These Regulations are adopted pursuant to Article 14-1, paragraph 2 of the Securities and Exchange Act, Article 97-1, paragraph 2 of the Futures Trading Act, and Article 93 of the Securities Investment Trust and Consulting Act.

A service enterprise establishing an internal control system shall do so in accordance with these Regulations and the rules prescribed by the competent authority; provided that where another act or regulation provides otherwise, the provisions of such act shall prevail.

The term "service enterprise" as used in these Regulations includes securities exchanges, over-the-counter securities markets, futures exchanges, central securities depositories, securities firms, futures enterprises, securities finance enterprises, securities investment trust enterprise, securities investment consulting enterprises operating discretionary investment services for customers (hereinafter, “securities investment consulting enterprise”), credit rating agencies, and any other service enterprises in the securities or futures market designated by the competent authority.

The internal control system of a service enterprise is a management process designed by management, passed by the board of directors, and implemented by the board of directors, management, and other personnel, with the aim of promoting sound corporate operations and providing reasonable assurance regarding the achievement of the following objectives:
1. Effectiveness and efficiency of operations.
2. Reliability, timeliness, transparency, and regulatory compliance of reporting.
3. Compliance with applicable laws, regulations, and bylaws.
The objective of effectiveness and efficiency of operations referred to in subparagraph 1 of the preceding paragraph includes objectives such as profits, operating performance, and safeguarding of assets.
The reporting referred to in subparagraph 2 of paragraph 1 includes internal and external financial and non-financial reporting of a service enterprise. The objectives of external financial reporting include ensuring that financial statements for external purposes are prepared in accordance with the regulations governing the preparation of financial reports prescribed for individual service enterprises and with generally accepted accounting principles, and that transactions are made with proper approval.

A service enterprise shall document its internal control system, including internal audit implementation rules, and have them passed by the board of directors. If any director expresses a dissenting opinion, where stated in minutes or in a written statement, the service enterprise shall submit the dissenting opinion to each and all supervisors, together with the internal control system that has been passed by the board of directors. The same shall apply to any amendment thereto.
Where a service enterprise has established the position of independent director, when it submits its internal control system for discussion by the board of directors pursuant to the preceding paragraph, the board of directors shall take into full consideration each independent director's opinion; where an independent director has an objection or reservation, the objection or reservation shall be recorded in the minutes of the meeting of the board of directors.
Where a service enterprise has established an audit committee in accordance with the Securities and Exchange Act, any adoption of or amendment to its internal control system shall be subject to the consent of one-half or more of the entire membership of the audit committee and be submitted to the board of directors for a resolution.
Any matter under the preceding paragraph that has not been approved with the consent of one-half or more of the entire membership of the audit committee may be adopted with the consent of two-thirds or more of the entire board of directors, and the resolution of the audit committee shall be recorded in the board of directors meeting minutes.
The term "entire membership of the audit committee" as used in paragraph 3, and the term "entire board of directors" as used in the preceding paragraph, shall be calculated as the number of members actually in office.
The board of directors of a service enterprise shall recognize operational risks, supervise operational results, and be ultimately responsible for ensuring that an adequate and effective system of internal controls is established and maintained.

A service enterprise shall explicitly specify the internal organizational structure, report system, and appropriate assignment of authority and responsibility in its internal control system and include therein, with respect to members of management, the establishment of positions, position titles, appointment and dismissal, scope of duties and powers, and remuneration policy and system.
A service enterprise shall consider the overall operational activities of the enterprise and all subsidiaries in designing and scrupulously implementing an internal control system, and review the system from time to time to adapt to changes in its internal and external environment and to ensure sustained design and operating effectiveness of the system.
The term "subsidiaries" referred to in the preceding paragraph are those as determined in accordance with the regulations governing the preparation of financial reports prescribed for individual service enterprises.

