| Legislative: |
Financial-Supervisory-Securities-Firms-1110384596 |
| Content: |
Order of the Financial Supervisory Commission
Issue date: 3 November 2022
Issue no.: Financial-Supervisory-Securities-Firms-1110384596
1. This order is issued pursuant to Articles 36-2 and 37 of the Regulations Governing the Establishment of Internal Control Systems by Service Enterprises in Securities and Futures Markets.
2. The service enterprises listed in the subparagraphs below shall appoint a person at the level of deputy general manager (vice president) or higher or a person of equivalent rank to concurrently serve as chief information security officer, who shall be in
charge of the overall promotion of information security policy and the allocation of resources.
A. Securities firms with paid-in capital of NT$10 billion or more or at which electronically placed orders reach a certain percentage rate. “Electronically placed orders reach a certain percentage rate” means the following conditions are all simultaneously
met:
a. The monetary amount of executed trade orders placed online plus of those placed by direct market access (DMA) accounts for 60 percent or more of the monetary amount of the firm’s executed trade orders.
b. The monetary amount of the firm’s executed brokerage trades account for a share of 2 percent or more of the monetary amount of all executed brokerage trades in the market.
c. The firm’s natural person customers account for 50 percent or more of all the firm’s customers.
B. Futures commission merchants (FCMs) with paid-in capital of NT$2 billion and at which, furthermore, electronically placed orders reach a certain percentage rate. “Electronically placed orders reach a certain percentage rate” means the following conditions
are all simultaneously met:
a. The number of contracts traded through orders placed online and by DMA accounts for 60 percent or more of the total number of contracts traded through all the FCM’s executed trade orders.
b. The FCM’s executed brokerage trades account for a share of 2 percent or more of the number of contracts traded in all executed brokerage trades in the market.
c. The FCM’s natural person customers account for 50 percent or more of all the FCM’s customers.
C. Securities investment trust enterprises (SITEs) and those securities investment consulting enterprises that operate the business of discretionary investment services for customers (SICEs), with average monthly onshore and offshore managed assets of NT$600
billion or more in the preceding fiscal year.
D. The Taiwan Stock Exchange, Taipei Exchange, Taiwan Futures Exchange, and Taiwan Depository and Clearing Corporation.
3. Each service enterprise shall allocate appropriate human resources and equipment to plan and monitor the information security system and implement the information security management operations. “Allocate appropriate human resources” means to comply with
the following provisions:
A. Securities firms, futures enterprises, securities finance enterprises, SITEs, SICEs, and credit rating agencies with paid-in capital of NT$20 billion or more shall set up a dedicated information security unit. That unit shall have a dedicated chief officer
and at least three dedicated personnel members, who shall be specifically responsible for information security related tasks or duties and who may not concurrently handle any information business or other business that could involve conflict of interest with
their duties.
B. Securities firms, futures enterprises, securities finance enterprises, SITEs, SICEs, and credit rating agencies with paid-in capital of less than $20 billion:
a. Those with paid-in capital of NT$10 billion or more but less than NT$20 billion shall have a chief information security officer and at least three information security personnel members. However, those that have already set up a dedicated information security
unit may have a dedicated chief information security officer and two dedicated information security personnel members.
b. Those with paid-in capital of NT$4 billion or more but less than NT$10 billion shall have a chief information security officer and at least two information security personnel members.
c. Those with paid-in capital of less than NT$4 billion shall have at least one information security personnel member.
C. The Taiwan Stock Exchange, Taipei Exchange, Taiwan Futures Exchange, and Taiwan Depository and Clearing Corporation shall each set up a dedicated information security unit. That unit shall have a dedicated chief officer and the necessary dedicated personnel
members, who shall be specifically responsible for information security related tasks or duties and who may not concurrently handle any information business or other business that could involve conflict of interest with their duties.
4. The chief information security officers and the personnel members mentioned in subparagraph B of the preceding point, with the exception of performing information related duties, may not concurrently handle any other business that could involve conflict
of interest with their duties.
5. In the case of a foreign financial institution, securities firm, futures enterprise, or credit rating agency that—pursuant to applicable administrative regulations such as the Standards Governing the Establishment of Securities Firms, the Standards Governing
the Establishment of Futures Commission Merchants, or the Regulations Governing the Administration of Credit Rating Agencies—has established a branch in Taiwan and operates, or concurrently operates, business in the field of securities, futures, or credit
rating, its allocated operating capital, rather than paid-in capital, shall be used in the calculations under Points 2 and 3.
6. Within 6 months after meeting any applicable condition set out in Point 2 or Point 3, a service enterprise shall make the adjustments necessary to become compliant.
7. Each service enterprise shall include the status of overall implementation of information security in its Statement on Internal Control and submit it for approval by the board of directors. The content of that Statement shall be disclosed on the Market Observation
Post System (MOPS) within 3 months after the close of each fiscal year.
8. This Order is effective from 1 January 2023. The 30 September 2021 Financial Supervisory Commission Order No. Financial-Supervisory-Securities-Firms-11003637894 is repealed from 1 January 2023. |