Legislative: |
5. Amended on 30 July, 2024 |
Content: |
3. The outsourcing of business items that an insurance enterprise may engage in pursuant to insurance laws and regulations or operations related to customer information by an insurance enterprise, unless otherwise provided by laws or regulations, shall be limited to the following:
(1) Data entry, processing, output and delivery of information system, development, monitoring, control, and maintenance of information system, and logistical support for data processing in connection with the insurance enterprise's business.
(2) Conducting checking and investigation relating to insurance contract, consumer opinion survey, and customer follow-up by telephone.
(3) Production, delivery, safekeeping and disposal of forms and documents, such as insurance policy, renewal notice, notice of premium payment, notice of suspension in coverage, proof of annual premium payment and other forms and documents relating to the performance of insurance contract and lending operations.
(4) Overseas emergency assistance and roadside assistance services in connection with benefits under the insurance contract.
(5) Collection of premiums, principal and interest payments on policy loans, other payments related to insurance contracts, or principal and interest payments on other loans.
(6) Collection of debts.
(7) Electronic customer services, including automated voice systems, phone answering service, answering and processing customer e-mails, and electronic commerce related inquiry service and assistance.
(8) Land registration or real estate management services, and disposal of collateral from the assumption of debts.
(9) Repossessing and auctioning automobiles with overdue payment on a car loan (excluding the determination of the floor price for such auctions).
(10) Valuation, classification, bundling and sale of non-performing loans; provided such outsourcing agreement stipulates that the service providers and their employees involved in the outsourcing agreement shall not engage in any work or provide any consulting or advisory services which give rise to a conflict of interest with the outsourced services during the term of such outsourcing agreements or during a reasonable period of time after termination/expiry thereof.
(11) Other operations approved by the competent authority for outsourcing.
Except for outsourcing operations stipulated in subparagraph 6 and subparagraph 11 of the preceding paragraph where an insurance enterprise is required to apply to the competent authority for approval pursuant to Point 10 herein, an insurance enterprise shall file its outsourced operations, content and scope in a manner prescribed by the competent authority with the competent authority or an institution designated by the competent authority for other outsourcing operations stipulated in each subparagraph of the preceding paragraph.
18. An insurance enterprise shall comply with the following rules when its outsourced operations involve cloud services:
(1) The insurance enterprise shall formulate policies and principles for using cloud services, adopt appropriate risk management and control measures, and heed the proper diversification of operations outsourced to cloud service providers.
(2) The insurance enterprise shall take the ultimate responsibility for the supervision of cloud service providers and shall possess the professional skills and resources to supervise the cloud service providers’ execution of outsourced operations. If necessary, it may request professional third parties to assist in their supervision operation.
(3) The insurance enterprise may appoint an independent third party with expertise in information technology at its sole discretion or together with other insurance enterprises and other financial institutions that outsource to the same cloud service provider to conduct audits and shall comply with the following rules:
A. Ensure that its audit scope covers important systems and control points related to the operations outsourced to the cloud service provider.
B. Evaluate the eligibility of the third party, and verify that the contents of the audit report produced by the third party are appropriate and meet the relevant international standards of information security and privacy protection.
C. The third party shall conduct an audit based on the scope of outsourced operations and produce an audit report.
(4) Where the insurance enterprise transmits and stores customer information at the cloud service provider, it shall adopt customer data encryption, tokenization, or other effective protection measures and establish appropriate encryption and key management mechanisms.
(5) The insurance enterprise shall retain complete ownership of data outsourced to cloud service providers for processing. The insurance enterprise shall ensure that the cloud service provider does not have the right to access customer data except for the execution of outsourced operations and that the cloud service provider may not use the data for purposes outside the scope of outsourced operations.
(6) The location for processing and storing customer data outsourced to a cloud service provider shall be in accordance with the following rules:
A. The insurance enterprise shall retain the right to designate the location for data processing and storage.
B. The data protection regulations in the above location shall be no less stringent than the R.O.C. requirements.
C. The storage location of customer data for business information systems deemed material related to natural person customer shall, as a principle, be within the territory of the R.O.C. If such data is stored overseas, except with the approval of the competent authority, important customer data shall be backed up and retained in the R.O.C. |