Financial Supervisory Commission
Laws and Regulations Retrieving System

Content

Title: Directions for Operation Outsourcing by Insurance Enterprises
Date: 2014.12.30
Legislative: Amended on December 30, 2014
Content: 1. These Directions are set forth to safeguard the interests of consumers and regulate the outsourcing operations of insurance enterprises (referred to as "outsourcing" hereunder).
Insurance enterprises should include the particulars of these Directions into their internal control procedures drafted pursuant to Article 5, paragraph 1, subparagraph 12 of the Regulations Governing Implementation of Internal Control and Auditing System of Insurance Enterprises.
2. The outsourcing operations of an insurance enterprise shall not violate any mandatory or prohibitive provisions [of law], public order or good customs, and shall observe the Insurance Act, the Money Laundering Control Act, the Personal Data Protection Act, the Consumer Protection Act, the Financial Consumer Protection Act, and other applicable laws and regulations.
An insurance enterprise shall vigorously supervise and manage matters relating to its outsourcing operations, and assume the responsibility of an authorizer.
3. Except as otherwise provided by laws and regulations upon which such laws and regulations shall be followed, the outsourcing of business items that an insurance enterprise may engage in pursuant to insurance regulations or policyholder information related operations by an insurance enterprise shall be limited to the following:
(1)Data entry, processing, output and delivery, development, monitoring, control, and maintenance of information system, and logistical support for data processing in connection with the insurance enterprise's business.
(2)Conducting checking and investigation relating to insurance contract, consumer opinion survey, and customer follow-up by telephone.
(3)Production, delivery, safekeeping and disposal of forms and documents, such as insurance policy, renewal notice, notice of premium payment, notice of suspension in coverage, proof of annual premium payment and other forms and documents relating to the performance of insurance contract and lending operations.
(4)Overseas emergency assistance and roadside assistance services in connection with benefits under the insurance contract.
(5)Distribution of sales advertisements and consumer publications.
(6)Collection of premiums, and principal and interest payments on policy loans or other loans, provided the service provider is engaged in accordance with the Self-Regulatory Rules for Outsourcing the Collection of Premiums or Principal and Interest Payments on Policy Loans by Life Insurance Enterprises or the Self-Regulatory Rules for Outsourcing the Collection of Premiums by Non-life Insurance Enterprises.
(7)Collection of debts.
(8)Electronic customer services, including automated voice systems, phone answering service, answering and processing customer e-mails, and electronic commerce related inquiry service and assistance.
(9)Land registration or real estate management services, and disposal of collateral from claim entitlement.
(10) Locating cars with auto loan default and car auction, but excluding the determination of floor price for auction.
(11) Valuation, classification, bundling and sale of non-performing loans; provided such outsourcing agreement stipulates that the service providers and their employees involved in the outsourcing agreement shall not engage in any work or provide any consulting or advisory services which give rise to a conflict of interest with the outsourced services during the term of such outsourcing agreements or during a reasonable period of time after termination/expiry thereof.
(12) Other operations approved by the competent authority for outsourcing.
Except for outsourcing operations stipulated in subparagraph 7 and subparagraph 12 of the preceding paragraph where an insurance enterprise is required to apply to the competent authority for approval pursuant to Point 10 herein, an insurance enterprise shall file its outsourced operations, content and scope in a manner prescribed by the competent authority with the competent authority or an institution designated by the competent authority for other outsourcing operations stipulated in the preceding paragraph.
4. Under the premises that outsourcing will not affect the sound operation of the insurance enterprise, the interests of customers, or regulatory compliance, the insurance enterprise may outsource the operations stipulated in the preceding point in accordance with its internal outsourcing procedures approved by its board of directors, or by an officer authorized by the head office in the case of a branch of a foreign insurance enterprise in Taiwan.
The internal outsourcing procedures referred to in the preceding paragraph shall specify the following particulars:
(1)The designation of a unit-in-charge and its authority and responsibility.
