South Korea Expands Customer-Due-Diligence Rules to Tackle Fraud and Money Laundering in Non-Bank Lending

A major regulatory development in South Korea underscores the increasingly complex intersection between financial fraud and money laundering. The government’s recent approval of an amendment to the Enforcement Decree under the Financial Services Commission (FSC) marks a significant policy shift, requiring specialised credit finance entities and consumer credit firms to apply stringent customer-due-diligence (CDD) measures when managing loan services. While this reform is presented as a safeguard against rising fraud losses, it carries deeper anti-money-laundering and counter-terrorist-financing (AML/CFT) implications across the lending landscape.

Under the amended Enforcement Decree of the Special Act on the Prevention of Loss Caused by Telecommunications-based Financial Fraud and Refund for Loss, specialised credit finance companies and consumer credit businesses with assets of KRW 50 billion or more must now conduct full CDD checks when issuing loans—whether by phone, mobile application, video call, or in-person. Lenders exclusively engaged in “new-tech financing” are exempt from the rule. The revision follows earlier measures introduced in March aimed at curbing voice-phishing, or “vishing,” scams, and will take effect six months after promulgation.

The amendment addresses a growing risk in which stolen personal information is used to obtain credit or loans in a victim’s name, generating fraudulent liabilities and illicit fund flows. Financial institutions in South Korea are already obligated under AML regulations to identify and verify customers, determine beneficial ownership, and assess the purpose and source of funds. Extending these responsibilities to non-bank lenders closes a critical gap in the country’s AML perimeter.

When fraudsters exploit stolen identities to obtain consumer loans, the proceeds—often deposited into accounts under their control—may quickly be spent, transferred abroad, or returned as seemingly legitimate repayments. Defaults on such fraudulent loans further obscure the origin of funds and complicate recovery. In more severe cases, unethical lenders may bypass identification protocols altogether, allowing their platforms to become “money-laundering factories.”

Voice-phishing scams have become one of South Korea’s most pervasive financial crimes. Victims are tricked into downloading spyware or revealing banking credentials, which criminals then use to secure loans and funnel proceeds through digital channels. According to recent reports, voice-phishing incidents caused over USD 146 million in losses in 2023, a 35 percent increase from the previous year. These schemes often exploit the non-bank credit sector as an unregulated route for laundering fraud-derived funds. Without universal CDD enforcement, illicit proceeds can circulate undetected within the financial system or flow across borders.

For AML professionals, the regulatory implications are substantial. The inclusion of specialised credit finance and consumer-credit firms within the CDD framework broadens the scope of entities subject to AML oversight. These institutions will now need to strengthen identity verification, improve monitoring of borrower activity, and refine risk-assessment models. Non-compliance carries serious consequences, including administrative fines of up to KRW 10 million and potential compensation to victims of fraud.

This reform also presents a strategic opportunity for compliance teams to revisit their onboarding processes, enhance digital verification for remote loan origination, and recalibrate transaction-monitoring systems. Firms will need to develop refined risk scores that detect identity discrepancies, rapid loan disbursements following suspicious calls, or repeated applications under slightly altered credentials. Coordinating AML operations with IT and fraud-prevention functions will be crucial to embedding behavioural analytics and real-time alerts across systems.

The regulatory change reinforces that loan origination sits squarely within AML territory. Beyond assessing creditworthiness, lenders must now evaluate loans for potential laundering typologies—such as large unsecured loans issued following account compromise, or repayments made through third-party accounts. AML frameworks should treat consumer-credit flows as possible entry points for illicit money, particularly when linked to identity fraud.

From a structural standpoint, this reform signifies a broader evolution in South Korea’s AML regime, extending its reach beyond banks and major financial institutions to the wider lending sector. Consumer-credit and specialised credit-finance firms that previously operated under limited supervision are now directly accountable for AML compliance. The FSC’s decision recognises that criminals often exploit regulatory blind spots, including non-bank credit services, to conceal illegal proceeds.

For the lending industry, these enhanced CDD obligations may increase compliance costs, slow down onboarding, and create additional operational burdens, particularly for smaller firms without sophisticated compliance infrastructure. However, the long-term benefits—strengthened market integrity, reduced fraud exposure, and improved consumer trust—are expected to outweigh the transitional challenges. From an AML-CFT standpoint, the new rules significantly improve the system’s ability to detect “fraud-facilitated laundering” within consumer credit.

Corporates in the fintech and “new-tech financing” space remain exempt for now under a statutory carve-out, but this exemption may prove temporary. As fraud and identity-theft techniques evolve, the regulatory perimeter is likely to expand to encompass new lending and finance models.

For compliance and AML/CFT professionals, several strategic steps are now imperative. Onboarding procedures must be updated to include full CDD—identity verification, beneficial-ownership checks, and inquiries into the source and purpose of funds. Remote-loan origination via mobile, telephone, or video must include multi-factor authentication, device fingerprinting, and cross-verification with trusted databases. Monitoring systems should detect unusual loan behaviour, including rapid successive loans under a single identity, repayments through unrelated accounts, or immediate fund transfers abroad. Fraud-detection units and AML teams must coordinate closely, sharing alerts related to vishing or spyware incidents to map fraudulent loan flows. Suspicious activity involving stolen identities should be reported promptly, with the understanding that such cases represent the initial stage of a potential laundering process.

Staff training should be expanded to cover red-flag scenarios in credit issuance, call-centre operations, and mobile-loan workflows, reinforcing awareness that loan disbursements can act as “front door” laundering channels.

This regulatory overhaul represents a turning point in South Korea’s approach to financial crime. By bringing non-bank lenders within the AML regime, the government has acknowledged that fraud and money laundering are increasingly intertwined threats. Complaints about vishing and identity theft can no longer be treated solely as consumer-protection matters—they are integral to the detection, disruption, and tracing of illicit financial flows. For AML practitioners worldwide, the message is unambiguous: when a borrower’s identity is hijacked and a loan is issued, the transaction may signify the start of a laundering process rather than a simple fraud case. The convergence of fraud prevention and AML has become a central priority in both regulatory strategy and operational compliance.

By fLEXI tEAM