| Content: |
1.These Directions are set forth to safeguard the interests of consumers and regulate the outsourcing operations of insurance enterprises (referred to as "outsourcing" hereunder).
Insurance enterprises shall include the particulars of these Directions into their internal control procedures drafted pursuant to Article 5, paragraph 1, subparagraph 14 of the Regulations Governing Implementation of Internal Control and Auditing System of
Insurance Enterprises.
2.The outsourcing operations of an insurance enterprise shall not violate any mandatory or prohibitive provisions [of law], public order or good customs, and shall observe the Insurance Act, the Money Laundering Control Act, the Personal Data Protection Act,
the Consumer Protection Act, the Financial Consumer Protection Act, and other applicable laws and regulations.
3.The outsourcing of business items that an insurance enterprise may engage in pursuant to insurance laws and regulations or operations related to customer information by an insurance enterprise, unless otherwise provided by laws or regulations, shall be limited
to the following:
(1) Data entry, processing, output and delivery of information system, development, monitoring, control, and maintenance of information system, and logistical support for data processing in connection with the insurance enterprise's business.
(2) Conducting checking and investigation relating to insurance contract, consumer opinion survey, and customer follow-up by telephone.
(3) Production, delivery, safekeeping and disposal of forms and documents, such as insurance policy, renewal notice, notice of premium payment, notice of suspension in coverage, proof of annual premium payment and other forms and documents relating to the performance
of insurance contract and lending operations.
(4) Overseas emergency assistance and roadside assistance services in connection with benefits under the insurance contract.
(5) Distribution of consumer publications.
(6) Collection of premiums, principal and interest payments on policy loans, other payments related to insurance contracts, or principal and interest payments on other loans.
(7) Collection of debts.
(8) Electronic customer services, including automated voice systems, phone answering service, answering and processing customer e-mails, and electronic commerce related inquiry service and assistance.
(9) Land registration or real estate management services, and disposal of collateral from the assumption of debts.
(10) Repossessing and auctioning automobiles with overdue payment on a car loan (excluding the determination of the floor price for such auctions).
(11) Valuation, classification, bundling and sale of non-performing loans; provided such outsourcing agreement stipulates that the service providers and their employees involved in the outsourcing agreement shall not engage in any work or provide any consulting
or advisory services which give rise to a conflict of interest with the outsourced services during the term of such outsourcing agreements or during a reasonable period of time after termination/expiry thereof.
(12) Other operations approved by the competent authority for outsourcing.
Except for outsourcing operations stipulated in subparagraph 7 and subparagraph 12 of the preceding paragraph where an insurance enterprise is required to apply to the competent authority for approval pursuant to Point 10 herein, an insurance enterprise shall
file its outsourced operations, content and scope in a manner prescribed by the competent authority with the competent authority or an institution designated by the competent authority for other outsourcing operations stipulated in each subparagraph of the
preceding paragraph.
4.An insurance enterprise shall conduct outsourcing operations in accordance with its internal outsourcing control procedures approved by its board of directors under the premises that outsourcing will not affect the sound operation of the insurance enterprise,
the interests of customers, or regulatory compliance. For branches of foreign insurance enterprises in Taiwan, such approval may be granted by individuals authorized by their head office.
The internal outsourcing control procedures for referred to in the preceding paragraph shall specify the following particulars:
(1) Policies and principles for outsourcing , including evaluation of outsourcing decisions, risk management mechanisms, approval hierarchy and governance structure.
(2) Division of authority and responsibility of unit-in-charge and relevant units regarding the management of outsourced operations.
(3) Scope of operations that may be outsourced and outsourcing procedures.
(4) Internal operation and procedure that assure the protection of customer interests.
(5) Risk management principles and operating procedure.
(6) Internal control principles and operating procedure.
(7) Other outsourcing operations and procedures.
An insurance enterprise shall take the ultimate responsibility for its outsourcing. It shall evaluate the risk level, materiality, and the impact on operations and customer interests for outsourced operations, adopt appropriate management measures based on
the risk-based approach, and comply with the following provisions:
(1) The board of directors shall be aware of the risks associated with outsourcing and regularly supervise the execution status of outsourced operations.
