Chapter 1: General rules
Article 1
These regulations are based on the provisions of the Banking Law (the "Law"), Article 47-3, paragraph 2.
Article 2
The term "service enterprise engaged in interbank credit information processing and exchange" as used in these regulations means an enterprise that either gathers credit information from financial institutions and/or enterprises related to financial institutions, or, having been authorized by the Competent Authority , gathers and processes various kinds of credit information with the object of duly providing it for access and use by financial institutions, interested parties, or other parties authorized by the Competent Authority.
Article 3
A service enterprise engaged in interbank credit information processing and exchange shall be established only with the prior approval of the Competent Authority, and its operations shall be subject to supervision by the Competent Authority.
Article 4
With the exception of enterprises authorized by the Competent Authority before these regulations took effect, enterprises engaged in interbank credit information processing and exchange shall be limited to those organized as a company limited by shares. The company shall have minimum paid-in capital of New Taiwan Dollars three billion five hundred million, and its shareholders shall be limited to banks and the government.
Chapter 2:Job requirements for the responsible person and technology security officer
Article 5
Anyone with any of the following condition is not eligible to take the role of the responsible person at a service enterprise engaged in interbank credit information processing and exchange, including the role of director, supervisor, president, vice president, assistant vice president, manager, assistant manager and any other positions with different titles but with the same responsibilities.
1. Any person with no legal capacity or limited legal capacity or subject to the commencement of assistance and those orders have not yet been revoked.
2. Any person who has received a final and unappealable conviction for violation of the provisions of the Organized Crime Prevention Act.
3. Any person who has received a final and unappealable sentence to not less than imprisonment for currency counterfeiting, securities counterfeiting, embezzlement, fraud, or breach of trust, and either the prison sentence has not yet been completed or ten years have not yet elapsed since the person completed the sentence, received a suspended sentence, or was granted a pardon.
4. Any person who has received a final and unappealable prison sentence for document forgery, breach of confidentiality, usury, defrauding of creditors, or a violation of the Tax Collection Law, the Trademark Law, the Patent Law, or any other regulations governing industry or commerce, and either the prison sentence has not yet been completed or five years have not yet elapsed since the person completed the sentence, received a suspended sentence, or was granted a pardon.
5. Any person who has received a final and unappealable prison sentence for corruption, and either the prison sentence has not yet been completed or five years have not yet elapsed since the person completed the sentence, received a suspended sentence, or was granted a pardon.
6. Any person who has received a final and unappealable prison sentence for violation of the Banking Law, the Financial Holding Company Act, the Trust Enterprise Act, the Act Governing Bills Finance Business, the Financial Assets Securitization Act, the Clauses of the Real Estate Securitization Act, the Act Governing Issuance of Electronic Stored Value Cards, the Insurance Law, the Securities and Exchange Law, the Futures Trading Law, the Securities Investment Trust and Consulting Act, the Statute for Regulation of Foreign Exchange, the Credit Cooperative Law, the Agricultural Finance Law, the Farmers Association Act, the Fishing Activities Act, the Money Laundering Prevention Law, or any other law governing financial matters, and either the prison sentence has not yet been completed or five years have not yet elapsed since the person completed the sentence, received a suspended sentence, or was granted a pardon.
7. Any person who has been adjudicated bankrupt and has not yet had his or her rights reinstated.
8. Any person who served as the responsible person of a juristic person at the time it was adjudicated bankrupt, where either five years have not yet elapsed since completion of the bankruptcy proceedings, or the person has failed to fulfill the terms of the bankruptcy agreement.
9. Any person who has been rejected for using any bills, or has not been restored with his or her right to use the bills, or has records of insufficient deposit that leads to rejection within three years after restoring the right of using bills.
10. Any person who has experienced an event causing serious loss of good credit standing and the problem remains unresolved, or five years have not yet elapsed since resolution.
11. Any person who has been ordered replaced or dismissed within the past five years by the Competent Authority due to violation of the Banking Law, the Financial Holding Company Act, the Trust Enterprise Act, the Act Governing Bills Finance Business, the Financial Assets Securitization Act, the Clauses of the Real Estate Securitization Act, the Act Governing Issuance of Electronic Stored Value Cards, the Insurance Law, the Securities and Exchange Law, the Futures Trading Law, the Securities Investment Trust and Consulting Act, the Credit Cooperative Law, the Agricultural Finance Law, the Farmers Association Act, the Fishing Activities Act, or any other law governing financial matters.