(2)Scope of operations that may be outsourced.
(3)Internal operation and procedure that assure the protection of customer interests.
(4)Risk management principles and operating procedure.
(5)Internal control principles and operating procedure.
(6)Other outsourcing operations and procedures.
5. The unit-in-charge assigned by an insurance enterprise for its outsourcing operations pursuant to paragraph 2, subparagraph 1 of the preceding point shall carry out the following tasks:
(1)Managing outsourced operations in accordance with the internal outsourcing procedures set out in accordance with the preceding point.
(2)Supervising the outsourced operations in connection with the protection of customer interests, risk management and internal controls, conducting periodic evaluation, and submitting the findings to the board of directors or officer authorized by the head office in the case of a branch of a foreign insurance enterprise in Taiwan.
(3)Supervising the establishment and implementation of internal control and internal audit system by the service providers.
(4)Drafting and executing the measure for selecting service providers, and ensuring that the outsourced operation is a business item that the selected service provider is legally allowed to operate.
(5)Other matters as required by the competent authority.
When outsourcing the collection of debts arising from loans, the unit-in-charge should check regularly relevant information in the outsourcing service providers and employees registration system created by the Joint Credit Information Center (the "JCIC") and retain a copy of the inquiry record for future reference as a part of insurance enterprise's internal control activities over outsourcing and supervision of service provider's internal control systems.
6. The internal operations and procedures of an insurance enterprise in connection with the outsourcing operations of an insurance enterprise that assure the protection of customer interests as provided in Point 4, paragraph 2, subparagraph 3 herein shall contain at least the following:
(1)Where an outsourced operation involves customer information, the customer information shall be handled in accordance with the Personal Data Protection Act and the insurance contract executed by the insurance enterprise and the customer shall include a provision that requires the insurance enterprise to inform the customer [of the outsourcing]. If the agreement does not include such a provision, the insurance enterprise shall notify its customers in writing or by other appropriate means of the outsourcing activity.
(2)The scope of customer information or information of the applicant, the insured and the beneficiary in the insurance contracts to be provided [to the service provider] and procedural method for transferring such information. With respect to the information of the beneficiary, only the basic information of the beneficiary stated in the application form, change of beneficiary, benefit payment and other information that has the beneficiary's written consent (to transfer) may be transferred to the service provider for processing.
(3)Methods for supervising the use, processing and control of aforesaid customer information by the service provider and management mechanism.
(4)Procedure and time limit for handling customer dispute in connection with the outsourcing activity; the insurance enterprise should set up a coordination unit that handles customer complaints.
(5)Other necessary actions for the protection of customer interests.
An insurance enterprise shall be held equally responsible for its customer as provided by law if an intentional act or negligence of its outsourcing service provider or the employee of the service provider results in damage to customer interests.
7. The risk management principles and operating procedure in connection with the outsourcing operations of an insurance enterprise set out pursuant to Point 4, paragraph 2, subparagraph 4 herein shall contain at least the following:
(1)Establishing a risk and benefit analysis system for the outsourcing operations.
(2)Establishing procedure and management measures sufficient to identify, measure, supervise and control risks associated with outsourcing operations.
(3)Drawing up an emergency response plan.
(4)Other matters as required by the competent authority.
8. The internal control principles and operating procedures in connection with outsourcing operations of an insurance enterprise set out pursuant to Point 4, paragraph 2, subparagraph 5 herein shall contain at least the following:
(1)Drawing up and implementing the operating procedure for supervising and managing the scope of outsourcing.
(2)Incorporating the operating procedure in the preceding subparagraph in the overall internal control and internal audit systems of the insurance enterprise.
(3) The outsourcing of insurance premium collection pursuant to Point 3, paragraph 1, subparagraph 6 herein shall be carried out according to the following rules, and the service provider that collects auto insurance premiums shall deliver the premium payments collected to the insurer within one month from the date of collection:
A. Insurance brokers and agents shall directly deliver the premium payments collected in accordance with Article 32, paragraph 2 of the Regulations Governing Insurance Brokers and Article 31, paragraph 1 of the Regulations Governing Insurance Agents.
