Title: Directions for Operations Outsourcing by Securities Firms
Date: 2023.08.31
Legislative: 1. Full text of 18 points adopted and issued per 31 August 2023 Order No. Financial-Supervisory-Securities-Firms-1120345336 of the Securities and Futures Commission; for immediate implementation
Point 1
These Directions are adopted pursuant to Article 8, paragraph 1, subparagraph 18 of the Regulations Governing the Establishment of Internal Control Systems by Service Enterprises in Securities and Futures Markets.

Point 2
A securities firm that will outsource operations to any third party (hereinafter, "outsourcing") shall enter a written agreement and comply with these Directions. However, if the outsourcing involves foreign exchange business, it shall additionally comply with the relevant rules and regulations set forth by the Central Bank.
The securities firms to which these Directions apply include domestic securities firms and their overseas branches and the Taiwan branches of foreign securities firms.

Point 3
The outsourcing by a securities firm of operations involving business items stated in its business license or operations related to customer information shall be limited to the following scope:
1. Data processing: Including information system data entry, processing, and output; the development, monitoring, control, and maintenance of information systems; and logistical support for data processing in connection with conducting business.
2. Safekeeping of documents such as forms, statements, and certificates.
3. E-channel customer services, including automated voice systems, response to and processing of customer e-mails, consultation and assistance to e-channel customers, and telephone customer service specialist service.
4. Certain internal audit operations. However, these audit operations may not be performed by the CPAs who attest the securities firm's financial statements.
5. Other operations approved by the competent authority for outsourcing.
A securities firm shall file accurate reports on information including the items, content, and scope of its outsourced operations in the manner prescribed by the competent authority, the Taiwan Stock Exchange Corporation (TWSE), the Taipei Exchange (TPEx), or the Taiwan Securities Association (TWSA).

Point 4
A securities firm shall conduct outsourcing operations in accordance with its internal outsourcing rules approved by its board of directors, on the premise that outsourcing will not affect the sound operation of the securities firm, the interests of customers, or regulatory compliance. The internal outsourcing rules of a Taiwan branch of a foreign securities firm may be approved by an officer authorized by the head office.
The internal outsourcing rules referred to in the preceding paragraph shall specify the following contents:
1. Outsourcing policies and principles, including evaluation of outsourcing decisions, risk management mechanisms, approval hierarchy, and governance structure.
2. Division of authority and responsibility of the unit-in-charge and relevant units regarding the control of outsourced operations.
3. Scope of operations that may be outsourced and outsourcing procedures.
4. Internal operations and procedures for the protection of customer interests.
5. Risk management principles and operating procedures.
6. Internal control principles and operating procedures.
7. Other outsourcing operations and procedures.
A securities firm is ultimately responsible for its outsourcing. It shall evaluate the risk level and materiality of outsourced operations and the impact of outsourcing on business operations and customer interests, adopt appropriate management measures under the risk-based approach, and comply with the following provisions:
1. The board of directors shall be aware of the outsourcing risks and regularly oversee the execution status of outsourced operations.
2. A securities firm shall ensure that the unit-in-charge and relevant units have adequate resources, expertise, and authority over the control of outsourced operations.
3. A securities firm shall identify, evaluate, and manage outsourcing of operations deemed material, and formulate relevant policies and procedures. It shall formulate enhanced controls and emergency response measures for outsourcing arrangements that may materially impact the normal operations of the securities firm or customer interests.
4. A securities firm shall have appropriate due diligence and periodic review procedures in place to ensure that service providers possess the expertise and resources for the execution of outsourced operations, are financially sound, have internal control and information security management mechanisms, and meet regulatory requirements.
5. A securities firm shall ensure that the firm itself, the competent authority, and the Central Bank, or persons designated thereby, the TWSE, the TPEx, or the TWSA can have access to relevant data or reports of service providers and conduct financial examinations or audits with respect to the outsourced operations, or order service providers to provide relevant data or reports within a prescribed time period.
A Taiwan branch of a foreign securities firm may designate its head office or the regional headquarters authorized thereby to be responsible for and handle the matters to which the provisions of the preceding paragraph apply. However, the unit-in-charge shall still be staffed by personnel of the foreign securities firm's Taiwan branch, who shall fully understand the controls over outsourcing activities in Taiwan exercised by the head office or the regional headquarters authorized thereby.
The term "materiality" in these Directions means any of the following conditions:
1. The outsourced operation cannot be performed or there are concerns regarding information security, and such issues will materially impact business operations of the securities firm.
2. The outsourced operation is involved in a customer data security incident that has a material impact on the interests of the securities firm or customers.
3. The outsourced operation has otherwise had a material impact on the interests of the securities firm or customers.

