| 2019.09.30 |
Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation
[Chinese]
|
Article 1
These Regulations are enacted pursuant to paragraph 3, Article 45-1 of the Banking Act and paragraph 4, Article 21 of the Credit Cooperative Act.
Article 2
A bank shall enter a written agreement and abide by the Regulations herein for outsourcing its operations to a third party (referred to as "outsourcing" hereunder). Where the outsourcing involves foreign exchange business, relevant rules and regulations set forth by the Central Bank of China shall also apply.
Financial institutions to which the Regulations herein apply include domestic banks and their overseas branches, branches of foreign banks in Taiwan, credit cooperatives, bills finance companies and institutions operating credit card business.
The Regulations herein apply to financial institutions established under other laws referred to Article 139 of the Banking Act, unless such laws provide otherwise.
Article 3
The outsourcing of business items stated in its business license or operations related to customer information by a financial institution shall be limited to the following:
1. Data processing: Including the data entry, processing, and output of information system, the development, monitoring, control, and maintenance of information system, and logistical support for data processing in connection with the financial institution's business.
2. Safekeeping of documents such as forms, statements and certificates.
3. Drawing negotiable instruments (e.g., checks and drafts) for customers.
4. Back office support for trade financing activities, but limited to the issuance and negotiation of letters of credit, factoring and import/export documentary collections.
5. Collection of consumer loans and credit card payment, provided the service provider has been approved by the competent authority.
6. Preparation of credit analysis reports on credit customers.
7. Marketing of credit card issuance, input of customer information, printing of relevant forms and statements, envelope stuffing, sorting and mailing, computerized and manual card activation, reporting of lost cards, cash advances and emergency services.
8. Electronic customer services (including automated voice systems, telemarketing, management of and response to customer e-mail, assistance to inquiries of electronic banking and electronic commerce customers, and phone banking customer services).
9. Marketing, management, customer service and consulting for auto loans, excluding approval or rejection of loan applications.
10. Marketing of consumer loans, excluding the granting or rejection of loan application.
11. Marketing of home loans, excluding the granting or rejection of loan application.
12. Collection of debts.
13. Hiring real estate closing agent to handle relevant legal matters, and entrusting other institutions to dispose collateral from the assumption of debts.
14. Repossessing and auctioning automobiles with overdue payment on a car loan (excluding the determination of the floor price for such auctions).
15. Appraisal of real estate.
16. Internal audit operations (provided the audits are not performed by the accountant who certifies the financial institution's financial statements).
17. Valuation, classification, bundling and sale of non-performing loans; provided such outsourcing agreement stipulates that the service providers and their employees shall not engage in any work or provide any consulting or advisory services which give rise to a conflict of interest with the outsourced services during the term of such outsourcing agreements or for a reasonable period of time after termination/expiry thereof.
18. Transporting securities, checks, forms and statements, and cash, and replenishing ATMs.
19. Customs clearance, deposit, transportation and delivery of precious metals such as gold bars, silver bars and platinum bars.
20. Other operations approved by the competent authority for outsourcing.
The outsourced operations specified in subparagraph 7 hereof on the marketing of credit card issuance and in subparagraphs 9 ~ 12 of the preceding paragraph may not be subcontracted. With respect to outsourcing in subparagraphs 9 ~ 11 on the marketing of loan business, the financial institution shall handle the guarantee and signature verification operation by itself.
A financial institution shall file its outsourced operations, content and scope accurately in a manner prescribed by the competent authority.
Article 4
In the scope of operations that may be outsourced as stipulated in the foregoing article, the outsourcing of credit card issuance, marketing of consumer loans other than auto loan, and collection of debts shall obtain the prior approval of the competent authority according to the provisions in Article 11 and Article 12 herein. Under the premises that outsourcing will not affect the sound operation of the financial institution, the interests of customers, or regulatory compliance, the financial institution may outsource other operations in accordance with its internal outsourcing rules approved by the board of directors, or by an officer authorized by the head office in the case of a branch of a foreign bank in Taiwan.
The internal outsourcing rules referred to in the preceding paragraph shall specify the following particulars:
1. The designation of a unit-in-charge and its authority and responsibility.
2. Scope of operations that may be outsourced.
3. Internal operation and procedure that assure the protection of customer interests.
4. Risk management principles and operating procedure.
5. Internal control principles and operating procedure.
6. Other outsourcing operations and procedures.
Article 5
When conducting outsourcing operations approved by the competent authority under subparagraph 20, paragraph 1, Article 3 herein, the financial institution shall apply to the competent authority for approval by submitting the following documents:
1. Scope of operations to be outsourced.
2. The minutes of the meeting of the board of directors involved, or a letter of consent signed by an officer authorized by the head office in the case of the branch of a foreign bank in Taiwan.