12. Any person who has received a final and unrepealable detention sentence for hooliganism, or has been ordered to perform forced labor for theft or the handling of stolen goods, where the term of forced labor has not yet been completed or five years have not yet elapsed since completion.
13. Any person for whom there is evidence to prove that he or she has engaged or been involved in dishonest or improper activities or acts, or who does not have the ability to operate in a sound and effective manner a service enterprise engaged in interbank credit information processing and exchange, and is therefore demonstrably unfit to serve as a responsible person of a service enterprise engaged in interbank credit information processing and exchange.
Where a government agency or juristic person is a shareholder, if the natural person acting as the representative or designated representative thereof serves as a director or supervisor, the provisions of the preceding paragraph shall apply mutatis mutandis.
In the event that any responsible person at a service enterprise engaged in interbank credit information processing and exchange is found to have records stated in the first section, the same person should immediately notify the service enterprise and the service enterprise should take immediate action by reporting to the Competent Authority.
Article 6
The service enterprise engaged in interbank credit information processing and exchange should have one president, who is responsible for supervising the entire business of such service. No other person should take the same role. The president must have good codes of conduct, leadership and ability to effectively manage the business unit, and fulfill any of the following requirements:
1. Holds a bachelor's degree or higher in Taiwan or abroad, or possesses an equivalent level of education; has worked in banking for not less than nine years, including not less than three years as manager or higher at a bank's head office, or has not less than three years of equivalent experience, or has worked for not less than three years in a comparable position at a bank of comparable size; and performed well in all the above.
2. Holds a bachelor's degree or higher in Taiwan or abroad, or possesses an equivalent level of education; has worked for not less than nine years in the government in financial administration or oversight, including not less than three years at civil service Junior Rank [Class 9] or higher, in an equivalent position; and performed well in all the above.
3. Has worked in banking for not less than five years, including not less than three years as vice president or higher of a bank, or in an equivalent position; and performed well in the above.
4. Has worked for not less than three years as vice president or higher of a service enterprise engaged in interbank credit information processing and exchange; or has worked for not less than seven years in financial information services; and performed well in the above.
5. Can present other facts sufficient to prove that he or she has leadership ability and management experience, and is capable of properly and effectively operating a service enterprise engaged in interbank credit information processing and exchange.
No one shall serve as president of a service enterprise engaged in interbank credit information processing and exchange until documents proving his or her qualifications have been submitted for review to the Competent Authority and been approved thereby.
Article 7
The vice president, assistant vice president, manager and/or anyone with the equivalent job responsibility in the service enterprise engaged in interbank credit information processing and exchange should have good codes of conduct, leadership and ability to effectively manage the business unit, and fulfill any of the following requirements:
1. Holds a bachelor's degree or higher in Taiwan or abroad, or possesses an equivalent level of education; has worked in banking for not less than five years, including experience as assistant manager or higher at a bank's head office, or equivalent experience, or experience in a comparable position at a bank of comparable size; and performed well in the above.
2. Holds a bachelor's degree or higher in Taiwan or abroad, or possesses an equivalent level of education; has worked for not less than five years in the government in financial administration or oversight, including experience at civil service Junior Rank [Class 8] or higher, or experience in an equivalent position; and performed well in the above.
3. Has worked in banking for not less than three years, including experience as manager or higher of a bank, or experience in an equivalent position; and performed well in the above.
4. Has worked for not less than five years at a service enterprise engaged in interbank credit information processing and exchange, or has worked for not less than five years in financial information services, including experience at the rank of manager or higher, or experience in an equivalent position; and performed well in the above.
5. Can present other facts sufficient to prove that he or she is knowledgeable in the fields of finance and information technology, and is capable of properly and effectively operating a service enterprise engaged in interbank credit information processing and exchange.
Within 30 days from the day on which any person assumes the position of vice president, assistant vice president or manager of a service enterprise engaged in interbank credit information processing and exchange, the enterprise shall submit documentation of the person's qualifications to the Competent Authority for acknowledgement.
Article 8
A person serving as a responsible person of a service enterprise engaged in interbank credit information processing and exchange shall meet the qualification requirements set forth in these regulations. Where necessary, the Competent Authority may order a service enterprise engaged in interbank credit information processing and exchange to provide further information in this regard within a set time limit by either submitting documents and materials or dispatching a designated person.