B. The insurance enterprise shall follow the Self-Regulatory Rules for Outsourcing the Collection of Premiums or Principal and Interest Payments on Policy Loans by Life Insurance Enterprises or the Self-Regulatory Rules for Outsourcing the Collection of Premiums by Non-life Insurance Enterprises.
(4)Supervising the establishment and implementation of internal control and internal audit system by the service provider.
(5)Other matters as required by the competent authority.
9. An insurance enterprise's outsourcing agreement shall specify at least the following:
(1)The scope of outsourcing and the responsibilities of service provider.
(2)A provision requiring the service provider to comply with Point 2 herein.
(3)Management of employees of the service provider assigned to the insurance enterprise.
(4)The service provider is required to carry out internal controls and internal audits in accordance with its standard operating procedures established under the supervision of the insurance enterprise.
(5)Unless with written authorization of the insurance enterprise, the service provider shall not use the name of the insurance enterprise in the course of handling the outsourced items, nor shall the service provider make untruthful advertising.
(6)Material events that would lead to the termination of outsourcing agreement with the service provider, including a provision on termination or revocation of the agreement if so instructed by the competent authority.
(7)The service provider agrees to let the competent authority access relevant data or reports and conduct financial examination with respect to the outsourced items, or provide relevant data or reports within a prescribed time period under the order of the competent authority.
(8)Consumer protection, including the confidentiality of customer data and adoption of security measures.
(9)The service provider is required to carry out consumer protection and risk management in accordance with its standard operating procedures established under the supervision of the insurance enterprise.
(10) Consumer dispute resolution mechanism, including the timetable and procedure for handling dispute and remedial measures.
(11) Other agreements.
The provisions of subparagraphs 8 through 10 of the preceding paragraph do not apply, provided the outsourcing agreement does not involve the interests or personal information of consumers.
Where the outsourcing agreement does not conform to the provisions in the Directions herein, the insurance enterprise may continue its outsourcing activity under the existing agreement until it expires.
10. If the outsourced operation of an insurance enterprise falls under Point 3, paragraph 1, subparagraph 7 or 12 herein where the approval of the competent authority is required, the insurance enterprise shall apply to the competent authority for approval by submitting the following documents:
(1)An outsourcing plan.
(2)Minutes of the board resolution (or a letter of consent signed by an officer authorized by the head office in the case of the branch of a foreign insurance enterprise in Taiwan).
(3)Regulatory compliance statement.
(4)Review form concerning the qualifications of the service provider.
(5)Other documents as required by the competent authority.
The outsourcing plan mentioned in the preceding paragraph shall contain at least the following particulars:
(1)The internal control procedure for outsourcing operation drafted pursuant to Point 4, paragraph 2 herein.
(2)Necessity and compliance analysis of outsourcing for business operations.
(3)Outsourcing process.
(4)Other matters as required by the competent authority.
If an insurance enterprise intends to add new service providers to the outsourced operation specified hereof after approval by the competent authority, it shall apply to the competent authority for approval by submitting required documentation as provided in the first paragraph hereof.
The insurance enterprise shall draw up conducts, practices and collection letters in the outsourced collection process according to the samples prepared by the Non-Life Insurance Association of the Republic of China (referred to as the "Non-Life Insurance Association" hereunder) and Life Insurance Association of the Republic of China (referred to as the "Life Insurance Association" hereunder), and have its legal counsel review the collection letters to make sure they do not violate the Directions herein or other applicable rules and regulations before submitting the same to the competent authority for recordation.
An insurance enterprise shall carry out outsourcing specified in this point after approval by the competent authority in accordance with its internal outsourcing procedures drawn up pursuant to Point 4, paragraph 2 herein and relevant provisions in Points 5 through 8 herein.