Point 5
When conducting outsourcing of other operations approved by the competent authority in accordance with Point 3, paragraph 1, subparagraph 5 herein, a securities firm shall submit the following documents to the TWSE, TPEx, or TWSA for them to review and then forward to the competent authority for approval:
1. Internal outsourcing rules adopted in accordance with paragraph 2 of the preceding point.
2. Meeting minutes containing a resolution of the board of directors, or a letter of consent signed by an officer authorized by the head office in the case of a Taiwan branch of a foreign securities firm.
3. Necessity and legal compliance analysis of the outsourcing of business operations, evaluation of risk level and materiality of the outsourced operations and impact of the outsourcing on business and customer interests, due diligence check of service providers, and outsourcing risk management measures.
4. Operating process.
5. Other matters designated by the competent authority.
After an operation has been designated by the competent authority as eligible for outsourcing according to the preceding paragraph, other securities firms may proceed directly to conduct that outsourcing operation in accordance with their internal outsourcing rules.

Point 6
The unit-in-charge specified in Point 4, paragraph 2, subparagraph 2 herein shall carry out the following tasks:
1. Managing outsourced operations in accordance with the internal outsourcing rules set forth in accordance with Point 4 herein.
2. Supervising the outsourced operations in connection with the protection of customer interests, risk management and internal controls, conducting periodic evaluations and reviews, and submitting the findings to the board of directors or the officer authorized by the head office in the case of a Taiwan branch of a foreign securities firm. If any material irregularities or deficiencies occur, a report shall be filed with the competent authority, Central Bank, TWSE, TPEx, or TWSA as soon as possible.
3. Supervising the establishment and implementation of internal control and internal audit systems by service providers.
4. Drafting and executing measures for selecting service providers, and ensuring that an outsourced operation is a business item that the selected service provider is legally allowed to operate.

Point 7
The internal operations and procedures for protection of customer interests included in the internal outsourcing rules of a securities firm as provided in Point 4, paragraph 2, subparagraph 4 herein shall include the following contents:
1. If operations involve customer information, the agreement executed between the securities firm and the customer shall include a provision that requires that the securities firm inform the customer of the outsourcing. If the agreement does not include such a provision, the securities firm shall notify its customers of the outsourcing activity and the provisions of the Personal Data Protection Act shall apply.
2. Conditions and scope of customer information to be provided and procedural method for transferring such information.
3. Methods for supervising the use, processing, and control of the aforesaid customer information by the service provider.
4. Procedures and time limits for handling customer disputes in connection with the outsourcing activity. The securities firm shall set up a coordination unit that handles customer complaints.
5. Other necessary measures for the protection of customer interests.
A securities firm shall be held equally liable to its customer as provided by law if an intentional act or omission or negligence of its outsourcing service provider or an employee thereof results in damage to customer interests.

