Data Source:Laws and Regulations Retrieving System of the Banking Bureau


Title: Implementation Rules for the Internal Audit and Internal Control System of Specialized Electronic Payment Institutions (2023.08.14 Modified)

  Chapter 1 General Provisions

Article    1   
These Rules are adopted pursuant to Article 33 of the Act Governing Electronic Payment Institutions (referred to as the "Act" hereunder).
Article    2   
The term "professional training institution" used in these Rules shall mean a training institution recognized as such in accordance with the Guidelines for Reviewing Training Institutions for Financial Holding Companies and Banking Enterprises.
Article    3   
A specialized electronic payment institution shall establish internal control system and ensure the on-going and effective implementation of the system to promote sound operation of its business.
A specialized electronic payment institution shall formulate overall business strategy, risk management policies and guidelines, and draft business plans, risk management procedures, and execution guidelines.
Article    4   
The primary purpose of a specialized electronic payment institution's internal controls are to promote sound business operations and, through joint compliance by its board of directors, management, and all employees, to reasonably ensure that the following objectives are achieved:
1. Effectiveness and efficiency of operations;
2. Reliability, timeliness, transparency and compliance of reporting; and
3. Compliance with applicable laws and regulations.
The objective of effectiveness and efficiency of operations referred to in Subparagraph 1 of the preceding paragraph includes objectives such as profits, performance, and safeguarding asset security.
The "reporting" referred to in Subparagraph 2 of Paragraph 1 includes internal and external financial reporting and non-financial reporting on the specialized electronic payment institution, where the objectives of financial reporting for external purpose include ensuring that it is prepared in accordance with the generally accepted accounting principles (GAAP), and that transactions are made with proper approval.
Article    5   
The internal control system of a specialized electronic payment institution shall be passed by its board of directors. If any director expresses dissent or reservation, those opinions and reasons therefor shall be recorded in the meeting minutes of the board of directors, which, together with the internal control system passed by the board, shall be submitted to the supervisors or the audit committee. The preceding provision applies to revisions of the internal control system.
Article    6   
The board of directors of the specialized electronic payment institution must be aware of the operational risks that the company faces, supervise its performance of operations, and bear the ultimate responsibility for ensuring its internal control system to be established and maintained appropriately and effectively.