11. Before applying to the competent authority for approving the outsourcing of its debt collection operation, an insurance enterprise shall make sure in advance that the appointed service provider meets the following qualification requirements:
(1) The service provider shall be one of the following:
A.A company having registered in accordance with the Company Act or the Business Registration Act and received a document evidencing company registration or business registration issued by the competent authority that indicates "providing money claim management services to insurance enterprises" in the scope of business.
B.A lawfully established law office.
C.A lawfully established accountants office.
(2)The service provider does not incur accumulated loss or its loss does not exceed one third of its paid-in capital. The preceding provision does not apply if the service provider has incurred loss exceeding one third of its paid-in capital, but has completed the capital increase formalities according to applicable regulations.
(3)The collection personnel of the service provider has completed the training course or passed the examination on collection given by Non-Life/Life Insurance Association or an institution sanctioned by such association and received a credential therefor, and is free of the following situations:
A.Having been convicted under final and unappealable judgment of a crime of violence under the Criminal Code, Organized Crime Act, Anti-Hoodlum Act, or Guns, Ammunition and Knives Control Act, or being wanted for a crime of violence in an ongoing case.
B.Having been adjudicated bankrupt, and has not had rights and privileges reinstated.
C.Having been denied service by the bills clearing house and rejected status has not yet been removed, or having other poor credit record that is still open.
D.Being legally incompetent or having limited legal capacity or being subject to the order of commencement of assistance and such order has not been revoked.
E.Left his or her job for violation of the Directions herein and the employer financial institution or insurance enterprise has reported the matter to the JCIC.
(4)If the collection personnel of the service provider has not completed the training course or passed the examination on collection given by Non-Life/Life Insurance Association or an institution sanctioned by such association and has not received a credential therefor, said personnel shall remedy the situation within two months after taking the post.
(5)The responsible person of the service provider shall be free of the situations described in the subparagraphs under Article 3, paragraph 1 of the Regulations Governing Required Qualifications for Responsible Persons of Insurance Enterprises other than subparagraph 13 therein, and shall issue a statement therefor.
(6)A service provider should be equipped with complete computer facilities necessary for the handling of outsourced items, and the telephones of its relevant personnel should come with a recording system where the recording may be accessed instantly in coordination with the computer system for the purposes of audit or verification in case of a dispute. All phone conversations and field visits of the collection personnel shall be recorded with a copy made and retained for at least six months. The service provider shall not delete or alter its recording record.
12. An insurance enterprise shall conduct regular and unscheduled audit and supervision of the debt collection operation of its service provider to ensure compliance with the following provisions:
(1)A debt collector shall not use violence, intimidation, coercion, verbal abuse, harassment, sham, or false, deceptive or misleading representation against the debtor or any third party, or engage in other illicit debt collection practices that invade the privacy of the debtor.
(2)A debt collector shall not use harassing means that disrupt the regular living conditions, schooling, work, business or the life of others in the debt collection process.
(3)A debt collector may engage in debt collection from 7:00AM to 10:00PM, unless it is otherwise agreed by the debtor.
(4)A debt collector shall not by any means collect debt by harassing or from a third party.
(5)A debt collector communicating with a third party for the purpose of acquiring the location information about the debtor shall identify himself and state that his purpose is to obtain contact information of the debtor. If so requested by said third party, the debt collector should identify the outsourcing insurance enterprise, and the name of his employer. A debt collector shall also present a letter of authorization when making a field visit.
(6)The service provider or its employees shall not collect payment or any fees from the debtor or any third party for the debt collection work, unless the service provider is collecting withheld salary under a court order for an action in which the service provider is a litigation agent on behalf of the insurance enterprise and has the consent of the insurance enterprise to collect the withheld salary of debtor.
(7)The service provider personnel shall wear ID badge in field visits and record the entire conversation with the debtor or related parties in the course of visit. Unless with the consent of the debtor, the service provider personnel may not at his own discretion enter the residence of the debtor by any means.
