South Korea Plans to Require CEXs to Assume "No-Fault Liability," Upbit Hack Incident Serves as Catalyst

**December 7 (South Korea) — The South Korean government is pushing ahead with legislation to introduce a banking-style "no-fault compensation" rule for major cryptocurrency exchanges.** The Financial Services Commission (FSC) reportedly is evaluating a requirement that virtual asset service providers (VASPs) would be liable to compensate users even if not at fault for losses from hacking attacks or system outages. Currently, this mandatory compensation applies only to traditional financial institutions and electronic payment firms. The push stems from a November 27 Upbit exchange security incident: roughly 44.5 billion Korean won (≈$30.1 million) in assets were transferred to an external wallet in 54 minutes. Existing rules barred regulators from forcing Upbit to compensate users. Korean financial watchdogs also cited frequent crypto industry system failures in recent years. Data shows 20 total system outages across the top five exchanges from 2023 to September this year, affecting over 900 users with cumulative losses of ~5 billion Korean won. Upbit accounted for six incidents (≈3 billion won in losses). The draft also proposes raising technical security standards and hiking hack-related fines to 3% of annual revenue (matching traditional finance) — exceeding the current 5 billion won fixed cap. Upbit also faces "delayed reporting" controversy: it detected the anomaly at 5 a.m. but notified regulators only at 10:58 a.m. Some lawmakers queried if Upbit waited to disclose until parent Dunamu completed its merger with Naver Financial. Regulators are investigating, but strict penalties may be hard to impose under current rules.