  Chapter 2 Design and Implementation of Internal Control System

Article    7   
A specialized electronic payment institution shall establish an internal audit system, self-inspection system, regulatory compliance system, and risk management mechanism to maintain the effective and proper operation of its internal control system.
Article    8   
The internal control system of a specialized electronic payment institution shall contain the following components:
1. Control environment: The control environment is the basis for the design and implementation of the internal control system of a specialized electronic payment institution. The control environment encompasses the integrity and ethical values of the institution, governance oversight responsibility of its board of directors and supervisors or audit committee, organizational structure, assignment of authority and responsibility, human resources policy, performance measures and reward and discipline. The board of directors and management shall prescribe internal standards of conduct, including the adoption of code of conduct for directors and employees.
2. Risk assessment: A precondition to risk assessment is the establishment of objectives, linked at different levels of a specialized electronic payment institution, and with the suitability of the objectives for the institution taken into consideration. The management shall consider the impact of possible changes in the external environment and within its own business model, and likely fraud scenarios that may occur. The risk assessment results may be used to assist the institution in designing, correcting, and implementing necessary controls in a timely manner.
3. Control activities: Control activities are the actions of adopting appropriate policies and procedures by a specialized electronic payment institution based on its risk assessment results to limit relevant risks within an acceptable range. Control activities shall be performed at all levels of the institution, at various stages of business processes, and over the technology environment, and shall include supervision and management over subsidiaries, appropriate delegation of responsibilities and not assigning conflicting responsibilities to management and employees.
4. Information and communication: Information and communication means that a specialized electronic payment institution gathers, generates, and uses relevant and quality information from both internal and external sources to support the ongoing functioning of other components of internal control, and ensure effective communication within the organization and between the institution and external parties. The internal control system must have mechanisms to generate information necessary for planning, implementation, and monitoring, provide information to those who need it in a timely manner, and ensure the retention of complete financial, operational and compliance information. An effective internal control system shall have effective communication channels in place.
5. Monitoring activities: Monitoring activities means ongoing evaluations, separate evaluations, or some combination of the two used by a specialized electronic payment institution to ascertain whether each of the components of internal control is present and continuously functioning. Ongoing evaluations means routine evaluations built into the course of operations at different levels of the institution. Separate evaluations are evaluations of other personnel conducted by internal auditors, supervisors or audit committee, or the board of directors. Findings of deficiencies of the internal control system shall be communicated to the management of appropriate levels, the board of directors, and supervisors or audit committee, and improvements shall be made in a timely manner.
The minimum requirement for directors’ code of conduct specified in Subparagraph 1 of the preceding paragraph shall incorporate that, the directors must not only take adequate actions promptly when the specialized electronic institution are found to face foreseeable material damages, but also have to notify the audit committee or independent directors or supervisors, and the board as well as instruct the said institution to report to the competent authority.
Article    9   
The internal control system shall cover all business activities, including the following appropriate policies and procedures, and shall be reviewed and revised in a timely manner:
1. Organizational rules and processes, or management rules, including a clear organizational system, functions of various units, scope of operations for each unit, and well-defined measures for authorizations and hierarchical delegation of responsibilities.
2. Related business rules and procedural manuals, including:
(1) Management of data confidentiality of users and contracted institutions.
(2) Management of the adoption of the International Financial Reporting Standards (IFRSs), workflow of preparing accounting and financial statements, management of general affairs, information, and personnel affairs
(3) Management of operations for disclosing information externally.
(4) Management of financial examination reports.
(5) Management of protection of financial consumers.
(6) Management of outsourcing operations.
(7) Management of identity verification for users and contracted institutions.
(8) Management of the businesses of collecting and making payments for real transactions as an agent, accepting deposits of funds as stored value funds, and domestic and foreign small-amount remittances.
(9) Management of information system and security management operations.
(10) Management of delineation of responsibilities between information unit and information system user units.
(11) Mechanisms for dealing with material contingencies.
(12) Mechanisms and compliance framework for anti-money laundering and counter the financing of terrorism (AML/CFT), including mechanisms for identifying, measuring, and monitoring risks associated with money laundering and financing of terrorism.
(13) Other business rules and operating procedures.
Where a specialized electronic payment institution has an audit committee established, its internal control system shall also include the management of the audit committee meeting procedures.
Where necessary, the compliance, internal audit, risk management units and other relevant units of a specialized electronic payment institution shall participate in the establishment, revision or cancellation of operational and management rules mentioned in Paragraph 1 hereof.

