Financial Examination Focus


Financial Examination Focus in 2021


Ⅰ. Preface

The FEB’s 2021 financial examination focuses are based on the results of examinations conducted in 2020 and reflect financial market conditions and regulatory requirements. The FEB selects the issues in each financial industry that require further scrutiny and includes them in the examination focuses. The six cross-sector examination focuses of this year include the implementation of anti-money laundering (AML), countering the financing of terrorism (CFT), and counter proliferation financing (CPF) measures; the compliance system; corporate governance; information and communication security management; financial consumer protection; and personal information protection.


Ⅱ. 2021 Financial examination focuses for each type of financial service industry

1. Financial Holding Companies (FHCs)

A. The implementation of AML/CFT/CPF requirements: Whether the FHC oversees subsidiaries’ understanding of and compliance with AML regulations (e.g., by reviewing the consistency of the institutional risk assessment (IRA) methodology and assessment results across subsidiaries, and the reasonability of risk appetite at the group and subsidiary levels), oversees efforts by examined subsidiaries to carry out corrective action to address AML deficiencies, and requests subsidiaries that were not examined to review and refine their AML mechanisms.

B. The implementation of compliance system: The design and implementation of FHC’s compliance systems and overseeing efforts by the compliance officers of subsidiaries (including investees) to properly introduce, establish, and implement relevant internal rules and ensure the effectiveness of their compliance systems.

C. Management of investee companies:

a. FHC should establish appropriate guidelines for investment and M&A management, and implement related measures, including mechanisms for control and management of confidentiality and prevention of insider trading, pre-investment assessments, review and approval procedures, public announcements and filings, compliance, post-investment monitoring of returns, and risk management.

b. FHC shall establish investment management policy and procedures for major foreign investee companies (including investments as a co-investor) that includes measures for ensuring the sound operations and compliance with regulations and the establishment of corresponding supervision, control, and management mechanisms.

c. FHC should regularly ensure the soundness of non-primary subsidiaries (e.g., entities apart from bank, insurance company, and securities firm) and their compliance with regulatory requirements (including the prevention of conflicts of interest, and control and management mechanisms for interested-party transactions and management operations, etc.), establish control and management mechanisms for monitoring and control of business risks such as risks posed by venture capital subsidiaries (e.g., the reasonability of their use of proceeds and the appropriateness of impairment assessments), by asset management subsidiaries (e.g., whether they have established a clear internal control system, etc.), by financial leasing subsidiaries (e.g., whether their business operations are in line with their risk-bearing capacity, and whether they have established credit check procedures that ensure fulfillment of the duty of professional care, etc.), and by insurance broker (agent) subsidiaries (e.g., the appropriateness of soliciting, marketing, and expenses, etc.).

D. Corporate governance:

a. Strengthen the functions of the board of directors and functional committees: Examinations focus on such matters as the organization and functions of the board of directors; the establishment and operation of the audit committee, risk management committee, and other functional committees; rules for the proceedings and decision-making procedures of the board of directors; the fiduciary duties and responsibilities of directors; and the establishment of a chief corporate governance officer and other corporate governance personnel.

b. Management mechanisms for the responsible persons’ concurrent positions and proper levels of responsibility: The internal management mechanisms to confirm whether the responsible persons’ holding of concurrent positions is compliant with related laws and internal regulations, whether any concurrently held position other than that of chairperson or general manager is in the nature of a directorate-grade officer position, and whether the hierarchical delegation of responsibilities has been clearly segregated to preserve a balance of powers and responsibilities.

c. Mechanisms for reporting the holdings of major shareholders: Mechanisms for identifying the beneficial owners of major shareholders, including understanding whether major shareholders accurately report their beneficial owners in accordance with regulations; and procedures for processing cases where it has been found that information on a major shareholder has not been reported in accordance with regulations.

d. Data filing of interested parties and control and management of interested-party transactions:

(a) Whether FHC has established a database of interested parties, has filed the information correctly, and regularly confirms the accuracy of the interested parties’ information.

(b) Mechanisms for control and management of interested-party transactions and the legal compliance status, including transactions with substantively interested parties and the management of such transactions.

e. Establishment and implementation of the whistleblower system: Whether the whistleblower system is independent and effective, and whether it truly protects whistleblowers’ interests.

E. Risk management mechanisms:

a. Whether FHC has established proper risk management mechanisms for regional risks.

b. Whether FHC urges its subsidiaries to properly manage the risks of investees (including foreign companies) and report essential information to the FHC in order to control group risks.

c. Whether FHC has established response strategies and group risk management mechanisms for responding to economic changes caused by the pandemic and low interest rates such as business continuity management plans and stress tests for responding to changes in the financial industry.

F. The appropriateness of FHC’s oversight and checking of its subsidiaries’ operations for information system updates (e.g., the stability and testing of system conversions), controls over network security and the maintenance of information security, their establishment of effective measures for intrusion detection and defense, and their establishment of emergency response procedures, recovery plans, and mechanisms for protecting customer rights and interests when network abnormalities occur.

G. Personal information protection: The performance of FHC and its subsidiaries in measures for maintaining the security of customer information they collect, process, and use; mechanisms for data breach response drill; and security maintenance measures and legal compliance for cross-selling operations.

