
Financial Examination Focus in 2019


Ⅰ. Preface

Some of the Bureau's financial examination focuses for 2019 remain the same as those of 2018. In addition, in response to financial market conditions and supervisory concerns for each type of financial services firm, we have included new focuses for 2019, namely: implementation of anti-money laundering, counter-terrorism financing, and non-proliferation of weapons; the legal compliance system; management of information and communication security; financial customer protection; and personal information protection.


Ⅱ. The financial examination focuses of 2019 for each type of financial services firm are as follows:

1. Financial holding companies (FHCs)

A. Implementation of anti-money laundering, counter-terrorism financing, and non-proliferation of weapons:

a. Establishing group-wide anti-money laundering, counter-terrorism financing and non-proliferation of weapons programs, including internal management procedures for identifying and measuring the risks of money laundering, terrorism financing and proliferation of weapons, the control mechanisms for those risks, and the information sharing policies and procedures within the group, and reviewing their implementation.

b. Supervising subsidiaries’ understanding of and compliance with the related regulations on anti-money laundering (e.g., reviewing the consistency of the assessment methodology for subsidiaries’ institutional risk assessment (IRA) and their assessment results, and the reasonableness of risk appetite at the group level and at each subsidiary), supervising inspected subsidiaries to remedy examination deficiencies on anti-money laundering, and revising the anti-money laundering mechanisms of other, non-inspected subsidiaries in line with the examination findings.

B. Implementation of legal compliance system: implementation of the operation and function design of an FHC’s legal compliance system, and supervising the introduction, establishment and implementation of related internal rules by the compliance officers of an FHC’s subsidiary companies (including reinvested enterprises), so as to ensure the effectiveness of its legal compliance system.

C. Management of invested enterprises:

a. FHC should establish appropriate guidelines for investment and M&A management, and implement related measures, including management mechanisms of confidentiality and insider trading, pre-investment assessment (e.g., potential risks, investment returns, transaction prices, etc.), procedure for reviewing and approving, public announcement and declaration, legal compliance (e.g. Regulations Governing the Investing Activities of a Financial Holding Company, etc.) and post-investment benefit tracing and risk management.

b. Regularly confirming the soundness of operations of subsidiary companies outside the main entities (e.g., banks, insurance companies and securities firms), and that these subsidiary companies comply with regulatory requirements (including the prevention of conflicts of interest and the management mechanisms for interested-party transactions, etc.); and establishing management mechanisms for supervising their operating risks, e.g., venture capital subsidiaries (such as the reasonableness of the use of proceeds and the appropriateness of impairment assessments), asset management subsidiaries (such as whether assets assumed or acquired within the business scope are sold on a primary basis, etc.), financial leasing subsidiaries (such as whether business operations match their risk-bearing capacity and whether those companies have established credit check management procedures with professional care, etc.), and insurance broker (agent) subsidiaries (such as the appropriateness of soliciting and marketing practices and of internal control systems, etc.).

D. Corporate governance:

a. Enhancing the functions of the board of directors, e.g. the organization and functions of the board of directors, the establishment and implementation of the audit committee and other functional committees, the rules for the proceedings and decision-making procedures of the board of directors, and the duty of loyalty and duty of care of directors, etc.

b. Management mechanism for the responsible persons’ concurrent positions and levels of responsibility: establishing an internal management mechanism to confirm whether the responsible persons’ concurrent positions meet the requirements of related laws and internal regulations, whether other staff except the chairperson and general manager have leadership positions, whether the internal stratified responsibility mechanism has a match between responsibility and authority.

c. Interested-party transactions:

(a) Management mechanisms for interested-party transactions and whether an FHC maintains good regulatory compliance in this area, including transactions with, and management of, substantive interested-parties.

(b) For the directors and other interested-parties who are regulated by the guidelines on interested-party transactions, whether an FHC has established an appropriate verification mechanism to confirm that they have properly declared their status as an interested-party.

d. Establishing and implementing the whistleblower system: confirming whether the whistleblower system is independent and effective and actually protects whistleblowers’ rights.

E. Risk management mechanism:

a. Control of total risk exposure in Mainland China.

b. Urging subsidiary companies to implement risk management of invested enterprises (including foreign companies) and reporting essential information to the holding company in order to control group risk.

c. For invested enterprises in another industrial group in which a director of the financial holding company has invested, and for related cases involving the interests of their interested-parties, whether the FHC requires these directors to recuse themselves appropriately or to adhere strictly to the related rules, and whether it has established effective mechanisms for internal checks and supervision.

d. Implementation of management mechanisms for identifying, measuring, and monitoring group risks.