  Chapter 3 Inspection of Internal Control System

   Section 1 Internal Audit

Article   10   
The purpose of internal audit is to assist the board of directors and the management in checking and assessing whether the internal control system works effectively and to provide timely suggestions for improvements so as to reasonably ensure the ongoing and effective implementation of the internal control system and to serve as the basis for reviewing and revising the internal control system.
Article   11   
A specialized electronic payment institution shall set up an internal audit unit that is directly under the board of directors and performs audits independently and honestly. The internal audit unit shall report its audit business to the board of directors and supervisors or audit committee at least annually.
A specialized electronic payment institution shall, in view of its business size, business conditions and management needs, establish a chief auditor position of comparable rank to oversee the audit affairs. The chief auditor shall possess sufficient leadership and ability to effectively supervise the audit work, and may not hold other positions that are in conflict or interfere with the audit work.
The employment, dismissal, or reassignment of chief auditor shall first obtain the consent of at least two-thirds of all directors.
Where a specialized electronic payment institution has an audit committee established, the employment, dismissal or reassignment of chief auditor shall first obtain the consent at least the majority of all audit committee members. If the matter does have the consent of at least the majority of all audit committee members, the decision of the audit committee shall be recorded in the meeting minutes of the board of directors. Where a specialized electronic payment institution does not have an audit committee but independent directors, any dissenting opinion or reservation expressed by the independent directors shall also be recorded in the meeting minutes of the board of directors.
The employment, dismissal, promotion, reward and punishment, rotation and performance review of any personnel in the internal audit unit shall become effective after being reported by the chief auditor to the chairman for approval. However, if the matter involves personnel of other management and business units, the chief auditor shall first consult with the personnel office and obtain the consent of the president before reporting the matter to the chairman for approval.
Article   12   
When the chief auditor of a specialized electronic payment institution has any of the following situations, the competent authority may, in view of the severity of the situation, issue an official reprimand, order remedial action within a specified time limit, or order the specialized electronic payment institution to release the chief auditor from duty:
1. Abusing power of office with factual evidence showing that he/she has engaged in improper activities, or acting contrary to his or her duties in an attempt to seek illicit profits for him/herself or for a third party, or to damage the interests of the employer, which results in damages to the employer or its subsidiary or a third party.
2. Disclosing, delivering, or publicizing all or part of the examination reports to a person unrelated to such job without the consent of the competent authority.
3. Failing to notify the competent authority of any material malpractice or fraud at the employer due to internal mismanagement.
4. Failing to disclose in the internal audit report any material deficiency found in the financial or business operations of the employer.
5. Issuing a fraudulent internal audit report after performing the internal audit work.
6. Failing to identify a material deficiency in the financial or business operations of the employer as a result of obviously insufficient or incompetent staffing of the internal audit unit.
7. Failing to follow the instructions of the competent authority in conducting audit work or providing relevant information.
8. Having committed other acts that impair the reputation or interests of the employer.
Article   13   
A specialized electronic payment institution shall be staffed with an appropriate number of competent full-time internal auditors in accordance with the number of users and contracted institutions, business volume, business conditions, management needs, and the requirements of other relevant laws and regulations, who shall perform their duties in an objective detached independent, objective and impartial objective manner. Personnel of the internal audit unit shall be deputy to each other to cover each other's absence.
The internal auditors of a specialized electronic payment institution shall meet the following qualification requirements:
1. Having not less than two years of experience in financial examination; or having graduated from a college or university, or passed a senior civil service examination or an equivalent examination, or the examination of certified internal auditor and having not less than two years of experience in financial business; or having not less than five years of experience in financial business. A specialized electronic payment institution must be staffed with at least one qualified internal auditor who meets the aforementioned qualifications. A person is deemed to meet such requirements if he or she has worked as a professional, such as an auditor or an auditor in an accounting firm, or a programmer or system analyst in a computer company for not less than two years, and has received not less than three months of training in the business operations and management of a specialized electronic payment institution.
2. Free of any record of demerit or more serious disposition from employer in the last three years, unless the demerit record was a result of joint and several disciplinary action on account of the violation or offense of another person, and the demerit has been offset by other merits; and
3. Internal auditor who acts as a team leader shall have not less than three years of experience in auditing or financial examination, or have not less than one year of experience in auditing and not less than five years of experience in financial business, or have not less than one year of experience in auditing and have worked as an auditor for an accounting firm for at least three years.
A specialized electronic payment institution shall check at any time whether its internal auditors have violated the provisions in the preceding two paragraphs. If an auditor is found to violate the provisions, the institution shall order the auditor to take remedial action within two months from the date of discovery and shall immediately reassign the auditor to another job if he or she fails to complete the remedial action within the specified time period.
Article   14   
The internal auditors of a specialized electronic payment institution shall perform their duties in good faith and shall not have any of the following situations:
1. Concealing or making false or inappropriate disclosures while being well aware that the business activity, reporting, or regulatory compliance condition of the employer may cause direct damage to the interests of any stakeholder.
2. Acting beyond the scope of audit functions or engaging in other improper activities, or disclosing any acquired information without authorization or in the attempt to profit therefrom, or otherwise using the information against the interest of the employer.
3. Causing damages to the employer or harming the interests of stakeholders due to negligence in duties.
4. Conducting audit on a department where he/she worked within the past one year.
5. Failing to disqualify him/herself from auditing previously handled business or cases or from auditing cases in which he/she has a stake.
6. Accepting any improper entertainment or gift or other improper benefits provided by the employer or its employees or customers.
7. Failing to follow the instructions of the competent authority in conducting audit work or providing relevant information.
8. Engaging in other acts that violate rules or regulations, or are prohibited by the competent authority.
A specialized electronic payment institution shall check at any time whether its internal auditors have violated the provisions in the preceding two paragraphs. If an auditor is found to violate the provisions, the institution shall reassign the auditor to another job within one month from the date of discovery.
Article   15   
The internal audit unit shall undertake the following tasks:
1. Plan the organizational structure, size and responsibilities of the internal audit unit and produce internal audit working manuals and working papers, which shall include at least assessing the various rules and operating procedures of the internal control system to determine whether adequate internal controls are already in place in the current rules and procedures, whether each department has realistically carried out the internal controls, and whether the internal controls are carried out in a reasonably effective manner, and from time to time provide suggestions for improvement.
2. Supervise the formulation of self-inspection contents and procedures by respective units, and the implementation of self-inspection by each unit.
3. Formulate annual audit plans and draw up the audit plans for respective unit based on the business risk profile of and implementation of internal audits by each unit.
A specialized electronic payment institution shall ensure that all of its units carry out self-inspection, and assign its internal audit unit to review the self-inspection reports of each unit, which, together with internal audit unit's report on the deficiencies and irregularities in internal controls found and improvement actions taken, will serve as a basis for the board of directors, president, chief auditor, and chief compliance officer to evaluate the overall effectiveness of the internal control system, and to issue the statement on internal control.
Article   16   
The internal audit unit of a specialized electronic payment institution shall conduct a routine audit and a special audit at least annually on its business, finance, asset safekeeping and information units, and a special audit at least annually on other management units.
The internal audit unit shall include the execution status of the regulatory compliance system into the routine audit or special audit of the business and management units.
Article   17   
When the internal audit unit of a specialized electronic payment institution carries out routine audit, its internal audit report shall disclose the following information based on the business nature of the audited unit:
1. Scope of audit, summary review of audit, financial status, business performance, asset quality, management of the board of directors and audit committee meeting procedures, regulatory compliance, internal controls, the control and internal management of various businesses, management of data protection for users and contracted institutions, information management, employee confidentiality education, protection measures for financial consumers, implementation of self-inspection, and an evaluation of the above matters.
2. Examination opinions on material violations, deficiencies or frauds occurred at various units, and suggestions for disciplinary actions against negligent employees.
3. The examination opinions or deficiencies identified by the financial examination agency, accountants, internal audit unit (including the internal audit unit of the parent company), and self-inspection personnel, and the improvement status of items that are listed as needing further improvement in the statement on internal control.
The internal audit reports, working papers and relevant information shall be retained for at least 5 years.
Article   18   
Where a significant fraudulent event occurs at a specialized electronic payment institution as a result of poor internal management, unsatisfactory internal controls, inadequate implementation of the internal audit system and regulatory compliance system, or concealment of the results of improvement actions taken for any deficiency specified by a financial examination agency in an examination opinion requiring review and follow-up, or the audit findings of the internal audit unit (including the internal audit unit of parent company), the personnel involved shall be held responsible for dereliction of duties. A specialized electronic payment institution shall reward its internal auditors who identify any significant fraud or negligence and thereby avert material loss to the institution.
When a significant deficiency or fraudulent event arises within a unit of a specialized electronic payment institution, the internal audit unit shall have the power to suggest penalties and shall make a full disclosure of the responsible negligent personnel in the internal audit report.
Article   19   
A specialized electronic payment institution shall deliver its internal audit report to its supervisors or audit committee for review. Unless otherwise prescribed by the competent authority, it shall submit the internal audit report to the competent authority within two months following completion of the audit. The internal audit report shall also be delivered to the independent directors if such positions are set up by the specialized electronic payment institution.
Article   20   
The first-time internal auditors of a specialized electronic payment institution shall attend at least eighteen hours of audit-related professional training courses held by professional training institutions designated by the competent authority within six months from the date they start the audit work.
The internal auditors (including the chief auditor) of a specialized electronic payment institution shall attend professional training related to electronic payment business offered by competent authority-designated professional training institutions or by the specialized electronic payment institution itself every year. The minimum number of training hours shall be ten hours for the chief auditor, and fifteen hours for the other internal auditors. If an auditor has obtained a certified internal auditor certificate in a year, the certificate may be used to offset the training hours for the year.
Professional training courses related to electronic payment business offered by competent authority-designated professional training courses shall comprise not less than one half of the total hours of training under the preceding paragraph.
A specialized electronic payment institution shall formulate self-inspection programs every year and continuously provide proper training to self-inspection personnel in accordance with the business nature of each unit.
A specialized electronic payment institution shall verify that its internal auditors meet the qualification requirements set forth herein, and retain the verification documentation and records for future reference.
Article   21   
A specialized electronic payment institution shall file the data on its internal auditors with the competent authority for record before the end of January every year via a web-based information system and in a format prescribed by the competent authority.
When filing the basic data of internal auditors according to the preceding paragraph, a specialized electronic payment institution shall verify whether these auditors have met the requirements stipulated in Paragraph 2 of Article 13 and the preceding article herein. If an internal auditor fails to meet the requirements, the auditor shall take remedial actions within two months, or else be reassigned to another job.
Article   22   
A specialized electronic payment institution shall file the next year's audit plan to the competent authority for record by the end of each fiscal year, and a report on the execution of its preceding year's annual audit plan within two months from the end of each fiscal year, in a prescribed format stipulated by the competent authority via a web-based information system.
A specialized electronic payment institution shall deliver its next year's audit plan in writing to the supervisors or audit committee for review and record the comments of supervisors or audit committee by the end of each fiscal year. If the institution does not have an audit committee, it shall deliver the audit plan to its independent directors for comments. The annual audit plan and changes thereof shall be approved by the board of directors.
The audit plan mentioned in the preceding paragraph shall contain at least a description of the audit plan, key annual audit items, units to be audited, nature of audit (routine audit or special audit), frequency of audit, and whether the audit plan is in compliance with the requirements of the competent authority. If the audit is a special audit, the scope of audit shall also be noted.
Article   23   
A specialized electronic payment institution shall file the deficiencies, irregularities, and improvement of internal audit of the previous year to the competent authority for record in a format prescribed by the competent authority via a web-based information system within five months after the end of each fiscal year.

