| Content: |
Chapter 1 General Principles
Article 1
These regulations are enacted in accordance with Article 51 of Financial Holding Company Act; Paragraph 1, Article 45-1 of Banking Act; Paragraph 1, Article 21 of Credit Cooperatives Act; Article 43 of Act Governing Bills Finance Business; Paragraph 3, Article 42 of Trust Enterprise Act.
Article 2
The "banking business" referred to in these regulations include banking institutions, credit cooperatives, bills and trust business.
Unless otherwise regulated, the internal control and internal audit system for financial and bills and trust business other than banking business shall also be governed by these regulations.
Article 3
A financial holding companies or banking business shall establish internal control and internal audit systems and ensure the on-going and effective operation of the system to promote the sound business operation of financial holding companies (including its subsidiary companies) and the banking business.
Financial holding companies (including its subsidiary companies) and banking business shall organize overall operation strategies, risk management policies and guidelines, draft operation plans, risk management procedure and execution guidelines.
Article 4
The primitive objectives of a financial holding company's internal controls are to promote sound operations and, through joint compliance by the board of directors, management, and all personnel, to reasonably ensure that the following objectives are achieved:
A. Effectiveness and efficiency of operations;
B. Reliability of financial reporting; and
C. Compliance with applicable laws and regulations.
The objective of effectiveness and efficiency of operations referred to in subparagraph 1 of the preceding paragraph includes objectives such as profits, performance, and safeguarding asset security.
The "reliability of financial reporting" referred to in subparagraph 2, paragraph 1 includes the insurance of external financial reports are edited with the General Accepted Accounting Principle (GAAP), and transactivities should obtain appropriate permissions.
Article 5
The internal control system of a financial holding company or a banking business should be supported by the board of directors. If the board has opposite opinions or retain their opinions, these opinions and reasons should be notified clearly in meeting minute and sent, together with the internal control system passed by the board, to the auditor (supervisors or the board of supervisors) or to the audit committee
. The same procedure should be applied if any revisions are needed.
Chapter 2 The Design and Execution of Internal Control System
Article 6
A financial holding company or a banking business should establish an internal audit system, self-inspection system, regulatory compliance system, and risk management system and ensure their on-going and effective operation.
Article 7
The internal control system of a financial holding company (including its subsidiary company) and a banking business shall incorporate the following principles:
A. Management oversight and the control culture:
The board of directors shall have responsibility for approving and periodically reviewing overall business strategies and major policies, and shall be ultimately responsible for ensuring that an adequate and effective system of internal controls is established and maintained; senior management shall have responsibility for implementing business strategies and policies approved by the board of directors, for developing processes that identify, measure, monitor, and control risks incurred by the financial holding company or its subsidiaries, for setting appropriate internal control policies, and for monitoring their effectiveness and adequacy.
B. Risk recognition and assessment: An effective internal
control system requires that the material risks that could adversely affect the achievement of the overall goals of the financial holding company or its subsidiaries are being recognized and continually being evaluated, and that corresponding measures are being taken to limit relevant risks to a sustainable level.
C. Control activities and segregation of duties: Control activities shall be an integral part of the daily operations of a financial holding company. An appropriate control structure shall be set up, with internal control processes defined at every business level. An effective internal control system requires that there is appropriate segregation of duties and that management and employees are not assigned conflicting responsibilities.
D. Information and communication: A financial holding company (including its subsidiary company) and a banking business shall maintain adequate and comprehensive internal financial, operational and compliance data that shall be reliable, timely, easily accessible and offered in a consistent format, and shall also establish effective channels of communication.
E. Monitoring activities and correcting deficiencies: A financial holding company shall monitor the effectiveness of its internal controls on an ongoing basis. Any identified internal control deficiencies found by the people in managerial level, business operation units, internal audit level, or other internal control level shall be reported in a timely manner to the appropriate management level, and any significant internal control deficiencies identified on the part of the financial holding company or its subsidiaries shall be immediately reported to senior management and the board of directors and be promptly addressed.
Article 8
The internal control system shall cover all business activities, include appropriate policies and procedures as follows, and shall be reviewed and revised in a timely manner:
A. Organizational chart or corporate rules and bylaws, including a clear organizational system, unit functions, scope of operations for each unit, and rules governing authorizations and hierarchical delegation of responsibilities.
B. Related operational guidelines and procedural manuals, including:
(A) Investment guidelines.
(B) Customer data confidentiality.
(C) Regulation on interested party transactivities.
(D) Shares management.
(E) Management of the adoption of the International Financial Reporting Standards (IFRSs) shall apply, Workflow of preparing accounting and financial statements and administration of general affairs, information, and personnel affairs (for a banking business, it should contain regulations for regular transfer and vacation).