3. Necessity and compliance analysis of outsourcing on business operations.
4. Operating process.
5. Other matters designates by the competent authority.
Article 6
The unit-in-charge specified in subparagraph 1, paragraph 2 of Article 4 herein shall carry out the following tasks:
1. Managing outsourced operations in accordance with the internal outsourcing rules set forth in accordance with Article 4 herein.
2. Supervising the outsourced operations in connection with the protection of customer interests, risk management and internal controls, conducting periodic evaluation, and submitting the findings to the board of directors or officer authorized by the head office in the case of a branch of a foreign bank in Taiwan. Where any material irregularities or deficiencies occur, a report shall be filed with the competent authority and the Central Bank of China as soon as possible.
3. Supervising the establishment and implementation of internal control and internal audit system by the service providers.
4. Drafting and executing the measure for selecting service providers, and ensuring that the outsourced operation is a business item that the selected service provider is legally allowed to operate.
The unit-in-charge should check regularly relevant information in the outsourcing service providers and employees registration system created by the Joint Credit Information Center (the "JCIC") and retain a copy of the inquiry record for future reference as a part of financial institution's internal control activities over outsourcing and supervision of service provider's internal control system.
Article 7
The internal operation and procedure of a financial institution that assure the protection of customer interests as provided in subparagraph 3, paragraph 2 of Article 4 herein shall include the following:
1. Where operations involve customer information, the agreement executed by the financial institution and the customer shall include a provision that requires the financial institution to inform the customer of the outsourcing. If the agreement does not include such a provision, the financial institution shall notify its customers in writing of the outsourcing activity and the regulations in the Personal Data Protection Act shall apply.
2. The scope of customer information to be provided [to the service provider] and procedural method for transferring such information.
3. Methods for supervising the use, processing and control of aforesaid customer information by the service provider.
4. Procedure and time limit for handling customer dispute in connection of the outsourcing activity; the financial institution should set up a coordination unit that handles customer complaints.
5. Other necessary actions for the protection of customer interests.
A financial institution shall be held equally responsible for its customer as provided by law if an intentional act or negligence of its outsourcing service provider or the employee of the service provider results in damage to customer interests.
Article 8
The risk management principles and operating procedure set forth in the internal outsourcing rules of a financial institution as provided in subparagraph 4, paragraph 2 of Article 4 herein shall include the following:
1. Establishing a risk and benefit analysis system for the outsourcing activity.
2. Establishing procedure or management measures sufficient to identify, measure, supervise and control risks associated with outsourcing.
3. Drawing up an emergency response plan.
Article 9
The internal control principles and operating procedure set forth in the internal outsourcing rules of a financial institution as provided in subparagraph 5, paragraph 2 of Article 4 herein shall include the following:
1. Drawing up and implementing the operating procedure for supervising and managing the scope of outsourcing.
2. Incorporating the operating procedure in the preceding subparagraph in the overall internal control and internal audit system of the financial institution.
3. Supervising the establishment and implementation of internal control and internal audit system by the service provider.
Article 10
A financial institution's outsourcing agreement shall specify the following:
1. The scope of outsourcing and the responsibilities of service provider.
2. A provision requiring the service provider to comply with Article 21 herein.
3. Consumer protection, including the confidentiality of customer data and adoption of security measures.
4. The service provider is required to carry out consumer protection, risk management, and internal control and internal audit in accordance with its standard operating procedures established under the supervision of the financial institution.
5. Consumer dispute resolution mechanism, including the timetable and procedure for handling dispute and remedial measures.
6. Management of service provider's employees, including employee recruitment, promotion, performance review and discipline.
7. Material events that lead to the termination of outsourcing agreement with the service provider, including a provision on termination or revocation of the agreement if so instructed by the competent authority.
8. The service provider agrees to let the competent authority and Central Bank of China access relevant data or reports and conduct financial examination with respect to the outsourced items, or provide relevant data or reports within a prescribed time period under the order of the competent authority or the Central Bank of China.
9. The service provider shall not use the name of the outsourcing financial institution in the course of handling the outsourced items, nor shall the service provider make untruthful advertising or charge the customers any fees when conducting marketing of loan service.
10. The service provider is required to inform the financial institution where the outsourced operation involves any material irregularities or deficiencies.
11. Other agreements.
The financial institution shall provide in the agreement requiring the service provider not to subcontract the outsourced operation unless with its written consent. The outsourcing agreement should specify the scope, limitations or conditions for subcontracting by service provider. The provisions in this article shall apply to the subcontracting agreement between the service provider and its subcontractor.
