South Korea plans to require CEXs to bear "no-fault liability for damages," with the Upbit hacking incident serving as the trigger.

According to Mars Finance, on December 7th, the South Korean government is pushing forward legislation to introduce a "no-fault compensation" rule similar to that in the banking industry for major cryptocurrency trading platforms. It is understood that the South Korean Financial Services Commission (FSC) is evaluating requiring virtual asset service providers to bear liability for user losses caused by hacking attacks or system failures, even if they are not at fault. Currently, such mandatory compensation only applies to traditional financial institutions and electronic payment companies. This policy move stems from the security incident on the Upbit platform on November 27th, in which approximately 44.5 billion won (about US$30.1 million) in assets were transferred to external wallets within 54 minutes, and regulators cannot force the platform to compensate under current regulations. The South Korean financial regulator also pointed out that the cryptocurrency trading industry has experienced frequent system failures in recent years. Data shows that from 2023 to September of this year, the five major trading platforms experienced a total of 20 system failures, affecting more than 900 users and resulting in a cumulative loss of approximately 5 billion won. Upbit accounted for 6 of these failures, with losses amounting to approximately 3 billion won. The draft also proposes to raise technical security requirements and increase the maximum fine for hacking incidents to 3% of annual revenue, the same as traditional financial institutions, higher than the current fixed cap of 5 billion won. Furthermore, the Upbit incident has sparked controversy over "delayed reporting." The platform detected the anomaly at 5:00 AM but only reported it to regulators at 10:58 AM, leading some lawmakers to question whether it intentionally waited until the merger process between its parent company Dunamu and Naver Financial was completed before disclosing the information. Regulators are investigating the matter, but under the current framework, it is expected that severe penalties will be difficult to enforce.