1. These Directions are specifically adopted to strengthen the anti-money laundering and countering terrorism financing (AML/CFT) regime of Republic of China (R.O.C.), and enhance soundness of the internal control and internal audit system of the banking industry in R.O.C.

2. A banking business shall conduct customer due diligence (CDD) and keep records on all business relations and transactions with its customers in accordance with the Directions as well as relevant provisions in “Money Laundering Control Act”, “Regulations Governing Cash Transaction Reports （CTR）and Suspicious Transaction Reports （STR） by Financial Institutions”, “Regulations Governing the Deposit Accounts and Suspicious or Unusual Transactions” and “Directions for Confirming Customer Identity in Domestic Remittance Operations of Financial Institutions”.

3. The "banking business" referred to in the Directions include banks, credit cooperatives, postal service institutions which also handle the money transactions of deposit, transfer and withdrawal, bills finance companies, credit card companies and trust enterprises.

4. A banking business shall comply with the following provisions in undertaking CDD measures:
(1) A banking business shall not keep anonymous accounts or accounts in fictitious names.
(2) A banking business shall undertake customer due diligence (CDD) measures when:
A. establishing business relations with any customer;
B. carrying out occasional transactions with respect to:
(A) cash receipt or payment in a single transaction (including all transactions recorded on cash deposit or withdrawal vouchers for accounting purpose), or the transaction of currency exchange of NTD 500,000 or more (including the foreign currency equivalent thereof); or
(B) a domestic cash remittance of NT$30,000 or more but less than NT$500,000, or a domestic account-transfer remittance of NT$30,000 or more;
C. there is a suspicion of money laundering or terrorism financing, or carrying out inward remittances from a country or region with high money laundering and terrorism financing risk; or
D. a banking business has doubts about the veracity or adequacy of previously obtained customer identification data.
(3) The CDD measures to be taken by a banking business are as follows:
A. Identifying the customer and verifying that customer’s identity using reliable, independent source documents, data or information. In addition, a banking business shall retain copies of the customer’s identity documents or record the relevant information thereon.
B. Verifying that any person purporting to act on behalf of the customer is so authorized, identifying and verifying the identity of that person using reliable, independent source documents, data or information where the customer opens an account or conducts a transaction through an agent. In addition, the banking business shall retain copies of the person’s identity documents or record the relevant information thereon.
C. Taking reasonable measures to identify and verify the identity of the beneficial owner of a customer.
D. Enquiring information on the purpose and intended nature of the business relationship when undertaking CDD measures.
(4) According to Item 3 of the preceding Subparagraph, a banking business shall obtain the following information to identify the beneficial owners of the customer when the customer is a legal person or a trustee:
A. For legal persons:
(A)The identity of the natural persons who ultimately have a controlling ownership interest in a legal person. A controlling ownership interest refers to owning more than 25 percents of a company’s shares or capital;
(B) To the extent that there is doubt under (A) above as to whether the person(s) with the controlling ownership interest are the beneficial owner(s) or where no natural person exerting control through ownership interests is identified, the identity of the natural persons (if any) exercising control of the customer through other means.
(C) Where no natural person is identified under (A) or (B) above, a banking business shall identify and take reasonable measures to verify the identity of the relevant natural person who holds the position of senior managing official.
B. For trustees: the identity of the settlor(s), the trustee(s), the trust supervisor, the beneficiaries, and any other person exercising ultimate effective control over the trust;
C. Unless otherwise provided for in the Proviso of Point 5, a banking business shall not be required to inquire if there exists any beneficial owner in relation to a customer that is
(A) a R.O.C government entity;
(B) a enterprise owned by the R.O.C government;
(C) a foreign government entity;
(D) a public company and its subsidiaries;
(E) an entity listed on a stock exchange outside of R.O.C. that is subject to regulatory disclosure requirements of its principal shareholders, and the subsidiaries of such entity;
(F) a financial institution supervised by the R.O.C. government, and an investment vehicles managed by such institution;
(G) a financial institution incorporated or established outside R.O.C. that is subject to and supervised for compliance with AML/CFT requirements consistent with standards set by the FATF, and an investment vehicle managed by such institution;
(H) Public Service Pension Fund, Labor Insurance, Labor Pension Fund and Postal Savings of R.O.C.
(5) Ongoing monitoring on accounts and transactions:
A. A banking business shall conduct ongoing due diligence on the business relationship and scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the institution’s knowledge of the customer, their business and risk profile, including, where necessary, the source of funds.
B. A banking business shall periodically review the adequacy of customer identification information obtained in respect of customers and beneficial owners and ensure that the information is kept up to date, particularly for higher risk categories of customers.
C. A banking business is entitled to rely on the identification and verification steps that it has already undertaken, therefore a banking business is allowed not to repeatedly identify and verify the identity of each customer every time that a customer conducts a transaction unless it has doubts about the veracity of that information. Examples of situations that might lead a banking business to have such doubts could be where there is a suspicion of money laundering in relation to that customer, or where there is a material change in the way that the customer’s account is operated, which is not consistent with the customer’s business profile.
(6) A banking business shall apply CDD measures to existing customers on the basis of materiality and risk, and to conduct due diligence on such existing relationships at appropriate times, taking into account whether and when CDD measures have previously been undertaken and the adequacy of data obtained.

5. A banking business shall determine the extent of applying CDD and ongoing monitoring measures under Subparagraphs (3) and (5) of the preceding Point using a risk-based approach (RBA). The enhanced CDD and ongoing monitoring measures shall be applied to those circumstances with higher risk while the simplified CDD measures are allowed where a lower risk has been identified. However, simplified CDD measures are not allowed in the following circumstances:
(1) Where the customers are from or in countries and jurisdictions known to have inadequate AML/CFT regimes, including but not limited to those which designated by international organizations on AML/CFT as countries or regions with serious deficiencies in their AML/CFT regime , and other countries or regions that do not or insufficiently comply with the recommendations of international organizations on AML/CFT as forwarded by the Financial Supervisory Commission (FSC); or
(2) Where a banking business suspects that money laundering or terrorism financing is involved.

6. A banking business shall keep records on all business relations and transactions with its customers in accordance with the following provisions:
(1) A banking business shall maintain, for at least five years, all necessary records on transactions, both domestic and international.
(2) A banking business shall keep all the following information for at least five years after the business relationship is ended, or after the date of the occasional transaction:
A. All records obtained through CDD measures, such as copies or records of official identification documents like passports, identity cards, driving licenses or similar documents.
B. Account files.
C. Business correspondence, including inquiries to establish the background and purpose of complex, unusual large transactions and the results of any analysis undertaken.

7. Risk control mechanism and internal control system:
(1) The risk control mechanism and internal control system established by a banking business according to Article 35 of “Implementation Rules of Internal Audit and Internal Control System of Financial Holding Companies and Banking Industries”, Article 5 of “Regulations Governing the Internal Controls and Audit System for Postal Remittances and Savings” or Article 33 of “Regulations Governing Institutions Engaging In Credit Card Business” shall contain the following items:
A. The policy and procedure to identify, assess and manage its money laundering and terrorism financing risks.
B. An AML/CFT program based on the result of risk assessment.
C. A standard operational procedure to comply with the AML/CFT regulations, which shall be included in the self-inspection and internal audit system.
(2) A banking business shall ensure that its foreign branches and subsidiaries apply AML/CFT measures, to the extent that the laws and regulations of host countries or jurisdictions so permit, consistent with the home country requirements.

8. If a banking business violates the Directions, the FSC may take appropriate sanctions commensurate with the seriousness of the violations in accordance with Articles 61-1, 129 of the Banking Act and other relevant regulations.