Chapter 2. Internal Control System.
Section 1. Principles and Scope.
Article 4 | A bank’s internal control system shall be based on the following principles:
1. Management’s supervisory and control culture: The board of directors (the board) shall be responsible for approving and periodically reviewing overall business strategies and major policies, and the board has the ultimate responsibility for ensuring the establishment and maintenance of a suitable and effective internal control system. Senior management shall be responsible for carrying out the business strategies and policies approved by the board, developing procedures for identifying, measuring, supervising and controlling the bank’s risks, setting up proper internal control policies and supervising the efficiency and adequacy thereof;
2. Risk identification and evaluation: An effective internal control system shall facilitate the identification and continuous evaluation of material risks that may adversely affect the likelihood of bank achieving its goals, and determine how to respond to related risk to keep it within acceptable range;
3. Control activities and segregation of duties: Control activities shall be a part of a bank’s daily overall operations. A complete control structure should be established with internal control processes defined at every level. An effective internal control system should contain appropriate segregation of duties, and management and employees shall not be given conflicting responsibilities;
4. Information and communication: A bank shall keep pertinent and complete financial, operations and compliance information; such information shall be reliable, up to date, easily accessible, and provided in a uniform format. An effective internal control system shall have effective communication channels; and
5. Monitoring activities and remediation of deficiencies: A bank should continuously monitor the overall effectiveness of its internal control system. The business units, internal auditors and other internal control personnel shall, upon the discovery of deficiencies in such system, report to the appropriate management. Material internal control deficiencies shall be reported to senior management and the board, and be addressed promptly. |
Article 5 | A bank’s internal control system shall cover all business activities with the following policies and operating procedures established and timely reviewed:
1. Organization charter or management rules, which shall include a clear organizational system, functions and responsibility of respective department, and clear rules governing authorizations and hierarchy responsibilities.
2. Related business rules, procedures and operational manuals, including:
(1) Cashiers, deposits and remittances, extension of credit, foreign exchange, trust business and new financial products.
(2) Investment guidelines and equity management.
(3) Confidentiality of customer data.
(4) Transactions with stakeholders.
(5) Accounting and financial statement preparation process, general affairs, information and human resources (including rules for rotation and vacation).
(6) Management of information disclosure.
(7) Management of outsourcing operation.
(8) Other business rules and operating procedures.
Where necessary, the bank’s compliance and internal audit units should participate in the drafting, revision or abolishing of operational and management rules and procedures mentioned above. |
Article 6 | A bank shall set up a compliance system, a risk management mechanism, an internal audit system, and a self-inspection system to maintain the effective and proper operations of its internal control system. |
Article 7 | A bank’s internal control system shall be approved by its board of directors. If any of the directors expresses a dissenting view which is documented or comes with a written statement, the bank shall submit the dissenting view together with the internal control system approved by the board to its supervisors; the preceding provisions apply when the bank revises its internal control system.
If the bank has independent director(s), the views of respective independent director should be taken into account fully when the internal control system is submitted to the board for discussion. The specific consenting or opposing views of the independent director(s) and reasons for the opposition shall be recorded in the board meeting minutes. |
Section 2. Compliance System.
Section 3. Risk Management Mechanism.
Article 11 | A bank shall draw up pertinent risk management policy and process and set up an independent and effective risk management mechanism to evaluate and monitor its risk bearing capacity, current status of risk exposures, risk response strategies and compliance with risk management process.
The aforementioned risk management policy and process shall be approved by the board of directors, and reviewed and modified at opportune time. |
Article 12 | A bank shall set up an independent risk control unit that submits a risk control report to the board of directors on a regular basis, and take prompt and proper measures and report to the board of directors upon discovery of material exposure that might imperil the bank’s finance, business or compliance. |
Article 13 | A bank’s risk control mechanism shall contain the following principles:
1. Monitoring of capital adequacy by scale of business, the status of credit risk, market risk and operational risk, and future business trends;
2. Establishment of management mechanism for measuring and monitoring liquidity position to measure, monitor and control liquidity risk;
3. Carrying out asset allocation and establishing risk management for each business in consideration of overall exposure, own capital and liability characteristics;
4. Establishing methods for assessing the quality and classification of bank assets, calculating and controlling large-sum exposures, and periodically examining and truthfully setting aside loss provisions; and
5. Establishing information security mechanism and emergency response plan for bank’s businesses, transactions, and use of information. |
Section 4. Internal Audit System and Inspection.
Article 14 | The purposes of the internal audit system are to inspect and evaluate the effectiveness of internal control system and provide timely suggestions for improvement to ensure that the system will continue to be effective and to assist the board of directors and the management in performing their duties. |
Article 15 | A bank shall establish an internal audit unit under its board of directors that performs its duties with independent spirit and objectivity, and reports to the board of directors regularly at least once every half a year.