(F) Management of operations for disclosing information externally.
(G) Management of financial examination report.
(H) Management of protection of financial consumers.
( I ) Other operational guidelines and operating procedures.
The business regulations and handling guides of a financial holding company shall also include the management and collaborated marketing management of its subsidiary company.
The business regulations and handling guides of a banking business should also include affairs concerning cashier, savings, exchange, loaning, foreign currency, new financial products, and outsourcing task management.
The business regulations and handling guides of a credit cooperative should also include affairs concerning cashier, savings, loaning, exchange, and outsourcing task management.
The business regulations and handling guides of a bills business should also include business such bills, bonds, and new financial products.
The template for the operation guides of a trust business should be stipulated by the trust association of R.O.C with contents specifying business operation procedure, accounting operation procedure, computer operation procedure, personnel management system, and other items. A trust business should establish its operation guidelines based on the reference template and make regular revisions in accordance with the alterations in legal regulations, business items, and business procedure.
The internal control system of a financial holding company and Banking enterprise whose stock is listed on the stock exchange or traded over the counter shall include the Management of the operations of the remuneration committee.
A financial holding company or a banking business should set up the control tasks on their subsidiary companies in their internal control system. If the subsidiary company resides in a foreign country, the mother company should consider the local applicable regulations issued by the government where the subsidiary company is in and the actual nature of its operation in order to supervise the subsidiary company to establish its own internal control system.
For the stipulation, revision, or abolition of all task and management regulations mentioned in the preceding eight paragraphs, it requires the participation of legal compliance, internal audit, and risk management agencies.
Chapter 3 The inspection of internal control system
Section 1 Internal audit
Article 9
The purpose of internal audit is to assist the board of directors and the managerial level to verify and evaluate whether the operation of internal control system works effectively and smoothly and provide appropriate suggestions for revision, which can ensure the on-going performance of effective internal control and serve as the basis of internal control system revisions.
Article 10
A financial holding company or a banking business should set up an internal audit unit that is directly subsidiary to the board of directors, which should perform audit business independently and honestly. The unit is required to report its audit business to the board of directors and supervisors (supervisors, board of supervisors) or audit committee at a minimum period of every six months.
A financial holding company or a banking business should establish a chief auditor system to manage all audit business. The chief auditor should possess sufficient leadership and ability to carry out effective audit work, whose qualification should be equal to the conditions set for the responsible people of each section and has the power as an general co-manager. The auditor is not allowed to take a job that will cause conflicts or limitations to the audit work.
The employment, dismission, or transfer of the chief auditor should obtain over two-thirds of the agreement from the board of directors and report to the competent authority for ratification. The employment, dismission, promotion, bonus and punishment, and assessment of the internal audit personnel should be reported by the chief auditor and verified by the director of the board. However, if the report involves personnel of other management and business units, the chief auditor should consult with the personnel unit first and obtain the agreement from the general manger before sending to the director of the board for further verification.
The regulations in Paragraph 1 to 3 of this article doesn't apply to a company who operates financial and trust business concurrently other than a banking business.
The chief auditor of a financial holding company is allowed to, if required by business, dispatch the internal auditors of a subsidiary company to conduct the internal audit task on the financial holding company or its subsidiary company. The chief auditor should also take up the final responsibility to ensure appropriate and effective internal audit system in the financial holding company or its subsidiary company.
Article 11
When any of the following circumstances applies to a chief auditor in overseeing internal audit work, the competent authority may, having regard to the seriousness of the event, issue an official reprimand, order the chief auditor to make improvements within a specified time limit, or otherwise order the financial holding company to release the auditor general from duty.
A. Has made any improper loan extension, been involved in a material breach of the principles for giving credit, or otherwise engaged in any improper transfer of funds with customers, as established by factual proof.
B. Has abused authority of office, there is evidence showing that he or she has carried out improper activities, or he or she has misused power, in an attempt to seek profits for him or herself or for a third party, or to damage the interest of its belonging financial company (including its subsidiary company) or banking business; and therefore, his or her abuse or misuse of power has thus cause losses for its belonging financial company or its subsidiary company or banking business or a third party. .
C. The auditor disclose, deliver, or publicize all or part of the contents of its financial examination reports to a person not related to such job without the consent from the competent authority.
D. Has failed to notify the competent authority of any significant malpractice that due to poor internal management has occurred in the financial holding company (including its subsidiary company) or the banking business.
E. Has failed to disclose in an internal audit report any significant deficiency identified in the financial and business operations of the financial holding company (including its subsidiary company) or the banking business.