A service enterprise's internal control system shall consist of the following components:
1. Control environment: The control environment is the basis of the design and implementation of the internal control system across the service enterprise. The control environment encompasses the integrity and ethical values of the enterprise, governance oversight responsibility of the board of directors and supervisors, organizational structure, assignment of authority and responsibility, human resources policy, and performance measures and reward and discipline. The board of directors and management shall prescribe internal standards of conduct, including the adoption of codes of conduct for directors and employees.
2. Risk assessment: A precondition to risk assessment is the establishment of objectives, linked at different levels of the service enterprise, and with the suitability of the objects for the enterprise taken into consideration. Management shall consider the impact of possible changes in the external environment and within its own business model that may render internal control ineffective, and possible fraud scenarios. The risk assessment results can assist the enterprise in designing, correcting, and implementing necessary controls in a timely manner.
3. Control activities: Control activities are the actions of carrying out policies and procedures taken by the service enterprise on the basis of risk assessment results to limit relevant risks to a sustainable level. Control activities shall be performed at all levels of the enterprise, at various stages within business processes, and over the technology environment, and shall include supervision and management over subsidiaries.
4. Information and communication: Information and communication means the relevant and quality information that the service enterprise obtains, generates, or uses from both internal and external sources to support the functioning of other components of internal control, and the capability of effective communication between the enterprise and external parties. The Internal control system must have mechanisms to generate information necessary for planning, implementation, and monitoring and to provide information to those who need it in a timely manner.
5. Monitoring activities: Monitoring activities means ongoing evaluations, separate evaluations, or some combination of the two used by the service enterprise to ascertain whether each of the components of internal control is present and functioning. Ongoing evaluations means routine evaluations built into the course of operations at different levels of the enterprise. Separate evaluations are evaluations conducted by different personnel such as internal auditors, supervisors, or the board of directors. Findings of deficiencies of the internal control system shall be communicated to the management of appropriate levels, the board of directors, and supervisors, and improvements shall be made in a timely manner.
A service enterprise designing and implementing, or carrying out self-assessment of, its internal control system, or a certified public accountant (CPA) engaged to conduct a special audit of the enterprise's internal control system, shall fully consider the components enumerated in the preceding paragraph, and, in addition to the criteria prescribed by the competent authority, may add additional items as dictated by actual needs.
The code of conduct for directors under paragraph 1, subparagraph 1 shall, at the least, specify that when a director discovers that the enterprise is likely to be materially harmed, the director shall handle the matter as quickly as possible, and immediately notify the audit committee, independent director members of the audit committee, or the supervisors, and report to the board of directors, and shall see to it that the service enterprise reports to the competent authority.

In addition to setting out control activities for different operating cycles based on the nature of its business, a service enterprise shall also consider its actual needs and include controls over the following activities in its internal control system:
1. Seal use management.
2. Management of the receipt and use of negotiable instruments.
3. Budget management.
4. Property management.
5. Management of endorsements/guarantees.
6. Management of liability commitments and contingencies.
7. Delegation of duties and implementation of deputy system.
8. Management of financial and non-financial information.
9. Management of related party transactions.
10. Management of the preparation process of financial statements, including management of the application of International Financial Reporting Standards, procedures for professional accounting judgments, and processes for making changes in accounting policies and estimates.
11. Supervision and management over subsidiaries.
12. Compliance system.
13. Management of financial examination reports.
14. Management of protection of financial consumers, provided this does not apply to the enterprises that are excluded under Article 3, paragraph 2 of the Financial Consumer Protection Act.
15. Customer data confidentiality.
16. Handling of material events (e.g. a material violation, or a likelihood of suffering material loss).
17. Whistleblower system.
18. Management of outsourcing of operations.
19. Other matters designated by the competent authority.
In addition to controls over the activities under the preceding paragraph, a service enterprise that is a public company, or that is designated by the competent authority, shall also include in its internal control system the management of procedure for board of directors meetings and the management of shareholder services.
The internal control system of a service enterprise that has established an audit committee pursuant to the provisions of the Securities and Exchange Act shall include the management of audit committee meeting operations.
The internal control system of an enterprise whose stocks are already listed or traded over-the-counter at securities firms shall include controls over the following operations:
1. Management of the operations of the remuneration committee.
2. Management of the prevention of insider trading.
If a service enterprise is a financial institution as defined in the Money Laundering Control Act, its internal control system shall include mechanisms for preventing money laundering and countering terrorism financing, and shall include management of compliance with applicable laws and regulations, including mechanisms for managing the identification and measurement of, and monitoring for, money laundering and terrorism financing.
A service enterprise under the preceding paragraph which has established a domestic or foreign branch office (or subsidiary) shall formulate an overall group plan for preventing money laundering and countering terrorism financing, including policies and procedures for information sharing within the group for the purpose of preventing money laundering and countering terrorism financing that are in accordance with the laws and regulations of the place where the branch office (or subsidiary) is located.