A bank shall establish the position of chief auditor who oversees the audit business. The chief auditor should have leadership and the capability to effectively oversee the audit work. The qualifications of chief auditor shall comply with the Regulations Governing Qualification Requirements for Responsible Persons of Banks, and such position shall be equivalent to a vice president. The chief auditor shall not hold concurrent position that may conflict with or impede his or her audit duties.
The appointment, dismissal or transfer of the chief auditor shall have the consent of at least two third (2/3) of the members of the board of directors and the prior approval of the competent authority. The appointment, discharge, promotion, reward, punishment, transfer and performance review of audit personnel will be handled by the chief auditor and take effect after approval by the chairman of the board. Where such action involves the personnel of other administrative or business units, the chief auditor shall first consult the personnel office to seek the consent of the president and then final approval from the chairman of the board. |
Article 16 | Internal auditors shall perform their duties based on the principles of honesty and credibility and stay free of the following conducts:
1. Concealing knowledge of bank’s business activity, financial reporting and compliance status that directly impairs the interests of stakeholders, or making untruthful or improper disclosure.
2. Engaging in conduct exceeding the bounds of audit authority or other illicit activity by disclosing privileged information to others for personal gain or damaging the interests of the bank.
3. Not withdrawing from audit cases involving business he or she used to perform or is having an interest in.
4. Accepting unjustified entertainment or gratuity or other illicit benefits from bank employee or customer.
5. Failing to carry out audit or provide related information as instructed by the competent authority.
6. Engaging in activities that violate laws and regulations or is prohibited by the competent authority. |
Article 17 | The internal audit unit shall undertake the following tasks:
1. A bank should outline the organization, organizational structure and responsibility of its internal audit unit, and draft the internal audit manual and working papers. The internal audit manual shall contain at least the evaluation of established internal control requirements and business procedures to determine whether the existing requirements and procedures are properly controlled and whether the administrative units and business units faithfully implement internal control and the outcome of implementation is reasonably effective, and to make suggestions for improvement whenever needed.
2. Drawing up the content and procedure for self-inspection and overseeing the self-inspection carried out by respective units.
3. Drafting an annual audit plan and audit plans for individual units in view of the risk exposures and internal audit implementation of respective units.
The bank should urge respective units to undertake self-inspection. The internal audit unit will review the self-inspection reports produced by respective units, which, together with the internal control deficiencies discovered by the internal audit unit and results of improvement actions taken, will be used as basis for the board of directors, president, chief auditor and chief compliance officer to assess the effectiveness of the bank’s internal control system and issue an internal control statement. |
Article 18 | A bank’s internal audit report in general audit shall, by the nature of the audited unit, disclose the following:
1. The scope of audit, summary evaluation, financial status, capital adequacy, business performance, asset quality, regulatory compliance, internal control, transactions with related parties, procedural control and internal management for respective business, security management of customer data, information management, employee’s education concerning confidentiality, and status of self-inspection; and
2. A status report with regard to status of improvement and inactions by each business unit in response to the examination opinions of or deficiencies found by banking examiner, accountant, or internal auditor (including the internal auditor of the financial holding company) or self-inspection personnel, and recommendations enumerated in the internal control statement. |
Article 19 | The internal audit unit shall conduct general audit and target audit of the domestic business, asset management, and information units at least once a year, and conduct target audit of other administrative units at least once each year, and general audit of operations centers and oversees business units at least once a year. The internal audit unit may conduct document audit of the overseas liaison offices or adjust the frequency of their field audit.
The bank’s internal audit unit should include the implementation of regulatory compliance system into the general audit or target audit of business and administrative units.
The internal audit report, working papers and relevant data in the first paragraph shall be retained for at least five years. |
Article 20 | A bank shall allocate qualified and a suitable number of full time internal auditors commensurate with the number of business units and the size of such businesses, and such auditors should include computer auditors who perform their duties in an independent, objective and impartial manner.
The bank’s internal auditors shall meet the following requirements:
1. Having minimum two years of experience in financial examination; or having graduated from a collage or university; or have passed the Higher Civil Service Examination or any examination equivalent thereto and with minimum two years of experience in the financial business; or having minimum five years of experience in financial business; or having minimum two years of professional experience as an auditor in a accounting firm, or a programmer or systems analyst in a computer firm and having received minimum three months of training in financial business and management;
2. Free of any record of demerit from employer in the last three years, unless the demerit record was a result of joint disciplinary action on account of the violation or offense of a colleague, and the demerit has been offset by other merits; and
3. The lead auditor shall have minimum three years of experience in audit or insurance examination, or minimum one year of audit experience and five years of experience in financial business. |
Article 21 | The auditors, lead auditor, and chief and assistant chief of the internal audit unit shall attend at least one session of auditor training class, computer auditing training class, lead auditor training class or chief and assistant chief training class sponsored by a training institution designated by the competent authority. New auditors shall pass the examination of aforesaid training institution and receive a certificate of class completion.
Internal auditors shall attend more than thirty (30) hours of finance-related professional training sponsored by a training institution designated by the competent authority, or the financial holding company or the employer bank each year.