F. Has issued a fraudulent internal audit report on internal audit findings.
G. As a result of obviously insufficient staffing or staffing operations by obviously incompetent internal auditors in the financial holding company (including its subsidiary company) or banking business, has failed to identify a serious deficiency in financial and business operations.
H. Has failed to follow the instructions of the competent authority in conducting audit work or in providing relevant information.
I. Has otherwise committed any act that impairs the reputation or interests of the financial holding company (including its subsidiary company) or the banking business.
Article 12
A financial holding company or a banking business shall, after having regard to its investment scale, business condition (the number of its branches and amount of business), management needs, and relevant provisions of acts and regulations, staff competent persons in an appropriate number as full-time internal auditors who shall perform their duties in a detached, independent, objective, and impartial manner.
An internal auditor of a financial holding company or a banking business shall meet the following qualification requirements:
A. Have no less than two(2) years of experience in financial examination; or have graduated from a junior college, college, or university or passed a senior civil service examination or an examination equivalent to senior civil service examination and have no less than two(2) years of experience in financial operations; or have no less than five (5) years of experience in financial operations. A person is deemed as meeting such requirements if he or she has worked as a professional, such as an auditor in an accounting firm, or a programmer or system analyst in a computer company for no less than two(2) years, and has received no less than three(3) months of training in financial operations and administration. However, the number of this type of auditor cannot exceed one-third of the total auditors.
B. Free of any record of demerit or more serious from employer in the last three(3) years, unless the demerit record was a result of joint and several disciplinary action on account of the violation or offense of another person, and the demerit has been offset by other merits; and
C. If a lead auditor, have no less than three(3) years of experience in auditing or financial examination, or have no less than one(1) year of experience in auditing and no less than five(5) years of experience in financial business.
The financial holding company or the banking business shall examine at all time whether the internal auditors have violated the regulations in the preceding two paragraphs. If the auditor has violated the rules, the company should order the auditor to make improvement within two(2) months and should be transferred to other job if he or she fails to make such improvement.
Article 13
The internal auditors of a financial holding company or a banking business shall perform their duties in good faith, and may not do any of the following:
A. Conceal or make false or inappropriate disclosures of any of the financial holding company's or the banking business's business activities, financial reporting, or compliance with acts and regulations that they know to directly cause damage to any interested party.
B. Act beyond the scope of audit functions or engage in other improper activities, or externally disclose any acquired information, attempt to profit therefrom, or otherwise use the information against the interest of the financial holding company (including its subsidiary company) or a banking business.
C. Cause losses to the financial holding company (including its subsidiary company) or the banking business or harm the interests of its stakeholders due to negligence.
D. Conduct audit work within one(1) year to the department where the auditor used to work at.
E. Fail to recuse himself or herself from auditing of cases or business within the scope of his or her past duties or matters in which he or she has a personal interest.
F. Accept any improper entertainment or gift or other improper benefit provided by its employees or customers of the same financial holding company (including its subsidiary company) or the banking business.
G. Fail to audit matters that the competent authority has instructed to him or her to audit or to provide relevant information.
H. Any other violation of an act or regulation, or practice prohibited by the competent authority.
The financial holding company or the banking business should examine at all time whether the internal auditors have violated the regulations in the preceding two paragraphs. If the auditor has violated the rules, the company should order the auditor to make improvement within one(1) month and should be transferred to other job if he or she fails to make such improvement.
Article 14
The internal audit unit shall undertake the following tasks:
A. Plan the organization structure, size and duty of the internal audit unit. Prepare internal audit working manuals and working papers, which shall at least include assessing the various rules and operating procedures of the internal control system to determine whether adequate internal controls are already in place in the current rules and procedures, whether each department has realistically carried out the internal controls, and whether the internal controls are carried out in a reasonably effective manner, and from time to time provide recommendations for improvement.
B. Monitor the formulation of rules and procedures for self-inspection and assessments of the internal control system by business and management units, and the implementation of periodic self-inspection by each unit.
C. Formulate annual audit plans and, based on the business risk profile of and implementation of internal audits by each subsidiary or department, determine audit plans targeted at each individual subsidiary or department.
For the purpose of self-inspecting its internal control system, a financial holding company (including its subsidiary companies) or a banking business shall see to it that all of its internal departments and subsidiaries carry out self-inspection, and have its internal audit unit review the self-inspection reports of each department and subsidiary (including its subsidiary companies if it is a financial holding company); such self-inspection, together with the reports on the correction of any deficiencies and irregularities discovered in the internal control system by the internal audit unit, shall serve as a basis for the board of directors, president, chief auditor, and chief compliance officer to evaluate the overall efficacy of the internal control system and to issue internal control system statements.