(deleted)

A service enterprise that uses a computerized information processing system shall, in addition to clearly differentiating the functions and duties of information and user departments, at least include the following control procedures:
1. Clear demarcation of the functions and duties of the information-processing department.
2. Control of system development and program modification.
3. Control of preparation of system documentation.
4. Program and data access control.
5. Data input/output control.
6. Data processing control.
7. File and facility security control.
8. Control of purchase, usage, and maintenance of hardware and system software.
9. Control of system recovery plan and testing procedures.
10. Control of information and communications security inspection.
11. Control of relevant procedures, if required, for disclosing and reporting public information on a website designated by the competent authority.

A service enterprise shall carry out internal audits to assist the board of directors and management in inspecting and reviewing deficiencies in the internal control system as well as measuring effectiveness and efficiency of operations, and shall make timely recommendations for improvements to ensure the sustained operating effectiveness of the system and to provide a basis for review and correction.

A service enterprise shall establish an internal audit unit in a direct reporting line to the board of directors and, except as otherwise provided by the competent authority, shall appoint, according to its business size, business condition, management needs, and the provisions of other applicable laws and regulations, qualified persons in an appropriate number as full-time internal auditors and have deputies in place for the internal auditors; the deputies are required to carry out audit work in accordance with these Regulations.
A service enterprise shall establish a chief internal auditor to oversee audit affairs, and who shall possess leadership ability and the ability to effectively oversee audit work. Any appointment or dismissal of the chief internal auditor shall be passed by the board of directors; where it has established the position of independent director, if an independent director has an objection or reservation, the objection or reservation shall be recorded in the minutes of the meeting of the board of directors.
Where a service enterprise has established an audit committee in accordance with the Securities and Exchange Act, any appointment or dismissal of the chief internal auditor shall be subject to the consent of one-half or more of the entire membership of the audit committee and be submitted to the board of directors for a resolution, in which case the provisions of paragraphs 4 and 5 of Article 5 shall apply mutatis mutandis.
Except as otherwise required by provisions governing securities or futures enterprises, a service enterprise shall report any appointment or dismissal of the chief internal auditor, specifying the reason for such a change of position and providing a copy of the minutes of the board of directors meeting, to the competent authority for recordation within 5 days from the date of passage by the board of directors.
The appointment, dismissal, promotion, reward/discipline, rotation, and performance review of any personnel in the internal audit unit shall become effective after being reported by the chief auditor to the board of directors and ratified by the board. However, if a matter involves personnel of other management or business units, the chief auditor shall first request the personnel department to refer the matter to the general manager for consent, and it shall then be reported to the chairperson for ratification.
The requirements for the qualified full-time internal auditors referred to in paragraph 1 shall be as prescribed separately by the competent authority.

A service enterprise shall include at least the following items in its implementation rules for internal audits:
1. Purpose, functions, and responsibilities of the internal audit unit.
2. Assessment of the system of internal controls to measure the effectiveness of, and compliance with, the established policies and procedures, and their effects on operational activities.
3. A detailed listing of audit items, times, procedures, and methods.