Point 8
The risk management principles and operating procedures set forth in the internal outsourcing rules of a securities firm as provided in Point 4, paragraph 2, subparagraph 5 herein shall include the following content:
1. Establishing a risk and benefit analysis system for outsourcing activity.
2. Establishing procedures or management measures sufficient to identify, measure, monitor, and control risks associated with outsourcing:
A. Evaluating the risk level and materiality of outsourced operations and their degree of impact on business operations.
B. Ensuring that the securities firm and the service provider possess adequate expertise and resources.
C. Considering relevant risk factors, evaluating the risk level of outsourced operations, and taking appropriate measures to mitigate risk.
D. Evaluating risk levels periodically and ensuring updating of risk levels.
E. Conducting regular or unscheduled testing or drills based on different risk scenarios for material outsourcing.
3. Establishing an emergency response plan and transfer mechanisms for the termination of an outsourcing arrangement.

Point 9
The internal control principles and operating procedures set forth in the internal outsourcing rules of a securities firm as provided in Point 4, paragraph 2, subparagraph 6 herein shall include the following contents:
1. Drawing up and implementing the operating procedures for supervising and managing the scope of outsourcing.
2. Incorporating the operating procedures in the preceding subparagraph into the overall internal control and internal audit systems of the securities firm for implementation.
3. Supervising the establishment and implementation of internal control and internal audit systems by the service provider.

Point 10
A securities firm's outsourcing agreement shall specify the following contents:
1. The scope of outsourcing and the authorities and responsibilities of the service provider.
2. A provision requiring the service provider to comply with Point 15 herein.
3. Protection of consumer rights and interests, including the confidentiality of customer data and adoption of security measures.
4. The service provider is required to carry out consumer protection, risk management, internal control, and internal audit in accordance with the standard operating procedures established under the supervision of the securities firm.
5. Consumer dispute resolution mechanisms, including the timetable and procedure for handling disputes, and remedial measures.
6. Management of a service provider's employees, including employee recruitment, promotion, performance reviews, and discipline.
7. Material events that lead to the termination of an outsourcing agreement with the service provider, including a provision on termination or revocation of the agreement if so instructed by the competent authority.
8. The service provider agrees to allow the competent authority, Central Bank, TWSE, TPEx, and TWSA to access relevant data or reports and conduct financial examination or auditing with respect to the outsourced items, or provide relevant data or reports within a prescribed time period pursuant to an order thereby.
9. The service provider shall not use the name of the outsourcing securities firm in the course of handling the outsourced items, nor shall the service provider use untruthful advertising or charge the customers any fees.
10. The service provider is required to inform the securities firm if the outsourced operation involves any material irregularities or deficiencies.
11. Other matters of agreement.
In the outsourcing agreement, the securities firm shall prohibit the service provider from subcontracting any outsourced operation unless with the securities firm's written consent. The outsourcing agreement shall specify the scope, limitations, or conditions for subcontracting by the service provider. The provisions of this Point shall be applied mutatis mutandis in the execution of the subcontracting agreement between the service provider and its subcontractor.
If any existing outsourcing agreement or sub-contracting agreement does not conform to the provisions of these Directions, the securities firm may continue its outsourcing activity under the existing agreement until it expires. However, if such agreement does not have an expiration date, the nonconformities shall be remedied within 1 year from the date these Directions are issued and enforced, or else the agreement will expire automatically.

Point 11
A securities firm that plans to outsource operations to overseas service providers shall comply with the following provisions:
1. It shall fully understand and grasp the use, processing, and control of customer information by the service provider.
2. Furnish the service provider with only necessary customer information that is directly related to the outsourced operations.
3. Require the service provider to observe the following particulars:
A. The securities firm's customer data shall be used and processed only by the authorized persons of the service provider within the scope of the outsourced operations.
B. The securities firm's customer data shall be clearly segregated from the data of the service provider and of other institutions.
C. The securities firm's customer data processed by the service provider shall be readily provided when needed to the competent authority, TWSE, TPEx, TWSA, and the securities firm.
4. The securities firm shall adopt a risk-based approach to conduct regular and unscheduled audits and to monitor the use, processing, and control of customer information by the service provider. External auditors may be engaged to conduct relevant audits. A Taiwan branch of a foreign securities firm may designate the auditing unit of its head office or authorized regional headquarters to handle audit matters. The auditing units shall provide the relevant audit reports to the Taiwan branch of the foreign securities firm.
5. When the foreign securities competent authority of the jurisdiction where the service provider is located requests the provision of information on Taiwan customers, the securities firm shall inform the Taiwan competent authority and obtain its consent in advance before such information may be provided.
If a Taiwan branch of a foreign securities firm outsources operations to its head office or overseas branches to accommodate its internal division of work, the outsourcing shall be handled in accordance with the preceding paragraph.

