Amended on December 26, 2019
3. Except as otherwise provided by laws and regulations, in which case such laws and regulations shall be followed, the outsourcing of business items that an insurance enterprise may engage in pursuant to insurance regulations, or of policyholder information related operations, by an insurance enterprise shall be limited to the following:
(1) Data entry, processing, output and delivery, development, monitoring, control, and maintenance of information system, and logistical support for data processing in connection with the insurance enterprise's business.
(2) Conducting checking and investigation relating to insurance contract, consumer opinion survey, and customer follow-up by telephone.
(3) Production, delivery, safekeeping and disposal of forms and documents, such as insurance policy, renewal notice, notice of premium payment, notice of suspension in coverage, proof of annual premium payment and other forms and documents relating to the performance of insurance contract and lending operations.
(4) Overseas emergency assistance and roadside assistance services in connection with benefits under the insurance contract.
(5) Distribution of sales advertisements and consumer publications.
(6) Collection of premiums, principal and interest payments on policy loans, other payments related to insurance contracts, or principal and interest payments on other loans.
(7) Collection of debts.
(8) Electronic customer services, including automated voice systems, phone answering service, answering and processing customer e-mails, and electronic commerce related inquiry service and assistance.
(9) Land registration or real estate management services, and disposal of collateral from claim entitlement.
(10) Locating cars with auto loan default and car auction, but excluding the determination of floor price for auction.
(11) Valuation, classification, bundling and sale of non-performing loans; provided such outsourcing agreement stipulates that the service providers and their employees involved in the outsourcing agreement shall not engage in any work or provide any consulting or advisory services which give rise to a conflict of interest with the outsourced services during the term of such outsourcing agreements or during a reasonable period of time after termination/expiry thereof.
(12) Other operations approved by the competent authority for outsourcing.
Except for outsourcing operations stipulated in subparagraph 7 and subparagraph 12 of the preceding paragraph, where an insurance enterprise is required to apply to the competent authority for approval pursuant to Point 10 herein, an insurance enterprise shall file its outsourced operations, content and scope in a manner prescribed by the competent authority with the competent authority or an institution designated by the competent authority for other outsourcing operations stipulated in the preceding paragraph.
8. The internal control principles and operating procedures in connection with outsourcing operations of an insurance enterprise set out pursuant to Point 4, paragraph 2, subparagraph 5 herein shall contain at least the following:
(1) Drawing up and implementing the operating procedure for supervising and managing the scope of outsourcing.
(2) Incorporating the operating procedure in the preceding subparagraph in the overall internal control and internal audit systems of the insurance enterprise.
(3) The outsourcing of collection of premiums, principal and interest payments on policy loans, and other payments related to insurance contracts pursuant to Point 3, paragraph 1, subparagraph 6 herein shall be carried out according to the following rules:
A. The service provider that collects automobile insurance premiums shall deliver the premium payments collected to the insurer within one month from the date of collection.
B. Insurance brokers and agents shall directly deliver the premium payments collected in accordance with Article 40, paragraph 1 of the Regulations Governing Insurance Brokers and Article 40, paragraph 1 of the Regulations Governing Insurance Agents.
C. The insurance enterprise shall follow the self-regulatory rules drawn up by the insurance association with regard to the scope of payment collection that may be outsourced and the qualifications of the service provider.
(4) Supervising the establishment and implementation of internal control and internal audit system by the service provider.
(5) Other matters as required by the competent authority.
17-1 An insurance enterprise shall comply with the following rules when its outsourced operations involve cloud-based services:
(1) The insurance enterprise shall ensure proper control of operational risks and fully evaluate the risks of the service provider. It shall adopt appropriate risk management and control measures to ensure the quality of outsourced operations and heed the proper diversification of operations outsourced to cloud service providers.
(2) The insurance enterprise is ultimately responsible for the supervision of cloud service providers and it should have the professional skills and resources to supervise the cloud service providers' execution of outsourced operations. If necessary, it may engage professional third parties to assist in its supervision.
(3) The insurance enterprise shall ensure that it and the competent authority, or their designated representatives, have access to related information on the outsourced operations performed by cloud service providers, including the audit report of customer information and relevant systems, and the right to conduct on-site audits.
(4) The insurance enterprise may appoint an independent third party with expertise in information technology, at its sole discretion or together with other insurance enterprises that outsource to the same cloud service provider, to conduct audits, and shall comply with the following rules:
A. The insurance enterprise shall ensure that the audit scope covers important systems and control points related to the operations outsourced to the cloud service provider.
B. The insurance enterprise shall evaluate the eligibility of the third party and verify that the contents of the audit report produced by the third party are appropriate and meet the relevant international standards of information security.
C. The third party shall conduct the audit based on the scope of outsourced operations and produce an audit report.
(5) Where the insurance enterprise transmits and stores customer information at the cloud service provider, it shall adopt customer data encryption, tokenization, or other effective protection measures and establish appropriate encryption and key management.
