Data Source: Laws and Regulations Retrieving System of the Banking Bureau


Title: Implementation Rules for the Internal Audit and Internal Control System of Specialized Electronic Payment Institutions (2025.03.19 Modified)
  Chapter 3 Inspection of Internal Control System

   Section 5 Risk Management Mechanisms

Article   34    A specialized electronic payment institution shall formulate proper risk management policies and procedures, and establish an independent and effective risk management mechanism, by which to assess and monitor the overall risk bearing capacity and the current status of risks already incurred, and to determine the risk response strategies and the compliance framework of the risk management procedures.
The risk management policies and procedures under the preceding paragraph shall be passed by the board of directors and be reviewed and revised in a timely manner.
Article   35    A specialized electronic payment institution shall establish a risk management unit and regularly submit risk management reports to the board of directors. Upon identifying a significant risk exposure that might adversely affect its financial or business status, or compliance with applicable acts and regulations, the specialized electronic payment institution shall take immediate and adequate measures and submit a report to the board of directors.
The risk management unit under the preceding paragraph may be replaced by a designated management unit.
Article   36    The risk management mechanisms of a specialized electronic payment institution shall include the following:
1. Establishing a fraud prevention mechanism to uphold transaction security and better control fraud risk.
2. Establishing an examination and control mechanism for operating procedures, and establishing an information security mechanism and an emergency response plan.
3. Establishing a user and contracted institution management mechanism.
4. Establishing an exit mechanism for circumstances in which business or finances deteriorate significantly.
5. Establishing a management mechanism for users’ funds of payment.
6. Establishing an identity verification mechanism for users and contracted institutions.
7. Establishing an information protection mechanism for users and contracted institutions.
8. Establishing an outsourcing management mechanism.
9. Establishing a financial consumer protection mechanism.
Article   36-1    A specialized electronic payment institution whose total assets, as audited and certified by a certified public accountant in the previous year, amounted to NT$1 billion or whose number of users reached 2 million or more must set up a dedicated information security unit and appoint a supervisor, who shall not be assigned to perform information management or other tasks with a conflict of interest, and shall allocate suitable workforce and equipment.
If the dedicated information security unit specified in the preceding paragraph is part of the information management organization, it shall be set up as a separate entity from other information management units to meet the management mechanisms for independent operations.
If an electronic payment institution does not meet the provisions of Paragraph 1, it shall implement adjustments within six months of the promulgation of the amendment to meet the requirements.