Point 12
If any outsourcing arrangement by a securities firm will involve offshore processing of any natural person customer business information system deemed material, the securities firm shall submit the following documents to the TWSE, TPEx, or TWSA for review and subsequent forwarding to the competent authority for approval:
1. The internal outsourcing rules adopted in accordance with Point 4, paragraph 2.
2. Meeting minutes containing a resolution of the board of directors, or a letter of consent signed by an officer authorized by the head office in the case of a Taiwan branch of a foreign securities firm.
3. Necessity and legal compliance analysis of the outsourcing of business operations, including an evaluation of the service provider's compliance with the customer data protection laws and regulations of Taiwan.
4. Outsourcing plan, which shall include the following contents:
A. Risk assessment and management mechanisms:
a. Evaluation of the risk level and materiality of the outsourced operations and the impact on business operations and customer interests.
b. Due diligence check of the service provider to ensure the reliability and legal compliance of the services provided; the reliability check shall include analysis of business continuity, substitutability, and concentration.
c. Description showing adequate expertise and resources to monitor the service provider's execution of the outsourced operations.
d. Day-to-day monitoring plans and implementation units.
B. Description of customer information protection measures and whether customer consents have been obtained to ensure the quality of outsourced services and the protection of customer interests.
C. Information security and management:
a. Description of data security management measures, data transmission and segregation, and data ownership.
b. Description of management policies with regard to the locations of data storage, including assessment of legal, political, and economic stability at the data processing and storage locations, and description of data backup and data accessibility at any time.
D. Emergency response plans, including operational contingency plans that address circumstances in which the service provider is unable to provide service or the service is disrupted.
5. Letter of consent or outsourcing agreement signed by the service provider, agreeing that when necessary a person designated by the securities firm may carry out auditing of the outsourced activities. An aforesaid designated person also may be assigned by the Taiwan competent authority at the expense of the securities firm.
6. A statement issued by the service provider certifying that it has not had any occurrence of incidents such as employee fraud, information security breach, or other incidents damaging customer interests or undermining sound operations in the last 3 years.
When conducting outsourcing under the preceding paragraph, a securities firm shall comply with the following provisions in addition to the preceding point:
1. It shall ensure that the use, processing, and management of customer information by the service provider comply with Taiwan's Personal Data Protection Act, retain complete audit trails, and include these compliance matters among its key audit items.
2. It shall periodically evaluate cost-benefit and the reasonableness of expense allocation within the group and submit the report to the board of directors for approval.
3. The standards for information system security testing shall be no less rigorous than the requirements set forth by the competent authority, TWSE, TPEx, or TWSA.
4. It shall conduct one routine audit and one special audit at least annually. The offshore outsourcing audit reports for the current year shall be submitted to the board of directors within 4 months after the end of each year. The aforementioned audits may be performed by an independent third party specializing in information technology.
5. It shall establish operational contingency plans that address circumstances in which the service provider is unable to provide the service or the service is disrupted.
6. It shall specify in the outsourcing agreement, with respect to any circumstance in which an outsourced service is transferred to another service provider or transferred back to the securities firm, the service provider's obligations regarding system migration and handling of data, as well as the service provider's liability for damages in case of service disruption.
If a Taiwan branch of a foreign securities firm outsources operations to its head office or overseas branches to accommodate its internal division of work, the outsourcing shall be handled in accordance with paragraph 1.