Article 15
A banking business shall conduct a routine audit at least annually, and a special audit on its and all its subsidiaries' operation, finance, asset quality and information departments; a special audit at least annually on other management departments; a routine audit at least annually on its all business centers, foreign business units and foreign subsidiary companies. The auditing method for a foreign office can be replaced with a report auditing or adjust the auditing frequency flexibly.
The contents of the routine audit or the special audit, which is performed by the audit unit of a banking business to its business unit, should cover whether there are improper marketing activities when dealing with trust business, financial management, and the sale of financial products; whether the contents of the products are clearly disclosed; whether the risks are well notified; whether the contract is fair and other obligations are performed appropriately following the law or self-regulatory guidelines.
The internal auditing unit of a financial holding company shall conduct a routine audit at least annually; a special audit on its finance, risk management, and compliance with applicable acts and regulations at least semiannually; where the routine business has covered the scope of the special audit and its audit results reveal no significant deficiency, and it expressly states such in the internal audit report, it is not required to conduct a special audit for that current half-year.
The internal audit unit should include the execution status of the regulatory compliance system into the routine audit or special audit of the business and management units.
Article 16
A financial holding company or a banking business shall formulate annual audit plans and, based on the business risk profile of and implementation of internal audits by each subsidiary, determine audit plans targeted at each individual subsidiary.
The internal audit unit of a financial holding company or a banking business, except those foreign branches of a banking business and other business ratified by the competent authority, conduct a target audit on its subsidiaries' finance, risk management, and compliance with applicable acts and regulations at least semiannually and incorporate the audit results into its annual audit project.
All subsidiaries shall submit to the financial holding company or the banking business their board meeting minutes, CPA audit reports, examination reports issued by the financial examination agency, and other relevant materials, and, for subsidiaries having established an internal audit unit, audit plans and reports on significant deficiencies identified in internal audit reports and the status of improvements thereof; the mother company shall review such documents and monitor the implementation of improvements by each subsidiary.
The chief auditor of a financial holding company or a banking business shall periodically evaluate the efficacy of the internal control activities of a subsidiary as set forth in the preceding paragraph and, after having reported to the board of directors, send the evaluation results to the relevant subsidiary's board of directors for their reference in personnel evaluations.
Article 17
A financial holding company or the banking business shall disclose at least the following information in its internal audit report for routine business audits.
A. Audit scope; summary commentary; financial status; capital adequacy; operation performance; asset quality; management of shares; management of the operation of board of directors; compliance with major acts, regulations, and rules; internal controls; interested party transactions; the control and internal management of all business tasks; protection and management of customers' data; information management; management of customer data confidentiality; protection measures of consumers and investors and the results of self-inspection, and the evaluation to above matters.
B. Opinions for the major illegal errors or faults in all departments, and the suggestions for punishment for employees fail to fullfill their duties.
C. The exmination comments or faults listed by the financial examination agency, accountants, internal audit unit (including the internal audit unit of the mother company), and self-inspection people, and the improvement status of items that enlisted as 'need further improvement' by the internal control statement.
The record of the results in working papers shall be preserved together with the self-inspection or internal audit reports and relevant materials for no less than five(5) years.
Article 18
Where a financial holding company or a banking business makes any concealment of poor internal management, unsatisfactory internal controls, inadequate implementation of the internal audit system and regulatory compliance system, or the results of implementation of improvement of any deficiency specified by a financial examination agency in an examination opinion requiring review and follow-up, or the internal audit unit (including the internal audit unit of parent company) otherwise conceals any audit findings, and where such concealment constitutes significant malpractice, the personnel involved shall be held responsible for negligence in their duties. A financial holding company (including its subsidiaries) or a banking business shall commend an internal auditor who identifies any significant malpractice or negligence and thereby averts material loss to the company.
When a significant deficiency or malpractice arises within the management or business departments of a financial holding company or a banking business, the internal audit unit shall have the power to suggest penalties and shall make a full disclosure of the responsible negligent personnel in an internal audit report.
Article 19
The internal audit report of a financial holding company or a banking business shall be delivered to the supervisors (supervisors, board of supervisors) for review and, within two(2) months following completion of the audit, submitted to the competent authority by letter. The audit report shall also be delivered to the independent directors if such positions are set up by the financial holding company or the banking business.
Article 20
Before assuming the following post, the person should enroll in the following trainings held by the institutes recognized by the competent authority and obtain completion certificate from them:
A. When acting as an internal auditor for the first time, the auditor should participate in the audit training course, computer audit training course or billing audit training course for no less than sixty (60) hours. The auditor should also pass the exam and obtain the completion certificate.