F. Supervising and inspecting subsidiaries’ security controls over network systems and their maintenance of information security, establishing effective detection and protection measures, and setting up emergency response procedures, recovery plans and customer protection mechanisms for abnormalities in network systems.

G. Personal information protection: whether the measures that an FHC and its subsidiary companies take for collecting, processing, and using customer information and for cross-selling are sufficiently secure and meet all regulatory requirements, as well as the response and exercise mechanism for personal information leaks, joint security maintenance measures, and the state of legal compliance.

H. Internal audit:

a. Overall planning, supervision and implementation, appropriateness of human resources and independence of internal audit for an FHC and its subsidiary companies.

b. Whether the auditing units of an FHC and its subsidiary companies have divided their work with regard to audit counterparties and key audit items so as to conduct effective audits of all subsidiary companies (including foreign branches). To ensure auditing quality and to monitor the remediation of deficiencies, the FHC should establish and implement a mechanism for supervising audits (including outsourced audits of foreign branches), and strengthen the enforcement and management of auditing operations.

c. After an FHC’s subsidiary is inspected by the foreign financial authority or an FHC receives an inspection report from a foreign financial authority, the internal audit unit of an FHC and its subsidiaries should establish a mechanism that promptly reports to the FSC according to the materiality principle.

d. Confirming, assessing and supervising the implementation effectiveness of bank subsidiaries that adopt the risk-based auditing system.

2. Domestic banks

A. Compliance with regulations for anti-money laundering, counter-terrorism financing, and non-proliferation of weapons:

a. Internal control system and risk assessment: the completeness and authenticity of the institutional risk assessment (including inherent risk, mitigation measures and residual risk), the completeness and effectiveness of internal guidelines and operating procedures, and the board of directors’ and senior managers’ supervision with regard to the related implementation.

b. Measures of customer due diligence: verification of customer identity (including politically exposed persons, PEPs) and the operation of sanction screening, identification of the beneficial owners, the effectiveness of customer risk assessment mechanism, and the enhanced reviewing measures for high-risk customers (including virtual currency trading platform industries).

c. Ongoing monitoring of accounts and transactions: the certification and verification of the red flags of suspicious money laundering transactions, ongoing monitoring of high-risk customers, and the treatment of the sanctioned individuals or entities.

d. Implementation of the procedures for declaration of suspicious transactions: the operation governing the transactions of suspicious money laundering, terrorism financing, and financing of weapons proliferation (including declaration, confidentiality procedures, and data preservation).

e. Organization and personnel: professionalism and adequacy of the chief officers and personnel, education and training, the independent testing for effectiveness of the AML/CFT/NPW systems by internal audit units.

f. Quality and credibility of the targeted examinations which are performed by the accountants entrusted by banks.

B. Legal compliance system and implementation: e.g., the establishment of a legal compliance department, the assignment and eligibility of the chief compliance officer, education and training for compliance personnel, and implementation of the compliance function (including establishment of a consultation and communication system for legal compliance, analysis and reporting of significant findings in legal compliance, provision of legal opinions on new business or new products, and auditing of self-assessments in legal compliance); compliance with personal information protection requirements (including custody and utilization of customer data, and the security mechanisms for information and communications); and the implementation of legal compliance for trust business-related consumer protection (including the suitability of products for sale, real estate development trusts of pre-sale houses and their value trusts, etc.).

C. Management of overseas risk exposure:

a. Management of foreign branches: e.g., oversight by the board of directors, supervision by the head office (including outsourcing internal audit) and resource allocation to overseas subsidiaries for compliance, operation of anti-money laundering, concentration risks of credit, asset quality, loan and post-lending management, operation risks, reporting mechanism for major events, communication mechanism with local authority, regulatory compliance (including independence and eligibility of chief compliance officers and the personnel of legal compliance, the compliance with local laws and regulations by overseas branches and establishing the self-evaluation and monitoring mechanism), legal education for bank clerks and the assessment of bank clerks’ moral character and ethical integrity, and the implementation of internal audits to verify quality and track improvement of deficiencies.

b. Risk management for investment in foreign securities, loans, investments and interbank lending/borrowing/depositing in Mainland China (including control of exposure limits, correctness of exposure calculation, credit investigation and review for loans, and post-lending management) and management mechanism for other financial-related enterprises in Mainland China.