Where the outsourcing agreement or sub-contracting agreement does not conform to the provisions in the Regulations herein, the financial institution may continue its outsourcing activity under the existing agreement until it expires. However if such outsourcing agreement does not have an expiration date, the financial institution shall remedy the nonconformities within six (6) months from the date the Regulations are promulgated, or else upon which the agreement expires automatically.
Article 11
When applying for the approval of the competent authority for outsourcing the services of credit card issuance and marketing of consumer loans other than auto loan, a financial institution shall submit the following documents:
1. Internal outsourcing rules drawn up pursuant to paragraph 2 of Article 4 herein.
2. The minutes of the meeting of the board of directors involved, or a letter of consent signed by an officer authorized by the head office in the case of the branch of a foreign bank in Taiwan.
3. The review status of regional distribution of the service provider and perform a prior review of the service provider's internal control system and relevant operating procedures.
4. Regulatory compliance statement.
When outsourcing the operation specified in this article, a financial institution should entrust a marketing company that it fully owns or controls to provide the services. However it may outsource its marketing of credit card issuance operation to a non-fully-owned marketing company, provided the following conditions are met:
1. A financial institution has a sound internal control and internal audit system in place.
2. The marketing company offers only credit card marketing service.
3. The marketing company accepts the commission of only one card issuing financial institution without re-outsourcing or subcontracting the work to other businesses or individuals.
4. The financial institution has examined the quality of past credit card applications handled by said marketing company and found it satisfactory.
5. The financial institution shall produce onsite audit report on the marketing company on a quarterly basis; the report also includes evaluation of the quality of credit card applications accepted by said company.
When outsourcing the operation specified in this article, the financial institution shall require that the service provider does not conduct marketing by offering giveaways or prizes, or setting up a booth on the street or under a building overhang.
When outsourcing its marketing of credit card issuance operation to specified, the financial institution shall require that the service provider to operate in accordance with the relevant marketing provisions of Regulations Governing Institutions Engaging In Credit Card Business.
Article 12
When applying for the approval of the competent authority for outsourcing the debt collection operation, a financial institution shall submit the following documents:
1. Internal outsourcing rules drawn up pursuant to paragraph 2 of Article 4 herein.
2. The minutes of the meeting of the board of directors involved, or a letter of consent signed by an officer authorized by the head office in the case of the branch of a foreign bank in Taiwan.
3. Regulatory compliance statement.
4. Review form concerning the qualifications of the service provider.
If the financial institution plans to add new service providers to the outsourced operation specified hereof after approval by the competent authority, it shall apply to the competent authority for approval by submitting required documentation as provided in the subparagraphs 3 and 4 of preceding paragraph.
A financial institution shall draw up conducts, practices and collection letters in the outsourced collection process according to the specimens prepared by the Bankers Association of the Republic of China (hereinafter referred to as the Bankers Association), who should have its legal counsel review the collection letter specimen to make sure that it does not violate the Regulations herein or other relevant rules and regulations before submitting to the competent authority for reference.
Article 13
Before applying to the competent authority for approving the outsourcing of its debt collection operation, a financial institution shall make sure in advance that the appointed service provider meets the following qualification requirements:
1. The service provider shall be one of the following:
(1) A company having registered in accordance with the Company Act or the Business Registration Act and obtained company or business registration certificates issued by the competent authority that indicates "providing money claim management services to financial institutions" in the scope of business.
(2) An asset management company with all shares directly or indirectly held by the financial holding company or the bank and accepts the parent company’s outsourcing to conduct debt collection operations in accordance with Article 2, Subparagraph 1 of the Operations Principles for Asset Management Companies Invested by Financial Holding Companies (Banks).
(3) A lawfully established law office.
(4) A lawfully established accountant office.
2. The loss of service provider does not exceed one third of its paid-in capital. The preceding provision does not apply if the service provider has incurred loss exceeding one third of its paid-in capital, but has completed the capital increase formalities according to applicable regulations.
3. The collection personnel of the service provider has completed the training course or passed the examination on collection given by Bankers Association or an institution sanctioned by Bankers Association and received a credential therefore, and is free of the following situations:
(1) Having been convicted of a crime of violence under the Criminal Code, Organized Crime Act, Anti-Hoodlum Act, or Guns, Ammunition and Knives Control Act, or being wanted for a crime of violence in an ongoing case.
(2) Having been adjudicated bankrupt, and has not had rights and privileges reinstated.
(3) Having been denied service by the bills clearing house and rejected status has not yet be removed, or having other poor credit record that is still open.