H. Internal audits:

a. The overall planning, overseeing and executing of internal audits at FHC and its subsidiary companies, and the adequacy of human resources as well as the independence of internal audit units.

b. Examinations focus on whether: (a) the internal audit units of FHC and its subsidiaries have implemented a suitable division of labor, based on the audited parties and the key points of the audits, to ensure that all subsidiaries are effectively audited; (b) an oversight mechanism for internal audits (including outsourced audits of foreign branches) has been established and implemented; and (c) FHC has strengthened the implementation and management of auditing operations (including the implementation of internal control and information security protection in the operating procedures for remote work and work from home) to ensure the quality of the audit and proper oversight of corrective actions taken to address identified deficiencies.

c. After FHC or any of its subsidiaries is examined by a host-country authority or receives an examination report issued by the host-country authority, its internal audit unit is required to promptly report the matter to the FSC in accordance with the materiality principle.

d. FHC’s confirmation, assessment, and oversight of the effectiveness of the risk-based auditing systems adopted by its banking subsidiaries.

e. The adequacy of auditing scope by FHC’s internal audit unit on subsidiaries other than banks, insurance companies, and securities firms to cover their key lines of business.

2. Domestic banks

A. Domestic banks’ (including their OBUs) compliance with anti-money laundering, counter-terrorism financing, and non-proliferation of weapons regulations:

a. Institutional risk assessment and internal controls framework: The completeness and reasonableness of institutional risk assessment as well as the appropriateness and effectiveness of overall internal control framework.

b. Customer due diligence measures and risk rating assessments: The identification and due diligence of beneficial owners, methodology of customer risk assessments, and the completeness and reasonableness of customer due diligence (whether commensurate with risks).

c. Ongoing monitoring of accounts and transactions: The reasonableness of transaction monitoring patterns and the setting of the monetary amount thresholds, the screening and verification of money laundering red flags or signs that customers and their transaction counterparties may meet the conditions for inclusion on a sanctions list and the independence and effectiveness of monitoring operations.

d. Suspicious transaction reporting procedures and quality of reporting: The handling of suspected ML/TF/PF transactions (including reporting, confidentiality procedures, and record-keeping).

e. Organization and personnel: The professionalism and adequacy of the chief officer and personnel, the adequacy of resource allocation, education and training, and the quality and reliability of independent tests conducted by internal audit units and accountants of the effectiveness of AML/CFT/CPF systems.

B. Compliance system and its implementation: Including (a) qualification requirements and training of the chief compliance officer and compliance personnel, and implementation of the compliance functions for compliance risk management and the supervision framework (including establishment of consultation and communication channels for legal compliance, analysis and reporting of material compliance deficiencies or malpractice, legal advice for new business or products, and evaluation of compliance operations); (b) compliance of personal information safeguards (including custody and utilization of customer data, cyber security mechanisms, etc.); and (c) compliance with consumer protection requirements for trust business (including product suitability, real estate development trusts, and transaction fund trusts for presold properties, etc.).

C. Overseas exposure management:

a. Management of foreign branches/subsidiaries: The oversight by the board of directors; head office oversight and allocation of resources to compliance operations at foreign branches; AML operations; credit risk concentration; assets quality; loan granting and credit checking, post-lending management, and sufficiency of the allowance for doubtful assets; operational risks; reporting mechanism for material events; mechanism for communication with host-country authorities; compliance operations (including the independence and fitness of chief compliance officer and compliance personnel, the state of compliance with local laws and regulations by foreign branches/subsidiaries, and establishment of compliance risk self-assessment, monitoring and control mechanisms); legal education and ethics evaluations for bank employees; and the quality of internal audits and tracking of correction plan of deficiencies.

b. Risk management for foreign securities investment, and for loans, investments, and interbank placements/deposits in New Southbound countries and mainland China (including control and calculations of exposure limits, and loan granting, credit investigation and post-lending management), and management mechanism for finance-related enterprises in mainland China.

D. Financial derivatives:

a. Customer credit risk control and management system: Compliance of (a) approval and management of hedging/trading purpose credit lines; (b) management mechanism for customer risk concentration; and (c) internal operating systems and procedures for initial margin and margin call requirements (e.g., types of initial margin, types of security eligible for initial margin, and the haircut rates and method for calculating net collateral value of the securities used as initial margin).

b. Appropriateness of sales operations for financial derivatives and structured products: Know-your-customer (KYC) procedures, product risk rating, product suitability assessment, qualifications of sales personnel, appropriateness and completeness of approaches, contents and record keeping of product risks disclosure.

c. Valuation and management mechanism for financial derivatives: The establishment of a valuation system for high-risk products to offer price quotes and calculate mark-to-market profits and losses on the basis of the product categories and type of linked underlying assets (high-risk and non-high-risk products) and establish verification procedures for the valuation system. With respect to non-high-risk products for which valuation system is not applied and price enquiry approach is used, an internal operation procedure for price reasonability checking should be established.

E. Risk management of securities investments and trading rooms:

a. Control and management of securities investments: The formulation, control, and management of risk limits, the setting and execution of stop-loss limits, and the appropriateness of the hedging strategy.

b. Internal control and management of trading rooms: The appropriateness of trading limits and authorizations, the completeness and credibility of front/middle/back-office internal control mechanisms (including the prevention of conflicts of interest between equity traders), and the integrity and thoroughness of the scope of internal audits and self-inspections for trading rooms.