A service enterprise's internal audit unit shall, based on the results of the risk assessment, prepare an annual audit plan which, except as otherwise required by the competent authority, shall include matters to be audited monthly; the internal audit unit shall scrupulously implement the annual audit plan, so as to assess its internal control system, and prepare audit reports annexed with working papers and relevant materials.
A service enterprise shall include at least the following as audit items in its annual audit plan for each year:
1. Matters relating to compliance with applicable laws, regulations, and bylaws.
2. The control activities for major financial or business activities, such as for acquiring or disposing of assets, engaging in derivatives transactions, management over making endorsements/guarantees for others, and management of related party transactions.
3. Supervision and management over subsidiaries.
4. Management of the preparation process of financial statements, including management of application of the International Financial Reporting Standards and procedures for professional accounting judgments and processes for making changes in accounting policies and estimates.
5. Inspection of information and communications security.
Each annual audit plan of a financial service enterprise as defined in the Financial Consumer Protection Act shall also include management of the protection of financial consumers, in addition to the audit items of the preceding paragraph.
Each annual audit plan of a service enterprise that is a public company, or that is designated by the competent authority, shall also include management of the procedure for board of directors meetings, in addition to the audit items of the preceding two paragraphs.
Each annual audit plan of a service enterprise whose stock is already listed or traded over-the-counter at securities firms shall also include management of the operations of the remuneration committee, in addition to the audit items of the preceding three paragraphs.
The annual audit plan of a service enterprise that has established an audit committee pursuant to the provisions of the Securities and Exchange Act shall also include the management of audit committee meeting operations.
If a service enterprise is a financial institution as defined in the Money Laundering Control Act, its annual internal audit plan shall include prevention of money laundering, countering of terrorism financing, and management of compliance with applicable laws and regulations.
A service enterprise shall have its annual audit plan, and any amendments thereto, passed by the board of directors.
Where a service enterprise has established the position of independent director, when it submits its annual audit plan for deliberation by the board of directors pursuant to the preceding paragraph, the board of directors shall take into full consideration each independent director's opinion; when an independent director has an objection or reservation, the objection or reservation shall be recorded in the minutes of the meeting of the board of directors.
The audit reports, working papers, and relevant materials under paragraph 1 shall be retained for no less than 5 years.

The internal auditors of a service enterprise shall communicate fully with the audited unit about the audit results of the items audited in the annual audit, and shall factually disclose in audit reports any deficiencies and irregularities of the internal control system identified in assessments and, after having presented the reports, shall follow up on the matters and prepare follow-up reports at least on a quarterly basis to be reported to the board of directors until correction is made, to ensure that the relevant departments have taken appropriate corrective actions in a timely manner.
The service enterprise shall include any identified deficiencies and irregularities of the internal control system and the correction thereof, as referred to in the preceding paragraph, as major items of performance evaluation for each department.
The correction of deficiencies and irregularities of internal control system referred to in paragraph 1 shall include all deficiencies identified by the competent authority or a self-regulatory organization in the course of examination, those identified in the course of internal audit operations, those listed in the Statement on Internal Control, and those identified in the course of self-assessment or by CPAs in special audits.

After having presented the audit and follow-up reports, a service enterprise shall submit the same for review by each and all supervisors by the end of the month next following the completion of the audit items.
A service enterprise's internal auditors identifying any material event such as a material violation or any likelihood of material loss to the enterprise shall promptly prepare and present a report and notify each and all supervisors. If any of the recommendations regarding any of the aforementioned deficiencies is not accepted by management, resulting in material loss by the service enterprise, the internal auditors shall also prepare and present a report and notify each and all supervisors as well as report to the competent authority.
Where a service enterprise has established the position of independent director, when an action is taken under the two preceding paragraphs, a copy of the submission or notice shall be provided simultaneously to the independent director(s).
After an examination of a service enterprise by its competent authority or an examination on a foreign branch (or subsidiary) by its local competent authority is completed, or after an examination report is received, the internal audit unit of its head office (or parent company) shall, in accordance with the principle of materiality, immediately report to the directors and supervisors, and report to the soonest board meeting. The report shall include the content of any examination communication meetings, any major deficiencies revealed by the examination, any rating downgrade by the competent authority, and any improvement plans demanded by the competent authority with respect to material deficiencies or possible disciplinary measures to be taken.

