
Financial Examination Focus in 2022


Ⅰ. Preface

The FEB’s 2022 financial examination focuses are based on the results of examinations conducted in 2021 and on the regulations and supervisory focus issues published by the FSC in 2021, and they reflect financial market conditions and the concerns of external stakeholders. The FEB selects the issues in each financial industry that require further scrutiny and includes them in the examination focuses. The FEB’s 2022 financial examination focuses are developed with reference to (a) the FSC’s supervisory focuses; (b) the concerns of external stakeholders; and (c) the development of major business lines of financial institutions. They cover seven categories in total: (a) financial consumer protection/Measures to Ensure Friendly Financial Services/principles for fair treatment of consumers; (b) examination of real estate lending; (c) sustainable finance/green finance; (d) cyber security management and personal information protection; (e) management of Mainland China exposures; (f) prevention of conflicts of interest between fund managers and the securities investment trust funds (SITE funds) and discretionary investment accounts under their management, and control of investment procedures; and (g) digital financial services. In addition, the FEB’s 2022 financial examination focuses for other cross-sector (or multi-sector) matters cover four categories in total: (a) the implementation of anti-money laundering (AML), countering the financing of terrorism (CFT), and counter proliferation financing (CPF) measures; (b) the implementation of the legal compliance system; (c) corporate governance; and (d) overall and individual risk control mechanisms.


Ⅱ. 2022 Financial examination focuses for each type of financial service industries

1. Financial Holding Companies (FHCs)

A. The implementation of AML/CFT/CPF requirements: Whether the FHC oversees its subsidiaries’ understanding of and compliance with AML regulations (e.g., by reviewing the consistency of the institutional risk assessment (IRA) methodology and assessment results across subsidiaries, and the reasonableness of risk appetite at the group and subsidiary levels), oversees efforts by examined subsidiaries to carry out corrective action to address AML deficiencies, and requests other subsidiaries that were not examined to review and refine their AML mechanisms.

B. The implementation of compliance system: The design and implementation of FHC’s compliance systems and overseeing efforts by the compliance officers of subsidiaries (including investees) to properly introduce, establish, and implement relevant internal rules and ensure the effectiveness of their compliance systems.

C. Management of investee companies:

a. FHC should establish appropriate guidelines and control mechanisms for investment and M&A management, and implement them, including mechanisms for the control and management of confidentiality and prevention of insider trading, pre-investment assessments, review and approval procedures, public announcements and filings, compliance, post-investment monitoring of returns, and risk management, and should establish control, management, and audit mechanisms to regulate conflicts of interest and improper transactions.

b. FHC shall establish investment management policy and procedures for major foreign investee companies (including investments as a co-investor) that includes measures for ensuring the sound operations and compliance with regulations and the establishment of corresponding supervision, control, and management mechanisms.

c. FHC should regularly ensure the soundness of non-primary subsidiaries (e.g., entities apart from bank, insurance company, and securities firm) and their compliance with regulatory requirements (including the prevention of conflicts of interest, and control and management mechanisms for interested-party transactions and management operations, etc.), establish control and management mechanisms for monitoring and control of business risks such as:

(a) Venture capital subsidiaries: Reasonableness of use of funds, appropriateness of impairment assessments, and control mechanisms for managing the raising of capital for venture investment (including: establishing risk exposure for the corporate group and fund-raising policies, counterparties, and limits, and measures for fully understanding the investee’s products and customers, anti-money laundering and countering the financing of terrorism, resolving disputes, preventing conflicts of interest, managing related-party transactions, and preventing actions which constitute inappropriate general advertisements or public inducements) etc.

(b) Asset management subsidiaries: Examinations focus on whether they have established a clear internal control system, etc.

(c) Financial leasing subsidiaries: Examinations focus on whether business operations are in line with their risk-bearing capacity, and whether they have established credit check procedures that ensure fulfillment of the duty of professional care, etc.

D. Corporate governance:

a. Strengthen the functions of the board of directors and functional committees: Examinations focus on such matters as the organization and functions of the board of directors; the establishment and operation of the audit committee, risk management committee, and other functional committees; rules for the proceedings and decision-making procedures of the board of directors; the fiduciary duties and responsibilities of directors; and the establishment of a chief corporate governance officer and other corporate governance personnel.

b. Management mechanisms for the responsible persons’ concurrent positions and proper levels of responsibility: The internal management mechanisms to confirm whether the responsible persons’ holding of concurrent positions complies with related laws and internal regulations, whether any concurrently held positions other than that of chairperson or general manager are in the nature of a directorate-grade officer position, and whether the hierarchical delegation of responsibilities has been clearly segregated to preserve a balance of powers and responsibilities.

c. Mechanisms for reporting the holdings of major shareholders: Mechanisms for identifying the beneficial owners of major shareholders, including understanding whether major shareholders accurately report their beneficial owners in accordance with regulations; and procedures for processing cases where it has been found that information on a major shareholder has not been reported in accordance with regulations.

d. Data filing of interested parties and control and management of interested-party transactions:

(a) Whether FHC has established a database of interested parties, whether it has filed the information correctly, and whether it regularly confirms the accuracy of the interested parties’ information.

(b) Mechanisms for control and management of interested-party transactions and the legal compliance status, including transactions with substantively interested parties and the management of such transactions.

e. Establishment and implementation of the whistleblower system: Whether the whistleblower system is independent and effective, and whether it truly protects whistleblowers’ interests.

E. Risk management mechanisms:

a. Whether FHC has established proper risk management mechanisms for regional risks (including mechanisms for managing the purchase of shares in foreign financial organizations).

b. Whether FHC urges its subsidiaries to properly manage the risks of investees (including foreign companies) and report essential information to the FHC in order to control group risks.

c. Whether FHC has established response strategies and group risk management mechanisms for responding to economic changes caused by the pandemic and low interest rates, such as business continuity management plans and stress tests for responding to changes in the financial industry.