F. Financial consumer protection:

a. Know-your-customer (KYC) operations; product suitability assessment; fairness and reasonableness of contract terms; control of sales procedures; new product listing and review procedures; the remuneration scheme for sales personnel; consumer dispute handling mechanism; implementation of principles for fair treatment of consumers (including the calculation and collection of credit card default charges and interest on revolving credit); implementation of the Measures to Ensure Friendly Financial Services (including financial services measures, such as online banking and mobile apps for the visually impaired); and protection of personal information (e.g., security measures for the collection, processing, and use of personal information, as well as mechanisms for data breach response drills).

b. Implementation of internal control and management measures for preventing wealth management specialists from misappropriating client funds.

c. Concurrent operation of insurance broker and insurance agent business (including the solicitation of insurance products, control mechanism for verifying application documents signed personally by proposer, and mechanism verifying customers’ sources of funds for the purchase of insurance products).

G. Implementation of digital financial services:

a. Examinations focus on the provision of online account opening and online applications; mechanisms for protecting the security of users’ personal information or transactions; customer due diligence; and mechanisms for monitoring of unusual transactions.

b. Security design for e-banking transactions (such as signature certificates, one-time passwords, biometrics, and key storage on mobile devices); provision of security management for application program interface (API) services; and management mechanism (including regular security checks) for the development and launch of mobile apps.

H. Implementation of corporate governance system:

a. Fulfillment of the functions of the board of directors: The organization and functions of the board of directors; overseeing of the establishment and operations of the audit committee and risk management committee; oversight of various business policies and management mechanism; and appropriateness of the board’s exercise of its powers in handling and responding to material events (such as major violations of laws and regulations, and significant exposures that adversely affect bank’s financial and business status).

b. Internal management mechanism for the responsible persons’ holding of concurrent positions (including the compliance of the responsible persons’ holding of concurrent positions with related laws and internal rules, and ensuring that any concurrently held positions other than that of chairperson or general manager is in the nature of a directorate-grade officer position); and the appointment of a chief corporate governance officer and other corporate governance personnel.

c. Examinations focus on (a) the compliance of interested-party/substantively interested-party transactions (including loans, real estate, purchase of services and items, and other transactions) and the control mechanism (including the self-regulatory mechanism for substantively interested parties); (b) irregularities with respect to strategies, counterparties, and prices for transactions within the group or with substantively interested parties (including major shareholders, directors, and supervisors); and (c) whether those transactions involve conflicts of interest or other compliance matters.

d. Independence and effectiveness of the whistleblower system (including internal operating procedures and control mechanism, such as channels for internal and external whistleblowers and whistleblower protection measures).

I. Management of information and communication security: Governance by the board of directors of information security (including new system conversions and updates); fulfillment of the functions of the dedicated information security unit and the chief information security officer; control and management measures for preventing irregularities in server systems and applications (such as the recovery process for major changes to system architecture, integrity testing, source code review, monitoring of batch operations, and monitoring of system resources); control measures for storage, transfer, and retrieval of personal information; the information security management mechanism for the MyData Digital Service Personalization Platform (MyData Platform); security measures for payment systems such as ATM and SWIFT; cyber security measures (e.g., firewall, intrusion detection, vulnerability scanning, penetration testing, and other security defense measures and patching cadence; system log collection, monitoring, and alerts; management of IoT device usage; and notification and response mechanisms for cyber-attack incidents); and procedures for collecting and evaluating cyber security intelligence.

J. Business operation systems: The issuance of account balance certifications; opening of checking accounts and issuance of blank checkbooks; internal control mechanism for prevention of loan fraud (including loan granting process, credit check procedures, and post-lending management); business continuity management mechanism, the compliance of outsourcing of operations; and periodic auditing of cross-border outsourcing operations (e.g., outsourcing to cloud service providers).

K. Risk management and regulatory compliance of credit business: The credit investigation system for credit business (including financing and factoring of accounts receivable, mortgages, loans for unsold properties, and syndicated loans such as project finance); risk assessment and analysis; risk pricing; credit reviews; loan approval procedures; post-lending management; compliance with the regulation that prohibits granting loans to SMEs on the condition that the loan proceeds are re-deposited; control of the flow of loan proceeds of industrial land loans; the granting of loans for idle industrial land; and compliance with Article 72-2 of the Banking Act.

L. Operations of internal audits:

a. The independence of the audit unit; the suitability of audit personnel; compliance with requested auditing items by the competent authority; mechanism for reporting of and response to material events; implementation of audits of foreign branches (including the head office’s management of internal audit operations at foreign branches); oversight of follow-up on audit findings and implementation of corrective measures; and benefits achieved by adopting risk-based auditing.

b. Audit unit’s efforts for strengthening audit screening principles, frequency, and audit focuses to prevent wealth management specialists from misappropriating client funds (including business dealings between wealth management specialists and customers as well as specialists’ related accounts).

c. Audits of concurrently operated insurance broker or insurance agent businesses.

M. Management of investees: Oversight of subsidiaries’ establishment and implementation of operation and risk control rules (including control mechanism for interested-party transactions); verify the consistency of actual lines of business with those listed in the original business plan; and verify the establishment of regular reporting mechanism and management measures for subsidiaries’ major business plans, transactions, business performance, and exposures.

N. Concurrent operation by banks of underwriting and proprietary trading involving bonds, beneficiary securities, asset-backed securities: Position limits for the aforementioned lines of business; control procedures for the underwriting of bonds issued by affiliates of the same business group; and risk management and product suitability systems for the aforementioned lines of business.

