
In recent weeks, a major South Korean cryptocurrency exchange was fined approximately USD 1.9 million by the national Financial Intelligence Unit (FIU) following a detailed supervisory inspection.
The enforcement action was driven not by a single lapse but by systemic AML and KYC failures across customer onboarding, transaction controls, governance, and risk assessment.
This case is especially relevant because:
- The firm was large, established, and licensed
- Controls existed on paper
- Compliance teams were in place
Yet regulators still concluded that AML safeguards failed in practice.
What Went Wrong
- KYC was incomplete, yet customers were allowed to transact: Thousands of customer profiles contained incomplete or outdated identity information. Even so, customers were permitted to trade and transfer assets, indicating that KYC functioned as a procedural step rather than an access control.
- Regulatory prohibitions were not enforced at system level: The firm processed transactions involving overseas virtual asset service providers that were not locally registered. These transfers were not automatically blocked, exposing a reliance on manual reviews where preventative controls were required.
- New products were launched without AML risk assessment: Certain digital asset services were introduced without conducting formal AML risk assessments. As a result, monitoring scenarios and risk classifications were not updated to reflect the expanded risk exposure.
- Governance and escalation were weak: Compliance issues were identified internally, but escalation lacked substance and senior management challenge was insufficient. Regulators ultimately issued warnings to senior executives, reinforcing expectations of leadership accountability.
The Core Compliance Failure
This enforcement was not about missing policies or inadequate technology. It was about controls that existed but were not enforced.
The firm had KYC procedures, monitoring tools, and compliance staff, yet these measures failed to actively stop prohibited activity. In regulatory terms, this represents ineffective control design and execution.
What Could Have Prevented the Fine?
- KYC should operate as a hard access gate: If identity verification is incomplete, customers should not be able to trade or transfer assets. Allowing activity before KYC completion converts compliance into risk acceptance.
- Prohibited transactions must be prevented, not detected later: Where regulations restrict counterparties or cross-border activity, systems should block such transactions automatically. Manual intervention is not considered an adequate safeguard.
- AML risk assessments must precede product launches: Every new service should trigger a reassessment of inherent AML risk and control adequacy. Innovation without compliance review is now a clear regulatory red flag.
- Escalations must support defensible risk decisions: Escalation notes should clearly explain why activity is acceptable and who approved residual risk. If decisions cannot withstand regulatory scrutiny, they should not be approved.
What AML & KYC Teams Should Take Away
- KYC is a control mechanism, not documentation
- Monitoring must assess behaviour in context, not just alerts
- Governance failures quickly become personal accountability issues
- Crypto firms are now assessed against bank-grade AML standards
Final Thought
This case reinforces a consistent regulatory message: having controls is no longer enough. Regulators are assessing whether controls actively prevent risk, transaction by transaction.
For compliance teams, the question is no longer “Are we compliant?” – but “Would our controls actually stop this?”