(4) Being legally incompetent or having limited legal capacity or is subject to the order of the commencement of assistance that has not been revoked yet.
(5) Left his or her job for violation of the Regulations herein and the employer financial institution has reported the matter to the JCIC.
4. If the collection personnel of the service provider has not completed the training course or passed the examination on collection given by Bankers Association or an institution sanctioned by Bankers Association and has not received a credential therefore, said personnel shall remedy the situation within two months after taking the post.
5. The responsible person of the service provider shall be free of the situations described in paragraph 1, Article 3 of the Regulations Governing Qualification Requirements for Responsible Persons of Banks other than subparagraph 13 therein, and shall issue a statement therefore.
6. A service provider should be equipped with complete computer facilities necessary for the handling of outsourced items, and the telephones of its relevant personnel should come with a recording system where the recording may be accessed instantly in coordination with the computer system for the purposes of audit or verification in case of a dispute. All phone conversations and field visits of the collection personnel shall be recorded with a copy made and retained for at least six months. The service provider shall not delete or alter its recording record.
Article 14
A financial institution shall conduct regular and unscheduled audit and supervision of the debt collection operation of its service provide to ensure compliance with the following provisions:
1. A debt collector shall not use violence, intimidation, coercion, verbal abuse, harassment, sham, or false, deceptive or misleading representation against the debtor or any third party, or engage in other illicit debt collection practices that invade the privacy of the debtor.
2. A debtor collector shall not use harassing means that disrupts the regular living conditions, schooling, work, business or the life of others in the debt collection process.
3. A debt collector may engage in debt collection time from 7:00AM to 10:00PM, unless it is otherwise consented by the debtor.
4. A debt collector shall not by any means collect debt by harassing or from a third party.
5. A debt collector communicating with a third party for the purpose of acquiring location information about the debtor shall identify himself and state that his purpose is to obtain contact information of the debtor. If so requested by said third party, the debt collector should identify the outsourcing financial institution, and the name of his employer. A debtor collection shall also present a letter of authorization when making field visit.
6. The service provider or its employees shall not collect payment or any fees from the debtor or any third party for the debt collection work, unless the service provider is collecting withheld salary under a court order for an action in which the service provider is a litigation agent on behalf of the financial institution and has the consent of the financial institution to collect the withheld salary of debtor.
7. The service provider personnel shall wear ID badge in field visits and record the entire conservation with the debtor or related parties in the course of visit. Unless with the consent of the debtor, the service provider personnel may not enter the residence of the debtor by any means at his own discretion.
Any of the following practices is deemed a false, deceptive or misleading representation mentioned in subparagraph 1 of the preceding paragraph:
1. False representation or implication that nonpayment of debt will result in the arrest, detainment or other criminal disposition against the debtor.
2. Informing the debtor that his property will be seized while such property is not subject to seizure according to law.
3. Collecting fees from the debtor other than the amount of debt owed or collecting fees not claimable under the law
4. False representation that nonpayment of debt will result in a court action of arrest, garnishment, seizure or auction.
Any of the following practices is deemed as using harassing means that disrupts the regular living conditions, work, business or the life of others mentioned in subparagraph 2 of paragraph 1:
1. Repeatedly or during non-collection hours using telephone, fax, short message, e-mail or other communication means, or visiting the debtor's residence, school, work, or business location or other places to collect debt.
2. Using post cards for collection or using any language, symbols or other means on the envelope of collection letter that suffice to reveal the debt situation or other private information of the debtor to third parties. The preceding provision does not apply to the name of company.
3. Using bulletin, signboards or other similar methods that reveals the debt situation or other private information of the debtor to third parties.
Article 15
The outsourcing agreement on debt collection operation entered by a financial institution and a collection agency shall contain the following in addition to complying with the provisions in Article 10 herein:
1. Setting out work guidelines for the service provider, which shall include at least the prohibited conduct and practices provided in Article 14 herein and require that the service provider shall draft specific standards for dismissing or punishing violating employees.
2. Subcontracting the debt collection work by service provider is prohibited.
3. The service provider should report the handling of debt collection or customer complaint to the outsourcing financial institution regularly or as needed; when there are situations where the service provider or its employees violate relevant laws and regulations in its internal management or collection operation, the service provider shall immediately report the event to the financial institution.
4. When personnel recruitment, the service provider shall obtain the consent of the employee permitting the outsourcing financial institution and JCIC to collect, process and use his personal data.
5. The service provider shall provide the financial institution with information of departed employee who leaves job due to violation of Article 14 herein for posting with JCIC. The posted information shall include:
(1) Basic data of the departed employee.