O. Operation management of concurrent electronic payment businesses (including control mechanism for identity verification and transaction limits).

3. Foreign bank branches in Taiwan

A. Compliance with regulations governing anti-money laundering, counter-terrorism financing, and non-proliferation of weapons (including OBUs):

a. Institutional risk assessments and internal controls framework: Completeness and reasonableness of institutional risk assessments as well as the appropriateness and effectiveness of overall internal control framework.

b. Customer due diligence measures and risk rating assessment: The identification and due diligence of beneficial owners, methodology of customer risk assessment, and the completeness and reasonableness of customer due diligence (whether commensurate with risks).

c. Ongoing monitoring of accounts and transactions: The reasonableness of transaction monitoring patterns and the setting of monetary amount thresholds, the screening and verification of money laundering red flags or signs that customers and their transaction counterparties may meet the conditions for inclusion on a sanctions list and the independence and effectiveness of monitoring operations.

d. Suspicious transaction reporting procedures, and quality of reporting: The handling of suspected ML/TF/PF transactions (including reporting, confidentiality procedures, and record-keeping).

e. Organization and personnel: The professionalism and adequacy of the chief officer and personnel, the adequacy of resource allocation, education and training, and the quality and reliability of independent tests by internal audit units and accountants of the effectiveness of AML/CFT/NPW systems.

B. Provision by banks of information and consultation services pertaining to offshore financial derivatives: The state of compliance with respect to such matters as the clientele served, the scope of products offered, the content of services offered, the offering of price quotes, and the distribution of dividend income.

C. Financial derivatives:

a. Customer credit risk management system.

b. Appropriateness of sales operations for financial derivatives and structured products.

c. Valuation and control and management mechanism for financial derivatives.

D. Compliance system and implementation status: (a) training for compliance personnel; (b) implementation of compliance functions (including the establishment of a consultation and communication system for legal compliance, analysis and reporting of material compliance deficiencies or malpractice, provision of compliance advice for new business or products, and evaluation of compliance self-assessments); and (c) implementation of information security operations.

E. Compliance with legal limits and risk management of the use of funds:

a. Control and management of credit limits in mainland China.

b. Control and management mechanisms for calculating the regulated total deposit balance.

c. Sources and uses of funding for extending loans and investments, asset and liability maturity allocation, and liquidity risk management.

F. Management of outsourcing processes: Compliance with regulations for outsourcing business; periodic auditing of cross-border outsourcing; and information security and risk management measures for business outsourced to cloud service providers.

G. Personal information protection and management of information and communication security.

H. Concurrent operation by banks of underwriting and proprietary trading involving bonds, beneficiary securities, asset-backed securities: Position limits for the aforementioned lines of business; control procedures for the underwriting of bonds issued by affiliates of the same business group; and risk management and product suitability systems for the aforementioned lines of business.

I. Management of project finance: Risk assessment and analysis; measures to strengthen protection of creditor rights; and post-loan management.

J. Implementation and auditing of internal control measures for preventing wealth management specialists from misappropriating client funds (including business dealings between wealth management specialists and customers and specialists’ related accounts).

4. Credit cooperatives

A. Compliance with regulations governing anti-money laundering, counter terrorism financing, and non-proliferation of weapons:

a. Institutional risk assessments and internal controls frameworks: The completeness and reasonableness of institutional risk assessments as well as the appropriateness and effectiveness of overall internal control frameworks.

b. Customer due diligence measures and risk rating assessments: The identification and due diligence of beneficial owners, methodology of customer risk assessments, and the completeness and reasonableness of customer due diligence (whether commensurate with risks).

c. Ongoing monitoring of accounts and transactions: The reasonableness of transaction monitoring patterns and the setting of monetary amount thresholds, the screening and verification of money laundering red flags or signs that customers and their transaction counterparties may meet the conditions for inclusion on a sanctions list and the independence and effectiveness of monitoring operations.

d. Suspicious transaction reporting procedures, and quality of reporting: The handling of suspected ML/TF/PF transactions (including reporting, confidentiality procedures, and record-keeping).

e. Organization and personnel: The professionalism and adequacy of the chief officer and personnel, the adequacy of resource allocation, education and training, and the quality and reliability of independent tests by internal audit units and accountants of the effectiveness of AML/CFT/CPF systems.

B. Implementation of the compliance and risk management system:

a. Whether laws and regulations are updated in a timely manner, and the appropriateness of compliance training and compliance reports.

b. Establishment and operations of the risk management committee.

C. Credit risk management:

a. Operations of the credit review committee.

b. Risk management for related-party loans and large loans.

c. Risk management, compliance, and the implementation of reporting operations for real estate loans: Construction loans, residential loans, home improvement loans, and unsold properties loans.

d. Whether responsible persons or other personnel have engaged in irregular transactions with customers.

e. Compliance with the regulation that prohibits granting loans to SMEs on the condition that the loan proceeds are re-deposited.

D. Financial consumer protection: Cooperation with other enterprises to promote the sale of financial products (including mortgage life insurance); full understanding of financial consumers to ascertain the suitability of products or services for them; full explanation of the important aspects of financial products, services, and contracts; protection of the personal information of customers; consumer dispute resolution mechanisms; implementation of principles for fair treatment of consumers and of the Measures to Ensure Friendly Financial Services; and the supply of information and disclosure of fees for consumer loans and interest rate adjustments in accordance with the contract.