B. An internal auditor with leadership duty should participate in the internal auditor leader train course for no less than nineteen (19) hours.
C. The chief auditor and official, deputy managers should participate in audit manager training course for no less than twelve (12) hours.
Internal auditors (including the official, deputy managers and chief auditor) of a financial holding company (including its subsidiary companies) or a banking business (including the parent company) each year shall attend a finance-related professional training held by a competent authority-designated institution or by the financial holding company or a subsidiary thereof. For the minimum number of training hours, the total hour should be no less than twenty(20) for the official, deputy managers and chief auditors; no less than thirty(30) for the other internal auditors. If an auditor has obtained an international internal auditor certificate within the current year, the certificate can be transferred to the training hours.
The total hour of a finance-related professional training held by a competent authority-designated institution shall not be less than half of the training hours in the preceding paragraph.
For an auditor stationed overseas, the training hours can be recognized by enrolling with a financial training institute established by the local regulations and acts.
The financial holding company or the banking business should organize self-inspection programs for every year and continue proper training courses for auditors in accordance with the nature of each department.
A financial holding company or a banking business shall verify that its internal auditors meet the qualification requirements set forth herein. The verification documentation and records for such purpose shall be kept on file for future reference.
Article 21
A financial holding company or a banking business shall, in a prescribed format and via an Internet-based information system, file with the competent authority for recordation the information on the name, age, educational background, experience, seniority, and training of its internal auditors by the end of January each year.
When preparing the basic information of internal auditors, the financial holding company or the banking business should verify whether these auditors have met the requirements stipulated in Paragraph 2, Article 12 and Article 20. If the auditor fails to meet the requirements, it should be improved within two(2) months, if not, the auditor should be re-assigned to another job.
Article 22
A financial holding company shall, in a prescribed format and via an Internet-based information system, file with the competent authority for recordation its next year's audit plan by the end of each fiscal year and a report on the execution of its preceding year's annual audit plan within two(2) months from the end of each fiscal year.
By the end of each accounting year, the financial holding company or the banking business shall deliver a written audit plan for the next year to the supervisors (supervisors, board of supervisors) or the audit committee for examination and compilation. If the company doesn't have an audit committee, the report shall be delivered to the independent directors for comments. The annual audit plan and changes thereof shall be approved by the board of directors.
The contents of audit plan mentioned in the preceding paragraph shall at least include: an explanation of the audit plan, annual audit points, units that will receive the audit, nature of audit (routine audit or special audit), and whether the frequency of audit comply with the regulation of the competent authority. If the audit is a special audit, then it is necessary to notify the range of audit.
Article 23
A financial holding company or a banking business shall, in a prescribed format and via an Internet-based information system, file with the competent authority for recordation its improvements of deficiencies and irregularities identified in the internal control system during the preceding year's internal auditing, within five(5) months from the end of each fiscal year.
Article 24
For a banking business, officers at various levels with the authority to approve business and transactions shall meet any of the requirements below prior to taking office:
A. Have served as auditors in the internal audit unit and worked for over one(1) year with actual auditing affairs.
B. Have enrolled in the audit training course or computer audit training course held by a competent authority-designated institution and passed the exam and obtained the completion certificate.
C. Obtaining the qualification certificates in banking business internal control and internal audit exam held by a competent authority-designated institution. The contents of the exam should be similar to the contents mentioned in the preceding paragraph.
For the heads of individual levels at foreign business units that have authorization in business or transactions, they are allowed to enroll in professional audit training held by a foreign professional institute or obtain a similar certificate from a foreign institute to replace the certificate mentioned in Paragraph 1.
When acting as the manager of a local business unit, the manager should meet the conditions listed in Paragraph 1, besides, if the manager qualifies the conditions in Subparagraph 2 or 3 of Paragraph 1, the manager should participate in more than four(4) times of audit practices with the internal audit unit before actually assuming the post or within six(6) months after assuming the post. Each practice should be responsible for as least one(1) item, practicing at least four(4) items, write a report on the practice, and send to the chief auditor for verification. The chief auditor should present a certificate and keep the report for further reference.
For the heads of individual levels in the banks of a foreign bank in Taiwan, if they are responsible for tasks involving the authorization in business or transactions, and they have finished the internal audit trainings requirement by the bank, when the training is higher than the requirements listed in Paragraph 1, then they can be exempt for the regulations in this article.