Any of the following practices is deemed a false, deceptive or misleading representation mentioned in subparagraph 1 of the preceding paragraph:
(1)False representation or implication that nonpayment of debt will result in the arrest, detainment or other criminal disposition against the debtor.
(2)Informing the debtor that his property will be seized while such property is not subject to seizure according to law.
(3)Collecting fees from the debtor other than the amount of debt owed or collecting fees not claimable under the law.
(4)False representation that nonpayment of debt will result in a court action of arrest, garnishment, seizure or auction.
Any of the following practices is deemed as using harassing means that disrupt the regular living conditions, work, business or the life of others mentioned in subparagraph 2 of paragraph 1 hereof:
(1)Repeatedly or during non-collection hours using telephone, fax, short message, e-mail or other communication means, or visiting the debtor's residence, school, work, or business location or other places to collect debt.
(2)Using post cards for collection or using any language, symbols or other means on the envelope of collection letter that could reveal the debt situation or other private information of the debtor to third parties. The preceding provision does not apply to the name of company.
(3)Using bulletin, signboards or other similar methods that reveal the debt situation or other private information of the debtor to third parties.
13. The outsourcing agreement on debt collection operation entered by an insurance enterprise and a collection agency shall contain at least the following in addition to complying with the provisions in Point 10 herein:
(1)The work guidelines of the service provider shall include conduct and practices prohibited as provided in the preceding point and standards for dismissing or punishing violating employees.
(2)Subcontracting the debt collection work by service provider is prohibited.
(3)The service provider should report the handling of debt collection or customer complaint to the outsourcing insurance enterprise regularly or as needed; when there are situations where the service provider or its employees violate applicable laws and regulations in its internal management or collection operation, the service provider shall immediately report the event to the insurance enterprise.
(4)When recruiting personnel for the purpose of providing outsourcing service for the collection of debts arising from loans, the service provider shall obtain the written consent of the employee permitting the outsourcing insurance enterprise and JCIC to collect, process and use his personal data.
(5) When providing outsourcing service for the collection of debts arising from loans, the service provider shall provide the insurance enterprise with information of departed employee who leaves job due to violation of any subparagraph under Point 12, paragraph 1 herein for posting with JCIC. The posted information shall include:
A.Basic data of the departed employee.
B.Date of departure.
C.Reasons for departure.
(6)When outsourcing the collection of debts arising from loans to a service provider, an insurance enterprise shall submit the basic information of said service provider to JCIC. The service provider shall agree that the outsourcing insurance enterprise may submit the information on termination of outsourcing agreement due to violation of the Directions herein by the service provider to JCIC for posting. The posted information shall include:
A.Basic information of the service provider.
B.Date of agreement execution and date of its termination.
C.Reasons for violation of the Directions herein.
14. An insurance enterprise shall comply with the following provisions in outsourcing its debt collection operation:
(1)The insurance enterprise shall heed the complaints made by the debtor or any third party regarding the practices of outsourced service provider in the collection of debt arising from loans and check the relevant information in the outsourcing service providers and employees registration system created by the JCIC in a regular and timely manner; when there are material incidents under which the service provider should dismiss its unfit employee pursuant to the outsourcing agreement or the insurance enterprise should terminate the outsourcing agreement with the service provider, the insurance enterprise shall take actions in accordance with the Directions herein and the outsourcing agreement.
(2)If the service provider or any of its employees that provides outsourcing service for the collection of debts arising from loans, has been reported to the JCIC by other insurance enterprises pursuant to Point 13, subparagraphs 5 and 6 herein, but the incident is not significant enough as grounds for termination of outsourcing agreement, the insurance enterprise should step up the frequency and scope of audit for the service provider.
(3)Where the service provider has engaged in practice that violates a subparagraph under Point 12, paragraph 1 herein and makes it unacceptable to the debtor and the debtor contacts the insurance enterprise directly to negotiate the settlement of debt, the insurance enterprise shall accept the request of the debtor and actively handle the matter.
