Point 1
These Directions are adopted pursuant to Article 8, paragraph 1, subparagraph 18 of the Regulations Governing the Establishment of Internal Control Systems by Service Enterprises in Securities and Futures Markets.
Point 2
A futures commission merchant (FCM) that will outsource operations to any third party (hereinafter, "outsourcing") shall enter a written agreement and comply with these Directions. However, if the outsourcing involves foreign exchange business, it shall additionally comply with the relevant rules and regulations set forth by the Central Bank.
The FCMs to which these Directions apply include domestic FCMs and their overseas branches and the Taiwan branches of foreign FCMs.
Point 3
The outsourcing by an FCM of operations involving business items stated in its business license or operations related to customer information shall be limited to the following scope:
1. Data processing: Including information system data entry, processing, and output; the development, monitoring, control, and maintenance of information systems; and logistical support for data processing in connection with conducting business.
2. Safekeeping of documents such as forms, statements, and certificates.
3. Electronic system customer services, including automated voice systems, response to and processing of customer emails, consultation and assistance to electronic system customers, and telephone customer service.
4. Certain internal audit operations. However, these audit operations may not be performed by the CPAs who attest the FCM's financial statements.
5. Other operations approved by the competent authority for outsourcing.
An FCM shall file accurate reports on information including the items, content, and scope of its outsourced operations in the manner prescribed by the competent authority, the Taiwan Futures Exchange Corporation (TAIFEX), the Taipei Exchange (TPEx), or the Chinese National Futures Association (the "Futures Association").
Point 4
An FCM shall conduct outsourcing operations in accordance with its internal outsourcing rules approved by its board of directors under the premises that outsourcing will not affect the sound operation of the FCM, the interests of customers, or regulatory compliance.
The internal outsourcing rules of a Taiwan branch of a foreign FCM may be approved by an officer authorized by the head office.
The internal outsourcing rules referred to in the preceding paragraph shall specify the following contents:
1. Outsourcing policies and principles, including evaluation of outsourcing decisions, risk management mechanisms, approval hierarchy, and governance structure.
2. Division of authority and responsibility of the unit-in-charge and relevant units regarding the control of outsourced operations.
3. Scope of operations that may be outsourced and outsourcing procedures.
4. Internal operations and procedures for the protection of customer interests.
5. Risk management principles and operating procedures.
6. Internal control principles and operating procedures.
7. Other outsourcing operations and procedures.
An FCM is ultimately responsible for its outsourcing. It shall evaluate the risk level and materiality of outsourced operations and the impact of outsourcing on business operations and customer interests, adopt appropriate management measures under the risk-based approach, and comply with the following provisions:
1. The board of directors shall be aware of the outsourcing risks and regularly oversee the execution status of outsourced operations.
2. An FCM shall ensure that the unit-in-charge and relevant units have adequate resources, expertise, and authority over the control of outsourced operations.
3. An FCM shall identify, evaluate, and manage outsourcing of operations deemed material, and formulate relevant policies and procedures. It shall formulate enhanced controls and emergency response measures for outsourcing arrangements that may materially impact the normal operations of the FCM or customer interests.
4. An FCM shall have appropriate due diligence and periodic review procedures in place to ensure that service providers possess the expertise and resources for the execution of outsourced operations, are financially sound, have internal control and information security management mechanisms, and meet regulatory requirements.
5. An FCM shall ensure that the FCM itself, the competent authority, the Central Bank, or persons designated thereby, the TAIFEX, the TPEx, or the Futures Association can have access to relevant data or reports of service providers and conduct financial examinations or audits with respect to the outsourced operations, or order service providers to provide relevant data or reports within a prescribed time period.
A Taiwan branch of a foreign FCM may designate its head office or the regional headquarters authorized thereby to be responsible for and handle the matters of applying the provisions of the preceding paragraph. However, the unit-in-charge shall still be handled by personnel of the foreign FCM's Taiwan branch, and shall fully understand the control of outsourcing activities in Taiwan by the head office or regional headquarters authorized thereby.
The term "materiality" in these Directions means any of the following conditions:
1. The outsourced operation cannot be performed or there are concerns regarding information security, and such issues will materially impact business operations of the FCM.
2. The outsourced operation is involved in a customer data security incident that has a material impact on the interests of the FCM or customers.
3. The outsourced operation has otherwise had a material impact on the interests of the FCM or customers.
Point 5
When conducting outsourcing of other operations approved by the competent authority in accordance with Point 3, paragraph 1, subparagraph 5 herein, an FCM shall submit the following documents to the TAIFEX for it to review and then forward to the competent authority for approval:
1. Internal outsourcing rules adopted in accordance with paragraph 2 of the preceding point.
2. Meeting minutes containing a resolution of the board of directors, or a letter of consent signed by an officer authorized by the head office in the case of a Taiwan branch of a foreign FCM.