(2) Date of departure.
(3) Reason for departure.
6. When outsourcing the debt collection operation to a service provider, a financial institution shall submit the basic information of said service provider to JCIC. The service provider shall agree that the outsourcing financial institution may submit the information on termination of outsourcing agreement due to violation of the Regulations herein by the service provider to JCIC for posting. The posted information shall include:
(1) Basic information of the service provider.
(2) Date of agreement execution and date of its termination.
(3) Reasons for violation of the Regulations herein.
Article 16
A financial institution shall comply with the following provisions in outsourcing its debt collection operation:
1. The financial institution shall heed the complaints made by the debtor or any third party regarding debt collection practice, and check the relevant information in the outsourcing service providers and employees registration system created by the JCIC in a regular and timely manner; when there are material incidents under which the service provider should dismiss its unfit employee pursuant to the outsourcing agreement or the financial institution should terminate the outsourcing agreement with the service provider, the financial institution shall take actions in accordance with the Regulations herein and the outsourcing agreement.
2. If the service provider or any of its employees has been reported to the JCIC by other financial institutions pursuant to subparagraphs 5 and 6 of Article 15 herein, but the incident is not significant enough as grounds for termination of outsourcing agreement, the financial institution should step up the frequency and scope of audit for the service provider.
3. Where the service provider has engaged in practice that violates any of the provisions in Article 14 herein and makes it unacceptable to the debtor and the debtor contacts the financial institution directly to negotiate the settlement of debt, the financial institution shall accept the request of the debtor and actively handle the matter.
4. Where the financial institution finds that its service provider or any of its employees resorts to violence, coercion or intimation in the collection process, it should report the matter to law enforcement agency.
5. The financial institution shall not give information on people who do not have legal obligation in the performance of debt to its service provider.
6. Prior to outsourcing its collection operation to a service provider, the financial institution shall send the debtors a written notice, informing them of the name of service provider, amount of debt owed, the duration of retaining collection recording record, telephone number (of the financial institution) for making a complaint, and practices prohibited in Article 14 herein.
7. The financial institution should make public the basic information of its service provider at its business places and on its website to make it convenient for debtors to check the relevant information of the collection agency.
Article 17
Where the service provider providing debt collection service for a financial institution is turned over to the law enforcement agency due to alleged use of violence in the collection process, the financial institution may terminate its outsourcing agreement in view of the severity of the case, and must terminate the outsourcing immediately provided the service provider is indicted.
Where a service provider does not meet the qualification requirements set forth in Article 13 herein, or violates the provisions in Article 14 herein, or violates other laws and regulations, the competent authority may, depending on the severity of the case, instruct the outsourcing financial institution to terminate the outsourcing pursuant to the outsourcing agreement, request the service provider to make improvement within a given period of time, or suspend the outsourcing until the agency (institution) relevant to the qualification or practice of the service provider deems that it has made improvement.
Where a financial institution violates the Regulations herein in the outsourcing of its debt collection operation, the competent authority may, depending on the severity of the case, order the financial institution to make improvement within a given time period, or suspend or revoke the permission allowing the financial institution to outsource its debt collection operation.
Article 18
A financial institution shall first submit the following documents to the competent authority for approval, then outsource its operations to overseas service providers:
1. The confirmation letter in writing from the financial competent authority where the service provider is located. The letter shall contain the following:
(1) The competent authority is aware of the matter and agrees the service provider to perform the outsourced services.
(2) The foreign competent authority agrees the competent authority in Taiwan to request the service provider to provide the relevant information on the outsourced items.
(3) The foreign competent authority allows the competent authority in Taiwan and the outsourcing financial institution to conduct necessary examination of the outsourced items.
(4) The foreign competent authority shall inform the competent authority in Taiwan in advance if it plans to examine the outsourced items.
(5) The foreign competent authority agrees not to obtain the customer information in Taiwan. If it obtains to execute the supervisory function, it shall inform the competent authority in Taiwan in advance.
2. Managing outsourced operations in accordance with the internal outsourcing rules set forth in accordance with paragraph 2 of Article 4 herein.
3. The minutes of the meeting of the board of directors involved, or a letter of consent signed by an officer authorized by the head office in the case of the branch of a foreign bank in Taiwan.
4. Necessity and compliance analysis of outsourcing on business operations, including the compliance status evaluation to the service provider with respect to the protection of customer information.
5. Descriptions for the protection of customer data and whether customers have given their consent to the outsourcing to ensure the quality of outsourcing service and the interests of customers.