The internal auditors of a service enterprise shall be detached, independent, objective, and impartial, in scrupulously performing their duties, and fulfill the duty of professional care, and report their audit operations to each and all supervisors on a regular basis; in addition, the chief internal auditor shall attend a board of directors meeting to present a report.
The internal auditors shall perform their duties in good faith and shall not do any of the following:
1. Conceal or make false or inappropriate disclosures of any of the enterprise's business activities, reporting, or compliance with applicable laws, regulations, and bylaws that they know has caused direct damage to a beneficiary, a customer, or an interested party.
2. Cause damage to the right or interest of the enterprise or any beneficiary, customer or interested party through neglect of duty.
3. Act beyond the scope of audit functions or engage in other improper activity, or with the intent to gain illegal benefit for him/herself or a third party, violate the auditor’s duties or embezzle company assets.
4. Conduct an audit on a department where he/she worked within the past 1 year, provided that this rule does not apply where the competent authority provides otherwise.
5. Fail to recluse himself/herself from auditing of cases in which he or she has a personal interest or has a conflict of interest.
6. Fail to audit the matters instructed by competent authorities or provide relevant information.
7. Provide, promise, request, or accept, directly or indirectly, unreasonable gifts, entertainment, or any other improper benefits in whatever form.
8. Any other activity in violation of any law or regulation or otherwise prohibited by the competent authority.

The internal auditors of a service enterprise shall pursue continuing training as well as attend internal audit training held by institutions designated by the competent authority, so as to improve their auditing quality and competence.
The internal audit training referred to in the preceding paragraph shall include various professional courses, computerized auditing, and basic legal knowledge.
The number of hours required for the continuing training under paragraph 1 shall be as prescribed separately by the competent authority.

Except as otherwise required by provisions governing securities firms or futures enterprises, a service enterprise shall report to the competent authority, or an institution designated by the competent authority for recordation the names, ages, educational background, work experience, years of service, and professional training of its internal auditors by the end of January each year in the format and manner required by the competent authority.

Securities firms, futures enterprises, securities investment trust enterprises, and securities investment consulting enterprises, shall submit for recordation their annual audit plan, an account of the execution thereof, and a description of the correction of any irregularities identified, respectively to the securities exchange, over-the-counter securities market, central securities depository, futures exchange, securities dealers association, futures industry association, or the Securities Investment Trust and Consulting Association of the R.O.C., in the format and manner and at the time required respectively by each such institution.
Securities finance enterprises, credit rating agencies, and other service enterprises in the securities or futures market designated by the competent authority shall submit their next year's annual audit plan by the end of each fiscal year, and a report on the implementation of their previous year's annual audit plan within 2 months from the end of each fiscal year, to the competent authority for recordation in the format and manner required by the competent authority. They shall also submit to the competent authority for recordation their corrections of any irregularities identified in the previous year's internal auditing within 5 months from the end of each fiscal year.
Securities exchanges, over-the-counter securities markets, central securities depositories, and futures exchanges shall submit to the competent authority for recordation their next year's annual audit plan by the end of each fiscal year, and a report on the implementation of internal audits, any irregularities discovered, and the corrections made, during the previous quarter within 2 months from the end of each quarter.

The purposes of self-assessment by a service enterprise of its internal control system is to implement a self-monitoring mechanism and adapt to changes in the environment in a timely manner, so as to adjust the design of the internal control system and enhance the internal audit department's audit quality and efficiency. The assessment scope shall include the design and operation of all aspects of the enterprise's internal control system.
Before carrying out the assessment referred to in the preceding paragraph, a service enterprise shall set out in its internal control system the procedures and methods for self-assessment operations.
A service enterprise shall pay close attention to matters relating to compliance with applicable laws, regulations, and bylaws, and shall, based on the results of the risk assessment, determine the procedures and methods for self-assessment operations referred to in the preceding paragraph, which shall at least include the following:
1. Determining which controls should be tested.
2. Determining the business units to include in the self-assessment.
3. Evaluating the design effectiveness of controls.
4. Evaluating the operating effectiveness of controls.