F. Information system and information security oversight: The appropriateness of FHC’s oversight and checking of its subsidiaries’ operations for information system updates (e.g., the stability and testing of system conversions), their control and management of network security and maintenance of information security, their establishment of effective measures for intrusion detection and defense, and their establishment of emergency response procedures, recovery plans, and mechanisms for protecting customer rights and interests when network abnormalities occur.

G. Personal information protection: The information security controls implemented by FHC and its subsidiaries for managing and controlling the safety of their customer information databases; the protective measures implemented for the customer information collected, processed, and used by FHC and its subsidiaries; mechanisms for data breach response drills; and security maintenance measures and legal compliance for cross-selling operations.

H. Internal audits:

a. The overall planning, overseeing and executing of internal audits at FHC and its subsidiary companies, and the adequacy of human resources as well as the independence of internal audit units.

b. Examinations focus on whether: (a) the internal audit units of FHC and its subsidiaries have implemented a suitable division of labor, based on the audited parties and the key points of the audits, to ensure that all subsidiaries are effectively audited; (b) an oversight mechanism for internal audits (including outsourced audits of foreign branches) has been established and implemented; and (c) FHC has strengthened the implementation and management of auditing operations (including the implementation of internal control and information security protection in the operating procedures for remote work and work from home) to ensure the quality of the audit and proper oversight of corrective actions taken to address identified deficiencies.

c. FHC’s confirmation, assessment, and oversight of the effectiveness of the risk-based auditing systems adopted by its banking subsidiaries.

d. The adequacy of auditing scope by FHC’s internal audit unit on subsidiaries other than banks, insurance companies, and securities firms to cover their key lines of business.

2. Domestic banks

A. Domestic banks’ (including their OBUs) compliance with anti-money laundering, counter-terrorism financing, and non-proliferation of weapons regulations:

a. Institutional risk assessment and internal controls framework: The completeness and reasonableness of institutional risk assessment as well as the appropriateness and effectiveness of overall internal control framework.

b. Customer due diligence measures and risk rating assessments: The identification and due diligence of beneficial owners, methodology of customer risk assessments, and the completeness and reasonableness of customer due diligence (whether commensurate with risks).

c. Ongoing monitoring of accounts and transactions: The reasonableness of transaction monitoring patterns and the setting of the monetary amount thresholds, the screening and verification of money laundering red flags or signs that customers and their transaction counterparties may meet the conditions for inclusion on a sanctions list and the independence and effectiveness of monitoring operations.

d. Suspicious transaction reporting procedures and quality of reporting: The handling of suspected ML/TF/PF transactions (including reporting, confidentiality procedures, and record-keeping).

e. Organization and personnel: The professionalism and adequacy of the chief officer and personnel, the adequacy of resource allocation, education and training, and the quality and reliability of independent tests conducted by internal audit units and accountants of the effectiveness of AML/CFT/CPF systems.

B. Compliance system and its implementation: Such as (a) qualification requirements and training of the chief compliance officer and compliance personnel, and implementation of the compliance functions for the compliance risk management and supervision framework (including establishment of consultation and communication channels for legal compliance, analysis and reporting of material compliance deficiencies or malpractice, legal advice for new business or products, and evaluation of compliance operations); (b) compliance with personal information safeguards (including custody and utilization of customer data, cyber security mechanisms, etc.); (c) compliance with consumer protection requirements for trust business (including product suitability, real estate development trusts, and transaction fund trusts for presold properties, etc.); and (d) the calculation of regulatory capital and risk-weighted assets (including compliance with regulations related to the use of the loan-to-value method for the calculation of property risk exposures).

C. Management of overseas exposures:

a. Management of foreign branches/subsidiaries: The oversight by the board of directors; head office oversight and allocation of resources to compliance operations at foreign branches; AML operations; credit risk concentration; asset quality; loan granting and credit checking, post-lending management, and sufficiency of the allowance for doubtful assets; operational risks; reporting mechanism for material events; mechanism for communication with host-country authorities; compliance operations (including the independence and fitness of the chief compliance officer and compliance personnel, the state of compliance with local laws and regulations by foreign branches/subsidiaries, and establishment of compliance risk self-assessment, monitoring, and control mechanisms); legal education and ethics evaluations for bank employees; and the quality of internal audits and tracking of correction plans for deficiencies.

b. Risk management for foreign securities investment, and risk management for loans, investments, and interbank placements/deposits in New Southbound countries and mainland China (including control and calculations of exposure limits, and loan granting, credit investigation and post-lending management, managing the purchase of shares in foreign financial organizations), and management mechanism for finance-related enterprises in mainland China.

D. Financial derivatives:

a. Customer credit risk control and management system: Compliance of (a) approval and management of hedging/trading purpose credit lines; (b) management mechanism for customer risk concentration; and (c) internal operating systems and procedures for initial margin and margin call requirements 【e.g., types of initial margin (including compliance of types of security eligible for initial margin, and the haircut rates and method for calculating net collateral value of the securities used as initial margin)】.

b. Appropriateness of sales operations for financial derivatives and structured products: Know-your-customer (KYC) procedures, product risk rating, product suitability assessment, qualifications of sales personnel, appropriateness and completeness of approaches, contents and record keeping of product risks disclosure.

c. Valuation and management mechanism for financial derivatives: The establishment of a valuation system for high-risk products to offer price quotes and calculate mark-to-market profits and losses on the basis of the product categories and the type of linked underlying assets (high-risk and non-high-risk products), and the establishment of verification procedures for the valuation system. With respect to non-high-risk products for which a valuation system is not applied and a price enquiry approach is used, an internal operating procedure for checking price reasonableness should be established.

E. Risk management of securities investments and trading rooms:

a. Control and management of securities investments: The formulation, control, and management of risk limits, the setting and execution of stop-loss limits, and the appropriateness of the hedging strategy.

b. Internal control and management of trading rooms: The appropriateness of trading limits and authorizations, the completeness and credibility of front/middle/back-office internal control mechanisms (including the prevention of conflicts of interest between equity traders), and the integrity and thoroughness of the scope of internal audits and self-inspections for trading rooms.

