Hello, I’m Attorney Kim Gwang-sik of Cheongchul Law Firm.

Anti-money laundering (AML) regulations for virtual asset business operators have now gone beyond a mere internal control issue and have become a core regulatory area directly tied to business continuity. In particular, the obligation under the Special Financial Transactions Act to prohibit transactions with unreported virtual asset business operators is one of the most sensitive issues for domestic exchanges. Until now, there has been considerable practical uncertainty not so much about the fact that “the duty exists,” but about “what level of measures must be taken to avoid sanctions.”

Against this backdrop, on April 9, 2026, the Seoul Administrative Court ruled in favor of Dunamu, the operator of Upbit, in a lawsuit seeking to overturn a partial business suspension order filed against the Financial Intelligence Unit (FIU). While the court did not deny the existence of the obligation to prohibit transactions with unreported virtual asset business operators, it found that, at least with respect to the transaction area below KRW 1 million at issue in this case, the regulations and enforcement standards at the time were not sufficiently clear, and that considering Dunamu had taken certain blocking measures, it was difficult to find intent or gross negligence.

Rather than meaning that “AML obligations for virtual asset business operators have been weakened,” this ruling should be understood as a case showing that, if regulators want to justify severe disciplinary action, they must more strictly prove the violation and the requirements for sanctions. Today, let’s calmly organize the key issues and practical implications of this ruling.

[Question]

What does the first-instance ruling in favor of Dunamu, the operator of Upbit, in its lawsuit to overturn the FIU’s partial business suspension order mean, and what should virtual asset business operators pay the most attention to in practice?

[Answer]

1. The scope of the case and the violations the FIU took issue with

The first point to clarify in this case is that the direct subject of the first-instance ruling was only the three-month partial business suspension order. Based on the results of a comprehensive inspection on February 25, 2025, the FIU notified Dunamu of a three-month partial suspension restricting the transfer of virtual assets for newly registered customers during the business suspension period, with the measure applying from March 7, 2025 to June 6, 2025. Along with that measure, it also notified disciplinary sanctions against executives and employees, including a reprimand for the CEO, and dismissal of the compliance officer and reporting officer. Later, in November 2025, the FIU decided on a total fine of KRW 35.2 billion based on approximately 8.6 million violations of the Special Financial Transactions Act, including breaches of customer due diligence obligations and other violations. The April 9, 2026 ruling did not directly overturn that entire fine. In other words, this ruling should be understood only as a first-instance determination on the legality of the partial business suspension order.

The violations the FIU identified at the time were by no means minor. Dunamu was specifically cited as having facilitated 44,948 virtual asset transfer transactions with 19 overseas unreported virtual asset business operators, and, in addition, violations of customer due diligence obligations, transaction restriction obligations, suspicious transaction reporting obligations, and risk assessment obligations related to new services were also pointed out. However, what the court focused on in this lawsuit was not the mere “existence” of those obligations, but whether the requirements for imposing a partial business suspension order based on those violations had been sufficiently proven.

2. The actual response measures Dunamu took, as seen by the court

The most important legal point in this ruling is that the court distinguished between the existence of a duty and the establishment of a sanctionable violation. According to media reports, the panel found that from 2022 to 2024, regulations requiring the complete blocking of transactions with unreported virtual asset business operators for transactions of KRW 1 million or more were relatively clear. By contrast, for transactions below KRW 1 million, the court found it difficult to say that there were sufficiently clear standards or enforcement guidelines at the time showing exactly what kind of blocking measures a business operator had to implement and to what extent. Ultimately, the court took the view that while the transaction prohibition duty exists, to immediately justify a severe disciplinary action on the basis of a violation of that duty, a clearer regulatory structure and fault attributable to the violation must be proven.

Another key issue was what actual response measures Dunamu had taken. According to the reports, the court took into account that Dunamu had been obtaining written commitments from customers regarding transactions below KRW 1 million and had been using transaction monitoring to retrospectively block transactions with counterparties later identified as unreported operators. The panel did not go so far as to say those measures were fully sufficient, but it appears to have found it difficult to conclude that Dunamu had left the issue unmanaged without any control system or had intentionally allowed the transactions. In other words, even if some transactions ultimately became problematic, the court found that this alone could not immediately establish the operator’s intent or gross negligence.

3. The “operational record” of internal controls has become even more important in practice

In future similar cases, it is likely to become very important not just whether “violating transactions occurred,” but what control system the operator was actually operating at that time. Pre-blocking policies, customer commitment procedures, the use of chain analysis solutions, abnormal transaction detection, records of transaction blocking, internal reporting and decision-making documents, and internal review records concerning regulatory interpretation may all become key evidence in future sanction disputes. This case also appears to have been influenced by the fact that Dunamu did not win because it was “perfect,” but because it had continued to take certain responsive measures during a period when there was a regulatory gap or unclear standards.

However, it may be risky to overinterpret this ruling. First, the court did not deny the AML obligations under the Special Financial Transactions Act itself. Second, it did not declare that Dunamu’s overall internal control system was sufficient or appropriate. Rather, while finding that the measures could not be said to be sufficient, it held that those circumstances alone did not immediately establish intent, gross negligence, or satisfaction of the sanction requirements. Third, immediately after the ruling, the FIU stated that transactions with unreported virtual asset business operators themselves are a serious problem that undermines the AML framework and publicly announced that it would appeal at once. Accordingly, this matter has not yet been conclusively settled, and there remains room for the appellate court to reach a different conclusion.

This first-instance ruling in the Upbit case is significant because it is the first full-fledged court decision in relation to FIU sanctions against domestic virtual asset business operators. However, its conclusion is not a rejection of regulation, but rather that, to justify a sanction, the establishment of the violation, the degree of fault, and the clarity of the regulatory framework at the time must be proven more strictly. In particular, it showed that in areas where the practical boundaries were unclear, such as transactions below KRW 1 million, the decisive factor may be what preventive and blocking measures the operator actually designed and operated.

Therefore, virtual asset business operators and related platform operators should not treat this ruling as just another victory headline, but as an opportunity to re-examine their own AML systems. They should verify whether they have an “explainable later” control framework, including criteria for selecting counterparties, blocking logic for unreported operators, commitment procedures, monitoring systems, log retention, internal reporting lines, and documentation of regulatory interpretations. After all, in future disputes, not only the existence of a violation but also the extent to which the operator took reasonable and concrete responses at the relevant time is likely to determine the outcome.

Because virtual asset regulation is an area where the Special Financial Transactions Act, AML practice, sanction procedures, and administrative litigation are all intertwined, preemptive design is far more important than post-incident response. Cheongchul Law Firm provides tailored legal advice to help exchanges and platform operators reduce sanction risks and design internal control systems that can actually be defended in real disputes amid the evolving virtual asset regulatory environment. If you need assistance responding to sanctions or improving your internal controls, we recommend seeking a consultation before the matter escalates.