(2) An insurance enterprise shall ensure that the unit-in-charge and relevant units possess adequate resources, expertise and authority to manage outsourced operations.
(3) An insurance enterprise shall identify, evaluate and manage outsourcing of operations deemed material, and formulate relevant procedures and policies. Ensure that enhanced controls and emergency response measures are in place for outsourced operations that
have significant impact on the normal operation or customer interests of the insurance enterprise.
(4) There shall be proper procedures for due diligence and periodic review in place to ensure that the service providers possess professional knowledge and resources for the execution of outsourced operations, are financially sound, have internal control and
information security management mechanisms, and complies with regulatory requirements.
(5) Ensure that the insurance enterprise itself, competent authority or persons designated by them can have access to relevant information or reports regarding the scope of outsourced items from service providers, and conduct financial examination or audit,
or order the service providers to provide relevant information or reports within a prescribed time period.
The provisions of the preceding paragraph apply to branches of foreign insurance enterprises in Taiwan, where their head office or regional head office authorized by the head office may be responsible for and handle related matters. However, the unit-in-charge
shall still be composed of personnel of the branch of a foreign insurance enterprise in Taiwan and ensure a comprehensive understanding of the controls exerted by the head office or regional head office authorized by it over outsourcing activities in Taiwan.
The term “materiality” under these Directions refers to one of the following situations:
(1) Where the outsourced operation cannot be performed or where there are concerns regarding information security, and such issues will have significant impact on business operations of the insurance enterprise.
(2) Where the outsourced operation is involved in a customer data security incident that has a significant impact on the insurance enterprise or the rights and interests of customers.
(3) Where the outsourced operation has otherwise had a significant impact on the insurance enterprise or the rights and interests of customers.
5.The unit-in-charge for outsourcing operations of the insurance enterprise pursuant to subparagraph 2, paragraph 2 of the preceding point shall carry out the following tasks:
(1) Managing outsourced operations in accordance with the internal control procedures for outsourcing set out in accordance with the preceding point.
(2) Supervising the outsourced operations in connection with the protection of customer interests, risk management and internal controls, conducting periodic evaluation, and submitting the findings to the board of directors or personnel authorized by the head
office in the case of a branch of a foreign insurance enterprise in Taiwan; any material irregularity or deficiency shall also be promptly reported to the competent authority.
(3) Supervising the establishment and implementation of internal control and internal audit system by the service providers.
(4) Drafting and executing the measure for selecting service providers, and ensuring that the outsourced operation is a business item that the selected service provider is legally allowed to operate.
(5) Other matters as required by the competent authority.
When outsourcing the collection of debts arising from loans, the unit-in-charge shall check regularly relevant information in the outsourcing service providers and employees registration system created by the Joint Credit Information Center (the "JCIC") and
retain a copy of the inquiry record for future reference as a part of insurance enterprise's internal control activities over outsourcing and supervision of service provider's internal control systems.
6.The internal operations and procedures of an insurance enterprise in connection with the outsourcing operations of an insurance enterprise that assure the protection of customer interests as provided in Point 4, paragraph 2, subparagraph 4 herein shall contain
at least the following:
(1) Where an outsourced operation involves customer information, the customer information shall be handled in accordance with the Personal Data Protection Act and the insurance contract executed by the insurance enterprise and the customer shall include a provision
that requires the insurance enterprise to inform the customer [of the outsourcing]. If the agreement does not include such a provision, the insurance enterprise shall notify its customers in writing or by other appropriate means of the outsourcing activity.
(2) The scope of customer information or information of the applicant, the insured and the beneficiary in the insurance contracts to be provided [to the service provider] and procedural method for transferring such information. With respect to the information
of the beneficiary, only the basic information of the beneficiary stated in the application form, change of beneficiary, benefit payment and other information that has the beneficiary's written consent (to transfer) may be transferred to the service provider
for processing.