   Section 2 Self-inspection and Statement on Internal Control

Article   24   
A specialized electronic payment institution shall establish a self-inspection system. Its business, finance, asset safekeeping and information units shall conduct a routine self-inspection and a special self-inspection at least semi-annually.
For the self-inspection mentioned in the preceding paragraph, the head of the unit shall assign a person other than the original handling staff to conduct the inspection and keep the inspection activity confidential before implementation.
The self-inspection report under Paragraph 1 hereof shall include working papers, and along with the relevant information shall be retained for at least five years for future reference.
Article   25   
The internal audit unit of a specialized electronic payment institution shall continually conduct follow-up reviews on the examination opinions or audit deficiencies brought up by the financial examination authority, accountants, or the internal audit unit (including the internal audit unit of parent company), or in self-inspection conducted by internal units, and on matters requiring improvements as specified in the statement on internal control. It shall submit a written report on the follow-up of improvement actions taken to the board of directors, and deliver a copy of the report to the supervisors or audit committee, which shall be used as an important reference in reward, punishment, and performance evaluation of respective units.
Article   26   
The president of a specialized electronic payment institution shall supervise all units to carefully assess and review the implementation status of its internal control system. The chairman, president, chief auditor, and chief compliance officer shall jointly issue a statement on internal control (see attached), which shall be submitted to the board of directors for approval. The specialized electronic payment institution shall disclose its statement on internal control on its website and publish it on a website designated by the competent authority within three months after the end of each fiscal year.