(4)Where the insurance enterprise finds that its service provider or any of its employees resorts to violence, coercion or intimidation in the collection process, it should report the matter to law enforcement agency.
(5)The insurance enterprise shall not give information on people who do not have legal obligation in the performance of debt to its service provider.
(6)Prior to outsourcing its collection operation to a service provider, the insurance enterprise shall send the debtors a written notice, informing them of the name of service provider, amount of debt owed, the duration of retaining collection recording record, telephone number (of the insurance enterprise) for making a complaint, and practices prohibited as provided in the subparagraphs under Point 12, paragraph 1 herein.
(7)The insurance enterprise should make public the basic information of its service provider at its business places and on its website to make it convenient for debtors to check the relevant information of the collection agency.
15. Where the service provider providing debt collection service for an insurance enterprise is referred to the law enforcement agency due to alleged use of violence in the collection process, the insurance enterprise may terminate its outsourcing agreement in view of the severity of the case, and must terminate the outsourcing immediately provided the service provider is indicted.
Where a service provider does not meet the qualification requirements set forth in Point 11 herein, or violates any of the subparagraphs under Point 12, paragraph 1 herein, or violates other laws and regulations, the competent authority may, depending on the severity of the case, instruct the outsourcing insurance enterprise to terminate the outsourcing pursuant to the outsourcing agreement, request the service provider to make improvement within a given period of time, or suspend the outsourcing until the agency (institution) relevant to the qualification or practice of the service provider deems that it has made improvement.
Where an insurance enterprise violates the Directions herein in the outsourcing of its debt collection operation, the competent authority may, depending on the severity of the case, order the insurance enterprise to make improvement within a given time period, or suspend or revoke the permission allowing the insurance enterprise to outsource its debt collection operation.
16. An insurance enterprise shall submit the following documents to the competent authority for approval before outsourcing its operations to offshore service providers:
(1) A written confirmation from the foreign competent authority at where the service provider is located, which shall contain the following:
A. Said competent authority is aware of the matter and agrees to the performance of services for outsourced items by the service provider.
B. Said competent authority agrees that the competent authority in Taiwan may require the service provider to provide relevant information on outsourced items.
C. Said competent authority allows the competent authority in Taiwan and the outsourcing insurance enterprise to conduct necessary examination of the outsourced items.
D. Said competent authority will inform the competent authority in Taiwan in advance if it plans to examine the outsourced items.
E. Said competent authority agrees not to obtain the information of customers in Taiwan, and will inform the competent authority in Taiwan in advance if it must obtain such information for the purpose of performing its supervisory authority.
(2) Internal outsourcing procedures established pursuant to Point 4, paragraph 2 herein.
(3) Minutes of the meeting of the board of directors indicating the resolution (on outsourcing) adopted; for branches of foreign insurance companies in Taiwan, a letter of consent signed by an officer authorized by the head office.
(4) The necessity and compliance analysis of outsourcing of business operations, including evaluation of compliance with consumer data protection related regulations by the service provider.
(5) Description of measures for the protection of policyholder data and whether policyholders have given their consent to the outsourcing to ensure the quality of outsourcing service and the interests of customers.
(6) For branches of foreign insurance companies in Taiwan, a letter of undertaking from the head office or the regional headquarters authorized by the head office regarding data access, security management and compliance with the supervisory requirements in Taiwan. 
Where an insurance enterprise is unable to obtain the written confirmation from the insurance competent authority at where the service provider is located as mentioned in subparagraph 1 of the preceding paragraph, it shall submit the following documents:
(1) A letter of consent from the service provider, agreeing that where necessary, a person designated by the insurance enterprise may examine the outsourced items; the aforementioned designated person may also be assigned by the competent authority in Taiwan at the expense of the insurance enterprise.
(2) Review report on the internal control systems and relevant operating procedures of the service provider.