(3) Methods for supervising the use, processing and control of aforesaid customer information by the service provider and management mechanism.
(4) Procedure and time limit for handling customer dispute in connection of the outsourcing activity; the insurance enterprise shall set up a coordination unit that handles customer complaints.
(5) Other necessary actions for the protection of customer interests.
An insurance enterprise shall be held equally responsible for its customer as provided by law if an intentional act or negligence of its outsourcing service provider or the employee of the service provider results in damage to customer interests.
7.The risk management principles and operating procedures in connection with the outsourcing operations of an insurance enterprise set out pursuant to Point 4, paragraph 2, subparagraph 5 herein shall contain at least the following:
(1) Establishing a risk and benefit analysis system for the outsourcing operations.
(2) Establishing procedures and management measures sufficient to identify, measure, monitor and control risks associated with outsourcing:
A. Evaluating the risk level and materiality of outsourced operations and their impact on business.
B. Ensuring that the insurance enterprise and the service provider possess adequate expertise and resources.
C.Considering relevant risk factors, evaluating the risk level of outsourced operations and taking appropriate measures to mitigate risk.
D. Evaluating risk levels periodically and ensuring update of risk levels.
E. Conducting regular or unscheduled testing or drills based on different risk scenarios for material outsourced operations.
(3) Establishing an emergency response plan and transfer mechanism in case of termination of an outsourcing agreement.
(4) Other matters as required by the competent authority.
8.The internal control principles and operating procedures in connection with outsourcing operations of an insurance enterprise set out pursuant to Point 4, paragraph 2, subparagraph 6 herein shall contain at least the following:
(1) Drawing up and implementing the operating procedure for supervising and managing the scope of outsourcing.
(2) Incorporating the operating procedure in the preceding subparagraph in the overall internal control and internal audit systems of the insurance enterprise.
(3) The outsourcing of collection of premiums, principal and interest payments on policy loans, and other payments related to insurance contracts pursuant to Point 3, paragraph 1, subparagraph 6 herein shall be carried out according to the following rules:
A. The service provider that collects automobile insurance premiums shall deliver the premium payments collected to the insurer within one month from the date of collection.
B. Insurance brokers and agents shall directly deliver the premium payments collected in accordance with Article 40, paragraph 1 of the Regulations Governing Insurance Brokers and Article 40, paragraph 1 of the Regulations Governing Insurance Agents.
C. The insurance enterprise shall follow the self-regulatory rules drawn up by the insurance association with regard to the scope of payment collection that may be outsourced and the qualifications of the service provider.
(4) Supervising the establishment and implementation of internal control and internal audit system by the service provider.
(5) Other matters as required by the competent authority.
9.An insurance enterprise's outsourcing agreement shall specify at least the following:
(1) The scope of outsourcing and the responsibilities of service provider.
(2) A provision requiring the service provider to comply with Point 2 herein.
(3) Management of employees of the service provider assigned to the insurance enterprise, including employee recruitment, promotion, performance reviews, and discipline.
(4) The service provider is required to carry out internal controls and internal audits in accordance with its standard operating procedures established under the supervision of the insurance enterprise.
(5) Unless with written authorization of the insurance enterprise, the service provider shall not use the name of the insurance enterprise in the course of handling the outsourced items, nor shall the service provider make untruthful advertising.
(6) Material events that would lead to the termination of outsourcing agreement with the service provider, including a provision on termination or revocation of the agreement if so instructed by the competent authority.
(7) The service provider agrees to let the competent authority access relevant data or reports and conduct financial examination with respect to the outsourced items, or provide relevant data or reports within a prescribed time period under the order of the
competent authority.
(8) Consumer protection, including the confidentiality of customer data and adoption of security measures.
(9) The service provider is required to carry out consumer protection and risk management in accordance with its standard operating procedures established under the supervision of the insurance enterprise.
(10) Consumer dispute resolution mechanism, including the timetable and procedure for handling dispute and remedial measures.