Article 9
The Board of Directors related to the service enterprise engaged in interbank credit information processing and exchange is responsible for selecting managers. They should review the qualification of candidates thoroughly and monitor the managers on their maintenance of qualification and suitability for their roles.
Article 10
People responsible for the technology security in the service enterprise engaged in interbank credit information processing and exchange should fulfill one of the following requirements:
1.Hold a bachelor's degree or higher related to information.
2.Worked more than three years in information-related companies or service enterprise engaged in interbank credit information processing and exchange even though he or she does not hold a bachelor's degree related to information.
Article 11
Service enterprise engaged in interbank credit information processing and exchange should draft an annual training program for the related personnel in regards to information security.
Chapter 3:Formation and amendment
Article 12
To establish an enterprise to engage in interbank credit information processing and exchange, the promoters shall apply to the Competent Authority for approval by submitting, in triplicate, an establishment approval application form and each of the following items:
1.Business plan: The business plan shall set forth the scope of business, the principles and guidelines of the business, and specific means of carrying them out (including a general description of systems and equipment; the method for gathering, archiving, processing, transmitting, and accessing information; measures for ensuring confidentiality and security of information; an internal auditing system; a membership protocol; the intended schedule of fees; a description of the internal organizational structure and the responsibilities of each department; personnel recruitment and training procedures; a business development plan; and business volume and financial forecasts for three years into the future).
2.Minutes of promoters' meetings.
3.Photocopies of the national ID cards of the president, vice presidents, assistant vice presidents, and managers, as well as the academic records, employment histories, and other proofs of the qualifications of these individuals.
4.The enterprise's Articles of Association.
5.An accountant's opinion and lawyer's opinion.
6.Other documents as required pursuant to the regulations of the Competent Authority.
Applications not accompanied by all of the documents listed above shall be rejected. Where it is possible to supplement the missing documents, the Competent Authority shall instruct the applicant to provide the missing documents within a specified time period; should the applicant fail to provide the missing documents within the specified time period, the application shall be rejected.
Article 13
The Articles of Association referred to in paragraph 1, subparagraph 4 of the preceding article shall specify the following particulars:
1.Name of enterprise;
2.Lines of business;
3.Total capital shares issued and nominal value per share;
4.The enterprise's location;
5.Means of public notice;
6.The number of directors and supervisors, their term of service, and rules governing their appointment and discharge;
7.The responsibilities of the board of directors, and a description of how the authority of the board of directors differs from that of the enterprise's management; and
8.The year, month, and date of adoption of the Articles of Association.
Article 14
If there is a change of promoters prior to the establishment and registration of a service enterprise engaged in interbank credit information processing and exchange, the Competent Authority may revoke or void its authorization to engage in interbank credit information processing and exchange.
If there is a change in anything other than promoters, the enterprise shall prepare a statement detailing legitimate reasons therefor, and shall apply in advance to the Competent Authority for approval. However, where circumstances prevent the enterprise from applying in advance for approval, it shall apply to the Competent Authority for approval within two weeks from the occurrence of the change.
Article 15
An enterprise intending to engage in interbank credit information processing and exchange shall, within six months from receipt of approval, complete its corporate establishment registration and apply to the Competent Authority for a business license by submitting, in triplicate, the registration and each of the following items:
1.Business license application;
2.Corporate registration documents;
3.Articles of Association;
4.List of shareholders and minutes of shareholder meetings;
5.List of directors and minutes of board of directors meetings;
6.List of managing directors and minutes of managing directors meetings;
7.List of supervisors and minutes of supervisors meetings;
8.List of corporate officers;
9.Bylaws;
10.A statement that none of the subparagraphs in Article 5 above applies to any of the enterprise's directors, supervisors, or corporate officers;
11.Records from a test of simulated access transactions lasting not less than two weeks.
Before the time limit set forth in the preceding paragraph expires, the enterprise may apply for an extension of the deadline if it has a legitimate reason. The deadline may be extended only once, up to a maximum of three months. Where an enterprise misses the deadline without receiving approval for an extension, the Competent Authority may void its authorization to engage in interbank credit information processing and exchange.