   Section 3 Audit of Specialized Electronic Payment Institutions by Accountants

Article   27   
If the annual financial report of a specialized electronic payment institution is audited and certified by an accountant, the institution shall also engage the accountant to conduct an audit of its internal control system. The accountant shall also express an opinion on the accuracy of reports submitted by the specialized electronic payment institution to the competent authority, and the appropriateness of the implementation status of internal control system and regulatory compliance system.
The competent authority may request the specialized electronic payment institution to authorize an accountant to conduct a targeted examination of its personal data protection and AML/CFT mechanisms.
The audit fees for the accountant shall be negotiated and agreed between the specialized electronic payment institution and the accountant, and paid by the specialized electronic payment institution.
Article   28   
Where necessary, the competent authority may invite a specialized electronic payment institution and its appointed accountant to discuss audit-related matters under the preceding article. If the competent authority finds the accountant appointed by the specialized electronic payment institution not sufficiently competent for the audit work, the competent authority may order the specialized electronic payment institution to replace its accountant and appoint another accountant to re-conduct the audit work.
Article   29   
When an accountant conducts an audit specified in Article 27 herein, the accountant shall inform the competent authority immediately when the audited specialized electronic payment institution has any of the following situations:
1. During the course of audit, the specialized electronic payment institution fails to provide the accountant with requested reports, certificates, account books and meeting minutes, or refuses to make further explanation on the inquiries made by the accountant, or the accountant is unable to continue the audit work as constrained by other objective circumstances.
2. There are false, forged or missing data of serious nature in its accounting or other records.
3. Its assets are insufficient to pay its debts or its financial condition deteriorates significantly.
4. There is evidence indicating that certain transactions may cause great damage to its net asset.
If an audited specialized electronic payment institution has a situation provided in Subparagraphs 2 to 4 of the preceding paragraph, an accountant shall submit in advance a summarized report based on the audit results to the competent authority.
Article   30   
When a specialized electronic payment institution appoints an accountant to conduct audit under Article 27 herein, the institution shall submit the accountant's audit report of the previous year to the competent authority for record before the end of April every year. The audit report shall describe at least the scope, basis, procedure, and results of the audit.
When the competent authority inquires the contents of the audit report, the accountant shall provide full and accurate information and elaboration.

   Section 4 Regulatory Compliance System

Article   31   
A specialized electronic payment institution shall assign a management unit directly under the president to take charge of the planning, management and implementation of regulatory compliance system, and appoint a high-level manager to act as the chief compliance officer who oversees the compliance matters and report to the board of directors, supervisors, or audit committee at least semiannually. If any major violation of regulations is discovered, the chief compliance officer shall immediately report to the directors and supervisors, and report the compliance related matters to the board of directors.
The chief compliance officer and personnel of the compliance unit shall attend at least fifteen hours of training a year offered by competent authority-designated professional training institutions or their employer. The training courses shall cover at least the latest regulatory amendments.
A specialized electronic payment institution shall file the list of chief compliance officer and personnel of compliance unit and their training records to the competent authority via a web-based information system.
Article   32   
A specialized electronic payment institution shall establish advisory and communication channels for compliance related matters to keep employees informed of relevant rules and regulations, swiftly clarify any questions its employees may have on compliance matters, and ensure regulatory compliance.
The compliance unit of a specialized electronic payment institution shall analyze the causes of significant deficiency or fraud in compliance related matters within respective unit, and propose suggestions for improvement. The report produced thereof shall be signed off by the president and then submitted to the board of directors for approval.
Article   33   
The compliance unit of a specialized electronic payment institution shall conduct the following tasks:
1. Establishing a system for clear and adequate conveyance, consultation, coordination and communication of compliance matters.
2. Keeping operating and management rules and procedures updated in line with relevant regulations to make sure all business activities comply with regulatory requirements.
3. Before a specialized electronic payment institution introduces a new product or service, or applies to the competent authority for approval to offer a new business, the chief compliance officer shall issue and sign an opinion statement undertaking that the new product, service or business complies with applicable regulations and internal rules.
4. Drafting the details of evaluation and procedures for evaluating regulatory compliance, overseeing the periodic self-evaluation conducted by respective units, and assessing the compliance self-evaluation conducted by respective units and producing a report thereon, which, after being signed off by the president, will be used as reference in the performance evaluation of the unit.
5. Providing pertinent appropriate regulatory training to personnel at various units.
The internal audit unit may draft the details of evaluation and procedures for evaluating compliance by its subordinate units and perform self-evaluation of the compliance status of its subordinate units, to which the provisions in Subparagraph 4 of the preceding paragraph do not apply.
A specialized electronic payment institution shall perform self-evaluation of compliance at least semiannually. The results shall be sent to the compliance unit for future reference. The head of a unit shall designate a dedicated person to carry out the unit's self-evaluation.
The working papers and information on the self-evaluation work under the preceding paragraph shall be retained for at least five years.