D. Financial derivatives:

a. Mechanism with regard to customer credit risk management: customer hedging line and non-hedging line, management mechanisms for customer concentration risk, internal operating systems and procedures for initial margin and margin call requirements: e.g., what kinds of product require initial margin, what kinds of security can be used as initial margin, discount ratios and valuation methods of securities used as initial margin, and the implementation situation of other legal compliance.

b. Appropriateness of sales operations for financial derivatives and structured products: e.g., procedure for Know-Your-Customer (KYC), risk classification of product, assessment of product suitability (including the adequacy of the assessment methods for evaluation of whether a professional customer possesses adequate professional knowledge and meets the requirements of the related rules of trading experience with respect to financial products), informing and disclosure of product risks, and qualifications of sales persons.

c. Valuation and management mechanisms for financial derivatives: e.g., establishing the valuation system of high-risk products to offer quoted price and calculate the market price to evaluate profit and loss, and regulate the verifying procedure of valuation system in accordance with the asset classification and product categories of the linked underlying assets (high-risk and non-high-risk products). For non-high-risk products which have not established the valuation system and use a price inquiry method, an internal operation procedure for price reasonableness inspection standard should be established.

E. OBU business:

a. Enhanced control measures and training for identified higher money-laundering threats and weaknesses (e.g., trade finance or tax risk); procedures for opening bank accounts and verifying client identity (including taking related follow-up management and risk-mitigation measures for existing customers who are unable to provide requested documents); and implementation of anti-money laundering procedures, e.g., requiring customers to provide sufficient information and documents and appropriately verifying that information and those documents (including an effective mechanism for verifying the authenticity of the registration of offshore legal entities), not persuading customers to register an offshore legal entity or introducing them to an agent for setting up an offshore legal entity, appropriately identifying high-risk customers, and enhancing identity verification and ongoing monitoring.

b. Appropriateness of internal control procedures for the financial derivatives and structured products business: e.g., identification standards and reviewing practices (a mechanism for reviewing the authenticity of financial reports, and no involvement of bank employees in the preparation of customers’ financial reports) with regard to professional legal entity customers, and procedures for KYC and KYP.

F. Financial consumer protection: e.g., the mechanism for the handling of Know-Your-Customer (KYC), assessment of product suitability, fairness and reasonableness of contract terms, control of procedures for product sales, review procedures for new products, the remuneration system for sales personnel, consumer dispute handling mechanism, the implementation of the principle of treating customers fairly (including the collection of credit cards’ default charge and revolving credit interest) and in a friendly way, and personal information protection (e.g., security measures for collecting, processing and using personal information, response exercise mechanism for personal information leaks).

G. Implementation of digital financial business: e.g., the management mechanisms for providing online banking, online applications, mobile payment, and other financial services, the protection of users’ personal information and the safety of financial transactions, confirming customer identity, monitoring unusual transactions, and the management mechanism for developing and launching mobile applications (APP), including regular safety checks.

H. Implementation of corporate governance system

a. Fulfilling the powers of the board of directors: e.g., the organization and powers of the board of directors, the establishment and implementation of an audit committee, supervising the various business policies and management mechanisms, and the appropriateness of the exercise of power for handling and responding to major events (such as major violations of laws and regulations, a significant risk exposure that might adversely affect its financial or business status, etc.) of the board of directors.

b. Internal management mechanism for responsible persons’ concurrent positions (including regulatory compliance of the responsible persons who hold concurrent positions, and other staff members except the chairperson and general manager who hold a non-leadership position).

c. Interested-parties’ (including the substantive interested-parties) transactions (including loans, real estate, other transactions, etc.) and management mechanisms (including the self-control mechanism for substantive interested-parties), and whether there are abnormalities with respect to strategies, counterparties and prices for transactions within the group or with substantive interested-parties (including major shareholders, directors, supervisors, etc.) and whether those transactions involve conflicts of interest.

d. Independence and effectiveness of the whistleblower system (including the related internal operating procedures and management mechanisms, e.g., the channels for internal and external whistleblowers, and whistleblower protection measures).

I. Management of information and communication security: e.g., establishing a dedicated information security unit and appointing a dedicated officer to act as chief information security officer; tracking and reporting the overall implementation of information security; safeguard measures for payment systems (such as ATM and SWIFT); the head office’s supervision and management of the information security protection of foreign branches; security controls over the use of IoT equipment; cyber security measures (e.g., firewalls, intrusion detection and prevention, vulnerability scanning, penetration testing and other security defense measures, and tracking the remediation of related deficiencies; monitoring, reporting and response mechanisms for internet attack events; and simulated hacker attack scenarios or exercises); procedures and mechanisms for collecting and preserving digital evidence; and the effectiveness of information backup systems and their drills.