E. Management of information and communication security: Manpower, training, and management for information security; system security and control for online financial business (including online financial services); transaction security design; cyber security measures (e.g., firewall, intrusion detection, vulnerability scanning, email social engineering exercises, penetration testing, and other security defense measures and patching cadence; system log collection, monitoring, and alerts; management of IoT device usage; and notification and response mechanisms for cyber-attack incidents); control and management measures for storage, transfer, and retrieval of personal information; and procedures for collecting and evaluating cyber security intelligence.

F. Mechanism for control and management of deposit and withdrawal operations: The appropriateness of rules governing deposit and withdrawal operations (including rules that prohibit employees from keeping customers’ seals, passbooks, or blank withdrawal slips already signed/sealed; and rules governing the processing of withdrawals without a passbook); and operation and control and management mechanisms for supervisor cards (password).

G. Liquidity control and management measures: Formulation of a liquidity risk management policy and the establishment of an appropriate information system to measure and monitor liquidity risks; regular disclosure of qualitative and quantitative information on liquidity risk management; establishment of liquidity risk management indicators and early-warning mechanisms; regular reviews of the sources of large amounts of funds, usage of such funds, and concentration risk; and the establishment of an emergency response plan and procedures for obtaining funds under emergency circumstances.

H. Operations and implementation of the credit cooperative governance system:

a. Operations of the general meeting of representatives of credit cooperative members.

b. Fulfillment of the functions of the board of directors and board of supervisors: The organization and functions of the board of directors and board of supervisors; and the appropriateness of oversight of the various business policies and management mechanisms.

c. Mechanism for control of interested-party loans and transactions and the compliance status.

d. Establishment and implementation of the whistleblower system: The independence and effectiveness of the whistleblower system and the integrity of its protection of the whistleblower’s interests.

5. Bill finance companies

A. Compliance with regulations governing anti-money laundering, counter-terrorism financing, and non-proliferation of weapons: Institutional risk assessments and internal controls framework; customer due diligence measures and risk rating assessment; ongoing monitoring of accounts and transactions; suspicious transaction reporting procedures and quality of reporting; education and training; and the quality and reliability of independent tests by internal audit units and accountants.

B. Corporate governance and business continuity management mechanisms: Protection of shareholder interests; strengthening of the functions of directors; fulfillment of the functions of supervisors; respect for the rights and interests of interested parties (safeguards for internal whistleblowers); enhancement of information transparency; and the establishment and implementation status of business continuity management mechanisms.

C. The implementation of internal control and compliance mechanisms for the granting of credit to interested parties (including substantively interested parties), and conduct of transactions other than credit extensions with such parties.

D. The risk management mechanisms for non-guaranteed commercial paper and their implementation (including the appropriateness of underwriting limits for non-guaranteed commercial paper issued by individual issuers, and control and management of a company’s holdings of non-guaranteed commercial paper issued by a single group of related parties or by the members of a single corporate group).

E. Compliance with enhanced control and management for guarantee business statutory ratios. Examples include the inclusion of guarantee advances not yet reclassified as non-accrual loans into the total outstanding amount of endorsements and guarantees and plans to raise the required ratio for reserves against outstanding real estate guarantees to 1.5% before the end of 2021.

F. Internal operating rules for guarantee and endorsement business for the real estate industry (including civil construction loans and unsold properties loans), and the appropriateness and implementation of risk management measures.

G. Debt instrument (including foreign currency bond) investments and management mechanisms for their position risks and their implementation status: Investment valuation, price review, management of interest rate risk associated with fluctuating interest rates, and investment positions and mechanisms for the control and management of their credit ratings.

H. Liquidity risk management mechanism and the implementation (including compliance with the “Self-Regulation for the Liquidity Risk Management of Bills Finance Companies”).

I. Risk management mechanisms and implementation thereof in foreign currency funding operations conducted by offshore banking units (OBUs) and offshore securities units (OSUs) for operations in bonds denominated in foreign currencies.

6. Securities firms

A. Compliance by securities firms (including their OSUs) with regulations governing anti-money laundering, counter-terrorism financing, and non-proliferation of weapons:

a. Institutional risk assessments and internal controls frameworks: The completeness and reasonableness of institutional risk assessments as well as the appropriateness and effectiveness of overall internal control frameworks.

b. Customer due diligence measures and risk rating assessments: The identification and due diligence of beneficial owners, methodology of customer risk assessments, and the completeness and reasonableness of customer due diligence (whether commensurate with risks).

c. Ongoing monitoring of accounts and transactions: The reasonableness of transaction monitoring patterns and the setting of monetary amount thresholds; the screening and verification of money laundering red flags or signs that customers and their transaction counterparties may meet the conditions for inclusion on a sanctions list; and the independence and effectiveness of monitoring operations.

d. Suspicious transaction reporting procedures, and quality of reporting: The handling of suspected ML/TF/PF transactions (including reporting, confidentiality procedures, and record-keeping).

e. Organization and personnel: The professionalism and adequacy of the chief officer and personnel, the adequacy of resource allocation, education and training, and the quality and reliability of independent tests by internal audit units of the effectiveness of AML/CFT/NPW systems.

B. Management of internal personnel: The implementation of auditing for insider conflicts of interest and whether securities firms have properly inspected insider conflicts of interest; compliance and audits on the prohibited actions of business personnel (e.g., whether business personnel have engaged in operations on behalf of customers and whether there are capital borrowing and lending between business personnel and customers), and the appropriateness of the remuneration and personnel evaluation mechanisms.