   Section 5 Risk Management Mechanisms

Article   34   
A specialized electronic payment institution shall formulate proper risk management policies and procedures, and establish independent and effective risk management mechanism, by which to assess and monitor the overall risk bearing capacity, current status of risks already incurred, and to determine the risk response strategies and the compliance framework of the risk management procedures.
The risk management policies and procedures under the preceding paragraph shall be passed by the board of directors and be reviewed and revised in a timely manner.
Article   35   
A specialized electronic payment institution shall establish a risk management unit and regularly submit risk management reports to the board of directors. Upon identifying a significant risk exposure that might adversely affect its financial, or business status, or compliance with applicable acts and regulations, the specialized electronic payment institution shall take immediate and adequate measures and submit a report to the board of directors.
The risk management unit under the preceding paragraph may be replaced by a designated management unit.
Article   36   
The risk management mechanisms of a specialized electronic payment institution shall include the following:
1. Establishing a fraud prevention mechanism to uphold transaction security and better control fraud risk.
2. Establishing the examination and control mechanism for operating procedures and establishing information security mechanism and emergency response plan.
3. Establishing users and contracted institutions management mechanism.
4. Establishing exit mechanism for circumstances when business or finance deteriorates significantly.
5. Establishing users’ funds of payment management mechanism.
6. Establishing users’ and contracted institutions’ identity verification mechanism.
7. Establishing users’ and contracted institutions’ information protection mechanism.
8. Establishing outsourcing management mechanism.
9. Establishing financial consumer protection mechanism.

  Chapter 4 Supplemental Provisions

Article   37   
A specialized electronic payment institution shall ensure the confidentiality of its financial examination reports. Unless otherwise provided by law or consented by the competent authority, its responsible persons or employees are not allowed to read, disclose, deliver, or make public all or part of the financial examination report to persons unrelated to the performance of duties.
A specialized electronic payment institution shall draft internal management rules and operating procedures relating to the financial examination report in compliance with the requirements of the competent authority, and submit them to the board of directors for approval.
Article   38   
A specialized electronic payment institution shall set out in its internal control system penalties for violations of these Rules or its internal control rules by managers and relevant personnel.
Article   39   
The internal auditors and chief compliance officer of a specialized electronic payment institution shall immediately prepare a report for submission, with a notice to the independent directors and supervisors or audit committee, and report to the competent authority when their recommendations for improvements regarding significant deficiencies or noncompliance identified in internal controls are not accepted by management, which will cause the specialized electronic payment institution to incur material losses.
Article   40   
After an examination conducted by the competent authority completed or an examination report received, the internal audit unit of a specialized electronic payment institution shall, based on the principle of materiality, promptly notify the directors and supervisors, and report in the next board meeting. The content of the report shall include examination communication meeting, major deficiencies found in the examination, improvement actions required by the competent authority, or possible disciplinary measures to be taken.
Article   41   
Internal auditors of specialized electronic payment institutions who do not meet the provisions in Subparagraph 1, Paragraph 2 of Article 13 herein shall make adjustment to become compliant within nine months after the promulgation of these Rules.
The internal auditor of a specialized electronic payment institution who acts as a team leader but does not meet the provisions in Subparagraph 3, Paragraph 2 of Article 13 herein shall make adjustment to become compliant within three months after the promulgation of these Rules.
Article   42   
The Regulations shall enter into force on July 1, 2021.
The amendment of these Implementation Rules shall enter into force on the date of promulgation.