3. Necessity and legal compliance analysis of the outsourcing of business operations, evaluation of risk level and materiality of the outsourced operations and impact of the outsourcing on business and customer interests, due diligence check of service providers, and outsourcing risk management measures.
4. Operating process.
5. Other matters designated by the competent authority.
After an operation has been designated by the competent authority as eligible for outsourcing according to the preceding paragraph, other FCMs may proceed directly to conduct that outsourcing operation in accordance with their internal outsourcing rules.
Point 6
The unit-in-charge specified in Point 4, paragraph 2, subparagraph 2 herein shall carry out the following tasks:
1. Managing outsourced operations in accordance with the internal outsourcing rules set forth in accordance with Point 4 herein.
2. Supervising the outsourced operations in connection with the protection of customer interests, risk management and internal controls, conducting periodic evaluations and reviews, and submitting the findings to the board of directors or the officer authorized by the head office in the case of a Taiwan branch of a foreign FCM. If any material irregularities or deficiencies occur, a report shall be filed with the competent authority, Central Bank, TAIFEX, or Futures Association as soon as possible.
3. Supervising the establishment and implementation of internal control and internal audit systems by service providers.
4. Drafting and executing measures for selecting service providers, and ensuring that an outsourced operation is a business item that the selected service provider is legally allowed to operate.
Point 7
The internal operations and procedures for protection of customer interests included in the internal outsourcing rules of an FCM as provided in Point 4, paragraph 2, subparagraph 4 herein shall include the following contents:
1. If operations involve customer information, the agreement executed between the FCM and the customer shall include a provision that requires that the FCM inform the customer of the outsourcing. If the agreement does not include such a provision, the FCM shall notify its customers of the outsourcing activity and the provisions of the Personal Data Protection Act shall apply.
2. Conditions and scope of customer information to be provided and procedural method for transferring such information.
3. Methods for supervising the use, processing, and control of the aforesaid customer information by the service provider.
4. Procedures and time limits for handling customer disputes in connection with the outsourcing activity. The FCM shall set up a coordination unit that handles customer complaints.
5. Other necessary measures for the protection of customer interests.
An FCM shall be held equally liable to its customer as provided by law if an intentional act or omission or negligence of its outsourcing service provider or an employee thereof results in damage to customer interests.
Point 8
The risk management principles and operating procedures set forth in the internal outsourcing rules of an FCM as provided in Point 4, paragraph 2, subparagraph 5 herein shall include the following content:
1. Establishing a risk and benefit analysis system for outsourcing activity.
2. Establishing procedures or management measures sufficient to identify, measure, monitor, and control risks associated with outsourcing:
A. Evaluating the risk level and materiality of outsourced operations and their degree of impact on business operations.
B. Ensuring that the FCM and the service provider possess adequate expertise and resources.
C. Considering relevant risk factors, evaluating the risk level of outsourced operations, and taking appropriate measures to mitigate risk.
D. Evaluating risk levels periodically and ensuring updating of risk levels.
E. Conducting regular or unscheduled testing or drills based on different risk scenarios for material outsourcing.
3. Establishing an emergency response plan and transfer mechanisms for the termination of an outsourcing arrangement.
Point 9
The internal control principles and operating procedures set forth in the internal outsourcing rules of an FCM as provided in Point 4, paragraph 2, subparagraph 6 herein shall include the following contents:
1. Drawing up and implementing the operating procedures for supervising and managing the scope of outsourcing.
2. Incorporating the operating procedures in the preceding subparagraph into the overall internal control and internal audit systems of the FCM for implementation.
3. Supervising the establishment and implementation of internal control and internal audit systems by the service provider.
Point 10
An FCM's outsourcing agreement shall specify the following contents:
1. The scope of outsourcing and the authorities and responsibilities of the service provider.
2. A provision requiring the service provider to comply with Point 15 herein.
3. Protection of consumer rights and interests, including the confidentiality of customer data and adoption of security measures.
4. The service provider is required to carry out consumer protection, risk management, internal control, and internal audit in accordance with the standard operating procedures established under the supervision of the FCM.
5. Consumer dispute resolution mechanisms, including the timetable and procedure for handling disputes, and remedial measures.
6. Management of a service provider's employees, including employee recruitment, promotion, performance reviews, and discipline.
7. Material events that lead to the termination of an outsourcing agreement with the service provider, including a provision on termination or revocation of the agreement if so instructed by the competent authority.