J. Business operation systems: e.g., the management of currency deposit machines, the instant confirmation and notification mechanisms for internet-banking transactions, the operations for issuing account balance certifications, management mechanisms to prevent a bank clerk from privately conducting related transactions on behalf of customers without client authorization or misappropriating client deposits, checking account opening and blank check issuance operations, the internal control mechanism for preventing loan fraud (including the pre-loan review process, credit check procedures, and the post-lending management mechanism), and the concurrent operation of insurance broker and insurance agent businesses (including the operations for soliciting insurance products, management mechanisms for confirming that the insurance application documents were signed by the applicant in person, and whether the audit plan takes this business into consideration).

K. Control of risks associated with loans and regulatory compliance: e.g., credit investigation system for credit business (including syndicated loan, such as mortgage loans, project finance, etc.), risk assessment and analysis, risk pricing, credit review, approved loan procedures and post-lending management.

L. Implementation of internal audit: e.g., the independence of the audit unit, the appropriateness of audit personnel, the implementation of internal audit items requested by the competent authority, reporting and resolution mechanisms for major events, the implementation of auditing operations at overseas branches, supervision of the remediation of deficiencies, and the implementation effectiveness of banks that adopt the risk-based auditing system.

M. Management of invested enterprises: e.g., supervising the subsidiary companies to set and implement related operation and risk control regulations (including the related management mechanisms of interested-party transactions), the consistency of the actual business items and original operation plan, and establishing a regular reporting mechanism and related management measures for subsidiary companies’ major business plans, transactions, business performance and exposures, etc.

3. Foreign bank branches in Taiwan

A. Implementation of anti-money laundering, counter-terrorism financing, and non-proliferation of weapons:

a. Internal control system and risk assessment: the completeness and authenticity of the institutional risk assessment (including inherent risk, mitigation measures and residual risk), the completeness and effectiveness of internal guidelines and operating procedures, and senior managers’ supervision with regard to the related implementation.

b. Measures of customer due diligence: verification of customer identity (including politically exposed persons, PEPs) and sanction screening operations, identification of the beneficial owners, the effectiveness of the customer risk assessment mechanism, and the enhanced reviewing measures for high-risk customers (including virtual currency trading platform industries).

c. Ongoing monitoring of accounts and transactions: the certification and verification of the red flags of suspicious money laundering transactions, ongoing monitoring of high-risk customers, and the treatment of the sanctioned individuals or entities.

d. Implementation of the procedures for declaration of suspicious transactions: the operation governing the transactions of suspicious money laundering, terrorism financing, and financing of weapons proliferation (including declaration, confidentiality procedures, and data preservation).

e. Organization and personnel: professionalism and adequacy of the chief officers and personnel, training, the independent test for the effectiveness of the AML/CFT/NPW systems by internal audit units.

B. The implementation of banks’ provision of information and consultation services on offshore financial derivatives: e.g., the legal compliance of the persons served, the scope of products offered, the content of services offered, the quotation status, and the fee-splitting income received.

C. Financial derivatives:

a. Management mechanisms for the strategies and procedures for financial derivatives transactions.

b. Establishing and maintaining an effective valuation mechanism for financial derivatives, and the implementation status of their management mechanism.

D. OBU business:

a. Procedures for opening bank accounts, verifying client identity, and implementing anti-money laundering measures at an OBU.

b. Implementation of the re-confirmation of identity of pre-existing customers of an OBU.

E. Legal compliance system and compliance with legal limits: e.g., training for compliance personnel, implementation of compliance function (including establishment of a consultation and communication system for legal compliance, analysis and reporting of significant findings in legal compliance, providing of legal opinions on new business or new products, auditing of self-assessment in legal compliance), and compliance with legal limits (e.g., control of credit limit in Mainland China).

F. Management of outsourcing business: e.g., compliance with regulations for outsourcing business, and periodic audits of cross-border outsourcing.