Article 16
The bylaws referred to in paragraph 1, subparagraph 9 of the preceding article shall include the following particulars:
1. The enterprise's organizational structure and the responsibilities of each department;
2. The allocation, management, and training of personnel;
3. The enterprise's internal control system (including operations management, information secrecy and security control measures, and accounting system);
4. The enterprise's internal auditing system;
5. A membership protocol;
6. A schedule of fees and the method for calculating them (for reference purposes);
7. Procedures to be followed when the interests of an interested party are prejudiced as a result of gathering, processing, or using personal information in a manner other than that prescribed by law, and criteria governing provisions for a general liability reserve; and
8. An operations handbook (to include: a description of how to gather, archive, process, transmit, exchange, and access information; procedures to be followed in the event that information is in error, destroyed, lost, or incorrectly processed, transmitted, exchanged, or accessed; an instruction manual for member organizations; secrecy rules and security control mechanisms to govern the handling of information by member organizations; a list of services; the format in which accessed information will be provided; and disaster recovery measures).
Article 17
The Competent Authority shall not issue a business license if:
1.any of the subparagraphs in Article 5 above apply to any of the enterprise's directors, supervisors, or corporate officers, or to an institutional shareholder's representative or designated representative who, in exercising his or her duties, serves as a director or supervisor;
2.the application contains material misrepresentations;
3.the internal control or internal auditing system is clearly inadequate;
4.the simulated access transactions show that the applicant cannot effectively provide interbank credit information;
5.the required documents have not been submitted; or
6.other cases where the Competent Authority believes it is likely that the applicant is not capable of properly and effectively operating a service enterprise engaged in interbank credit information processing and exchange.
Article 18
In connection with an establishment registration, the Competent Authority may at any time dispatch personnel, or designate an appropriate agency to dispatch personnel, for the purpose of carrying out inspections, systems testing, and certification, and may order the applicant to provide further information in this regard within a set time limit by either submitting documents and materials or dispatching a designated person.
Article 19
If the Competent Authority discovers material misrepresentation in the original application after a business license has been issued, the Ministry shall void its authorization to engage in interbank credit information processing and exchange.
Where a service enterprise engaged in interbank credit information processing and exchange fails to begin operating within six months from the issuance of its business license, the Competent Authority shall void its authorization to engage in interbank credit information processing and exchange, and shall order surrender of the license within a specified time period. However, with legitimate reasons and approval from the Competent Authority, the deadline may be extended one time only for up to a maximum of six months.
Article 20
For any change in the particulars listed on a business license, the approval of the Competent Authority shall first be obtained, and the original license shall be exchanged for a new one.
Article 21
An interbank credit information processing and exchange enterprise shall submit the following particulars to the Competent Authority for acknowledgement prior to the day on which it opens for business:
1.The date on which it will commence operations;
2.The hours during which it will provide services to the public;
3.A list of member organizations; an instruction manual detailing access procedures; a description of the format in which accessed information will be provided; the expiration date of credit-related information and the scope this information can be disclosed to and inquired by the financial institutions; and
4.Disaster recovery measures.
Chapter 4:Business and management
Article 22
An internal control system should be put in place in regards to a service enterprise engaged in interbank credit information processing and exchange. The service enterprise needs to ensure that the system can be implemented effectively and sustainably to solidify business management in the service enterprise.
Article 23
The internal audit team of the service enterprise engaged in interbank credit information processing and exchange should conduct at least one general inspection and special inspection each year in regards to the business, finance, asset management and information security. For other management units, at least one special inspection each year is required.
Article 24
The service enterprise engaged in interbank credit information processing and exchange should establish a self-inspection system. Each team of business, finance, asset management and information security should conduct at least one general self-inspection every six months, and at least one special inspection each month. However, the self-inspection can be exempt during the month of regular inspection conducted by internal and external auditors.
The service enterprise engaged in interbank credit information processing and exchange should continue to follow up on the improvement suggestions raised by internal and external auditors. In addition, the service enterprise should submit a report about how it follows up and improves the related areas in a written form to the Board of Directors and supervisors as a key indicator of rewards or punishment and performance review.
Article 25
When there is to be a change involving any of the following particulars, a service enterprise engaged in interbank credit information processing and exchange shall first report the matter to the Competent Authority and receive approval before implementing the change:
1.Articles of Association;
2.Organizational structure and the responsibilities of individual departments;
3.The internal control system;
4.The internal auditing system;
5.The membership protocol;
6.The schedule of fees and the method for calculating them; or
7.Criteria governing provisions for a general liability reserve.
Article 26
The financial institutions and financial related business appointed by the Competent Authority should submit pertinent information about loans, credit cards and financial derivatives business to the service enterprise engaged in interbank credit information processing and exchange. Such information also includes any case of suspected legal infringement or abnormal depositors, frauds, any staff in the bank violating laws or employment requirement and any other data required by the laws. However, information regarding crediting for bills should not be included.