Section 2 The Examination of self-inspection and Statement for Internal Control System
Article 25
The banking business should establish a self-inspection system. The bank shall conduct a self-inspection on all business, financial, asset safekeeping, information, and foreign business units at least semiannually; a special self-inspection at least every month. However, if the company has conducted a routine self-inspection, an internal audint unit (including the internal audint unit of the mother company) has conducted a routine business audit, a financial examination agency has conducted a routine business audit or self-evaluation on affairs concerning compliance with applicable acts and regulations in that month, a special self-inspection can be exempted in that month.
All departments and the subsidiaries of a financial holding company should conduct a self-inspection on internal control system at least annually; a legal compliance self-inspection at least semiannually.
For the self-inspection affairs mentioned in the preceding two paragraphs, the head of the unit should assign a person of another duty to conduct the audit and be kept secret.
The results of self-inspections mentioned in paragragh 1 and 2 shall be made as working papers and shall be preserved together with the self-inspection or internal audit reports and relevant materials for no less than five(5) years.
Article 26
The internal audit unit (including the internal audit unit of the mother company) shall continually conduct follow-up reviews on any examination opinions or audit deficiencies brought up by the financial examination authority, CPA, or internal audit unit, and on matters specified in the internal control system statement as requiring stronger improvement efforts, and submit a written report on the implementation of improvement of deficiencies to the board of directors, together with a copy to the supervisors (supervisors, the board of supervisors), and list these as an important factor in the relevant department's performance evaluations.
The major points of audit task for a financial holding company or a banking business should be prescribed by the competent authority.
Article 27
A financial holding company or a banking business shall supervise all departments (for the financial holding company, including its subsidiaries) to carefully assess and review the status of the operation of its internal control system, and, separately for self-inspection results and internal audit reports, submit internal control system statements jointly signed and issued by the chairperson, general manger, chief auditor, and compliance officer (as per attachment) to the board of directors for approval, and subsequently within three (3) months from the end of each fiscal year disclose the information contained therein on the company's website and publish the same on a website designated by the competent authority.
The internal control system statement under the preceding paragraph shall be duly published in the annual report, stock issue prospectuses, and other prospectuses.
The regulations in Paragraph 1 are not applicable to the banking business taken over by the competent authority.
Section 3 The Audit of a Banking Business by an Accountant
Article 28
If the annual financial report of a banking business is audited and certified by an accountant, the business should also delegate the accountant to conduct a audit on its internal control system. The accountant should also comment on the correctness of the report submitted to the competent authority for the banking business, the execution status of internal control system and regulatory compliance system, and the appropriateness of policies for loan loss reserves.
The audit fees for the accountant should be negotiated by the banking business and the accountant. The business should pay the accountant as negotiated.
The regulations in Paragraph 1 are not applicable to the banking business taken over by the competent authority.
Article 29
When necessary, the competent authority is allowed to invite the banking business and its delegated accountant to conduct further discussion concerning the affairs of such audit. If the competent authority finds the delegated accountant is not competent for the audit affairs delegated by the business, the authority should demand the banking business to alter the delegation to another accountant for another audit.
Article 30
When an accountant conducts audit affairs following the regulations of Article 28, the accountant should inform the competent authority immediately when the following conditions are found:
A. During the process of audit, the business fails to provide the required reports, certificates, books of accounts, and meeting minutes for the accountant, or refuses to make further explanation on the queries submitted by the accountant, or there are other objective environment restrictions to cause the accountant unable to continue his or her audit work.
B. When there are severe false, forged data, or missing in its accounting or other records.
C. Its assets are insufficient to pay its debts or its financial condition is worsened.
D. There is evidence indicating that its transactions will cause great damage to the bank's net asset.
If an audited banking business has conditions listed in Paragraph 2 to 4, the accountant should submit in advance a summary report to the competent authority based on the auditing results.
Article 31
When a banking business delegates an accountant to conduct the audit affairs listed in Article 28, the business should provide the accountant audit report of last year to the competent authority by the end of April in each year for future reference. The report should at least entail the range, basis, procedure, and results of the audit.
When a credit cooperative conducts such affair following the preceding paragraph, the report should be submitted and transferred by the finance deparment of municipality or the finance bureau of county (city) government.
When the competent authority has queries concerning the contents of the audit report, the accountant should provide relating information and explanation based on facts.
Section 4 legal compliance System
Article 32
A financial holding company or a banking business shall set up a compliance unit under the president to take charge of the planning, management, and execution of the regulatory compliance system. Another high level manager shall also be assigned to act as the chief compliance officer for the head office to conduct the compliance affairs. The officer should make a report to the board of directors, supervisors (supervisors, board of supervisors) or the audit committee at least semiannually.