(11) The service provider shall promptly inform the insurance enterprise if the outsourced operation involves any material irregularity or deficiency.
(12) Other agreements.
The provisions of subparagraphs 8 through 10 of the preceding paragraph do not apply, provided the outsourcing agreement does not involve the interests or personal information of consumers.
In the outsourcing agreement, the insurance enterprise shall prohibit the service provider from subcontracting the outsourced operation unless with the insurance enterprise's written consent. The outsourcing agreement shall specify the scope, limitations or
conditions for subcontracting by the service provider. The provisions in this point shall apply to the subcontracting agreement between the service provider and its subcontractor.
Where the outsourcing agreement or the subcontracting agreement does not conform to the provisions in these Directions, the insurance enterprise may continue its outsourcing activity under the existing agreement until it expires.
10.When conducting outsourcing operations under Point 3, paragraph 1, subparagraph 7 or other operations approved by the competent authority for outsourcing under Point 3, paragraph 1, subparagraph 12, the insurance enterprise shall apply to the competent authority
for approval by submitting the following documents:
(1) The internal control procedures for outsourcing set out in accordance with Point 4, paragraph 2.
(2) Meeting minutes containing resolutions of the board of directors; for branches of foreign insurance enterprises in Taiwan, a letter of consent signed by an personnel authorized by the head office.
(3) The Analysis of necessity and compliance of outsourcing on business operations, evaluation of the risk level, materiality, and the impact on operations and customer for outsourced operations, due diligence of service providers, and outsourcing risk management
measures.
(4) Outsourcing process.
(5) Regulatory compliance statement.
(6) Review form concerning the qualifications of the service provider.
(7) Other documents as required by the competent authority.
After an insurance enterprise applies for approval of “other operations approved by the competent authority for outsourcing” as provided in Point 3, paragraph 1, subparagraph 12 and obtains approval by the competent authority that the operations be eligible
for outsourcing, other insurance enterprises may conduct such outsourcing operations in accordance with their internal control procedures for outsourcing.
An insurance enterprise that outsources debt collection operations shall draw up conduct practices and collection letters in the outsourced collection process according to the samples prepared by the Non-Life Insurance Association of the Republic of China (referred
to as the "Non-Life Insurance Association" hereunder) and Life Insurance Association of the Republic of China (referred to as the "Life Insurance Association" hereunder) , and have its legal counsel review the collection letters to make sure they do not violate
these Directions or other relevant laws and regulations before submitting the collection letters to the competent authority for recordation.
11.Before applying for approving the outsourcing of its debt collection operation, an insurance enterprise shall make sure in advance that the appointed service provider meets the following qualification requirements:
(1) The service provider shall be one of the following:
A.A company that has registered in accordance with the Company Act or the Business Registration Act and has obtained a company or business registration certificate issued by the competent authority which indicates that "providing money claim management services
to insurance enterprises" falls within its scope of business.
B.A lawfully established law office.
C.A lawfully established certified public accountant office.
(2) The service provider does not incur accumulated loss or its loss does not exceed one third of its paid-in capital. The preceding provision does not apply if the service provider has incurred loss exceeding one third of its paid-in capital, but has completed
the capital increase formalities according to applicable regulations.
(3) The collection personnel of the service provider has completed the training course or passed the examination on collection given by Non-Life/Life Insurance Association or an institution sanctioned by such association and received a credential therefor,
and is free of the following situations:
A. Has been convicted of a crime of violence under the “Criminal Code”, the “Organized Crime Act”, or the “Guns, Ammunition and Knives Control Act”, or is wanted for a crime of violence in an ongoing case.
B. Has been adjudicated bankrupt, and has not had rights and privileges reinstated.
C. Has been denied service by the bills clearing house and the sanction has not expired, or has some other poor credit record that is still open.
D. Is legally incompetent or has limited legal capacity or is subject to an order of the commencement of assistance that order has not been revoked yet.
E. Has left his or her job for violation of these Directions or other laws and regulations, and the employer financial institution or insurance enterprise has reported the matter to the JCIC.