F. Financial consumer protection (including wealth management mechanisms and operations for high-asset customers, and the protection of the rights of the disabled and elderly):

a. Know-your-customer (KYC) operations; product suitability assessment; fairness and reasonableness of contract terms; control of sales procedures; new product listing and review procedures; the remuneration scheme for sales personnel; consumer dispute handling mechanism; implementation of principles for fair treatment of consumers (including the calculation and collection of credit card default charges and interest on revolving credit); implementation of the Measures to Ensure Friendly Financial Services (including financial services measures, such as online banking and mobile apps for the visually impaired); and protection of personal information (e.g., security measures for the collection, processing, and use of personal information, as well as mechanisms for data breach response drills).

b. Implementation of internal control and management measures for preventing wealth management specialists from misappropriating client funds (including control mechanisms for bank statements, verifying the accuracy and authenticity of customer email addresses, implementing monitoring mechanisms and establishing investigation procedures for cases where wealth management specialists are suspected of misappropriating funds from customer accounts, and how reasonably related the salaries and bonuses of wealth management specialists are to their performance targets).

c. Concurrent operation of insurance broker and insurance agent business (including the solicitation of insurance products, control mechanism for verifying application documents signed personally by proposer, and mechanism verifying customers’ sources of funds for the purchase of insurance products).

G. Implementation of digital financial services:

a. Provision of control mechanisms for online account opening and service applications, mechanisms for protecting the security of users’ personal information or transactions, customer due diligence conducted, mechanisms for monitoring unusual transactions, the reporting of and monitoring mechanisms for suspicious or fraudulently-opened accounts, inquiries of customers’ information 【Ownership Rights for Customer Data, Consumer Information Protection, Protection of Customer Rights, Dispute Resolution Mechanisms, and Control Mechanisms Regulating the Management of Third-Party Service Providers (TSPs)】.

b. Security design for e-banking transactions (such as signature certificates, one-time passwords, biometrics, and key storage on mobile devices); provision of security management for application program interface (API) services (including customer data safety in open banking services), and management mechanism (including regular security checks) for the development and launch of mobile apps.

H. Implementation of corporate governance system:

a. Fulfillment of the functions of the board of directors: The organization and functions of the board of directors; overseeing of the establishment and operations of the audit committee and risk management committee; oversight of various business policies and management mechanism; and appropriateness of the board’s exercise of its powers in handling and responding to material events (such as major violations of laws and regulations, and significant exposures that adversely affect bank’s financial and business status).

b. Internal management mechanism for the responsible persons’ holding of concurrent positions, its compliance with laws and internal rules, and the appointment of a chief corporate governance officer and other corporate governance personnel.

c. Examinations focus on (a) the compliance of interested-party/substantively interested-party transactions (including loans, real estate, purchase of services and items, and other transactions) and control mechanism (including the self-regulatory mechanism for substantively interested parties); (b) irregularities with respect to strategies, counterparties, and prices for transactions within the group or with substantively interested parties (including major shareholders, directors, and supervisors); and (c) whether those transactions involve conflicts of interest or other compliance matters.

d. Independence and effectiveness of the whistleblower system (including internal operating procedures and control mechanism, such as channels for internal and external whistleblowers and whistleblower protection measures).

I. Management of information and communication security: Such as governance of the board of directors in information security (including new system conversions and updates); fulfillment of the functions of the dedicated information security unit and the chief information security officer (including designating an employee of at least vice-president rank or equivalent to concurrently serve as the chief information security officer); control and management measures for preventing irregularities in server systems and applications (such as the recovery process for major changes to system architecture, integrity testing, source code review, monitoring of batch operations, and monitoring of system resources); control measures for the storage, transfer, and retrieval of personal information 【including the information security management mechanism for the MyData Digital Service Personalization Platform (MyData Platform)】; and cyber security measures (e.g., firewall, intrusion detection, vulnerability scanning, penetration testing, and other security defense measures and patching cadence; system log collection, monitoring, and alerts; management of IoT device usage; notification and response mechanisms for cyber-attack incidents; and connection security for employees working remotely or from home).

J. Business operation systems: Such as the issuance of account balance certifications; opening of checking accounts and issuance of blank checkbooks; internal control mechanism for prevention of loan fraud (including the loan granting process, credit check procedures, and post-lending management); business continuity management mechanism; compliance of outsourced operations and periodic auditing of cross-border outsourcing operations (e.g., outsourcing to cloud service providers); and measures, transition plans, and control mechanisms for implementing transition plans in response to the end of LIBOR.

K. Risk management and regulatory compliance of credit business: The credit investigation system for credit business (including financing and factoring of accounts receivable, mortgages, loans for unsold properties, land and construction loans, and syndicated loans such as project finance); risk assessment and analysis; risk pricing; credit reviews; loan approval procedures; post-lending management; compliance with the regulation that prohibits granting loans to SMEs on the condition that the loan proceeds be re-deposited; control of the flow of loan proceeds of industrial land loans; the granting of loans for idle industrial land; and compliance with Article 72-2 of the Banking Act.

L. Operations of internal audits:

a. The independence of the audit unit; the suitability of audit personnel; compliance with requested auditing items by the competent authority; mechanism for reporting of and response to material events; implementation of audits of foreign branches (including the head office’s management of internal audit operations at foreign branches); oversight of follow-up on audit findings and implementation of corrective measures; and benefits achieved by adopting risk-based auditing.

b. Audit unit’s efforts for strengthening audit screening principles, frequency, and audit focuses to prevent wealth management specialists from misappropriating client funds (including business dealings between wealth management specialists and customers as well as specialists’ related accounts).

c. Audits of concurrently operated insurance broker or insurance agent businesses.

M. Management of investees: Such as oversight of subsidiaries’ establishment and implementation of operation and risk control rules (including the control mechanism for interested-party transactions); verification of the consistency of actual lines of business with those listed in the original business plan; verification of the establishment of a regular reporting mechanism and management measures for subsidiaries’ major business plans, transactions, business performance, and exposures; and, for business related to venture capital within the bank’s control, the control mechanisms for the raising of capital for venture investment.