When conducting self-assessments of its internal control system, a service enterprise shall, except as otherwise required by the competent authority, first arrange for self-assessments by all internal departments and subsidiaries on an at least annual basis, have its internal audit unit review each unit's self-assessment report, and submit the self-assessment reports, together with the reports on the correction of deficiencies and irregularities of the internal control system identified by the audit unit, as a primary basis for the board of directors and general manager to evaluate the overall effectiveness of the enterprise's internal control system and to produce a Statement on Internal Control.
The self-assessment s under the preceding paragraph shall be recorded in working papers that shall be retained, together with the self-assessment reports and relevant materials, for no less than 5 years.

A service enterprise's findings in its self-assessment of the internal control system shall classify the system as either "effective internal control system" or "materially deficient internal control system" based on whether or not the system provides reasonable assurance regarding the following:
1. That the board of directors and the general manager understand the degree to which the objective of effectiveness and efficiency of operations has been achieved.
2. That reporting is reliable, timely, transparent, and complies with applicable rules.
3. That applicable laws, regulations, and bylaws have been complied with.

A service enterprise shall conduct annual self-assessment of the design and implementation effectiveness of its internal control system and prepare a Statement on Internal Control in the format required by the competent authority, and, except as otherwise provided by applicable laws and regulations governing the individual service enterprises, shall submit it to the competent authority for recordation within 3 months from the end of each fiscal year.
Where a service enterprise has established an audit committee in accordance with the Securities and Exchange Act, the design and operating effectiveness of the internal control system as referred to in the preceding paragraph shall be subject to the consent of one-half or more of the entire membership of the audit committee, in which case the provisions of paragraphs 4 and 5 of Article 5 shall apply mutatis mutandis.
The Statement on Internal Control, and any amendment thereto, as referred to in paragraph 1 shall first be passed by the board of directors.
A service enterprise that is also a public company, or that is designated by the competent authority, shall publicly announce and report the Statement on Internal Control referred to in paragraph 1 through a website designated by the competent authority, and need not further submit the written materials to the competent authority for recordation.
The Statement on Internal Control referred to in paragraph 1 shall, as required, be included in the enterprise's annual report, stock issue prospectus, prospectus, or investment memorandum.

To strengthen the control of computer information systems, securities exchanges, over-the-counter securities markets, futures exchanges, and central securities depositories shall, on a regular basis, engage professionals with public credibility and audit capability to conduct special audits regarding the use of computer information systems in the handling of various operations, and submit the results of the audit to the competent authority for recordation.

Articles 25 through 36 of the Regulations Governing the Establishment of Internal Control Systems by Public Companies shall apply mutatis mutandis where a CPA is engaged by a service enterprise to conduct a special audit of its internal control system.
If a service enterprise is a financial institution under the Money Laundering Control Act, the competent authority may ask securities and futures related institutions such as the Taiwan Stock Exchange, the Taipei Exchange, the Taiwan Futures Exchange, or the Securities Investment Trust and Consulting Association of the R.O.C. to conduct a special audit of personal information protection, prevention of money laundering, and countering terrorism financing, and when necessary may require the enterprise to hire a CPA to conduct the special audit.

The competent authority may, after having considered the size, business nature, and organizational characteristics of a securities firm, futures enterprise, securities finance enterprise, securities investment trust enterprise, securities investment consulting enterprise, credit rating agency, or any other service enterprise in the securities or futures market designated by the competent authority, order such an enterprise to establish a unit in a direct reporting line to the general manager, to be charged with the planning, management and execution of a compliance system.
The board of directors shall designate a member of senior management as the chief compliance officer, to be responsible for overseeing compliance matters and submit a report to the board of directors and to each and all supervisors at least semi-annually. If a material violation is discovered or there is a rating downgrade by the competent authority, the chief compliance officer shall immediately report to the directors and supervisors, and report to the board of directors any matters relating to compliance with applicable laws and regulations. The report shall, at the least, include analysis of the cause of the event, the potential impact, and recommendations for improvement.
Except as otherwise required by provisions governing securities or futures enterprises, the information on the compliance officer described in the preceding paragraph shall be filed with the competent authority for recordation, specifying the reason for such a designation and annexed with the minutes of the board of directors meeting, within 5 days from the date of passage by the board of directors.