(4) If the collection personnel of the service provider has not completed the training course or passed the examination on collection given by Non-Life/Life Insurance Association or an institution sanctioned by such association and has not received a credential
therefor, said personnel shall remedy the situation within two months after taking the post.
(5) The responsible person of the service provider shall be free of the situations described in the subparagraph 1 to subparagraph 11, paragraph 1, Article 3 of the Regulations Governing Qualification Requirement and Concurrent Serving Restrictions and Matters
for Compliance by the Responsible Persons of Insurance Enterprises, and shall issue a statement therefor.
(6) A service provider shall be equipped with complete computer facilities necessary for the handling of outsourced items, and the telephones of its relevant personnel shall come with a recording system where the recording may be accessed instantly in coordination
with the computer system for the purposes of audit or verification in case of a dispute. All phone conversations and field visits of the collection personnel shall be recorded with a copy made and retained for at least six months. The service provider shall
not delete or alter its audio recordings.
12.An insurance enterprise shall conduct regular and unscheduled audit and supervision of the debt collection operation of its service provider to ensure compliance with the following provisions:
(1) A debt collector shall not use violence, intimidation, coercion, verbal abuse, harassment, sham, or false, deceptive or misleading representation against the debtor or any third party, or engage in other illicit debt collection practices that invade the
privacy of the debtor.
(2) A debtor collector shall not use harassing means that disrupts the regular living conditions, schooling, work, business or the life of others in the debt collection process.
(3) A debt collector may engage in debt collection from 7:00AM to 10:00PM, unless it is otherwise agreed by the debtor.
(4) A service provider shall not harass with or collect debts from third parties in any means.
(5) A debt collector communicating with a third party for the purpose of acquiring the location information about the debtor shall identify himself and state that his purpose is to obtain contact information of the debtor. If so requested by said third party,
the debt collector shall identify the outsourcing insurance enterprise, and the name of his employer. A debtor collection shall also present a letter of authorization when making field visit.
(6) The service provider or its employees shall not collect payment or any fees from the debtor or any third party for the debt collection work, unless the service provider is collecting withheld salary under a court order for an action in which the service
provider is a litigation agent on behalf of the insurance enterprise and has the consent of the insurance enterprise to collect the withheld salary of debtor.
(7) The service provider personnel shall wear ID badge in field visits and record the entire conservation with the debtor or related parties in the course of a visit. Unless with the consent of the debtor, the service provider personnel may not at his own discretion
enter the residence of the debtor by any means.
Any of the following practices is deemed a false, deceptive or misleading representation mentioned in subparagraph 1 of the preceding paragraph:
(1) False representation or implication that nonpayment of debt will result in the arrest, detainment or other criminal disposition against the debtor.
(2) Informing the debtor that his property will be seized while such property is not subject to seizure according to law.
(3) Collecting fees from the debtor other than the amount of debt owed or collecting fees not claimable under the law.
(4) False representation that nonpayment of debt will result in a court action of arrest, garnishment, seizure or auction.
Any of the following practices is deemed as using harassing means that disrupts the regular living conditions, work, business or the life of others mentioned in subparagraph 2 of paragraph 1 hereof:
(1) Repeatedly or during non-collection hours using telephone, fax, text message, e-mail or other communication means, or visiting the debtor's residence, school, work, or business location or other places to collect debt.
(2) Using post cards for collection or using any language, symbols or other means on the envelope of collection letter that could reveal the debt situation or other private information of the debtor to third parties. The preceding provision does not apply to
the name of company.
(3) Using bulletin, signboards or other similar methods that reveals the debt situation or other private information of the debtor to third parties.
13.The outsourcing agreement on debt collection operation entered by an insurance enterprise and a collection agency shall contain at least the following in addition to complying with the provisions in Point 10 herein:
(1) The work guidelines of the service provider shall include conduct and practices prohibited as provided in the preceding point and standards for dismissing or punishing violating employees.