6. A foreign bank branch in Taiwan shall obtain the letter of consent authorized by its head office or regional head office regarding to the obtainment and use on data, security control and cooperation with the supervisory requirements in Taiwan.
Where the financial institution is unable to acquire the letter of consent as described in the preceding paragraph from the foreign competent authority where the service provider is located, it shall submit the following documents:
1. A letter of consent from the service provider, agreeing that where necessary, a person designated by the financial institution may examine the outsourced items. The aforesaid designated person may also be assigned by the competent authority at the expense of the financial institution.
2. The evaluation on internal control principles and operating procedure of the service provider.
3. The legal opinion indicates the protection of customer data where the service provider is located is not below the condition in Taiwan.
4. The financial statements of service provider audited and attested by a CPA for the most recent fiscal year.
5. A statement issued by the service provider certifying that no violation on customer interests, personnel malpractice, information and technology security and other occurrences that have impact on sound business operation in the last three years.
In the case of a branch of a foreign bank in Taiwan outsource operation to head office or foreign branches under its internal division of work; it shall apply for approval in accordance with the two preceding paragraphs.
When the foreign competent authority requests to provide the customer information in Taiwan, it shall inform the competent authority in Taiwan in advance and obtain consent before submitting.
A domestic bank that meets the qualification requirements may outsource its operations of data entry, processing, and output of information system related to retail financial business to an offshore service provider, provided it is duly approved by the Financial Supervisory Commission ("FSC") after the bank submitting documents provided in Paragraphs 1 and 2 hereof along with the following documentation:
1. An inspection report, issued by an independent third party specializing in information technology, indicating that the information system of the offshore service provider is not below the domestic information security standards.
2. A contingency plan in the event the offshore information system fails to provide services, and an assessment report issued by an independent third party specializing in information technology indicating that such plan meets the following requirements:
(1) The bank shall assure the functional operations of deposit, withdrawal and payment transactions of existing customers within four hours after the offshore information system fails to provide services, and shall assure the proper management of financial and business risks; and
(2) The bank shall assure the functional operations of its credit and other major businesses in Taiwan within seven days of the incident, through activation of the backup system, installation of (temporary) information server or other means, provided it is evaluated that the offshore information system could not be functional within a short period of time due to a natural disaster.
3. An ordinary supervision plan with the following particulars:
(1) The setup of a supervisory unit or committee consisting personnel of compliance, internal audit, operational risk management and information management to effectively carry out the ordinary supervision; and
(2) An outsourcing operations' supervision mechanism including: the log file of customer information accession, authorization of system access and non-routine operations, with the detailed descriptions of the operational contents, methods, and processes along with the deficiency resolving mechanism
4. An evaluation report on the cost benefit and the reasonableness of expense allocation within the group that has been resolved by the bank's board of directors.
The term "qualification requirements" mentioned in the preceding paragraph shall mean that the domestic bank meets the following requirements:
1.Not having been subject to sanction by the competent authority due to violation of financial regulations in the previous 1 year, or having made concrete improvement actions recognized by the competent authority over the violation.
2.All deficiencies as redressed by the competent authority or the Central Bank of China before the end of year preceding application have been effectively remedied; and
3. Not having any major breach of information security that is not yet remedied in the past year.
A domestic bank outsourced its operations of data entry, processing, and output of information system related to retail financial business to an offshore service provider prior to implementation of the amendment to the Regulations, shall apply to the FSC in accordance with the preceding two paragraphs within one year from the date the amendment is implemented.
If a domestic bank that filed an application in accordance with Paragraphs 5 and 6 hereof during the aforementioned period and the application was duly rejected by the FSC, the bank shall repatriate the operations of data entry, processing and output of information system related to retail financial business within two years after the expiration of the aforementioned period.
Article 19
A financial institution that plans to outsource its operations to overseas service providers shall comply with the following matters:
1. A financial institution shall fully understand and handle the use, processing and control of customer information of information by the service provider.
2. A financial institution shall only provide the customer information limit to directly relevant necessary outsourcing matters.
3. A financial institution shall require the service provider to comply with the following matters:
(1) The customer data of financial institution shall only use and process by the authorized persons of the service provider within scope of outsourcing matters.
(2) The customer data of financial institution shall be separate clearly from those of service provider and other outsourcing institutions.
(3) The customer data of financial institution proceeded by service provider shall be able to provide for the competent authorities and the financial institution promptly.
4. A financial institution shall conduct regular and unscheduled audit and supervision of the use, processing and control of customer information by the service provider, the relevant audit matters may be assigned to external auditors. A branch of a foreign bank in Taiwan may designate the auditing divisions of its head office or regional head office to handle the matters; the relevant divisions shall report to the branch of a foreign bank in Taiwan.