G. Implementation of personal information protection and information and communications security management.

4. Credit cooperatives

A. Implementation of anti-money laundering, counter-terrorism financing, and non-proliferation of weapons:

a. Internal control system and risk assessment: the completeness and authenticity of the institutional risk assessment (including inherent risk, mitigation measures and residual risk), the completeness and effectiveness of internal guidelines and operating procedures, and the board of directors’ and senior managers’ supervision with regard to the related implementation.

b. Measures of customer due diligence: verification of customer identity (including politically exposed persons) and the operation of sanction screening, identification of beneficial owners, effectiveness of customers’ risk assessment mechanism, enhanced reviewing measures for high-risk customers.

c. Ongoing monitoring of accounts and transactions: certification and verification of the red flags of suspicious money laundering transactions, ongoing monitoring of high-risk customers and the handling of sanctioned individuals or entities.

d. Implementation of the procedures for declaration of suspicious transactions: the handling of transactions of suspicious money laundering, terrorism financing, and financing of proliferation (including declaration, confidentiality procedures, and data preservation).

e. Organization and personnel: professionalism and adequacy of the chief officers and personnel, training, independent testing of the effectiveness of the AML/CFT/NPW systems by internal audit units.

B. Legal compliance system: e.g., other posts concurrently held by the chief compliance officer, conveyance mechanism of regulatory requirements, training for compliance personnel.

C. Risk management of credit extensions to the same related parties, and large exposures.

D. Implementation of risk control, regulatory compliance and reporting operations for mortgage loans, e.g., construction loans, residential loans, home improvement loans, vacant land loans, and loans for land in industrial districts etc.

E. Management mechanisms and compliance with regulations for interested-party loans and transactions, and whether there are unusual transactions between staff and customers.

F. Financial customer protection operations: e.g., implementation of cooperation with other industries to promote the sale of financial products (including mortgage life insurance), appropriateness of advertising content, full understanding of the information pertaining to financial consumers in order to ascertain the suitability of products or services for them, full explanation of the important aspects of financial products, services and contracts, personal information protection, the handling mechanism for consumer disputes, and treating consumers fairly and in a friendly way in financial services.

G. Management of information and communication security: e.g., system controls over network financial business (including online financial services), transaction security design, measures to protect cyber security (including preventive information security measures, e.g., firewalls, intrusion detection and prevention, vulnerability scanning, e-mail social engineering drills, and education and training on information security), cybersecurity controls over IoT, and the remediation of deficiencies identified in information security assessment reports and ATM attack drill results.

H. Management mechanisms for the related operations of money deposit and withdrawal: e.g., completeness of the related specifications for money deposit and withdrawal (whether self-inspection items prohibit an employee of the credit cooperative from depositing or withdrawing money on behalf of a customer or keeping a customer’s seal or passbook, and the implementation of internal audits of these items; completeness of the related measures for withdrawal of money without a passbook; and completeness of contracts with customers with regard to rights and obligations).

I. Liquidity control measures: e.g., setting a liquidity risk management policy, establishing an appropriate information system to measure and monitor liquidity risk, regularly disclosing qualitative information on liquidity risk management, setting limits on liquidity positions by period, establishing risk management indices and an early warning mechanism for liquidity risk, and regularly reviewing the source, allocation and concentration risk of large amounts of funds.

5. Bill finance companies

A. Implementation of anti-money laundering, counter-terrorism financing, and non-proliferation of weapons: the internal control system for anti-money laundering, counter-terrorism financing and non-proliferation of weapons, implementation of risk assessment and risk reduction measures, verification of customer identity, name screening, ongoing monitoring of accounts and transactions, establishing and integrating the information system, filtering and reporting of suspicious money laundering, and training on anti-money laundering.

B. Corporate governance: e.g. enhancing the functions of the board of directors, controlling interested-party transactions and protection measures for internal whistleblowers.

C. Management mechanisms and implementation situation of legal compliance for granting credit extension or engaging in transactions other than credit extension to an interested-party.

D. Implementation and effectiveness of business risk control mechanisms for non-guarantee commercial papers.

E. Risk control of the guarantee business: e.g., concentration risk control for groups, real estate, and the leasing business, whether credit procedures are implemented, and real estate collateral valuation.

F. Risk control mechanisms for investing in bills and bonds and for their holding positions: e.g., investment valuation, price review and interest rate risk management in response to rising interest rates.

G. Liquidity risk management mechanism and implementation situation.

H. Risk control for engaging in the trading of financial derivatives.

I. Risk control mechanism and implementation situation of revolving issue of floating rate commercial papers due within a year.