A unit responsible for legal and regulatory compliance shall carry out the following activities:
1. Establish clear and adequate systems of advocacy of laws and regulations, consultation, coordination, and communication.
2. Ensure that procedural and managerial bylaws are updated in a timely manner in response to applicable laws and regulations, so that operations are in compliance with all laws and regulations.
3. Formulate the content of and procedures for assessing compliance with laws and regulations and monitor the periodic self-assessment of the implementation thereof by each unit.
4. Administer adequate and proper legal training on laws and regulations to personnel of each unit.
5. Monitor the compliance by domestic and foreign branch offices with the laws and regulations of the country in which they are located.
6. Carry out such other activities as may be required by the competent authority.
If a service enterprise has established a foreign branch office, the unit responsible for overseeing legal compliance matters shall supervise the foreign branch office in handling the following matters:
1. Matters to ensure compliance with local laws and regulations, including collecting information on local financial laws and regulations, implementing self-assessment of compliance with laws and regulations faithfully, ensuring suitability of the chief compliance officer and the adequacy of resources (including personnel, equipment, and training) for compliance with laws and regulations.
2. Establishment of a mechanism for self-assessment and monitoring of legal compliance risks. If the scale of business is large, or the complexity or the degree of risk is high, a local external independent expert shall be engaged to verify the effectiveness of the mechanism for self-assessment and monitoring of legal compliance risks.
Self-assessment of compliance with laws and regulations shall be performed no less frequently than annually, with the results delivered to the compliance unit for future reference. The head of a unit shall designate a person responsible for performing self-assessment within that unit.
Working papers and materials in connection with the self-assessment under the preceding paragraph shall be retained for no less than 5 years.

To promote sound corporate operations, a service enterprise shall set up a whistleblower system, and designate a unit with independent exercise of powers, to be responsible for the processing and investigation of whistleblower reports.
A service enterprise shall provide the following protections for whistleblowers:
1. The identity information of the whistleblower shall be kept confidential, and no information may be disclosed that could be used to identify the whistleblower.
2. The whistleblower may not be terminated, dismissed, demoted/relocated, or receive a reduction in pay, or impairment of any rightful entitlement under law or regulation, contract, or custom, or other unfavorable disposition due to the reported case.
Any person with a conflict of interest shall recuse himself or herself from the processing and investigation of the reported case.
The whistleblower system under paragraph 1 shall at least include the following matters, and be resolved by the board of directors:
1. The express provision that anyone who discovers any potential crime, misconduct, or legal violation may file a whistleblower report.
2. The types of reports that will be accepted for processing.
3. The establishment and making public of the channels for reporting.
4. The procedures for investigation and collaborative support, rules of recusal, and standard operating procedures for follow-up and disposition of cases.
5. Whistleblower protection measures.
6. The documentation and preservation of records covering the acceptance of reported cases, the investigation process, investigation results, and the preparation of relevant documents.
7. That the whistleblower shall be given appropriate notice in writing or by other means with respect to the progress of the reported case.
If the alleged perpetrator is a director, supervisor, or management personnel at a level equivalent to or higher than vice president, the investigation report shall be submitted to and reviewed by the supervisors or the audit committee.
The service enterprise shall take the initiative to file a report or an information with the relevant authorities if any material contingency or legal violation is discovered in the investigation.
The service enterprise shall hold regular awareness programs and education and training in the whistleblower system for its personnel.

An internal audit unit shall incorporate the implementation status of the compliance system into its audit of the business and management units.

Articles 38 through 41 of the Regulations Governing the Establishment of Internal Control Systems by Public Companies shall apply mutatis mutandis to a service enterprise' supervision and management over its subsidiaries.
Where a service enterprise's subsidiary is also a service enterprise as defined under Article 3 of these Regulations, its supervision and management over such subsidiary is exempted from the provision of the preceding paragraph.