In the case of a branch of a foreign bank in Taiwan outsource operation to head office or foreign branches under its internal division of work; it shall be handled in accordance with the preceding paragraph.
A domestic bank that outsources the operations of data entry, processing, and output of information system related to retail financial business to an offshore service provider, shall observe the following rules in addition to the provisions in Subparagraphs 1 to 3 of Paragraph 1 hereof:
1. The bank shall assure the compliance of the using, processing and safekeeping of customer information by the service provider to the Personal Information Protection Act, retain complete audit trails and shall include the compliance matter in the key audit items.
2. The domestic bank shall periodically evaluate cost benefit and the reasonableness of expense allocation within the group, and submit the report to its board of directors for approval.
3. The standard of security evaluation to information system conducted by the domestic bank shall be no less than the requirements set forth by the competent authority or the Bankers' Association of R.O.C..
4. The bank shall conduct one routine audit and one target audit at least annually. The aforementioned audits may be performed by an independent third party specializing in information technology.
5. The bank shall file the annual audit report of its offshore outsourcing to the FSC by the end of each year, with the report been submitted to its board of directors.
6. When its offshore information system fails to provide services which impairs the interests of its customers or impacts the sound business operation of the bank, the bank shall promptly notify the Central Bank of China, the Central Deposit Insurance Corp and the FSC, and shall submit a detailed report regarding the incident or subsequent actions taken within one week after the event.
7. The cumulative interruption time of offshore information system shall not exceed 4 hours in a year, provided that the incidents keep the bank from providing customers with deposit, withdrawal and payment transaction services (including domestic interbank remittance and currency exchange services).
When a domestic bank outsources the operations of data entry, processing, and output of information system related to retail financial business to an offshore service provider and the service provider has the incident of service interruption, or violates the provisions in Subparagraph 3 of Paragraph 1 hereof, or other regulations, the competent authority may duly notify the domestic bank to terminate the outsourcing according to the service contract, to ask the service provider to make improvement within a given time period or to temporarily suspend the outsourcing until the service provider has made confirmed improvement. The domestic bank shall stipulate matters to be performed by the service provider regarding system relocation when so requested by the bank and the service provider's liability for damages in case of service interruption in the service contract.
Article 19-1
A financial institution shall comply with the following rules when its outsourced operations involve cloud-based services:
1. The financial institution shall ensure proper control of operational risks and fully evaluate the risks of service provider. It shall adopt appropriate risk management and control measures to ensure the quality of outsourced operations. It shall also pay attention to proper diversification of operations outsourced to cloud service providers.
2. The financial institution is ultimately responsible for the supervision of cloud service providers and it should have the professional skills and resources to supervise the cloud service providers’ execution of outsourced operations. It may also request professional third parties to assist in their supervision.
3. The financial institution shall ensure that it, the competent authority, the Central Bank, or their designated representatives have access to related information on the outsourced operations executed by cloud service providers, including the audit report of customer information relevant systems, and on-site audit right.
4. The financial institution may appoint an independent third party with expertise in information technology at its sole discretion or in conjunction with other financial institutions that outsource to the same cloud service provider to conduct audits and the following rules shall apply:
(1) The financial institution shall ensure that its audit scope includes important systems and control measures related to the operations outsourced to the cloud service provider.
(2) The financial institution shall evaluate the eligibility of the third party and verify that the contents of the audit report submitted by the third party meets the relevant international standards of information security.
(3) The third party shall conduct audit based on the scope of outsourced operations and issue the audit report.
5. Where the financial institution transmits and stores customer information at the cloud service provider, it shall adopt customer data encryption, tokenization, or other effective protection measures and it shall also establish appropriate encryption key management mechanisms.
6. The financial institution shall retain complete ownership of data outsourced to cloud service providers for processing. The financial institution shall ensure that the cloud service provider does not have the right to access customer data except for the execution of outsourced operations and it may not use the data for purposes outside the scope of outsourced operations.
7. In principle, where customer data is outsourced to a cloud service provider, the location for processing and storage shall be within the territories of the R.O.C. If it is located outside the territories, the following rules shall apply:
(1) The financial institution shall retain rights to designate the location for the processing and storage of the data.
(2) The local data protection regulations in above location shall not be lower than the requirements of the R.O.C.
(3) Except with the approval of the competent authority, backups of customer important data shall be retained in the R.O.C.