N. Concurrent operation by banks of underwriting and proprietary trading involving bonds, beneficiary securities, and asset-backed securities: Position limits for the aforementioned lines of business; control procedures for the underwriting of bonds issued by affiliates of the same business group; and risk management and product suitability systems for the aforementioned lines of business.

O. Operation management of concurrent electronic payment businesses (including control mechanism for identity verification and transaction limits).

3. Foreign bank branches in Taiwan

A. Compliance with regulations governing anti-money laundering, counter-terrorism financing, and non-proliferation of weapons (including OBUs):

a. Institutional risk assessments and internal controls framework: Completeness and reasonableness of institutional risk assessments as well as the appropriateness and effectiveness of overall internal control framework.

b. Customer due diligence measures and risk rating assessment: The identification and due diligence of beneficial owners, methodology for customer risk assessment, and the completeness and reasonableness of customer due diligence (it must be commensurate with risks).

c. Ongoing monitoring of accounts and transactions: The reasonableness of transaction monitoring patterns and the setting of monetary amount thresholds, the screening and verification of money laundering red flags or signs that customers and their transaction counterparties may meet the conditions for inclusion on a sanctions list, and the independence and effectiveness of monitoring operations.

d. Suspicious transaction reporting procedures, and quality of reporting: The handling of suspected ML/TF/PF transactions (including reporting, confidentiality procedures, and record-keeping).

e. Organization and personnel: The professionalism and adequacy of the chief officer and personnel, the adequacy of resource allocation, education and training, and the quality and reliability of independent tests by internal audit units and accountants of the effectiveness of AML/CFT/NPW systems.

B. Provision by banks of information and consultation services pertaining to offshore financial derivatives: The state of compliance with respect to such matters as the clientele served, the scope of products offered, the content of services offered, the offering of price quotes, and the distribution of dividend income.

C. Wealth management business for high-asset customers: Such as the criteria for accepting customers, the processes for KYC, the appropriateness of the overall investment portfolio of customers, the control of the concentration of high risk, the product review procedures, the management of the sales process, the sales personnel remuneration, and the dispute resolution mechanisms.

D. Financial derivatives:

a. Customer credit risk management system.

b. Appropriateness of sales operations for financial derivatives and structured products.

c. Valuation and control and management mechanism for financial derivatives.

E. Compliance system and implementation status: (a) training for compliance personnel; (b) implementation of compliance functions (including the establishment of a consultation and communication system for legal compliance, analysis and reporting of material compliance deficiencies or malpractice, provision of compliance advice for new business or products, and evaluation of compliance self-assessments); and (c) implementation of information security operations.

F. Compliance with legal limits and risk management of the use of funds:

a. Control and management of credit limits in mainland China.

b. Control and management mechanisms for calculating the regulated total deposit balance.

c. Sources and uses of funding for extending loans and investments, asset and liability maturity allocation, and liquidity risk management.

G. Management of outsourcing processes: Compliance with regulations for outsourcing business; periodic auditing of cross-border outsourcing; and information security and risk management measures for business outsourced to cloud service providers.

H. Personal information protection and management of information and communication security.

I. Concurrent operation by banks of underwriting and proprietary trading involving bonds, beneficiary securities, and asset-backed securities: Position limits for the aforementioned lines of business; control procedures for the underwriting of bonds issued by affiliates of the same business group; and risk management and product suitability systems for the aforementioned lines of business.

J. Management of project finance: Risk assessment and analysis; measures to strengthen protection of creditor rights; and post-loan management.

K. Implementation of internal control and management measures for preventing wealth management specialists from misappropriating client funds: Such as control mechanisms for bank statements, and systems for monitoring wealth management specialists in cases of suspected misappropriations of client funds (including defining different types of suspected misappropriations and how investigations into suspected misappropriations are carried out).

4. Credit cooperatives

A. Compliance with regulations governing anti-money laundering, counter terrorism financing, and non-proliferation of weapons:

a. Institutional risk assessments and internal controls frameworks: The completeness and reasonableness of institutional risk assessments as well as the appropriateness and effectiveness of overall internal control frameworks.

b. Customer due diligence measures and risk rating assessments: The identification and due diligence of beneficial owners, methodology for customer risk assessments, and the completeness and reasonableness of customer due diligence (it must be commensurate with risks).

c. Ongoing monitoring of accounts and transactions: The reasonableness of transaction monitoring patterns and the setting of monetary amount thresholds, the screening and verification of money laundering red flags or signs that customers and their transaction counterparties may meet the conditions for inclusion on a list of specially designated nationals, and the independence and effectiveness of monitoring operations.

d. Suspicious transaction reporting procedures, and quality of reporting: The handling of suspected ML/TF/PF transactions (including reporting, confidentiality procedures, and record-keeping).

e. Organization and personnel: The professionalism and adequacy of the chief officer and personnel, the adequacy of resource allocation, education and training, and the quality and reliability of independent tests by internal audit units and accountants of the effectiveness of AML/CFT/CPF systems.

B. Implementation of the compliance and risk management system:

a. Whether laws and regulations are updated in a timely manner, and the appropriateness of compliance training and compliance reports.

b. Establishment and operations of the risk management committee.

C. Credit risk management:

a. Operations of the credit review committee.

b. Risk management for related-party loans and large loans.

c. Risk management (including interest rate pricing and post-lending management), compliance, and the implementation of reporting operations for real estate loans: Such as construction loans, residential loans, home improvement loans, loans on unsold properties, and land loans (including idle land in industrial zones).

d. Whether responsible persons, staff, or other related interested parties have engaged in irregular financial dealings with customers (including applying for loans under the names of other persons).

e. Compliance with the regulation that prohibits granting loans to SMEs on the condition that the loan proceeds be re-deposited.

D. Financial customer protection: Such as cooperation with other enterprises to promote the sale of financial products (including mortgage life insurance); full understanding of financial consumers to ascertain the suitability of products or services for them; fully explaining the important aspects of financial products, services, and contracts; fairness and reasonableness of contract terms; the sales personnel remuneration system; protection of the personal information of customers; consumer dispute resolution mechanisms; implementation of the Principles for Fair Treatment of Consumers and the Measures to Ensure Friendly Financial Services (including protection of the interests of the elderly and customers with physical or mental disabilities); and the supply of information and disclosure of fees for consumer loans and interest rate adjustments in accordance with the contract.

