South Korea plans to require cryptocurrency exchanges to bear "no-fault liability," with the Upbit hacking incident serving as the catalyst

The South Korean government is advancing legislation to introduce "no-fault compensation" rules similar to those in the banking sector for major cryptocurrency exchanges. It is reported that the Financial Services Commission (FSC) of South Korea is evaluating a requirement for virtual asset service providers to bear compensation responsibilities in the event of user losses due to hacking attacks or system failures, even if there is no fault on their part. Currently, such mandatory compensation only applies to traditional financial institutions and electronic payment companies.

This policy direction stems from a security incident on the Upbit platform, where approximately 44.5 billion won (about 30.1 million USD) in assets were transferred to an external wallet within 54 minutes, while regulatory authorities were unable to enforce compensation from the platform under existing regulations. South Korean financial regulators have also pointed out that the cryptocurrency trading industry has experienced frequent system failures in recent years. Data shows that from the beginning of 2023 to September of this year, the five major exchanges have experienced 20 system failures, affecting over 900 users, with total losses amounting to about 5 billion won, of which Upbit accounted for 6 incidents with losses of approximately 3 billion won.

The draft also proposes to raise technical security requirements and increase the maximum fines for hacking incidents to 3% of annual revenue, in line with traditional financial institutions, which is higher than the current fixed cap of 5 billion won. Additionally, the Upbit incident has sparked controversy over "delayed reporting." The platform discovered the anomaly at 5 AM but only reported it to regulators at 10:58, leading some lawmakers to question whether it intentionally waited until the merger process with its parent company Dunamu and Naver Financial was completed before disclosing the information. Regulatory authorities are investigating the matter, but severe penalties are expected to be difficult to implement under the current framework.