regulators and their rules for details. For example, the Insurance Business Act requires KYC at both onboarding and claim payouts, and FTRA calls on VASPs to record wallet addresses in transaction monitoring (ED-FTRA Art. 10-10).
What are the main regulations in South Korea that fintechs should pay attention to?
If you plan to offer financial services, you must understand and comply with these key statutes and regulations:
Financial Transaction Reports Act (특정금융거래정보의 보고 및 이용 등에 관한 법률, 특정금융정보법, FTRA): First passed in 2001 and last updated in 2021, FTRA is the cornerstone AML law. It details STR/CTR obligations, KYC/KYB requirements, CDD/EDD processes, and the legal basis for all reporting, monitoring, and record-keeping. Its corresponding Enforcement Decree (last updated 2023) operationalizes the law.
AML/CFT Business Regulation (자금세탁방지 및 공중협박자금조달금지에 관한 업무규정): KoFIU’s regulation prescribes further practical details for AML/CFT (last updated in 2024). KoFIU also has a separate rulebook on STR/CTRs.
Financial Real Name Act and its Enforcement Decree (금융실명거래 및 비밀보장에 관한 법률, FRNA): FRNA establishes the “real-name” account requirements and specifies the list of approved ID documents for both individuals and businesses.
Proceeds of Crime Act and its Enforcement Decree (POCA, 2001; last updated 2022): This law criminalizes money laundering and allows for the confiscation of illicit proceeds. POCA also imposes imprisonment or fines on anyone who helps disguise criminal proceeds (Art. 3). This law is a cornerstone for criminal enforcement against money laundering.
Act on Prohibition of Financing for Offenses of Public Intimidation and its Enforcement Decree (PFOPIA, 2007; last updated 2016): This law is also known as the “Act on Prohibition Against the Financing of Terrorism and Proliferation of Weapons of Mass Destruction.” It implements international sanctions and allows immediate freezing of assets linked to terrorism.
For electronic finance and digital businesses, South Korea requires additional practices. For example:
Electronic Financial Transaction Act (2006; last updated 2020) and its corresponding Enforcement Decree (last updated 2024) and Business Regulations: This discusses remote identity verification and permits the documents and methods discussed above.
Electronic Signature Act (2020; last updated 2021) and its corresponding Enforcement Decree (last updated 2023): Recognizes the legal effect of accredited digital certificates and electronic signatures.
To find the latest regulations and guidelines, visit KoFIU and FSC.
FAQs
Does South Korea allow remote or digital (eKYC) verification?
Toggle description visibility
Yes, South Korea allows non-face-to-face (digital) real-name verification. The Financial Services Commission (FSC) revised its guideline in December 2019 to expand eKYC to corporations and foreigners (FSC press release, "FSC Reforms Non-Face-to-Face Customer ID Guidelines for Corporations and Foreigners").
Beginning March 21, 2025, banks now accept the mobile foreigner residence card for account opening and transactions (MOJ (Ministry of Justice) Notice, FSC Notice via Korea.net).
What ID documents are accepted for foreigners in South Korea?
Toggle description visibility
The foreigner residence card (plastic or mobile) is a valid ID for banking (FSC and MOIS (Ministry of the Interior and Safety) Notice, MOJ Notice). Recognized identifiers include passports (e.g., in Virtual Asset Service Provider transfer obligations) alongside alien registration numbers (ED-FTRA, Art. 10-10(3)–(4)). You can open securities accounts using passport numbers (FSC press release, June 5, 2023).
How does the Travel Rule apply to crypto and cross-border transfers in South Korea?
Toggle description visibility
The Travel Rule applies specifically for VASP-to-VASP transfers. For transfers ≥ KRW 1,000,000, you must transmit originator/beneficiary names and wallet addresses. You must also provide Resident Registration Number, passport number, or alien registration number within three business days upon request (ED-FTRA, Art. 10-10(1)–(4)).
Wire transfers have different requirements. Wire-transfer thresholds are KRW 1,000,000 (domestic) and USD 1,000 (cross-border). Travel Rule enforcement began March 25, 2022 (ED-FTRA, Art. 10-8; FSC notice).
How do I file a CTR in South Korea?
Toggle description visibility
You must file a Currency Transaction Report (CTR) to the Korea Financial Intelligence Unit (KoFIU) when the cash paid or received reaches KRW 10,000,000 in a day per customer name. You should exclude individual amounts ≤ KRW 1,000,000 from aggregation (ED-FTRA, Art. 8-2(1)–(4)).
You can report this electronically using KoFIU's form, which includes:
Name and location of reporter
Date and place
Counterparty information
Transaction details
Korea allows for reporting via an intermediary (ED-FTRA, Art. 8-6(1), 8-7(2)).