Point 13
A securities firm shall comply with the following rules when its outsourced operations involve cloud-based services:
1. It shall formulate policies and principles for using cloud-based services, adopt appropriate risk control measures, and ensure appropriate diversification of operations outsourced to cloud service providers.
2. The securities firm is ultimately responsible for the monitoring of cloud service providers and it shall have the expertise and resources to supervise the cloud service providers' execution of outsourced operations. It may also request professional third parties to assist in monitoring operations as needed.
3. The securities firm may appoint an independent third party with expertise in information technology at its sole discretion or in conjunction with other securities firms that outsource to the same cloud service provider to conduct audits, subject to the following requirements:
A. The securities firm shall ensure that the audit scope includes important systems and control measures related to the operations outsourced to the cloud service provider.
B. The securities firm shall evaluate the suitability of the third party and verify that the contents of an audit report submitted by a third party meet the relevant international standards of information security and privacy protection.
C. The third party shall conduct the auditing based on the scope of the operations outsourced by the securities firm and issue an audit report.
4. When the securities firm transmits and stores customer data at a cloud service provider, it shall adopt customer data encryption, tokenization, or other effective protection measures and it shall also establish appropriate encryption key management mechanisms.
5. The securities firm shall retain complete ownership of data outsourced to cloud service providers for processing. The securities firm shall ensure that the cloud service provider does not have the authority to access customer data except for the execution of the outsourced operations and it may not use the data for purposes outside the scope of the outsourced operations.
6. With respect to customer data processing by cloud service providers and the data storage locations, the following rules shall be observed:
A. The securities firm must retain the right to designate the location for the processing and storage of the data.
B. The local data protection laws and regulations at the offshore location shall be no less rigorous than the requirements in Taiwan.
C. The customer data involving natural person customer business information systems deemed material shall be stored in a location within Taiwan in principle. If located offshore, backups of important data of customers shall be retained in Taiwan unless otherwise approved by the competent authority.

Point 14
When a securities firm outsources the following operations, the preceding three points shall not apply:
1. When it outsources the operations of its foreign branches.
2. When it outsources the development and maintenance of onshore information systems to offshore institutions.

Point 15
When outsourcing operations, a securities firm shall not violate any mandatory or prohibitive provisions, public order or good morals, and there shall not be any adverse impact on its business operations, management, or the interests of its customers. A securities firm shall also ensure that the Securities and Exchange Act, Money Laundering Control Act, Personal Data Protection Act, Financial Consumer Protection Act, and other applicable laws and regulations are complied with.
When outsourcing operations, a securities firm shall strictly observe applicable laws and regulations and the business rules or self-regulatory agreements set forth by the TWSE, TPEx, and TWSA.

Point 16
The competent authority, Central Bank, TWSE, TPEx, and TWSA may access relevant data or reports and conduct financial examination or auditing on the outsourced operations of a securities firm.
If a service provider violates these Directions or other laws and regulations, the competent authority may, depending on the severity of the case, instruct the outsourcing securities firm to terminate the outsourcing arrangement pursuant to the outsourcing agreement, request the service provider to make improvement within a given period of time, or suspend the outsourcing arrangement until improvement made by the service provider is confirmed.

Point 17
For the matters required to be reported to the competent authority for approval under Point 5, paragraph 1 and Point 12, paragraph 1 herein, a securities firm that has entered into a contract with the TWSE for use of the centralized securities market shall first submit the matters to the TWSE; if a securities firm has only entered into a contract for trading securities on the TPEx, it shall first submit the matters to the TPEx; if a securities firm has not entered into either of those contracts, it shall first submit the matters to the TWSA, respectively, for review and forwarding to the competent authority for approval.

Point 18
Unless otherwise provided in these Directions, a securities firm shall bring its existing outsourcing activities that do not conform to the provisions herein into compliance with these Directions within 1 year following the issuance and implementation of these Directions.