C. Wealth management business (including high-asset customers): Services or products provided to customers through sub-brokerage, wealth management trusts, or proprietary trading in the business premises, whether customers meet related qualifications and criteria, and whether the securities firm has fully performed its information disclosure and reporting obligations and established a product suitability system and product review standards.

D. Brokerage trading of foreign securities: The classification and management of investors based on their profiles; KYC operations; segmentation of brokerage investment products by investor; whether the firm collects the renewal rate according to the set charging standard and fully discloses the information; and management mechanisms for rewards or gift certificates provided to bank channels.

E. Financial derivative transactions: The securities firms’ procedures for signing contracts with customers in financial derivative transactions, product suitability system (KYC and KYP operations), control of the marketing process, customer complaint processing, contract rescission and settlement, product appraisal and quotation, risk management, and the status of hedging operations.

F. ETN operations: Implementation of market-making and hedging for exchange-traded notes (ETN).

G. Risk management mechanisms: Whether the securities firm has established strategies for responding to economic changes caused by the pandemic and low interest rates; whether the securities firm has formulated and fully implemented business continuity management regulations; and whether the operations of its risk management mechanisms are adequate (e.g., supervision and management by the board of directors and management, the risk management committee, management of transaction limits, stop-loss management, and mechanisms for addressing exceptions).

H. Oversight and management of foreign subsidiaries: (a) the securities firm’s formulation of rules that set out required control tasks for its subsidiary companies; (b) the firm’s supervision of the efforts of its subsidiaries to establish an internal control system; (c) whether the firm has established review mechanisms to verify that the domestic securities investments of the firm’s customers comply with domestic laws and regulations (including KYC due diligence procedures, confirmation that clients’ funds are not derived from Taiwan or mainland China, and confirmation that clients are not nationals of mainland China); and (d) key matters in the firm’s oversight and management of its subsidiaries (including business management, financial matters, operational matters, legal compliance, and management of internal audits).

I. Corporate governance implementation status: Implementation of corporate governance and strengthening of the functions of the board of directors, including such matters as whether the firm has established an internal whistleblower system and how it is implemented; whether it has created the post of chief corporate governance officer and the implementation of compliance matters; and verification that the firm observes the prohibition against any independent director serving more than three consecutive terms.

J. Financial consumer protection: Implementation of the Measures to Ensure Friendly Financial Services; whether the firm has established and properly implemented an internal control system for oversight of account openings and product sales in the wealth management business; whether the firm fully discloses information on service charges and commissions received; the appropriateness of the distribution of performance bonuses and of the firm’s handling of consumer complaints; and whether the firm collects, processes, and uses customer information appropriately.

K. Principles for Fair Treatment of Consumers: Implementation of the Principles for Fair Treatment of Consumers by Financial Services Enterprises.

7. Securities investment trust companies

A. Compliance with regulations governing anti-money laundering, counter-terrorism financing, and non-proliferation of weapons:

a. Institutional risk assessments and internal controls framework: The completeness and reasonableness of institutional risk assessments as well as the appropriateness and effectiveness of overall internal control frameworks.

b. Customer due diligence measures and risk rating assessment: The identification of beneficial owners, methodology of customer risk assessment, and the completeness and reasonableness of customer due diligence (whether commensurate with risks).

c. Ongoing monitoring of accounts and transactions: The reasonableness of transaction monitoring patterns and the setting of monetary amount thresholds; the screening and verification of money laundering red flags or signs that customers and their transaction counterparties may meet the conditions for inclusion on a sanctions list; and the independence and effectiveness of monitoring operations.

d. Suspicious transaction reporting procedures, and quality of reporting: The handling of suspected ML/TF/PF transactions (including reporting, confidentiality procedures, and record-keeping).

e. Organization and personnel: The professionalism and adequacy of the chief officers and personnel, education and training, and independent tests by internal audit units of the effectiveness of AML/CFT/CPF systems.

B. The disclosure of dividend distributions of onshore and offshore funds; risk disclosures for high-yield bond funds, the advertisement and marketing documents for target maturity bond funds, the implementation of customer fund suitability assessments, and the implementation of know-your-customer (KYC) and know-your-product (KYP) requirements in the course of fund sales.

C. Measures for preventing conflicts of interest with regard to the investment of proprietary funds in other enterprises, and the implementation of the internal control system: Investments in the FinTech industry, insurance agent companies, or insurance broker companies; instances in which an investee acts as the general partner of a private equity fund; and instances in which a security investment trust company adopts the “seed capital” mechanism to manage a private equity fund or to invest its proprietary funds.

D. Investment trust funds and discretionary investment accounts (including discretionary investment accounts managed by government-run investment funds): (a) instances in which a securities investment trust fund’s manager, or a spouse or minor child of such a manager, or anyone else acting as a nominee thereof, trades in the same instruments as those held by the investment trust fund or held in a discretionary investment account that is managed by that fund; and (b) internal control rules governing analysis reports, decisions, execution records, and review reports regarding investments and transactions conducted by an investment trust fund or through a discretionary investment account in such a fund (including discretionary investment accounts managed by government-run investment funds), and the implementation of those internal control rules.

