| Article 22 | An internal control system should be put in place in regards to a service enterprise engaged in interbank credit information processing and exchange. The service enterprise needs to ensure that the system can be implemented effectively and sustainably to solidify business management in the service enterprise. |
| Article 23 | The internal audit team of the service enterprise engaged in interbank credit information processing and exchange should conduct at least one general inspection and special inspection each year in regards to the business, finance, asset management and information security. For other management units, at least one special inspection each year is required. |
| Article 24 | The service enterprise engaged in interbank credit information processing and exchange should establish a self-inspection system. Each team of business, finance, asset management and information security should conduct at least one general self-inspection every six months, and at least one special inspection each month. However, the self-inspection can be exempt during the month of regular inspection conducted by internal and external auditors.
The service enterprise engaged in interbank credit information processing and exchange should continue to follow up on the improvement suggestions raised by internal and external auditors. In addition, the service enterprise should submit a report about how it follows up and improves the related areas in a written form to the Board of Directors and supervisors as a key indicator of rewards or punishment and performance review. |
| Article 25 | When there is to be a change involving any of the following particulars, a service enterprise engaged in interbank credit information processing and exchange shall first report the matter to the Competent Authority and receive approval before implementing the change:
1.Articles of Association;
2.Organizational structure and the responsibilities of individual departments;
3.The internal control system;
4.The internal auditing system;
5.The membership protocol;
6.The schedule of fees and the method for calculating them; or
7.Criteria governing provisions for a general liability reserve. |
| Article 26 | The financial institutions and financial related business appointed by the Competent Authority should submit pertinent information about loans, credit cards and financial derivatives business to the service enterprise engaged in interbank credit information processing and exchange. Such information also includes any case of suspected legal infringement or abnormal depositors, frauds, any staff in the bank violating laws or employment requirement and any other data required by the laws. However, information regarding crediting for bills should not be included.
The collection, processing or use of the information stated before is in compliance with Article 8 Section 2 Clause 2 in Personal Information Protection Law. Therefore, it is not necessary to notify the Party subject to Article 9 Section 1 of Personal Information Protection Law.
The service enterprise engaged in interbank credit information processing and exchange should complete the scope and filing for information about loans, credit cards, financial derivatives business and other data required by the Competent Authority. Such information should be submitted to Competent Authority as well.
The information required to be declared subject to Section 1 by financial institutions and financial related business appointed by Competent Authority should be truthful and accurate.
Unless otherwise stipulated in other laws or announcement by the regulators, the bank does not need to notify consecutively or repetitively the clients when their information inquired or submitted via the service enterprise engaged in interbank credit information processing and exchange to fulfill the requirement of financial institutions and regulators is stated in the contract signed between the bank and the clients. This approach holds true when the contract includes the definitive clauses to specify the source of information and other requirements defined by the laws, and after the signing of the contract, the bank collects, inquires, handles, utilizes, transmits or submits the same information included in the contract. |
| Article 27 | A service enterprise engaged in interbank credit information processing and exchange shall gather, process, and use information in a manner consistent with the relevant legal requirements, and shall ensure its privacy and security.
A service enterprise engaged in interbank credit information processing and exchange shall be liable to ensure that credit information is archived, processed, transmitted, exchanged, and accessed using correct procedures. Where information is in error, destroyed, lost, or incorrectly processed, transmitted, exchanged, or accessed, the enterprise shall be liable to investigate the problem, carry out corrective and remedial measures, and exercise the care of a good administrator.
A record of the accessing and processing referred to in the preceding paragraph shall be kept on file for not less than five years. |
| Article 28 | Where a service enterprise engaged in interbank credit information processing and exchange violates the provisions of the preceding article and fails to correct the problem within the time period specified by the Competent Authority, and the problem is of material significance, the Competent Authority may order the enterprise to dismiss related corporate officers, suspend the enterprise's business operations, or void its authorization to engage in interbank credit information processing and exchange. |
| Article 29 | To ensure the confidentiality and security of information, a service enterprise engaged in interbank credit information processing and exchange shall periodically reassess and improve its maintenance measures and plans for information confidentiality and security controls, and shall report its actions to the Competent Authority for acknowledgement.
A service enterprise engaged in interbank credit information processing and exchange shall enter into a membership protocol with its member financial institutions, and in the membership protocol shall include stipulations regarding suspension and reinstatement of access, liability for damages, etc., in the event there are violations of the security control mechanism, access procedures, or the terms and conditions of information confidentiality. A service enterprise engaged in interbank credit information processing and exchange may carry out inspections as necessary to ascertain whether and how well its member organizations are implementing security control mechanisms and abiding by access procedures and the terms and conditions of information confidentiality. |
| Article 30 | Within three months from the end of each fiscal year, a service enterprise engaged in interbank credit information processing and exchange shall submit to the Competent Authority its annual report, an accountant-certified financial statement, and other documents related to the enterprise's operations.
In the interest of understanding the business and financial status of enterprises engaged in interbank credit information processing and exchange, the Competent Authority may at any time require them to provide relevant reports and explanations, and may also dispatch personnel as necessary to carry out on-site inspections. Enterprises may not refuse such inspections. |
| Article 31 | When a service enterprise engaged in interbank credit information processing and exchange intends to cease all or part of its business operations, it shall report its plans to the Competent Authority one year prior to cessation of business, and shall not cease business operations without the approval of the Competent Authority. |
| Article 32 | A service enterprise engaged in interbank credit information processing and exchange shall not invest in enterprises not related to its own business. An investment in an enterprise related to its own business shall be carried out only after it has been approved through not less than a three-quarters majority vote by the directors at a board of directors meeting attended by no fewer than two-thirds of the board members, reported to the Competent Authority, and approved thereby. |
| Article 33 | Any party that has already archived interbank credit information pursuant to designation by the Competent Authority prior to enforcement of these regulations shall be regarded as having been established with the approval of the Competent Authority. With the exception of the requirement to apply to the Competent Authority for a business license, such a party shall not be subject to the restrictions set forth in Article 4 or Articles 12 to 20. |
| Article 34 | Shares held by banks and government agencies pursuant to the provisions of Article 4 may be transferred only to banks. |
| Article 35 | These regulations shall take effect on the date of their promulgation. |