The chief compliance officer at a financial holding company or the head office of a banking business may not hold internal posts other than that of chief legal officer. However the preceding provision does not apply to credit cooperatives if it is otherwise provided by the competent authority.
The chief compliance officer at a financial holding company or the head office of a banking institution shall meet the qualification requirements set out respectively in Article 6 of the Regulations Governing Qualification Requirements for the Promoter or Responsible Persons of Financial Holding Companies and Concurrent Serving Restrictions and Matters for Compliance by the Responsible Persons of a Financial Holding Company and in Article 5 of the Regulations Governing Qualification Requirements and Concurrent Serving Restrictions and Matters for Compliance by the Responsible Persons of Banks, and the post of chief compliance officer shall be comparable to that of vice president.
The financial holding company or the head office of the banking business, domestic and foreign business units, information department, capital safekeeping department, and other management departments should assign personnel to act as the chief compliance officer to take charge of related affairs.
The chief compliance officer and personnel of the compliance unit of a financial holding company and the head office of a banking business shall attend at least fifteen (15) hours of training a year offered by institutes recognized by the competent authority or held internally by the financial holding company (including its subsidiaries) or the banking business (including its parent company), and the training courses shall cover at least the latest regulatory amendments, new businesses or new financial products launched.
Financial holding companies and banking businesses should file the list of head office chief compliance officer and personnel of compliance unit and their training records with the competent authority via an online information system.
Article 33
The head office and branches of a banking business should establish counseling and communication channels for compliance matters to keep employees informed of rules and regulations, swiftly clarify any questions of the employees on compliance matters, and ensure regulatory compliance.
The compliance unit of a financial holding company or banking business should analyze the causes of significant deficiency or malpractice in compliance matters within respective departments and propose recommendations for improvement. The report produced thereof shall be signed off by the president and then submitted to the board of directors for approval.
Article 34
A compliance unit should conduct the following tasks:
A. Establishing a system for clear and adequate conveyance, consultation, coordination and communication of compliance matters.
B. Keeping operating and management rules and procedures updated in line with relevant regulations to make sure all business activities comply with regulatory requirements.
C. Before a banking business introduces a new product or service, or applies to the competent authority for approval to offer a new business, the chief compliance officer shall issue and sign an opinion statement undertaking that the new product, service or business complies with applicable regulations and internal rules.
D. Drafting rules and procedures for evaluating regulatory compliance and overseeing the periodic implementation of self-evaluation by respective units; assessing the compliance self-evaluation operations of respective units and producing a report thereon, which, after being signed off by the president, will be used as reference in the performance evaluation of the unit.
E. Providing pertinent regulatory training to employees.
The internal audit unit may draft the rules and procedures for evaluation of compliance by its subordinate units and perform self-evaluation of compliance by its subordinate units, to which the provisions in Subparagraph D of the preceding paragraph do not apply.
If a banking business has a foreign branch, the compliance unit should monitor the foreign branch to follow the local legal regulations.
A financial holding company or banking business should perform self-evaluation of compliance at least semiannually. The results should be sent to the compliance unit for further reference. The head of a unit should designate a specific person to conduct the self-evaluation affair in each unit.
The self-evaluation draft and information for the preceding affairs should be kept at least five (5) years.
Section 5 Risk Management Mechanism
Article 35
A financial holding company or a banking business shall formulate adequate risk management policies and procedures and establish operationally independent and effective risk management mechanisms, by which to assess and monitor the respective risk-bearing capacity, and current status of risks already incurred, and to determine their compliance with the risk response strategies and risk management procedures.
The risk management policies and procedures under the preceding paragraph shall be passed by the board of directors and be reviewed and revised in a timely manner.
Article 36
A financial holding company or a banking business shall establish an independent risk management task force and regularly furnish risk management reports to the board of directors; upon identifying a significant risk exposure that might adversely affect its financial or business status or compliance with applicable acts and regulations, it shall take immediate and adequate countermeasures and submit a report to the board of directors.
For a credit cooperative, the establishment of the independent risk management task force mentioned in the preceding paragraph can be replaced by a designated management unit in its headquarters.
Article 37
The risk management mechanisms of a financial holding company shall include the following matters:
A. Monitoring the capital adequacy of the financial holding company and of all subsidiaries based on their respective business scale, credit, market, and operational risks, and future business trends.
B. Adopting adequate long- and short-term financing principles and guidelines, and establishing management mechanisms for measuring and monitoring the liquidity positions of the financial holding company and of all subsidiaries, by which to measure, monitor, and manage the liquidity risks of the financial holding company and of all subsidiaries.
C. Drafting the overall plan for anti-money laundering and combating financing of terrorism, including policy and procedure for sharing information within the group for the purpose of preventing money laundering and combating financing of terrorism.