E. The offering and sale of bond ETFs and futures ETF investment trusts, management of discounts and premiums, and such ETFs’ tracking of the underlying index.

F. Personal information protection: Security and protection measures for the storage, processing, and transmission of personal information.

G. Examinations focus on (a) implementation and management of information security inspections and controls; and (b) for securities investment trust companies that have already become a member of the Financial Information Sharing and Analysis Center (F-ISAC), verify the procedures taken by those members in response to cyber security information or alerts released by the F-ISAC.

H. Management and auditing of sub-distributors, and payment of distribution fees: Screening of sub-distributors and on-site visits; eligibility criteria for selected training program participants; the appropriateness of tours incorporated into training programs, and a reasonable ratio of professional courses related to funds (education and training for sub-distributors); implementation of pre-evaluation and post-review mechanisms for distribution fees; whether the internal controls include distribution fee controls; and whether the payment items and amounts of distribution fees are reasonable and comply with regulations.

I. Implementation status of corporate governance and business continuity management mechanisms: The enhancement of the functions of the board of directors, interested-party transactions, whistleblower protection measures; whether the “Stewardship Principles for Institutional Investors” have been implemented in compliance with internal control rules; and whether the company has formulated and implemented business continuity management regulations.

8. Life insurance companies

A. Examinations focus on compliance by life insurance companies (including their OIUs) with regulations governing anti-money laundering, counter-terrorism financing, and non-proliferation of weapons:

a. Institutional risk assessments and internal controls frameworks: The completeness and reasonableness of institutional risk assessments as well as the appropriateness and effectiveness of overall internal control frameworks.

b. Customer due diligence measures and risk rating assessment: The identification and due diligence of beneficial owners, methodology of customer risk assessment, and the completeness and reasonableness of customer due diligence (whether commensurate with risks).

c. Ongoing monitoring of accounts and transactions: The reasonableness of transaction monitoring patterns and the setting of monetary amount thresholds; the screening and verification of money laundering red flags or signs that customers and their transaction counterparties may meet the conditions for inclusion on a sanctions list; and the independence and effectiveness of monitoring operations.

d. Suspicious transaction reporting procedures, and quality of reporting: The handling of suspected ML/TF/PF transactions (including reporting, confidentiality procedures, and record-keeping).

e. Organization and personnel: The professionalism and adequacy of the chief officer and personnel, the adequacy of resource allocation, education and training, and the quality and reliability of independent tests by internal audit units and accountants of the effectiveness of AML/CFT/CPF systems.

B. Implementation of the compliance system:

a. Establishment by insurers with total assets NT$1 trillion or more of a company-wide framework for oversight of compliance risk management.

b. Establishment of a compliance department and its mechanism for the announcement and communication of laws, regulations, and rules.

c. The provision of compliance advice before launching new services or products, or undertaking specific or major use of funds.

d. Each unit’s procedures for handling of material discrepancies in compliance or malfeasance.

e. Compliance training, implementation of compliance self-assessments, and the insurer’s overseeing and auditing of its foreign branches’ compliance with laws.

C. Financial consumer protection:

a. Claim settlement notice operations and the processing mechanisms for payable policy payments that were not claimed by the insured.

b. The establishment and execution of a management system for conservation and complaints.

c. Appropriateness of marketing for interest-sensitive and investment insurance products.

d. The establishment and implementation of product suitability policies for insurance products sold to elderly customers.

e. Implementation of amendments to the model provisions for insurance policies.

f. Protection of the rights of persons with disabilities to obtain insurance (e.g., verify whether there is any discrimination in the solicitation and underwriting of insurance for persons with physical and mental disabilities), and the implementation of the Measures to Ensure Friendly Financial Services as well as the Principles for Fair Treatment of Consumers by Financial Services Enterprises.

D. Marketing and management of insurance products:

a. Management of solicitors: The establishment and implementation of internal control procedures for overseeing solicitors, to ensure that they fill out solicitation reports correctly and to prevent solicitors from using or misappropriating the funds of the insured.

b. Performance in convening meetings of its insurance product management team and in verifying that its products are legally compliant and reasonably priced.

c. Method for the declaration of interest rates and its management of asset segregation for interest-sensitive insurance products.

d. Management measures before and after the sales of disability support insurance policies as well as insurance products connected to catastrophic illness cards.

e. Management of business dealings with insurance brokers and insurance agents (including the oversight and management of the signature procedures by insurance brokers and agents and the management of payments for ads in sales channels and networking expenses).

E. Corporate governance: The fulfillment of the functions of the board of directors and functional committees such as the risk management committee; compliance and control and management procedures for interested-party transactions; and establishment of the whistleblower system.

F. Implementation status of foreign investments:

a. The investment terms, risk management, and legal compliance of investments in senior corporate bonds, subordinated corporate bonds, subordinated financial bonds, and international bonds.

b. Pre-investment and post-investment management mechanisms for equity investments in foreign insurance enterprises and mainland China insurance entities as a co-investor and the insurer’s implementation of legal compliance at the investees (including handling mechanisms to ensure an appropriate response when there is a major violation of AML/CFT legislation, material malpractice caused by ineffective internal controls, a material change in the investment plan filed to the competent authority at an investee, or other material incidents that might affect its reputation or impede normal business operations).

c. The maintenance of custody over foreign assets, qualifications and criteria of custodian institutions, and the legality of custodial services contracts.

d. Operating procedures and management system for discretionary investments.