(6) The insurance enterprise shall retain complete ownership of data outsourced to cloud service providers for processing. The insurance enterprise shall ensure that the cloud service provider does not have the right to access customer data except for the execution of outsourced operations, and that the cloud service provider may not use the data for purposes outside the scope of outsourced operations.
(7) In principle, customer data outsourced to a cloud service provider shall be processed and stored within the territories of the R.O.C. If the data is located outside the R.O.C. territories, the following rules shall apply:
A. The insurance enterprise shall retain the right to designate the location for data processing and storage.
B. The data protection regulations in the above location shall be no less stringent than the R.O.C. requirements.
C. Except with the approval of the competent authority, backups of important customer data shall be retained in the R.O.C.
(8) The insurance enterprise shall establish an appropriate emergency contingency plan to reduce the risk of service interruption due to outsourced operations. When the insurance enterprise terminates or ends the operations outsourcing, it shall ensure that the outsourced operations can be smoothly transferred to another cloud service provider or transferred back for in-house processing. It shall also ensure that the original cloud service provider deletes or destroys all retained data and retains records of the deletion or destruction.
17-2 Where an insurance enterprise outsources operations involving cloud-based services, and the outsourced operations are of a material nature or the operations are outsourced to overseas service providers in accordance with Point 16 herein, it shall submit the following documents to the competent authority to apply for approval before outsourcing:
(1) Operating procedures for the internal control of outsourcing established in accordance with Point 4, paragraph 2 herein.
(2) Meeting minutes containing resolutions of the board of directors, or a letter of consent signed by an officer authorized by the head office in the case of the branch of a foreign insurance enterprise in Taiwan.
(3) Regulatory compliance statement.
(4) Analysis of the necessity and legality of outsourcing operations to cloud service providers, including evaluation of the compliance status of the cloud service provider with respect to relevant customer data protection regulations of the R.O.C.
(5) An outsourcing plan, which should include:
A. Risk assessment and management mechanism:
a. Review of cloud service providers to ensure the reliability and legal compliance of the services provided, including analysis of business continuity, substitutability, and concentration.
b. Description of having professional skills and resources to monitor the cloud service provider’s execution of outsourced operations.
B. Information security and management:
a. Description of measures taken by the insurance enterprise with regard to the encryption, tokenization, key storage, data transmission and segmentation, and ownership of data.
b. Description of management policies with regard to the location of data storage, including description of relevant local legal, political, and economic stability assessments for data processing and storage in a foreign country, and description of data backup and access of data by the insurance enterprise at any time.
C. The scope and method for the insurance enterprise and the competent authority, or their designated representatives, to obtain information with regard to outsourced operations performed by the cloud service provider, including description of access to the audit report of customer information and relevant systems and measures to ensure the right to conduct on-site audits.
D. Emergency contingency plan and exit mechanism, including the description of how the insurance enterprise possesses sufficient resources for emergency response and exit.
Operations of a material nature specified in the preceding paragraph means any of the following conditions:
(1) Where the outsourced operation cannot perform service or where there are concerns for information security, and it will have a significant impact on the business operation of the insurance enterprise.
(2) Where the outsourced operation is involved in a customer data security incident, and it will have a significant impact on the rights and interests of the insurance enterprise or its customers.
(3) Other situations that will have a significant impact on the rights and interests of the insurance enterprise or its customers.
Where the operations outsourced by an insurance enterprise that involve cloud-based services are not of a material nature as mentioned in Paragraph 1 herein, or are not outsourced to an overseas service provider as described in Point 16 herein, the insurance enterprise shall submit the documents specified in Paragraph 1, subparagraph 3 to subparagraph 5 herein to the competent authority for reference.
Where a branch or subsidiary of a foreign insurance enterprise in Taiwan outsources operations to its foreign head office, parent company, or another branch or subsidiary of its parent group, and such operations are subcontracted to a cloud service provider, it shall submit an outsourcing plan specified in Paragraph 1 along with the documents specified in Point 16 herein to the competent authority to apply for approval, and comply with the following rules:
(1) The supervisory regulations for operations outsourced to cloud service providers stipulated by the competent authority where the foreign head office, parent company, or a branch or subsidiary of the parent group is located shall be no less stringent than the regulations of the R.O.C.
(2) The contents of the outsourcing plan may be substituted by a comparable explanatory document produced by the foreign head office, parent company, or a branch or subsidiary of the parent group.
18. The provisions of Point 16 and Point 17 do not apply in the case of any of the following circumstances:
(1) Where the insurance enterprise mandates an offshore institution to operate and manage its funds in compliance with the Insurance Act, relevant regulations and self-regulatory rules.
(2) Where the insurance enterprise engages an offshore institution to assist in the handling of claims, emergency rescue, investigation or assessment.
(3) Where the insurance enterprise outsources the part of the operations of its branches abroad that complies with the local regulations and does not involve the personal data of policyholders in Taiwan.
(4) Where the insurance enterprise outsources the development and maintenance of its onshore information system to an offshore institution.