8. The service provider agrees to allow the competent authority, Central Bank, TAIFEX, TPEx, and Futures Association to access relevant data or reports and conduct financial examination or auditing with respect to the outsourced items, or provide relevant data or reports within a prescribed time period pursuant to an order thereby.
9. The service provider shall not use the name of the outsourcing FCM in the course of handling the outsourced items, nor shall the service provider use untruthful advertising or charge the customers any fees.
10. The service provider is required to inform the FCM if the outsourced operation involves any material irregularities or deficiencies.
11. Other matters of agreement.
In the outsourcing agreement, the FCM shall prohibit the service provider from subcontracting any outsourced operation unless with the FCM's written consent. The outsourcing agreement shall specify the scope, limitations, or conditions for subcontracting by the service provider. The provisions of this Point shall be applied mutatis mutandis in the execution of the subcontracting agreement between the service provider and its subcontractor.
If any existing outsourcing agreement or sub-contracting agreement does not conform to the provisions of these Directions, the FCM may continue its outsourcing activity under the existing agreement until it expires. However, if such agreement does not have an expiration date, the nonconformities shall be remedied within one year from the date these Directions are issued and enforced, or else the agreement will expire automatically.
Point 11
An FCM that plans to outsource operations to overseas service providers shall comply with the following provisions:
1. It shall fully understand and grasp the use, processing, and control of customer information by the service provider.
2. Furnish the service provider with only necessary customer information that is directly related to the outsourced operations.
3. Require the service provider to observe the following particulars:
A. The FCM's customer data shall be used and processed only by the authorized persons of the service provider within the scope of the outsourced operations.
B. The FCM's customer data shall be clearly segregated from the data of the service provider and of other institutions.
C. The FCM's customer data processed by the service provider shall be readily provided when needed to the competent authority, the TAIFEX, the TPEx, the Futures Association, and the FCM.
4. The FCM shall adopt a risk-based approach to conduct regular and unscheduled audits and to monitor the use, processing, and control of customer information by the service provider. External auditors may be engaged to conduct relevant audits. A Taiwan branch of a foreign FCM may designate the auditing unit of its head office or authorized regional headquarters to handle audit matters. The auditing units shall provide the relevant audit reports to the Taiwan branch of the foreign FCM.
5. When the foreign competent futures authority where the service provider is located requests the provision of information on Taiwan customers, the FCM shall inform the Taiwan competent authority and obtain its consent in advance before such information may be provided.
If a Taiwan branch of a foreign FCM outsources operations to its head office or overseas branches to accommodate its internal division of work, the outsourcing shall be handled in accordance with the preceding paragraph.
Point 12
If any outsourcing arrangement by an FCM will involve offshore processing of any futures customer business information system deemed material, the FCM shall submit the following documents to the TAIFEX for review and subsequent forwarding to the competent authority for approval:
1. The internal outsourcing rules adopted in accordance with Point 4, paragraph 2.
2. Meeting minutes containing a resolution of the board of directors, or a letter of consent signed by an officer authorized by the head office in the case of a Taiwan branch of a foreign FCM.
3. Necessity and legal compliance analysis of the outsourcing of business operations, including an evaluation of the service provider's compliance with the customer data protection laws and regulations of Taiwan.
4. Outsourcing plan, which shall include the following contents:
A. Risk assessment and management mechanisms:
a. Evaluation of the risk level and materiality of the outsourced operations and the impact on business operations and customer interests.
b. Due diligence check of the service provider to ensure the reliability and legal compliance of the services provided; the reliability check shall include analysis of business continuity, substitutability, and concentration.
c. Description showing adequate expertise and resources to monitor the service provider's execution of the outsourced operations.
d. Day-to-day monitoring plans and implementation units.
B. Description of customer information protection measures and whether customer consents have been obtained to ensure the quality of outsourced services and the protection of customer interests.
C. Information security and management:
a. Description of data security management measures, data transmission and segregation, and data ownership.
b. Description of management policies with regard to the locations of data storage, including assessment of legal, political, and economic stability at the data processing and storage locations, and description of data backup and data accessibility at any time.
D. Emergency response plans, including operational contingency plans that address circumstances in which the service provider is unable to provide service or the service is disrupted.
5. Letter of consent or outsourcing agreement signed by the service provider, agreeing that when necessary a person designated by the FCM may carry out auditing of the outsourced activities. An aforesaid designated person also may be assigned by the Taiwan competent authority at the expense of the FCM.
6. A statement issued by the service provider certifying that it has not had any occurrence of incidents such as employee fraud, information security breach, or other incidents damaging customer interests or undermining sound operations in the last three years.
