In an internal control review of the five major virtual asset exchanges prompted by Bithumb's erroneous bitcoin payout incident, Bithumb and Coinone received failing grades. Bithumb and Coinone failed all four items in the review.
According to the financial sector on the 13th, a joint task force composed of the Financial Services Commission, the Korea Financial Intelligence Unit (FIU), the Financial Supervisory Service, and the Digital Asset eXchange Alliance (DAXA) examined the internal control systems and high-risk transaction management status of the five major exchanges for more than a month starting in mid-Feb. The probe was prompted by Bithumb's erroneous bitcoin payout incident. On Feb. 6, Bithumb planned to pay a total of 620,000 won to 249 event winners, with 2,000–50,000 won each, but mistakenly entered "bitcoin" instead of "won," wrongly paying out 620,000 bitcoins worth 62 trillion won. Bithumb immediately retrieved most of the mistakenly paid bitcoin.
The joint task force reviewed the operation status of internal control systems by dividing it into items such as ▲ periodic checks of internal control status ▲ checks on access rights to tasks ▲ checks on the implementation of job segregation and mandatory leave ▲ checks on the adequacy of advertisements and promotional materials. Bithumb and Coinone failed all four items.
In its report, the joint task force assessed, "They omitted even the basic procedures, such as periodic checks of internal control status (at least once a year) and reporting the results to the board. Poor operations were revealed, including holding the 'internal control committee,' which should convene semiannually to inspect and respond to vulnerabilities such as financial incidents, only once a year in a perfunctory manner."
Coinone also received a failing grade in the review of its risk management system status. It failed all three items: ▲ establishment of risk management standards ▲ appointment of a chief risk officer ▲ establishment of a risk management committee. The joint task force assessed, "Contingency planning for various incidents and other unexpected situations, as well as risk management standards to respond to human error and system defects, were generally absent."
Bithumb failed across the board in the review of high-risk transaction management status. It was found to lack a "multi-approval system" proportional to risks, with cases where a staffer single-handedly changed computer systems or execution proceeded with approval from only one department head. This is directly connected to the staff error that occurred during the process in which the erroneous bitcoin payout took place.
A financial sector official said, "The results of this probe will significantly affect future renewal screenings for virtual asset service providers (VASP)." Upbit and Korbit recently received VASP approval. The authorities have not yet accepted the renewal filings of Bithumb and Coinone.