E. Management of information and communication security: Manpower, training, and management for information security; system security and control for online financial business (including online financial services); transaction security design; cyber security measures (e.g., firewall, intrusion detection, vulnerability scanning, email social engineering exercises, penetration testing, and other security defense measures and patching cadence; system log collection, monitoring, and alerts; management of IoT device usage; notification and response mechanisms for cyber-attack incidents); control and management measures for the storage, transfer, and retrieval of personal information; and procedures for collecting and evaluating cyber security intelligence.

F. Mechanisms for control and management of deposit and withdrawal operations: Such as the management mechanisms for preventing employees from misappropriating customer funds and conducting transactions on behalf of customers, the effectiveness of such systems, and the operation and control and management mechanisms for supervisor cards (passwords).

G. Liquidity control and management measures: Formulation of a liquidity risk management policy and the establishment of an appropriate information system to measure and monitor liquidity risks; regular disclosure of qualitative and quantitative information on liquidity risk management; establishment of liquidity risk management indicators and early-warning mechanisms; regular reviews of the sources of large amounts of funds, usage of such funds, and concentration risk; and the establishment of an emergency response plan and procedures for obtaining funds under emergency circumstances.

H. Operations and implementation of the credit cooperative governance system:

a. Operations of the general meeting of cooperative members, the board of directors, the board of supervisors, and cooperative affairs committee (including measures taken in response to the pandemic).

b. Fulfillment of the functions of the board of directors and board of supervisors: The organization and functions of the board of directors and board of supervisors; and the appropriateness of oversight of the various business policies and management mechanisms.

c. Mechanism for control of interested-party loans and transactions and the compliance status.

d. Establishment and implementation of the whistleblower system: The independence and effectiveness of the whistleblower system and the integrity of its protection of the whistleblower’s interests.

I. Operations of internal audits: Such as whether internal audit units have conducted independent and unbiased audits.

5. Bill finance companies

A. Compliance with regulations governing anti-money laundering, counter-terrorism financing, and non-proliferation of weapons: Institutional risk assessments and internal controls framework; customer due diligence measures and risk rating assessment; ongoing monitoring of accounts and transactions; suspicious transaction reporting procedures and quality of reporting; education and training; and the quality and reliability of independent tests by internal audit units and accountants.

B. Corporate governance and business continuity management mechanisms: Protection of shareholder interests; strengthening of the functions of directors; fulfillment of the functions of supervisors; respect for the rights and interests of interested parties (safeguards for internal whistleblowers); enhancement of information transparency; and the establishment and implementation status of business continuity management mechanisms.

C. The implementation of internal control and compliance mechanisms for the granting of credit to interested parties (including substantively interested parties), and conduct of transactions other than credit extensions with such parties.

D. The risk management mechanism for non-guaranteed commercial paper and their implementation (including the appropriateness of underwriting limits for non-guaranteed commercial paper issued by individual issuers, and control and management of a company’s holdings of non-guaranteed commercial paper issued by a single group of related parties or by the members of a single corporate group).

E. Compliance with enhanced control and management for guarantee business statutory ratios. Examples include the inclusion of guarantee advances not yet reclassified as non-accrual loans into the total outstanding amount of endorsements and guarantees and plans to raise the required ratio for reserves against outstanding real estate guarantees to 1.5%.

F. Internal operating rules for guarantee and endorsement business for the real estate industry (including civil construction loans and loans on unsold properties):

a. Measures for managing concentration risk and other related risks for real estate guarantees (including for managing risk pricing and post-lending management etc.).

b. The internal control and internal audit mechanisms established in accordance with the Central Bank Regulations on Real Estate Mortgages Issued by Bills Companies and their implementation.

G. Debt instrument (including foreign currency bond) investments, the management mechanisms for their position risks, and their implementation status: Investment valuation, price review, management of interest rate risk, and mechanisms for controlling and managing investment positions and their credit ratings.

H. Liquidity risk management mechanism and the implementation (including compliance with the “Self-Regulation for the Liquidity Risk Management of Bills Finance Companies”).

I. Risk management mechanisms and implementation thereof in foreign currency funding operations conducted by offshore banking units (OBUs) and offshore securities units (OSUs) for operations in bonds denominated in foreign currencies.

J. Implementation of information and communication security management measures:

a. Security measures for IT systems: How vulnerability scans of IT systems have been carried out, and measures for patching and improving IT systems.

b. Website security measures: The versions of the programming languages and tools used to build the company website, and website firewalls.

c. Personal information protection: Security and protection measures for the storage, processing, and transmission of personal information.

6. Securities firms

A. Compliance by securities firms (including their OSUs) with regulations governing anti-money laundering, counter-terrorism financing, and non-proliferation of weapons:

a. Institutional risk assessments and internal controls frameworks: The completeness and reasonableness of institutional risk assessments as well as the appropriateness and effectiveness of overall internal control frameworks.

b. Customer due diligence measures and risk rating assessments: The identification and due diligence of beneficial owners, methodology for customer risk assessments, and the completeness and reasonableness of customer due diligence (it must be commensurate with customer risks).

c. Ongoing monitoring of accounts and transactions: The reasonableness of transaction monitoring patterns and the setting of monetary amount thresholds, the screening and verification of money laundering red flags or signs that customers and their transaction counterparties may meet the conditions for inclusion on a list of specially designated nationals, and the independence and effectiveness of monitoring operations.

d. Suspicious transaction reporting procedures, and quality of reporting: The handling of suspected ML/TF/PF transactions (including reporting, confidentiality procedures, and record-keeping).

e. Organization and personnel: The professionalism and adequacy of the chief officer and personnel, the adequacy of resource allocation, education and training, and the quality and reliability of independent tests by internal audit units of the effectiveness of AML/CFT/CPF systems.