6. Securities firms

A. Implementation of anti-money laundering, counter-terrorism financing, and non-proliferation of weapons:

a. Internal control system and risk assessment: the board of directors’ and senior managers’ supervision with regard to the implementation of anti-money laundering and counter-terrorism financing, the completeness and authenticity of the institutional risk assessment (including inherent risk, mitigation measures and residual risk), and the completeness and effectiveness of internal guidelines and operating procedures for anti-money laundering and counter-terrorism financing.

b. Measures of customer due diligence: verification of customer identity and name screening (including sanction lists and politically exposed persons), identification of beneficial owners, the effectiveness of the customer risk assessment mechanism, and enhanced reviewing measures for high-risk customers.

c. Ongoing monitoring of accounts and transactions: certification and verification of the red flags of suspicious money laundering transactions, ongoing monitoring of high-risk customers, and the handling of sanctioned individuals or entities.

d. Implementation of the procedures for declaration of suspicious transactions: the operations governing transactions suspected of money laundering, terrorism financing, and financing of proliferation (including declaration, confidentiality procedures, and data preservation).

e. Organization and personnel: professionalism and adequacy of chief officers and personnel, training, independent testing of the effectiveness of the AML/CFT/NPW systems by internal audit units.

B. Borrowing or lending money in connection with securities business: purpose and scope of usage of borrowing securities, actual charge for borrowing securities, revenues and costs of borrowing securities business, storage and use of margin, and procedures for credit extension operations and risk control.

C. Securities-backed lines of credit: advance rate, scope of eligible collateral, mark-to-market procedures for collateral, and credit extension procedures and risk controls.

D. Oversight and management of overseas subsidiaries: establishment of the required control tasks for subsidiaries; implementation of urging and supervising subsidiaries to establish internal control systems; whether customers’ investments in domestic securities comply with the review mechanism required by domestic laws and regulations; and the required content of the control tasks (including operational management, finance, business, legal compliance and internal audit management) for the oversight and management of subsidiaries.

E. Implementation of the legal compliance system: e.g., appropriateness of internal rules, implementation of self-assessment, and implementation of legal compliance training.

F. Corporate governance: e.g., enhancing the functions of the board of directors, interested-party transactions, and protection measures for internal whistleblowers.

G. Risk management of day trading: whether the securities firm implements risk management and strengthens the management of large-volume day trading in accordance with the Operational Rules Governing Day Trades of Securities.

H. Brokerage of trades in foreign securities: tiered management according to investors’ investment profiles, KYC operations, classification of trust investment products by investor type, and signing of a recommendation contract before recommendations are given.

I. Financial consumer protection: e.g., implementation of the principle of treating customers fairly and in a friendly way, establishment and implementation of an internal control system for the fair treatment of wealth management customers in account opening and product sales, full disclosure of fees charged and commissions received, maintenance of information security, appropriateness of sales bonus programs, and handling of consumer complaints.

J. Personal information protection: e.g., security measures for collecting, processing and using personal information, and the response and drill mechanism for personal information leaks.

7. Securities investment fund companies

A. Implementation of anti-money laundering, counter-terrorism financing, and non-proliferation of weapons:

a. Internal control system and risk assessment: the board of directors’ and senior management’s supervision of the implementation of the anti-money laundering and counter-terrorism financing program, the completeness and accuracy of the institutional risk assessment (including inherent risk, mitigating measures and residual risk), and the completeness and effectiveness of internal guidelines and operating procedures for anti-money laundering and counter-terrorism financing.

b. Customer due diligence measures: verification of customer identity and name screening operations (including against sanction lists and for politically exposed persons), identification of beneficial owners, effectiveness of the customer risk assessment mechanism, and enhanced review measures for high-risk customers.

c. Ongoing monitoring of accounts and transactions: identification and verification of red flags for suspicious money laundering transactions, ongoing monitoring of high-risk customers, and handling of sanctioned individuals or entities.

d. Implementation of the procedures for reporting suspicious transactions: the handling procedures for transactions suspected of involving money laundering, terrorism financing or financing of weapons proliferation (including reporting, confidentiality procedures and record retention).

e. Organization and personnel: qualifications and adequacy of the responsible officers and staff, training, and independent testing of the effectiveness of the AML/CFT/NPW system by the internal audit unit.

B. Implementation of disclosure of dividend distributions by onshore and offshore funds, disclosure of the risks of high-yield bond funds, fund suitability assessment of customers, and Know-Your-Customer (KYC) and Know-Your-Product (KYP) requirements in connection with fund sales.