The hours of finance-related professional training received from training institutions designated by the competent authority shall make up at least half of the required training hours specified in the foregoing paragraph.
A bank shall have a plan for continuous and proper training of personnel involved in self-inspection. |
Article 22 | A bank shall affirm that its internal auditors meet the qualifications as stipulated in the Rules herein. The affirmation documents and records shall be filed and saved for future reference. |
Article 23 | To enhance internal check and balance so as to prevent the occurrence of fraud, a bank shall establish a self-inspection system. The business, asset management and information units of the bank shall conduct general self-inspection at least once every half a year, and special self-inspection at least once every month. Notwithstanding the foregoing, special self-inspection is not required in the month when a general self-inspection has been conducted, or when a general business audit has been conducted by the internal audit unit of the bank or the financial holding company, or when a general business examination has been conducted by the financial examiner, or when the audit department has conducted a full business audit, or when a self-evaluation of regulatory compliance has been conducted.
When conducting self-inspection, the chief of the business, asset management or information units shall assign a personnel other than the one who handles the work to carry out self-inspection, and keep the self-inspection operation confidential beforehand.
The self-inspection report, its working papers and related data shall be retained for at least five years. |
Article 24 | Bank officers at various levels with the authority to approve bank business or transactions shall meet any of the requirements below prior to taking office:
1. Having minimum one year of practical experience in conducting internal audits as an employee of the internal audit unit;
2. Having passed the examination and received a certification of course completion in an auditor or computer auditor training course offered by an institution designated by the competent authority.
3. Having passed the test for of banking internal control and internal audit and received a certificate therefore from an institution designated by the competent authority. The content of the test should be comparable to the training course and examination mentioned in the preceding subparagraph.
Bank officers at various levels in overseas business office with the authority to approval bank business or transactions may attend professional audit training sponsored by foreign institutions or obtain similar examination credential in lieu of the requirements specified in paragraph 1 hereof.
First-time business unit manager of a domestic bank shall, in addition to meeting a requirement as provided in the first paragraph hereof, participate in the audit internship of the internal audit unit at least four times in the first half year of appointment, provided he or she is qualified for the job by meeting the requirement specified in subparagraph 2 or 3 in the first paragraph hereof. The aforesaid internship shall cover at least one audit item in each audit and at least four audit items cumulatively. The intern shall also produce an internship report for the perusal of the chief auditor. The chief auditor, after approving the report, will issue a certificate and preserve it along with other documents for future reference.
Officers of the branch of a foreign bank in Taiwan with the authority to approve bank business or transactions may be exempted from the requirements in this article provided he or she has completed the training required by the foreign bank for its internal auditor and such training requirement is at par with the requirements specified in the first paragraph hereof.
If a foreign bank has already set up a branch in Taiwan when the amended Rules herein were promulgated on June 14, 2005, its officers having the authority to approve bank business or transactions shall possess the qualification as provided in the first paragraph hereto or complete the training described in the foregoing paragraph in one year from the promulgation date of the amended Rules herein on June 14, 2005. |
Section 5. Audits by the Accountant.
Article 25 | When a bank engages an accountant to audit its annual financial statements, it shall also ask the same accountant to audit its internal control system and express opinion regarding the accuracy of information provided in the financial statements as well as the implementation of the bank’s internal control system, regulatory compliance system, and the appropriateness of bank’s bad debt reserve policy.
The accountant’s audit fees will be at the expense of the bank as agreed between the bank and the accountant.
Paragraph 1 does not apply to a bank which is taken over by the competent authority pursuant to laws. |
Article 26 | Where necessary, the competent authority may invite the bank and its accountant to a discussion meeting regarding the audit as described in the preceding article, and ask the bank to replace its accountant to conduct another audit if the competent authority deems that the accountant is incompetent for the audit work. |
Article 27 | In carrying out audit as described in Article 25 herein, the accountant shall inform the competent authority immediately in case of any of the following situations:
1. In the process of audit, the accountant was unable to continue the audit work because the bank did not provide the statements, supporting documents, account books or meeting minutes asked by the accountant or refuse to provide explanation to the inquires of the accountant, or due to the other objective circumstances.
2. The bank under audit is found to contain untruthful information in its accounting or other records, falsify, or omit accounting or other records, and the situation is of serious nature.
3. The bank under audit does not have adequate assets to cover its liabilities or its financial conditions markedly deteriorate.
4. Evidence indicates that a transaction of the bank might bring about material loss to its net assets.
Where the bank under audit is found to be in any of the situations described in subparagraphs 2 ~ 4 of the preceding paragraph, the accountant shall first submit a summary report to the competent authority based on the audit results. |
Article 28 | A bank shall file the previous year’s audit report of its accountant regarding the audits described in Article 25 herein to the competent authority before the end of April every year. Such audit report shall contain at least information on the scope and basis of audit, audit procedure and results.
The accountant of a bank is obliged to provide relevant information and explanations to the questions raised by the competent authority regarding the audit report. |