B. Management of internal personnel: The implementation of auditing for insider conflicts of interest and whether securities firms have properly inspected insider conflicts of interest; whether personnel are prevented from carrying out prohibited actions based on the regulations of an internal controls system, and the appropriateness of the remuneration and personnel evaluation mechanisms.

C. Wealth management business (including high-asset customers): Services or products provided to customers through sub-brokerage, wealth management trusts, or proprietary trading in the business premises, whether customers meet related qualifications and criteria, and whether the securities firm has fully performed its information disclosure and reporting obligations and established a product suitability system and product review standards, whether trusts have been managed pursuant to the terms provided in trust agreements for the beneficiary’s interests or for another specific purpose, the use of the securities involved, and how earnings from trusts are distributed.

D. Brokerage trading of foreign securities: The classification and management of investors based on their profiles; KYC operations; differentiation of offered investment products according to differences between individual investors (such as offering TLAC securities only to professional investors, and only when the securities have a credit rating of BB or higher); whether the criteria for selecting the foreign securities offered to investors, and those that investors order through the firm via dollar-cost averaging, have been determined based on the securities’ level of risk and liquidity; whether transaction prices are calculated and fees collected according to established fee schedules; whether related information has been adequately disclosed; and management mechanisms for rewards or gift certificates provided to bank channels.

E. Financial derivative transactions: The securities firms’ procedures for signing contracts with customers in financial derivative transactions, product suitability system (KYC and KYP operations), control of the marketing process, customer complaint processing, contract rescission and settlement, product appraisal and quotation, risk management, and the status of hedging operations.

F. ETN operations: Implementation of market-making and hedging for exchange-traded notes (ETNs).

G. Implementation of digital financial services: Online services provided for opening accounts and applying for related services (such as applying for API access and DMA electronic trading), control mechanisms for managing customer personal information, identity verification, and abnormal transactions.

H. Risk management mechanisms: Whether the securities firm has established response strategies for responding to economic changes caused by the pandemic and low interest rates; whether the securities firm has formulated and fully implemented business continuity management regulations; examine whether the operations of risk management mechanisms are adequate (e.g., supervision and management by the board of directors and management, the risk management committee, management of transaction limits, stop loss management, and mechanisms for addressing exceptions).

I. Oversight and management of foreign subsidiaries: (a) the securities firm’s formulation of rules that set out required control tasks for its subsidiary companies; (b) the firm’s supervision of the efforts of its subsidiaries to establish an internal control system; (c) whether the firm has established review mechanisms to verify that the domestic securities investments of the firm’s customers comply with domestic laws and regulations (including KYC due diligence procedures, confirmation that clients’ funds are not derived from Taiwan or mainland China, and confirmation that clients are not nationals of mainland China); and (d) key matters in the firm’s oversight and management of its subsidiaries (including business management, financial matters, operational matters, legal compliance, and management of internal audits).

J. Securities lending transactions by securities dealers: Whether securities lending strategy has been based on internal controls regulations, and whether risk has been appropriately managed.

K. Corporate governance implementation status: Implementation of corporate governance and strengthening of the functions of the board of directors, including such matters as whether the firm has established an internal whistleblower system and how it is implemented; whether it has created the post of chief corporate governance officer, and the implementation of compliance matters; and verification that the firm observes the prohibition against any independent director serving more than three consecutive terms.

L. Implementation of financial consumer protections: Such as management of default risk; how Friendly Financial Services measures have been implemented (including protections for the rights of the disabled and elderly); whether the firm has established and properly implemented an internal control system for oversight of account openings and product sales in the wealth management business; whether the firm fully discloses information on service charges and commissions received; the appropriateness of the distribution of performance bonuses and the firm’s handling of consumer complaints; and whether data on the MyData platform as well as personal information have been collected, processed, and used appropriately.

M. Principles for Fair Treatment of Consumers: Implementation of the Principles for Fair Treatment of Consumers by Financial Services Enterprises.

7. Securities investment trust companies

A. Compliance with regulations governing anti-money laundering, counter-terrorism financing, and non-proliferation of weapons:

a. Institutional risk assessments and internal controls framework: The completeness and reasonableness of institutional risk assessments as well as the appropriateness and effectiveness of overall internal control frameworks.

b. Customer due diligence measures and risk rating assessment: The identification of beneficial owners, methodology for customer risk assessment, and the completeness and reasonableness of customer due diligence (it must be commensurate with risks).

c. Ongoing monitoring of accounts and transactions: The reasonableness of transaction monitoring patterns and the setting of monetary amount thresholds, the screening and verification of money laundering red flags or signs that customers and their transaction counterparties may meet the conditions for inclusion on a list of specially designated nationals, and the independence and effectiveness of monitoring operations.

d. Suspicious transaction reporting procedures, and quality of reporting: The handling of suspected ML/TF/PF transactions (including reporting, confidentiality procedures, and record-keeping).

e. Organization and personnel: The professionalism and adequacy of the chief officers and personnel, education and training, and independent tests by internal audit units of the effectiveness of AML/CFT/CPF systems.

B. Disclosure of information related to domestic and offshore funds, how KYC and KYP procedures have been implemented:

a. The disclosure of dividend distributions of onshore and offshore funds, risk disclosures for high-yield bond funds, warning messages for fund investment risks, the advertisement and marketing documents for target maturity bond funds, the implementation of customer fund suitability assessments, and the implementation of know-your-customer (KYC) and know-your-product (KYP) requirements in the course of fund sales.

b. The accuracy of disclosed investor information provided by offshore funds, such as whether information disclosures provided fit the template established by industry associations, and whether the investor information fits the information stated in the fund prospectus and fund factsheet etc.

C. Measures for preventing conflicts of interest with regard to the investment of proprietary funds in other enterprises, and the implementation of the internal control system: Investments in the FinTech industry, insurance agent companies, or insurance broker companies; instances in which an investee acts as the general partner of a private equity fund; and instances in which a security investment trust company adopts the “seed capital” mechanism to manage a private equity fund or to invest its proprietary funds.