C. Measures for preventing conflicts of interest when reinvesting proprietary capital in enterprises, and implementation of the related internal control systems: e.g., investment in the FinTech industry or in insurance agent or insurance broker companies, an invested subsidiary serving as general partner of a private equity fund, being entrusted to manage private equity funds, and adoption of the “seed capital” mechanism.

D. Internal control guidelines and implementation of investment analysis, investment decision-making, execution and review for the investments and transactions of securities investment trust funds and discretionary investment accounts (including companies entrusted to manage government funds).

E. Personal information protection: e.g., safeguards for the storage, processing and transmission of personal information.

F. Implementation and management of control operations for information and communication security audits.

G. Audit of sales agent management and of the payment of distribution fees to sub-distributors: selection and vetting of sales agents, criteria for selecting staff to attend training, appropriateness of training combined with travel, and implementation of pre-evaluation and post-review of distribution fees.

H. Corporate governance: e.g., enhancing the functions of the board of directors, controlling interested-party transactions, and protection measures for internal whistleblowers.

8. Life insurance companies

A. Implementation of anti-money laundering, counter-terrorism financing, and non-proliferation of weapons:

a. Internal control system and risk assessment: the completeness and accuracy of the institutional risk assessment (including inherent risk, mitigating measures and residual risk), the completeness and effectiveness of internal guidelines and operating procedures, and the board of directors’ and senior management’s supervision of their implementation.

b. Customer due diligence measures: verification of customer identity (including identification of politically exposed persons, PEPs) and sanction screening operations, identification of beneficial owners, effectiveness of the customer risk assessment mechanism, and enhanced review measures for high-risk customers (including virtual currency trading platform operators).

c. Ongoing monitoring of accounts and transactions: identification and verification of red flags for suspicious money laundering transactions, ongoing monitoring of high-risk customers, and handling of sanctioned individuals or entities.

d. Implementation of the procedures for reporting suspicious transactions: the handling of transactions suspected of involving money laundering, terrorism financing or proliferation financing (including reporting, confidentiality procedures and record retention).

e. Organization and personnel: qualifications and adequacy of the responsible officers and staff, training, and independent testing of the effectiveness of the AML/CFT/NPW system by the internal audit unit.

B. Implementation of legal compliance system:

a. Establishment of company-wide legal compliance, risk management and related supervisory frameworks by insurance companies whose assets reach NT$1 trillion.

b. Establishment of a legal compliance department and of a mechanism for conveying and communicating regulatory requirements.

c. Issuance and sign-off of legal compliance opinions before the launch of new products and services and before specific or material fund utilization.

d. Procedures for handling significant findings or misconduct in legal compliance.

e. Training on legal compliance, implementation of legal compliance self-assessment, and supervision and auditing of overseas subsidiaries’ compliance with local laws and regulations.

C. Financial consumer protection:

a. Mechanisms for notifying beneficiaries of policy proceeds and for handling unclaimed policy proceeds.

b. Establishment and operation of a management system for policy conservation and complaints.

c. Procedures for provisioning reserves for offsetting interest margin losses with mortality margin gains.

d. Appropriateness of marketing for interest-sensitive products and investment-linked products.

e. Appropriateness of marketing for investment-linked products (including whether solicitation and underwriting operations comply with related regulations, and whether solicitors fulfill their KYC obligations when insurance applicants are over 70 years old).

f. Implementation of the management principles for underwriting persons with physical or mental disabilities (e.g., whether solicitation and underwriting of persons with physical or mental disabilities are free of discriminatory treatment), and implementation of the principle of treating customers fairly and in a friendly way in the financial services industry.

D. Marketing and management of insurance products:

a. Management of solicitors (including supervising solicitors to complete solicitation reports accurately).

b. Convening of insurance product management team meetings to review legal compliance and reasonable pricing.

c. Operation of declared interest rates and management of asset segregation for interest-sensitive insurance products.

d. Management of business dealings with insurance brokers and insurance agents (including whether the insurance company’s supervision and management of brokers and agents, and its requirements that they comply with related guidelines, are in accordance with laws and regulations).