(2) Subcontracting the debt collection work by service provider is prohibited.
(3) The service provider shall report the handling of debt collections or customer complaints to the outsourcing insurance enterprise regularly or as needed; when there are situations where the service provider or its employees violate applicable laws and regulations
in its internal management or collection operation, the service provider shall immediately report the event to the insurance enterprise.
(4) When recruiting personnel for the purpose of providing outsourcing service for the collection of debts arising from loans, the service provider shall obtain the written consent of the employee permitting the outsourcing insurance enterprise and JCIC to
collect, process and use their personal data.
(5) When providing outsourcing service for the collection of debts arising from loans, the service provider shall provide the insurance enterprise with information of departed employee who leaves job due to violation of any subparagraph under Point 12, paragraph
1 herein for posting with JCIC. The posted information shall include:
A. Basic data of the departed employee.
B. Date of departure.
C. Reasons for departure.
(6) When outsourcing the collection of debts arising from loans to a service provider, an insurance enterprise shall submit the basic information of said service provider to JCIC. The service provider shall agree that the outsourcing insurance enterprise may
submit the information on termination of outsourcing agreement due to violation of these Directions herein or other laws and regulations by the service provider to JCIC for posting. The posted information shall include:
A. Basic information of the service provider.
B. Date of agreement execution and date of its termination.
C. Reasons for violation of these Directions herein or other laws and regulations.
14.An insurance enterprise shall comply with the following provisions in outsourcing its debt collection operation:
(1) The insurance enterprise shall heed the complaints made by the debtor or any third party regarding the practices of outsourced service provider in the collection of debt arising from loans and check the relevant information in the outsourcing service providers
and employees registration system created by the JCIC in a regular and timely manner; when there are material incidents which require the service provider to dismiss unfit employee pursuant to the outsourcing agreement or which require the insurance enterprise
to terminate the outsourcing agreement with the service provider, the insurance enterprise shall take actions in accordance with these Directions herein and the outsourcing agreement.
(2) If the service provider or any of its employees that provides outsourcing service for the collection of debts arising from loans, has been reported to the JCIC by other insurance enterprises pursuant to Point 13, subparagraphs 5 and 6 herein, but the incident
is not significant enough to constitute grounds for termination of the outsourcing agreement, the insurance enterprise shall step up the frequency and scope of audits of the service provider.
(3) Where the service provider has engaged in practice that violates a subparagraph under Point 12, paragraph 1 herein and makes it unacceptable to the debtor and the debtor contacts the insurance enterprise directly to negotiate the settlement of debt, the
insurance enterprise shall accept the request of the debtor and actively handle the matter.
(4) Where the insurance enterprise finds that its service provider or any of its employees resorts to violence, coercion or intimation in the collection process, it shall report the matter to law enforcement agency.
(5) The insurance enterprise shall not give its service provider information on people who do not have legal obligation to discharge debt.
(6) Prior to outsourcing its collection operations to a service provider, the insurance enterprise shall send the debtors a written notice, informing them of the name of service provider, amount of debt owed, the duration of retention of audio recordings of
collection procedures, the telephone number (of the insurance enterprise) for making a complaint, and practices prohibited as provided in the subparagraphs under Point 12, paragraph 1 herein.
(7) The insurance enterprise shall make public the basic information of its service provider at its business places and on its website to make it convenient for debtors to check the relevant information of the collection agency.
15.Where the service provider providing debt collection service for an insurance enterprise is referred to the law enforcement agency due to alleged use of violence in the collection process, the insurance enterprise may terminate its outsourcing agreement
in view of the severity of the case, and must terminate the outsourcing immediately provided the service provider is indicted.
Where an insurance enterprise violates these Directions herein in the outsourcing of its debt collection operation, the competent authority may, depending on the severity of the case, order the insurance enterprise to make improvement within a given time period,
or suspend or revoke the permission allowing the insurance enterprise to outsource its debt collection operation.