When conducting outsourcing under the preceding paragraph, an FCM shall comply with the following provisions in addition to the preceding point:
1. It shall ensure that the use, processing, and management of customer information by the service provider comply with Taiwan's Personal Data Protection Act, retain complete audit trails, and include these compliance matters in key audit items.
2. It shall periodically evaluate cost-benefit and the reasonableness of expense allocation within the group and submit the report to the board of directors for approval.
3. The standards for information system security testing shall be no less rigorous than the requirements set forth by the competent authority, TAIFEX, TPEx, or Futures Association.
4. It shall conduct one routine audit and one special audit at least annually. The offshore outsourcing audit reports for the current year shall be submitted to the board of directors within four months after the end of each year. The aforementioned audits may be performed by an independent third party specializing in information technology.
5. It shall establish operational contingency plans that address circumstances in which the service provider is unable to provide the service or the service is disrupted.
6. It shall specify in the outsourcing agreement, with respect to any circumstance in which an outsourced service is transferred to another service provider or transferred back to the FCM, the service provider's obligations regarding system migration and handling of data, as well as the service provider's liability for damages in case of service disruption.
If a Taiwan branch of a foreign FCM outsources operations to its head office or overseas branches to accommodate its internal division of work, the outsourcing shall be handled in accordance with paragraph 1.
Point 13
An FCM shall comply with the following rules when its outsourced operations involve cloud-based services:
1. It shall formulate policies and principles for using cloud-based services, adopt appropriate risk control measures, and heed the proper diversification of operations outsourcing to cloud service providers.
2. The FCM is ultimately responsible for the monitoring of cloud service providers and it shall have the expertise and resources to supervise the cloud service providers' execution of outsourced operations. It may also request professional third parties to assist in monitoring operations as needed.
3. The FCM may appoint an independent third party with expertise in information technology at its sole discretion or in conjunction with other FCMs that outsource to the same cloud service provider to conduct audits, subject to the following requirements:
A. The FCM shall ensure that the audit scope includes important systems and control measures related to the operations outsourced to the cloud service provider.
B. The FCM shall evaluate the suitability of the third party and verify that the contents of an audit report submitted by a third party meet the relevant international standards of information security and privacy protection.
C. The third party shall conduct the auditing based on the scope of the operations outsourced by the FCM and issue an audit report.
4. When the FCM transmits and stores customer data at a cloud service provider, it shall adopt customer data encryption, tokenization, or other effective protection measures and it shall also establish appropriate encryption key management mechanisms.
5. The FCM shall retain complete ownership of data outsourced to cloud service providers for processing. The FCM shall ensure that the cloud service provider does not have the authority to access customer data except for the execution of the outsourced operations and it may not use the data for purposes outside the scope of the outsourced operations.
6. With respect to customer data processing by cloud service providers and the data storage locations, the following rules shall be observed:
A. The FCM must retain the right to designate the location for the processing and storage of the data.
B. The local data protection laws and regulations at the offshore location shall be no less rigorous than the requirements in Taiwan.
C. The customer data involving futures customer business information systems deemed material shall be stored in a location within Taiwan in principle. If located offshore, backups of important data of customers shall be retained in Taiwan unless otherwise approved by the competent authority.
Point 14
When an FCM outsources the following operations, the preceding three points shall not apply:
1. When it outsources the operations of its foreign branches.
2. When it outsources the development and maintenance of onshore information systems to offshore institutions.
Point 15
When outsourcing operations, an FCM shall not violate any mandatory or prohibitive provisions, public order or good morals, and there shall not be any adverse impact on its business operations, management, or the interests of its customers. An FCM shall also ensure that the Futures Trading Act, Money Laundering Control Act, Personal Data Protection Act, Financial Consumer Protection Act, and other applicable laws and regulations are complied with.
When outsourcing operations, an FCM shall vigorously observe applicable laws and regulations and the business rules or self-regulatory directions set forth by the TAIFEX, TPEx, and Futures Association.
Point 16
The competent authority, Central Bank, TAIFEX, TPEx, and Futures Association may access relevant data or reports and conduct financial examination or auditing on the outsourced operations of an FCM.
If a service provider violates these Directions or other laws and regulations, the competent authority may, depending on the severity of the case, instruct the outsourcing FCM to terminate the outsourcing arrangement pursuant to the outsourcing agreement, request the service provider to make improvement within a given period of time, or suspend the outsourcing arrangement until improvement made by the service provider is confirmed.
Point 17
Unless otherwise provided in these Directions, an FCM shall bring its existing outsourcing activities that do not conform to the provisions herein into compliance with these Directions within one year following the issuance and implementation of these Directions.