(3) An opinion letter that the level of policyholder data protection provided at where the service provider is located is not inferior to that provided by the laws in Taiwan.
(4) The CPA-audited and certified financial report of the service provider for the most recent period.
(5) A statement from the service provider that it has been free of any incident of employee fraud, information or communication security breach, or other incidents that result in damage to the interests of customers or adversely affect sound operations of the company for the last three years.
Branches of foreign insurance companies in Taiwan that outsource their operations to their head office or other overseas branches for the purpose of internal division of labor shall apply for prior approval in accordance with the preceding two paragraphs.
When the competent authority of the place where the service provider is located requests the provision of information on policyholders in Taiwan, the insurance enterprise shall first inform the competent authority in Taiwan and obtain consent therefrom before providing such information.
A domestic insurance enterprise that meets the qualification requirements may, after submitting the documents mentioned in paragraph 1 and paragraph 2 hereof along with the following documents to the competent authority and obtaining approval therefrom, outsource the operations of data entry, processing and output of information system related to retail policyholders to an offshore service provider:
(1) An inspection report issued by an independent third party specializing in information technology that the level of security for the offshore information system is not less than that required of non-life (life) insurance enterprises according to the self-regulatory rules.
(2) A contingency plan in the event the offshore information system becomes unable to provide services, and an assessment report issued by an independent third party specializing in information technology indicating that such plan meets the following requirements:
A. It ensures restoration to normal operations regarding policy loan, claim payment and other claim services (including overseas emergency assistance) for existing policyholders within four (4) hours after an incident of service breakdown of the offshore information system and that proper management of financial and business risks will be maintained.
B. If it is determined that the offshore information system cannot restore service in a short period of time due to a natural disaster or event, the insurance enterprise shall ensure restoration to normal operation for its major businesses in Taiwan within seven (7) days after the occurrence of the event through the activation of backup system, installation of (temporary) information server or other means.
(3) A plan for routine supervision mechanism, which includes:
A. Setting up a management unit or committee in charge of supervising the offshore outsourcing of information operations, which shall comprise supervisory personnel for compliance, internal audit, operational risk management and information management to carry out routine supervision effectively.
B. Mechanism for outsourcing of routine operations, including the checking of policyholder data access, setting of system access authority and non-routine operations; the plan shall describe in detail the management operations, methods, processes and deficiency handling mechanism.
(4) An evaluation report on cost benefit analysis and reasonableness of expense allocation within the group that has been approved by the board of directors.
The qualification requirements referred to in the preceding paragraph mean that a domestic insurance enterprise meets the following requirements:
(1) Not having been subject to sanction by the competent authority due to violation of insurance regulations in the past year, or having made concrete improvements over the violation as recognized by the competent authority;
(2) All deficiencies as pointed out by the competent authority before the end of year preceding application have been effectively remedied; and
(3) Not having any major breach of information security that is not yet remedied in the past year.
A domestic insurance company that has outsourced its operations of data entry, processing, and output of information system related to retail policyholders to an offshore service provider prior to implementation of the amendment to the Directions, shall apply to the competent authority in accordance with the preceding two paragraphs within one year from the date the amendment is implemented.
If a domestic insurance enterprise filed an application in accordance with paragraphs 5 and 6 hereof during the aforementioned period and the application was duly rejected by the competent authority, the insurance enterprise shall repatriate the operations of data entry, processing and output of information system related to retail policyholders within two years after the expiration of the aforementioned period.
17. An insurance enterprise that plans to outsource its operations to offshore service providers shall comply with the following provisions:
(1) The insurance enterprise shall understand and grasp fully the use, processing and control of policyholder information by the service provider.
(2) The insurance enterprise shall furnish only necessary policyholder information that is directly related to the outsourced items to the service provider.
(3) The insurance enterprise shall require the service provider to observe the following:
A. The policyholder information of the insurance enterprise shall only be used and processed within the scope of outsourced items by authorized persons of the service provider.
B. The policyholder information of the insurance enterprise shall be clearly segregated from those of the service provider and other outsourcing institutions.