16.When outsourcing an operation involving business information systems deemed material related to the data of natural person customer to overseas, an insurance enterprise shall submit the following documents to the competent authority for approval:
(1) The internal control procedures for outsourcing established pursuant to Point 4, paragraph 2 herein.
(2) Meeting minutes containing resolutions of the board of directors; for branches of foreign insurance enterprises in Taiwan, a letter of consent signed by an personnel authorized by the head office.
(3) The analysis of necessity and compliance of outsourcing on business operations, including evaluation of compliance with consumer data protection related regulations by the service provider.
(4) An outsourcing plan, which shall contain:
A.Risk assessment and management mechanisms:
a.Evaluation of the risk level, materiality, and the impact on business operations and customer rights and interests for outsourced operations.
b.Due diligence of the service provider to ensure the reliability and compliance of the services provided; the reliability check shall include analysis of business continuity, substitutability, and concentration.
c.Description of having professional skills and resources to monitor the execution of outsourced operation by the service provider.
d.Plan and implementation unit for routine monitoring mechanism.
B.Description of customer data protection measures and whether customer consents have been obtained to ensure the quality of outsourcing service and protection of consumer rights and interests.
C.Information security and management:
a.Description of data security management measures, data transmission and segregation, and data ownership.
b.The management policies with regard to the location of data storage, including the description of assessment of legal, political, and economic stability of data processing and storage locations, and description of data backup and data can be accessed at any
time.
D.Emergency response plan, including a business contingency plan in case the service provider is unable to provide services or there is service interruption.
(5) A letter of consent from the service provider or outsourcing agreement , agreeing that where necessary, a person designated by the insurance enterprise may examine the outsourced items; the aforementioned designated person may also be assigned by the competent
authority in Taiwan at the expense of the insurance enterprise.
(6) A statement from the service provider that it has been free of incident of employee fraud, information or communication security breach or other incidents that result in damage to the interests of customers or adversely affect sound operations of the company
for the last three years.
When conducting outsourcing under the preceding paragraph, an insurance enterprise shall comply with the following provisions in addition to the provisions of Point 17:
(1) Ensure the compliance of the use, processing and control of natural person customer information by the service provider with relevant regulations under Personal Data Protection Act, retain complete audit trails and shall include the compliance matters in
the key audit items.
(2) Periodically evaluate cost benefit and the reasonableness of expense allocation within the group, and submit the report thereon to its board of directors for approval.
(3) The standards for security testing of information system shall not be inferior to those set forth by the competent authority, the Non-life Insurance Association and the Life Insurance Association.
(4) Conduct at least one routine audit and one special audit annually. The audit report on cross-border outsourcing for the year shall be submitted to the board of directors within four months after the end of each year. The aforementioned audits may be performed
by an independent third party specializing in information technology.
(5)Establish a business contingency plan in case the service provider is unable to provide service or there is service interruption.
(6)Specify in the outsourcing agreement the situations where the outsourced operation is transferred to another service provider or back to the insurance enterprise, and original service provider’s obligations regarding system relocation and data processing,
and service provider’s liability for damages in case of service interruption.
The branch of a foreign insurance enterprise in Taiwan that outsources its operations to its head office or other overseas branches for internal division of labor purpose shall apply for approval in accordance with paragraph 1.
17.An insurance enterprise that plans to outsource its operations to offshore service providers shall comply with the following provisions:
(1) Fully understand and grasp the use, processing and control of customer information by the service provider.
(2) Furnish only necessary customer information that is directly related to the outsourced items to the service provider.
(3) Require the service provider to observe the following:
A.The customer information of the insurance enterprise shall only be used and processed within the scope of outsourced items by authorized persons of the service provider.
B.The customer information of the insurance enterprise shall be clearly segregated from those of the service provider and other outsourcing institutions.
C.The customer information of the insurance enterprise processed by the service provider shall be readily provided to the competent authority and the insurance enterprise when needed.