D. Scope for conflicts of interest and investment process controls for investment trust funds and discretionary investment accounts (including discretionary investment accounts managed by government-run investment funds):

a. Instances in which a securities investment trust fund’s manager, or a spouse or minor child of such a manager, or anyone else acting as a nominee thereof, trades in the same instruments as those held by the investment trust fund or held in a discretionary investment account that is managed by that fund.

b. Internal control rules governing analysis reports, decisions, execution records, and review reports regarding investments and transactions conducted by an investment trust fund or through a discretionary investment account in such a fund (including discretionary investment accounts managed by government-run investment funds), and the implementation of those internal control rules.

E. The offering and sale of ETFs (including futures-based ETFs), management of discounts and premiums, the underlying indices tracked by ETFs, and how improvements to ETF information disclosures have been implemented.

F. Information disclosures for the offering of Environmental, Social, and Governance (ESG) funds: Includes information that should be disclosed in offering plans and prospectuses for newly-established funds, and areas of improvement for existing funds.

G. Implementation and management of information security inspections and controls:

a. Personal information protection: Such as security and protection measures for the storage, processing, and transmission of personal information.

b. The procedures the company, as a member of the Financial Information Sharing and Analysis Center (F-ISAC), follows in response to cyber security information or alerts released by F-ISAC.

H. Status of management and auditing of sub-distributors, and payment of distribution fees: Screening of sub-distributors and on-site visits; eligibility criteria for selected training program participants; the appropriateness of tours incorporated into training programs and a reasonable ratio of professional courses related to funds; establishment and implementation of mechanisms for the prior assessment of distribution fees and their subsequent audit; and the reasonableness of distribution fees paid (including whether the distribution fees collected by back-end load and front-end load funds are reasonable, and whether the fund entices investors to buy specific types of funds through distribution fees, etc.).

I. Implementation status of corporate governance and business continuity management mechanisms: The enhancement of the functions of the board of directors, interested-party transactions, whistleblower protection measures; whether the “Stewardship Principles for Institutional Investors” have been implemented in compliance with internal control rules; and whether the company has formulated and implemented business continuity management regulations.

8. Life insurance companies

A. Examinations focus on compliance by life insurance companies (including their OIUs) with regulations governing anti-money laundering, counter-terrorism financing, and non-proliferation of weapons:

a. Institutional risk assessments and internal controls frameworks: The completeness and reasonableness of institutional risk assessments as well as the appropriateness and effectiveness of overall internal control frameworks.

b. Customer due diligence measures and risk rating assessment: The identification and due diligence of beneficial owners, the methodology of customer risk assessment, and the completeness and reasonableness of customer due diligence (whether commensurate with risks).

c. Ongoing monitoring of accounts and transactions: The reasonableness of transaction monitoring patterns and the setting of monetary amount thresholds, the screening and verification of money laundering red flags or signs that customers and their transaction counterparties may meet the conditions for inclusion on a sanctions list and the independence and effectiveness of monitoring operations.

d. Suspicious transaction reporting procedures, and quality of reporting: The handling of suspected ML/TF/PF transactions (including reporting, confidentiality procedures, and record-keeping).

e. Organization and personnel: The professionalism and adequacy of the chief officer and personnel, the adequacy of resource allocation, education and training, and the quality and reliability of independent tests by internal audit units and accountants of the effectiveness of AML/CFT/CPF systems.

B. Implementation of the compliance system:

a. The compliance department’s announcement and communication of laws, regulations, and rules.

b. The provision of compliance advice before launching new services or products, or undertaking specific or major uses of funds.

c. The procedures for handling each unit’s material discrepancies in compliance or malfeasance, as well as how these procedures have been implemented.

d. Compliance training, implementation of compliance self-assessments, and the insurer’s overseeing and auditing of its foreign branches’ compliance with laws.

C. Financial consumer protection:

a. The establishment and execution of a management system for conservation, compensation, and complaints.

b. Appropriateness of marketing for interest-sensitive insurance products, insurance products denominated in foreign currencies, and investment insurance products.

c. The establishment and implementation of product suitability policies for insurance products sold to elderly customers.

d. Protection of the rights of persons with disabilities to obtain insurance (e.g.: verify whether there is any discrimination in the solicitation and underwriting of insurance for persons with physical and mental disabilities, establishment and implementation of insurance underwriting procedures and training for underwriting personnel), and the implementation of the Measures to Ensure Friendly Financial Services as well as the Principles for Fair Treatment of Consumers by Financial Services Enterprises.

D. Marketing and management of insurance products:

a. Management of solicitors: The establishment and implementation of internal control procedures for overseeing solicitors to ensure they fill out solicitation reports correctly and preventing solicitors from using or misappropriating the funds of the insured.

b. Method for the declaration of interest rates and its management of asset segregation for interest-sensitive insurance products.

c. Management measures before and after the sales of disability support insurance policies as well as insurance products connected to catastrophic illness cards.

d. Performance in convening meetings of the insurance product management team, and in verifying that its products are legally compliant, reasonably priced, and controlling product sales to not exceed regulatory limits.

e. Risk management mechanisms for insurance product sales, and how overall reports on the impact of product sales to the company’s financial condition, business operations, and ability to repay debt have been reported to the company’s board of directors.

f. Management of business dealings with insurance brokers and insurance agents (including the oversight and management of the signature procedures by insurance brokers and agents and the management of payments for ads in sales channels and networking expenses).

E. Corporate governance: Such as the fulfillment of the functions of the board of directors and functional committees such as the risk management committee; compliance and control and management procedures for interested-party transactions; and the establishment and implementation of the whistleblower system.

F. Implementation status of foreign investments:

a. The investment terms, risk management, and legal compliance of investments in senior corporate bonds, subordinated corporate bonds, subordinated financial bonds, and international bonds.

b. Pre-investment and post-investment management mechanisms for equity investments in foreign insurance enterprises and mainland China insurance entities as a co-investor and the insurer’s implementation of legal compliance at the investees (including handling mechanisms to ensure an appropriate response when there is a major violation of AML/CFT legislation, material malpractice caused by ineffective internal controls, a material change in the investment plan filed to the competent authority at an investee, or other material incidents that might affect its reputation or impede normal business operations).

c. The maintenance of custody over foreign assets, qualifications and criteria of custodian institutions, and the legality of custodial services contracts.

d. Operating procedures and management system for discretionary investments.