E. Regulatory compliance and control procedures for interested-party transactions.

F. Implementation of foreign investment:

a. Terms, risk management and legal compliance of investments in senior corporate bonds, subordinated corporate bonds, subordinated financial bonds, and international bonds.

b. Internal control mechanism for investment in foreign real estate: e.g., ownership, expenses paid, rental income, and, for investments made through a trust, consistency with the trust contract.

c. Pre-investment and post-investment management mechanisms for equity investments in Mainland China insurance companies and foreign insurance-related enterprises, and their implementation of legal compliance (including mechanisms for handling major events such as invested enterprises’ violations of AML/CFT laws and regulations, major fraud caused by ineffective internal controls, and other events that might affect their reputation or normal business operations).

d. Implementation of foreign asset custody, qualifications of the custodian, and suitability of the custodial services contract.

G. Establishment and implementation of internal control systems for domestic securities investment: e.g., investment policies and procedures, the post-investment review mechanism, the control mechanism for segregating front/middle/back office responsibilities, and appropriateness of the mechanism for preventing conflicts of interest among equity investment staff.

H. Risk management of investments in private investment funds, the related internal control mechanism and implementation of legal compliance (including identification of beneficial owners and review of whether private investment fund transactions constitute interested-party transactions).

I. Risk management of venture capital investments, internal control mechanisms and implementation of legal compliance.

J. Implementation of Own Risk and Solvency Assessment (ORSA): e.g., internal implementation of the ORSA, including risk response measures and monitoring mechanisms.

K. Implementation of digital financial services: e.g., management mechanisms for developing and launching mobile applications (apps), including regular security checks; electronic insurance policy operations; identity verification of customers purchasing insurance online or through mobile services; confirmation of the intention to purchase insurance; and management mechanisms for underwriting and notification.

L. Management mechanism for information and communication security and personal information protection:

a. Legal compliance, management mechanisms and security measures for collecting, processing, and using personal information.

b. Security controls for information systems and the response and drill mechanism for personal information leaks.

9. Non-life insurance companies

A. Implementation of anti-money laundering, counter-terrorism financing, and non-proliferation of weapons: the internal control system for anti-money laundering and counter-terrorism financing, implementation of risk assessment and risk mitigation measures, verification of customer identity, name screening, ongoing monitoring of accounts and transactions, establishment and integration of information systems, screening and reporting of suspicious money laundering transactions, and AML training.

B. Implementation of legal compliance system:

a. Establishment of a legal compliance department and of a mechanism for conveying and communicating regulatory requirements.

b. Issuance and sign-off of legal compliance opinions before the launch of new products and services and before specific or material fund utilization.

c. Procedures for handling significant findings or misconduct in legal compliance.

d. Training on legal compliance, implementation of legal compliance self-assessment, and supervision and auditing of overseas subsidiaries’ compliance with local laws and regulations.

C. Financial consumer protection:

a. Mechanism for handling unclaimed policy proceeds.

b. Implementation of the handling principles for underwriting persons with physical or mental disabilities (e.g., whether solicitation and underwriting of persons with physical or mental disabilities are free of discriminatory treatment), and implementation of the principle of treating customers fairly and in a friendly way in the financial services industry.

D. Marketing and management of insurance products:

a. Management of brokerage channels.

b. Implementation of premium rate determination for large-premium commercial fire insurance, of non-natural-disaster premium rates for contracts with small and medium insured amounts, and of the risk premium rate for personal automobile physical damage insurance.

c. Convening of insurance product management team meetings to review legal compliance and reasonable pricing.

E. Establishment and implementation of solicitation, premium collection, underwriting, and claim procedures for voluntary automobile insurance:

a. Implementation of premium collection and policy issuance; underwriting and endorsement operations for designated-driver-only coverage; appropriateness of indirect solicitation expenses paid to automobile dealers; obtaining of deductible certificates; and verification and control of price quotations for automobile repairs.

b. Management of certificates of insurance, underwriting and claims for compulsory automobile liability insurance.

F. Risk management mechanism for fund utilization: e.g., control mechanisms and measures for compliance, transaction and risk management of investments in securities and foreign assets.

G. Implementation of Own Risk and Solvency Assessment (ORSA): e.g., internal implementation of the ORSA, including risk response measures and monitoring mechanisms.

H. Implementation of digital financial services: e.g., management mechanisms for developing and launching mobile applications (apps), including regular security checks; electronic insurance policy operations; identity verification of customers purchasing insurance online or through mobile services; confirmation of the intention to purchase insurance; and management mechanisms for underwriting and notification.

I. Management mechanism for information and communication security and personal information protection:

a. Legal compliance, management mechanisms and security measures for collecting, processing, and using personal information.

b. Security controls for information systems and the response and drill mechanism for personal information leaks.

Update: 2019-04-25