(4) Conduct regular and unscheduled audits and supervision of the use, processing and control of customer information by the service provider based on a risk-based approach; relevant audit matters may be assigned to external auditors. The branch of a foreign
insurance enterprise in Taiwan may designate the auditing unit of its head office or regional head office authorized by the head office to handle the matters and the auditing unit shall provide the branch in Taiwan with an audit report.
(5) Inform the competent authority in the R.O.C of the reasons and obtain consent in advance, when the competent authority of the jurisdiction where the service provider is located requests the provision of customer data in the R.O.C.
The branch of a foreign insurance enterprise in Taiwan that outsources its operations to its head office or other overseas branches for internal division of labor purpose shall handle the matters in accordance with the preceding paragraph.
18.An insurance enterprise shall comply with the following rules when its outsourced operations involve cloud services:
(1) The insurance enterprise shall formulate policies and principles for using cloud services, adopt appropriate risk management and control measures, and heed the proper diversification of operations outsourced to cloud service providers.
(2) The insurance enterprise shall take the ultimate responsibility for the supervision of cloud service providers and shall possess the professional skills and resources to supervise the cloud service providers’ execution of outsourced operations. If necessary,
it may request professional third parties to assist in their supervision operation.
(3) The insurance enterprise may appoint an independent third party with expertise in information technology at its sole discretion or together with other insurance enterprises that outsource to the same cloud service provider to conduct audits and shall comply
with the following rules:
A. Ensure that its audit scope covers important systems and control points related to the operations outsourced to the cloud service provider.
B. Evaluate the eligibility of the third party, and verify that the contents of the audit report produced by the third party are appropriate and meet the relevant international standards of information security and privacy protection.
C.The third party shall conduct audit based on the scope of outsourced operations and produce an audit report.
(4) Where the insurance enterprise transmits and stores customer information at the cloud service provider, it shall adopt customer data encryption, tokenization, or other effective protection measures and establish appropriate encryption and key management
mechanisms.
(5) The insurance enterprise shall retain complete ownership of data outsourced to cloud service providers for processing. The insurance enterprise shall ensure that the cloud service provider does not have the right to access customer data except for the execution
of outsourced operations and that the cloud service provider may not use the data for purposes outside the scope of outsourced operations.
(6) The location for processing and storaging customer data outsourced to a cloud service provider shall be in accordance with the following rules:
A.The insurance enterprise shall retain the right to designate the location for data processing and storage.
B.The data protection regulations in above location shall be no less stringent than the R.O.C. requirements.
C. The storage location of customer data for business information systems deemed material related to natural person customer shall, as a principle, be within the territory of the R.O.C. If such data is stored overseas, except with the approval of the competent
authority, important customer data shall be backed up and retained in the R.O.C.
19.The provisions of the preceding three points do not apply to the outsourcing of the following operations:
(1)Where the insurance enterprise mandates an offshore institution to operate and manage its funds in compliance with the Insurance Act, relevant laws and regulations and self-regulatory rules.
(2)Where the insurance enterprise engages an offshore institution to assist in the handling of claims, emergency rescue, investigation or assessment.
(3)Where the insurance enterprise outsources the part of the operations of its branches abroad that comply with the local regulations and do not involve the personal data of customers in Taiwan.
(4)Where the insurance enterprise outsources the development and maintenance of its onshore information system to an offshore institution.
20.The competent authority or appropriate institutions or persons commissioned by the competent authority may audit the outsourcing operations of an insurance enterprise at the expense of said insurance enterprise.
If a service provider violates any provision of these Directions or other regulations, the competent authority may, in view of the severity of violation, notify the insurance enterprise to terminate the outsourcing per the outsourcing agreement, require the
insurance enterprise to make improvements within a given period of time, or temporarily suspend the outsourcing until improvements made by the service provider are confirmed.
21.If the outsourcing operations of an insurance enterprise violate these Directions, the competent authority may mete out appropriate disciplinary action pursuant to the Insurance Act in view of the severity of violation.
22.Unless it is otherwise stipulated in these Directions, insurance enterprises shall rectify their existing outsourcing activities that do not comply with the provisions herein within one year from the date of its promulgation and implementation. |