G. Establishment and implementation of internal control systems for domestic securities investments: The establishment of investment policies and procedures, post-investment review mechanisms, control and management mechanisms for front/middle/back-office powers and responsibilities; operating procedures and management system for discretionary investments, and the appropriateness of mechanisms for preventing conflicts of interest among equity investment staff.

H. Implementation status of real estate investments: The investment procedures and internal control mechanism for real estate investments, compliance with the requirement for prompt utilization and income, and the procedures for subsequent measurement of real estate investments included in the accounts.

I. Risk management, internal control mechanisms, and legal compliance for insurers’ use of funds in special projects and investments in private investment funds or venture capital firms.

J. Implementation of Own Risk and Solvency Assessments (ORSA): e.g., the internal implementation of the ORSA (including risk response measures and monitoring mechanisms).

K. Conduct of digital financial services: Management mechanism for the development and launch (including regular safety checks) of mobile apps; administration of electronic insurance policies; implementation of customer due diligence for mobile device applications and online applications for insurance; confirmation of bona fide intent to purchase insurance; and control and management mechanisms for underwriting and notifications.

L. Management mechanism for information and communication security as well as personal information protection:

a. Management mechanisms and security and protection measures for the collection, processing, and use of personal information, and compliance therewith (including the supervision and management of personal information protection for the insured in operations outsourced to third-party service providers).

b. Business continuity management mechanism, information system security controls, and mechanisms for data breach response drills.

9. Non-life insurance companies

A. Compliance with regulations governing anti-money laundering, counter-terrorism financing, and non-proliferation of weapons: The internal control system for anti-money laundering and counter-terrorism financing; implementation of risk assessment and risk reduction measures; customer due diligence; name screening; ongoing monitoring of accounts and transactions; establishing and integrating the information system; screening for money laundering transactions and filing of suspicious transaction reports; and AML training.

B. Implementation of the legal compliance system:

a. Establishment of a legal compliance department and its mechanisms for the announcement and communication of laws, regulations, and rules.

b. The provision of compliance advice before launching new services or products, or undertaking specific or major use of funds.

c. Each unit’s procedures for the handling of material compliance failures or malfeasance.

d. Compliance training, implementation of compliance self-assessments, and the insurer’s supervision and inspections of its foreign branches’ compliance with laws.

C. Financial consumer protection:

a. The processing mechanism for payable policy payments that were not claimed by the insured.

b. Protection of the rights of persons with disabilities to obtain insurance (e.g., whether there is any discrimination in the solicitation and underwriting of insurance for persons with physical and mental disabilities), and the implementation of the Measures to Ensure Friendly Financial Services as well as the Principles for Fair Treatment of Consumers by Financial Services Enterprises.

c. State of compliance with the mandatory and prohibitory provisions of standard form contract and standard provisions for insurance policies.

D. Marketing and management of insurance products:

a. Performance in convening meetings of its insurance product management team, and in verifying that its products are legally compliant and reasonably priced.

b. The implementation of rate-making for commercial fire insurance and private passenger car physical damage insurance (including surcharges).

c. Management of the insurer’s business dealings with insurance broker and agent distribution channels and business collaboration with other industries (including the supervision and management of the signature procedures by insurance brokers and agents and the management of payments for ads in sales channels and networking expenses).

E. Establishment and implementation of solicitation, premium collection, underwriting, and claim procedures for voluntary automobile insurance:

a. Implementation of premium collection and issuance of insurance policies; handling of policy underwriting conditions and endorsements that stipulate driver-only coverage; implementation status of insurance underwriting for corporate fleets; appropriateness of indirect solicitation fees paid to automobile dealers; verification that the insurer properly obtains statements of deductible expenses and quotation (repair) forms; and review mechanisms for checking the reasonableness of spare part prices.

b. Handling of underwriting and claims for compulsory automobile liability insurance and management mechanisms for archiving of electronic application forms.

F. Risk management mechanisms for funds utilization: The compliance of the insurer’s investments in securities and foreign assets, related transaction control mechanisms and risk management measures, appropriateness of mechanisms for preventing conflicts of interest among equity investment staff, and operating procedures and management system for discretionary investments.

G. Implementation of Own Risk and Solvency Assessments (ORSA): e.g., the internal implementation of the ORSA (including risk response measures and monitoring mechanisms).

H. Conduct of digital financial services: Management mechanism for the development and launch (including regular safety checks) of mobile apps, administration of electronic insurance policies, implementation of customer due diligence for mobile device applications and online applications for insurance, confirmation of bona fide intent to purchase insurance, and control mechanisms for underwriting and notifications.

I. Management mechanisms for information and communication security as well as personal information protection:

a. Management mechanism and security and protection measures for the collection, processing, and use of personal information, and the compliance thereof (including the supervision and management of personal information protection for the insured in operations outsourced to third-party service providers).

b. Business continuity management mechanism, information system security controls, and mechanisms for data breach response drills.

J. Corporate governance: The fulfillment of the functions of the board of directors and functional committees such as the risk management committee; compliance and control and management procedures for interested-party transactions; and establishment of the whistleblower system.

K. Management mechanisms for outward reinsurance: The management of the obtaining of written confirmations and reinsurance contract documents from reinsurers and reinsurance brokers; and mechanisms for checking reinsurers’ qualifications, reinsurance arrangements, and the underwriting terms and conditions of the original insurance contracts.

Update: 2021-12-21