South Korea Moves to Push Bank-Level ‘No-Fault’ Liability on Exchanges After Upbit $30M Hack
South Korea is reportedly planning to introduce a new rule that will make major crypto exchanges compensate their customers for hacks and outages in the same way banks must do. The move is in response to last month’s Upbit hack that drained the exchange of $30.1 million.
South Korea to Treat Exchanges Like Banks
South Korea is shifting to bank-level liability requirements for crypto exchanges in the wake of a $30.1 million hack at Upbit last month. Reports from the Korea Times suggest that the Financial Services Commission (FSC) is drafting rules to treat major crypto platforms with the same regulatory rigor as traditional financial institutions.
Under the “no-fault” rule considered by the FSC, crypto exchanges will be made to cover losses incurred by users due to hacking or system failures, regardless of whether it was their fault. This rule is similar to how banks and electronic payment companies are regulated under the electronic financial transactions law in the country.
The push comes after an Upbit breach on November 27 in which more than 104 billion Solana-based tokens worth 44.5 billion won ($36M) were moved to external wallets within 54 minutes. In spite of the incident, the exchange received minimal penalties as the current laws do not give the regulators authority to order compensation.
Regulators Raise Concerns Over Breaches on Crypto Exchanges
While South Korean investigators have pointed to North Korea’s Lazarus Group as potential perpetrators of the Upbit hack, there has been a string of attacks on exchanges. The recent meltdown and hacks of major crypto exchanges, headquartered in South Korea, have become a subject of concern and attention by regulators.
The Financial Supervisory Service (FSS) data indicate that the five largest exchanges, i.e., Upbit, Bithumb, Coinone, Korbit, and Gopax, reported 20 system failures between 2023 and September this year. Over 900 customers lost approximately 5 billion won total, and Upbit was responsible for 6 incidents, more than 600 affected users, and 3 billion won in losses ($2.04+M).
In the existing legislation, the authorities are not allowed to mandate user compensation, and the exchange has received minimal fines. This is why the latest Upbit exchange hack is the trigger for the push for crypto exchanges to be treated like banks in South Korea.
Delayed reporting has also been an issue raised following the Upbit case. The hack was discovered at approximately 5 a.m. but not announced to the FSS until 10.58 a.m., when a planned merger between Upbit operator Dunamu and Naver Financial was finalized.
Legislators are now looking at tougher IT security, systems, staffing standards, and stricter sanctions. One of the suggestions would be the imposition of fines up to 3 percent of the annual revenue of an exchange in case of a hack, which would substitute the existing 5 billion won limit.
Governor of FSS, Lee Chan-jin, stated that the hack cannot be disregarded, yet he also acknowledged that the existing oversight regulation does not give the agency sufficient power to enforce harsh punishments.