D. Making various investment allocations after having considered the overall risk exposure, equity capital, and characteristics of liabilities of the financial holding company, and establishing various measures to manage investment risks.
E. Establishing uniform assessment methodologies for rating and classifying the quality of assets of the financial holding company and of all subsidiaries, calculating and controlling large risk exposures of the financial holding company and its subsidiaries, carrying out periodic reviews, and faithfully setting aside allowances or reserves for loss.
F. Building information security mechanisms and contingency plans with respect to business exchanges, transactions, or other activities between the financial holding company and its subsidiaries and between its subsidiaries.
Article 38
The risk management mechanism of a banking business shall include the following principles:
A. Monitoring the capital adequacy based on its business scale, credit, market, and operational risks, and future business trends.
B. Establishing management mechanisms for measuring and monitoring the liquidity positions of the banking business, by which to measure, monitor, and manage the liquidity risks.
C. Establishing a management mechanism for identifying, measuring and monitoring risks associated with money laundering and financing of terrorism, and drafting standard operating procedures for complying with anti-money laundering related regulations to reduce the risk of money laundering and financing of terrorism.
D. Making various investment allocations after having considered the overall risk exposure, equity capital, and characteristics of liabilities, and establishing various measures to manage investment risks.
E. Establishing uniform assessment methodologies for rating and classifying the quality of assets, calculating and controlling large risk exposures, carrying out periodic reviews, and faithfully setting aside allowances or reserves for loss.
F. Building information security mechanisms and contingency plans with respect to business, transactions, and information exchanges or other activities.
Chapter 4 Supplementary Principles
Article 39
To secure the confidentiality level of the financial examination report of a financial holding company or a banking business, unless consented by the law or the competent authority, the responsible person or the employee are not allowed to read or disclose, deliver, publicize all or part of the contents of the report to another person irrelevant of the performing of the task.
The financial holding company or the banking business should follow the provisions of the competent authority to prescribe the relating internal management regulations and business procedures of the financial examination reports and submit them to the board of directors for consent.
Article 40
A financial holding company or a banking business shall set out in its internal control system penalties for violations of these Regulations or its internal control system rules by managers and relevant personnel.
Article 41
The subsidiary company of a financial holding company referred to in these regulations should be defined as in Article 4 of the Financial Holding Company Act; the subsidiary company of a banking business should follow the provisions of Paragraph 3 of Article 5 of Regulations Governing Establishment of Internal Control Systems by Public Companies.
Article 42
The internal auditors and compliance officer of a financial holding company or a banking business shall immediately prepare a report for submission, with a notice to the independent directors and supervisors (supervisors, board of supervisors) or the auditing commission and report to the competent authority, when their recommendations for improvements regarding significant deficiencies or noncompliance identified in internal controls are not accepted by management and as a result the financial holding company or the banking business might incur a material loss.
Article 43
The competent authority will set forth formats specified in the Rules herein.
Article 44
When a credit cooperative submit relating materials to the competent authority as regulated in these regulations, the cooperative should also report to the finance department of municipality or the finance bureau of county (city) government.
Article 45
The branch of a foreign bank in Taiwan shall carry out internal control and audit in compliance with the Rules herein. However, if the internal control and audit systems of a branch in Taiwan are prescribed based on regulations with higher or equivalent standards for internal control and audit establishment, then the branch is allowed to report its situation to the competent authority for future reference and conduct such systems after a comparison report on the details of the standards that bank adopts and our system, which should also be signed by the responsible person of the branch.
If the headquarters of the branch bank in Taiwan has altered its internal control and auditing systems, which might also apply to the branch in Taiwan, the revisions should be immediately explained and compared to domestic regulations and send to the competent authority for future reference after signed by the responsible person in Taiwan.
If the branch of a foreign bank in Taiwan violates the internal control and audit system accepted by the competent authority in accordance with three preceding paragraphs hereof, it shall be deemed as violating the Rules herein.
Article 46
Financial holding companies and banking businesses that do not meet the provisions in Article 32 or Subparagraph C or D, Paragraph 1 of Article 34 shall make adjustment to become compliant within six (6) months after the promulgation of the amended Regulations on August 8, 2014.
Article 47
The Rules herein shall be in force on the date of promulgation.
The 2nd March 2012 amendments, except Article 8, paragraph 1, subparagraph 2 item 5, the credit cooperatives shall enter into force from 1st January 2014, and Article 8, paragraph 1 subparagraph 2 item 8 shall enter into force from 30 December 2012, shall enter into force three months after the date of issuance.
|