C. The policyholder information of the insurance enterprise processed by the service provider shall be readily provided to the competent authority and the insurance enterprise when needed.
(4) The insurance enterprise shall conduct regular and unscheduled audits and supervision of the use, processing and control of policyholder information by the service provider; relevant audit matters may be assigned to external auditors. The branch of a foreign insurance enterprise in Taiwan may designate the auditing unit of its head office or regional headquarters to handle the matters and the auditing unit shall provide the branch in Taiwan with an audit report.
The branch of a foreign insurance enterprise in Taiwan that outsources its operations to its head office or other overseas branches for the purpose of internal division of labor shall handle the matters in accordance with the preceding paragraph.
A domestic insurance enterprise that outsources the operations of data entry, processing, and output of information system related to retail policyholders to an offshore service provider shall observe the following rules in addition to the provisions in paragraph 1, subparagraphs 1 to 3 hereof:
(1) The insurance enterprise shall assure that the use, processing and control of policyholder information by the service provider comply with the Personal Information Protection Act with complete audit records retained and shall include the compliance matters in the key audit items.
(2) The insurance enterprise shall periodically evaluate cost benefit and the reasonableness of expense allocation within the group, and submit the report thereon to its board of directors for approval.
(3) The standards for security testing of information system adopted by the domestic insurance enterprise shall not be inferior to those set forth by the competent authority or the Non-life Insurance Association and the Life Insurance Association.
(4) The domestic insurance enterprise shall conduct at least one routine audit and one special audit annually. The aforementioned audits may be performed by an independent third party specializing in information technology.
(5) The domestic insurance enterprise shall file the annual audit report of its offshore outsourcing operation with the competent authority by the end of each year after the report has been presented to its board of directors.
(6) In the event the offshore information system becomes unable to provide services which impairs the interests of policyholders or affects the sound business operation of the insurance enterprise, the insurance enterprise shall promptly notify the competent authority, and shall submit a detailed report regarding the incident or subsequent actions taken within one week after the event.
(7) The cumulative time of service interruption of the offshore information system used by a domestic insurance enterprise shall not exceed 4 hours in a year, provided that the incidents keep the insurance enterprise from providing policy loan, claim payment and other claim services (including overseas emergency assistance) for existing policyholders.
When a domestic insurance enterprise outsources the operations of data entry, processing, and output of information system related to retail policyholders to an offshore service provider and the service provider has an incident of service interruption, or violates the provisions in paragraph 1, subparagraph 3 hereof, or other regulations, the competent authority may, in view of the severity of situation, notify the domestic insurance enterprise to terminate the outsourcing according to the outsourcing agreement, or to ask the service provider to make improvement within a given time period, or to temporarily suspend the outsourcing until the service provider has made confirmed improvement. The domestic insurance enterprise shall stipulate in the outsourcing agreement matters to be performed by the service provider regarding system relocation when so requested by the insurance enterprise and service provider's liability for damages in case of service interruption.
18. Provisions in the preceding two points do not apply in the case of any of the following circumstances: 
(1) Where the insurance enterprise mandates an offshore institution to operate and manage its funds in compliance with the Insurance Act, relevant regulations and self-regulatory rules.
(2) Where the insurance enterprise engages an offshore institution to assist in the handling of claims, emergency rescue, investigation or assessment.
(3) Where the insurance enterprise outsources the part of the operations of its branches abroad that comply with the local regulations and do not involve the personal data of policyholders in Taiwan.
(4) Where the insurance enterprise outsources the development and maintenance of its onshore information system to an offshore institution.
19. The competent authority or appropriate institutions or persons commissioned by the competent authority may audit the outsourcing operations of an insurance enterprise at the expense of said insurance enterprise.
20. If the outsourcing operations of an insurance enterprise violate these Directions, the competent authority may mete out appropriate disciplinary action pursuant to the Insurance Act in view of the severity of violation.