G. Establishment and implementation of internal control systems for domestic securities investments: The establishment of investment policies and procedures, post-investment review mechanisms, control and management mechanisms for front/middle/back-office powers and responsibilities; operating procedures and management system for discretionary investments, and the appropriateness of mechanisms for preventing conflicts of interest among equity investment staff.

H. Implementation status of real estate investments: The investment procedures and internal control mechanism for real estate investments, compliance with the requirement for prompt utilization and income, and the procedures for subsequent measurement of real estate investments included in the accounts.

I. Risk management, internal control mechanisms, and legal compliance for insurers’ use of funds in special projects and investments in private investment funds or venture capital firms.

J. Implementation of Own Risk and Solvency Assessments (ORSA): e.g.: Proportionality of risk appetite and different risk areas, documentation of the established procedures for setting risk tolerance limits for each category correlated to risk appetite (including building a model to determine these limits), and how ORSA reports have been submitted to the board of directors for discussion.

K. Implementation of digital financial services: Whether digital business activities are compliant with laws and regulations, management mechanism for the development and launch (including regular safety checks) of mobile apps; administration of electronic insurance policies, identity verification for customers purchasing insurance policies through mobile apps or online (including mobile identity verification), confirmation of bona fide intent to purchase insurance; and control and management mechanisms for underwriting and notifications.

L. Management mechanism for information and communication security as well as personal information protection:

a. Management mechanisms and security and protection measures for the collection, processing, and use of personal information, and the compliance (including the supervision and management of personal information protection for the insured in operations outsourced to third-party service providers).

b. Business continuity management mechanism, information system security controls, and mechanism for data breach response drill.

c. The status of the establishment of a chief information security officer and an information security department with independent authority by insurance companies with total assets of NT$1 trillion or more.

9. Non-life insurance companies

A. Compliance with regulations governing anti-money laundering, counter-terrorism financing, and non-proliferation of weapons: The internal control system for anti-money laundering and counter-terrorism financing; implementation of risk assessment and risk reduction measures; customer due diligence; name screening; ongoing monitoring of accounts and transactions; establishing and integrating the information system; screening for money laundering transactions and filing of suspicious transaction reports; and AML training.

B. Implementation of the legal compliance system:

a. The compliance department’s announcement and communication of laws, regulations, and rules.

b. The provision of compliance advice before launching new services or products, or undertaking specific or major uses of funds.

c. The procedures for handling each unit’s material discrepancies in compliance or malfeasance, as well as how these procedures have been implemented.

d. Compliance training, implementation of compliance self-assessments, and the insurer’s supervision and inspections of its foreign branches’ compliance with laws.

C. Financial customer protection: Such as protection of the rights of persons with disabilities to obtain insurance (e.g., whether there is any discrimination in the solicitation and underwriting of insurance for persons with physical and mental disabilities, and the establishment and implementation of insurance underwriting procedures and training for underwriting personnel), and the implementation of the Measures to Ensure Friendly Financial Services as well as the Principles for Fair Treatment of Consumers by Financial Services Enterprises.

D. Marketing and management of insurance products:

a. How rates have been determined for commercial fire insurance and physical damage insurance for private passenger vehicles (including surcharges), and how plans for monitoring and adjusting these rates have been implemented.

b. Performance in convening meetings of the insurance product management team, and in verifying that its products are legally compliant, reasonably priced, and controlling product sales to not exceed regulatory limits.

c. Risk management mechanisms for insurance product sales, and how overall reports on the impact of product sales on the company’s financial condition, business operations, and ability to repay debt have been reported to the company’s board of directors.

d. Management of the insurer’s business dealings with insurance broker and agent distribution channels and business collaboration with other industries (including the supervision and management of the signature procedures by insurance brokers and agents and the management of payments for ads in sales channels and networking expenses).

E. The implementation status of solicitation, premium collection, underwriting, and claim procedures for insurance: Such as how premiums for car insurance, fire insurance, accident insurance, and health insurance are determined, what the underwriting procedures are, and how insurance claims are processed.

F. Risk management mechanisms for funds utilization: The compliance of the insurer’s investments in securities and foreign assets, related transaction control mechanisms and risk management measures, appropriateness of mechanisms for preventing conflicts of interest among equity investment staff, and operating procedures and management system for discretionary investments.

G. Implementation of Own Risk and Solvency Assessments (ORSA): e.g., documentation of the established procedures for setting risk tolerance limits for each risk category in line with the insurer’s risk appetite (including building a model to determine these limits), and how ORSA reports have been submitted to the board of directors for discussion.

H. Implementation of digital financial services: Whether digital business activities are compliant with laws and regulations, management mechanism for the development and launch (including regular safety checks) of mobile apps, administration of electronic insurance policies, implementation of customer due diligence for mobile device applications and online applications for insurance, confirmation of bona fide intent to purchase insurance, and control mechanisms for underwriting and notifications.

I. Management mechanisms for information and communication security as well as personal information protection:

a. Management mechanism and security and protection measures for the collection, processing, and use of personal information, and the compliance thereof (including the supervision and management of personal information protection for the insured in operations outsourced to third-party service providers).

b. Business continuity management mechanism, information system security controls, and mechanism for data breach response drills.

J. Corporate governance: Such as the fulfillment of the functions of the board of directors and functional committees such as the risk management committee; compliance and control and management procedures for interested-party transactions; and establishment and implementation of the whistleblower system.

K. Management mechanisms for outward reinsurance: Management mechanisms for obtaining documents confirming acceptance and reinsurance contract documents from reinsurers, criteria for foreign insurance brokers appointed by reinsurers and reinsurance brokers, and mechanisms for reviewing reinsurance arrangements and the underwriting conditions of the original insurance contract.

 
Update: 2022-08-04