Amended on September 27, 2022 per Order Ref. Jin-Kuan-Bao-Tsai 11104805211 of the Financial Supervisory Commission.
Article 8 (deleted)
An insurance company may apply to the competent authority for approval to adopt a risk-based internal auditing system. A subsidiary that was evaluated and exempted from adopting the system for implementation in accordance with Paragraph 3, Article 38 shall provide evaluation documents.
The competent authority may ask an insurance company to apply for approval to adopt a risk-based internal auditing system in view of the insurance company's asset size, business risks, and other necessary conditions.
An insurance company that applies for approval to adopt a risk-based internal auditing system must meet the following criteria:
1. The insurance company's capital adequacy ratio and net worth ratio in the most recent filing to the competent authority comply with regulations regarding the capital adequacy ratio in Subparagraph 1, Paragraph 1, Article 5 of the Regulations Governing Capital Adequacy of Insurance Companies.
2. The amounts in preparatory funds based on the most recent actuarial opinions meet requirements in related regulations and adequacy requirements.
3. The insurance company has established an effective internal control system.
The provisions on auditing frequency in Paragraph 1 of the preceding article do not apply to insurance companies that have been approved to adopt a risk-based internal auditing system.
The provisions in this article do not apply to branch companies of foreign insurance companies in Taiwan, reinsurance companies, and insurance cooperatives.
Section 5. Risk Management Mechanism
An insurance company shall establish suitable risk management policies and procedures, which shall be passed by the board of directors and be regularly reviewed.
An insurance company shall establish an independent risk management task force and regularly report to the board of directors; upon identifying a significant risk exposure that might adversely affect its financial or business status or compliance with applicable acts and regulations, it shall take immediate and adequate countermeasures and submit a report to the board of directors.
The risk management mechanisms of an insurance company shall include the following principles:
1. Identifying and evaluating the acceptable scope of risks based on the business scale, product characteristics, and overall economic conditions.
2. Risks that must be considered include market risks (including interest rate risks), credit risks, liquidity risks, operational risks, insurance risks, asset liability matching risks, and other risks. Related risk management mechanisms shall also be established.
3. The management must regularly review the risk management mechanism and the own risk and solvency assessment (ORSA) mechanisms in accordance with relevant laws and regulations, self-regulatory guidelines, and actual economic conditions, and adopt appropriate
An insurance company shall consider the nature, scale, and complexity of its business risks based on its risk management framework and develop ORSA operation processes that are suitable for its organizational structure and risk management system.
The risk management mechanisms established by an insurance company shall include at least the following matters:
1. The risk management framework shall include risk governance, risk management organizational framework and duties, risk identification, risk measurement, risk response, risk monitoring and information, communication, and documentation.
2. The risk management mechanisms shall incorporate the business management and corporate culture of the insurance company, which adopts qualitative and quantitative technologies in accordance with the risk management policies it established to manage relevant risks that can be reasonably anticipated by the insurance company.
3. The insurance company shall set its risk appetite and specify the risk level it is willing to accept to attain strategic objectives and business plans. It must also set main risk limits for regular monitoring and management.