The collection, processing or use of the information stated before is in compliance with Article 8 Section 2 Clause 2 in Personal Information Protection Law. Therefore, it is not necessary to notify the Party subject to Article 9 Section 1 of Personal Information Protection Law.
The service enterprise engaged in interbank credit information processing and exchange should complete the scope and filing for information about loans, credit cards, financial derivatives business and other data required by the Competent Authority. Such information should be submitted to Competent Authority as well.
The information required to be declared subject to Section 1 by financial institutions and financial related business appointed by Competent Authority should be truthful and accurate.
Unless otherwise stipulated in other laws or announcement by the regulators, the bank does not need to notify consecutively or repetitively the clients when their information inquired or submitted via the service enterprise engaged in interbank credit information processing and exchange to fulfill the requirement of financial institutions and regulators is stated in the contract signed between the bank and the clients. This approach holds true when the contract includes the definitive clauses to specify the source of information and other requirements defined by the laws, and after the signing of the contract, the bank collects, inquires, handles, utilizes, transmits or submits the same information included in the contract.
Article 27
A service enterprise engaged in interbank credit information processing and exchange shall gather, process, and use information in a manner consistent with the relevant legal requirements, and shall ensure its privacy and security.
A service enterprise engaged in interbank credit information processing and exchange shall be liable to ensure that credit information is archived, processed, transmitted, exchanged, and accessed using correct procedures. Where information is in error, destroyed, lost, or incorrectly processed, transmitted, exchanged, or accessed, the enterprise shall be liable to investigate the problem, carry out corrective and remedial measures, and exercise the care of a good administrator.
A record of the accessing and processing referred to in the preceding paragraph shall be kept on file for not less than five years.
Article 28
Where a service enterprise engaged in interbank credit information processing and exchange violates the provisions of the preceding article and fails to correct the problem within the time period specified by the Competent Authority, and the problem is of material significance, the Competent Authority may order the enterprise to dismiss related corporate officers, suspend the enterprise's business operations, or void its authorization to engage in interbank credit information processing and exchange.
Article 29
To ensure the confidentiality and security of information, a service enterprise engaged in interbank credit information processing and exchange shall periodically reassess and improve its maintenance measures and plans for information confidentiality and security controls, and shall report its actions to the Competent Authority for acknowledgement.
A service enterprise engaged in interbank credit information processing and exchange shall enter into a membership protocol with its member financial institutions, and in the membership protocol shall include stipulations regarding suspension and reinstatement of access, liability for damages, etc., in the event there are violations of the security control mechanism, access procedures, or the terms and conditions of information confidentiality. A service enterprise engaged in interbank credit information processing and exchange may carry out inspections as necessary to ascertain whether and how well its member organizations are implementing security control mechanisms and abiding by access procedures and the terms and conditions of information confidentiality.
Article 30
Within three months from the end of each fiscal year, a service enterprise engaged in interbank credit information processing and exchange shall submit to the Competent Authority its annual report, an accountant-certified financial statement, and other documents related to the enterprise's operations.
In the interest of understanding the business and financial status of enterprises engaged in interbank credit information processing and exchange, the Competent Authority may at any time require them to provide relevant reports and explanations, and may also dispatch personnel as necessary to carry out on-site inspections. Enterprises may not refuse such inspections.
Article 31
When a service enterprise engaged in interbank credit information processing and exchange intends to cease all or part of its business operations, it shall report its plans to the Competent Authority one year prior to cessation of business, and shall not cease business operations without the approval of the Competent Authority.
Article 32
A service enterprise engaged in interbank credit information processing and exchange shall not invest in enterprises not related to its own business. An investment in an enterprise related to its own business shall be carried out only after it has been approved through not less than a three-quarters majority vote by the directors at a board of directors meeting attended by no fewer than two-thirds of the board members, reported to the Competent Authority, and approved thereby.
Article 33
Any party that has already archived interbank credit information pursuant to designation by the Competent Authority prior to enforcement of these regulations shall be regarded as having been established with the approval of the Competent Authority. With the exception of the requirement to apply to the Competent Authority for a business license, such a party shall not be subject to the restrictions set forth in Article 4 or Articles 12 to 20.
Article 34
Shares held by banks and government agencies pursuant to the provisions of Article 4 may be transferred only to banks.
Article 35
These regulations shall take effect on the date of their promulgation.