8. The financial institution shall establish appropriate emergency contingency plans to reduce the risks of service interruption due to outsourced operations When the financial institution terminates or ends the operations outsourcing, it shall ensure that the outsourced operations can be smoothly transferred to another cloud service provider or transferred back to the financial institution. It shall also ensure that the cloud service provider deletes or destroys all retained data. It shall retain records of the deletion or destruction.
Article 19-2
Where a financial institution outsources operations involving cloud-based services, and outsourcing operation are material or where it outsources operations to a foreign country in accordance with Article 18, it shall submit the following documents to the competent authority for application before outsourcing:
1. Internal operating guidelines established in accordance with Article 4, Paragraph 2.
2. Meeting minutes containing resolutions of the board of directors, or a letter of consent signed by an officer authorized by the head office in case of the branch of a foreign bank in Taiwan.
3. Regulatory compliance statement.
4. Analysis of the necessity and legal compliance on outsourcing operations to cloud service providers, including compliance status evaluation to the cloud service provider with respect to the relevant customer data protection regulations.
5. Business plan for outsourcing. Contents include:
(1) Risk assessment and management mechanisms:
A. The financial institution shall review cloud service providers to ensure the reliability and legal compliance of the services provided. The review shall include analysis of business continuity, substitutability, and concentration.
B. The financial institution should have the expertise and resources to monitor the performance of cloud service providers with regard to outsourced operations.
(2) Information security and management:
A. Description of measures taken by financial institution with regard to the encryption, encryption tokenization, key storage, data transmission and segmentation, and ownership of data.
B. The management policies with regard to the location of data storage, including description of relevant local legal, political, and economic stability assessments for data processing and storage in a foreign country and description of data backup and the data can be accessed by financial institutions at all times.
(3) The scope and method for the financial institution, the competent authority, the Central Bank, or their designated persons to obtain information with regard to outsourced operations performed by the cloud service provider, including description of access to customer information, audit reports of relevant systems and measures to ensure the rights to perform on-site audits.
(4) Emergency contingency plans and exit mechanisms, including the description of financial institution retaining sufficient resources for emergency response and exit.
Material operations specified in the preceding paragraph refer to one of the following conditions:
1. Where outsourced operations cannot be performed or where there are concerns for information security, and such issues have significant impact on businesses performed by the financial institution.
2. Where an incident on customer data security occurs in the outsourced operations and such incident has a significant impact on the rights and interests of the financial institution or customers.
3. Other issues having significant impact on the rights and interests of the financial institution or customers.
Where the financial institution outsources operations involving cloud-based services that are not material outsourcing as specified in Paragraph 1 or where it does not outsource operations to a foreign country in accordance with Article 18, it shall submit the documents specified in Paragraph 1, Subparagraph 3 to Subparagraph 5 to the competent authority for reference.
Where a branch or subsidiary bank of a foreign bank in Taiwan outsource operations to the head office, parent bank, or an institution or subsidiary company of its parent group and such operations are subcontracted to a cloud service provider, it shall submit business plan for outsourcing specified in Paragraph 1 along with the documents specified in Article 18 to the competent authority for approval, and comply with the following rules.
1. The regulations for operations outsourced to cloud service providers imposed by the competent authority at the location of the head office, parent bank, or an institution or subsidiary company of its parent group must be no less stringent than the regulations in Taiwan.
2. The contents of the business plan for outsourcing may be substituted by explanatory documents with equivalence issued by the head office, parent bank, or an institution or subsidiary company of its parent group.
Article 20
A financial institution that outsources the following operations to service providers, the Article 18 to the proceeding Article shall not apply:
1.Where a financial institution outsources the operation of its foreign branches and subsidiaries.
2.Where a financial institution outsources the development and maintenance of onshore information system to offshore institutions.
Article 21
When outsourcing operations to outside service providers, a financial institution may not violate any mandatory or prohibitive provisions, public order or good morals, and there shall not be any adverse impact on its business operations, management or the interests of its customers. The financial institution shall also ensure that the Banking Act, Money Laundering Control Act, Computer-Processed Personal Data Protection Act, Consumer Protection Act, and other applicable laws and regulations are complied with.
When outsourcing its operations to outside service providers, a financial institution shall vigorously observe applicable laws and regulations, business rules or self-regulatory agreement set forth by the Bankers Association, and rules and regulations promulgated by the National Federation of Credit Co-operatives, ROC.
Article 22
The competent authority and the Central Bank of China may access relevant data or reports and conduct related financial examination on the outsourced operations of a financial institution.
Article 23
Unless it is otherwise provided in the Regulations herein, a financial institution shall bring its existing outsourcing activities that do not conform to the provisions herein in compliance with the Regulations within six months following its promulgation.
Article 24
The Regulations herein are in force on the date of promulgation.