A service enterprise shall specify in its internal control system the penalties for violation of these Regulations or its internal control system rules by members of management and relevant personnel.
A service enterprise shall from time to time check, with respect to its internal auditors, whether there is any violation of Article 12, paragraph 1 in relation to the "qualified" and "full-time" requirements or Article 17, paragraph 2, and upon discovery of any violation, shall adjust the position of the auditor within 1 month from the date of discovery, unless otherwise provided by law or regulation.
When reporting basic information on internal auditors pursuant to Article 19, a service enterprise shall check whether or not the internal auditors have met the requirements under Article 18, paragraph 1. If any auditor has not, the auditor shall take corrective measures within 1 month; otherwise, the service enterprise shall promptly adjust the auditor's position, unless otherwise provided by law or regulation.

If any of the following circumstances occurs to the internal chief auditor of a service enterprise, the competent authority may, depending on the severity of the circumstance, issue a reprimand, order it him or her to make corrections within a specified time limit, or order the service enterprise to dismiss the internal chief auditor from his or her position:
1. Has engaged in any improper transfer of funds with any customer, as proven by factual evidence.
2. Has abused authority of office, there is factual evidence showing that he or she has carried out improper activities, or he or she has committed an act in breach of official duties with intent to gain illegal benefit for him/herself or a third party, or intending to harm the any interest of the enterprise, causing damage to the enterprise or any third party.
3. Has disclosed, delivered, or made public the whole or any part of the content of the financial examination report to any person unrelated to the execution of duties without the approval of the competent authority.
4. Has failed to notify the competent authority of any significant malpractice that because of poor internal management has occurred in the enterprise.
5. Has failed to disclose in an internal audit report any significant deficiency identified in the finances or business of the enterprise.
6. Has issued a fraudulent internal audit report on internal audit findings.
7. Has failed to identify a serious deficiency in finances or business operations as a result of obviously insufficient staffing or staffing of obviously incompetent internal auditors in the enterprise.
8. Has failed to follow the instructions of the competent authority in conducting audit work or in providing relevant information.
9. Has otherwise committed any act that impairs the reputation or interests of the enterprise.

Under any of the following circumstances, the competent authority may order a service enterprise to make improvements within a prescribed time limit, or where necessary, to engage a CPA to conduct a special audit of its internal control system and obtain an audit report and submit it to the competent authority for recordation:
1. Failure to document its internal control system.
2. Failure to appoint qualified personnel as full-time internal auditors or to appoint them in an appropriate number.
3. Failure to file a report within a prescribed time limit on, or fail to scrupulously execute, its annual audit plan.
4. Failure to file a report within a prescribed time limit on the actual execution of its annual audit plan.
5. Failure to file a report within the prescribed time limit on the correction of any deficiency or irregularity of the internal control system identified in an audit.
6. Failure to duly conduct self-assessment of its internal control system or to prepare a Statement on Internal Control.
7. Serious instance of failure to correct a deficiency of the internal control system pursuant to the internal control recommendations issued by a CPA.
8. Serious instance of false external financial reporting or violating a law, regulation, or bylaw.
9. Any material fraud or suspicion of fraud.
10. Other condition where the competent authority deems a special audit to be necessary.

A service enterprise shall ensure the confidentiality of the financial examination report. Its responsible person or employees, except as provided by law or regulation or approved by the competent authority, may not read, nor may they disclose, deliver, or make public to any person unrelated to the execution of duties, the whole or any part of the content of the financial examination report.

When a service enterprise makes any concealment of poor internal management, unsatisfactory internal controls, inadequate implementation of the internal audit system or legal compliance system, or the results of implementation of improvement of any deficiency specified by a competent authority in an examination opinion requiring review and follow-up, or the internal audit unit otherwise conceals any audit findings, and it results in material malpractice, the personnel involved shall be held responsible for negligence in their duties. A service enterprise shall reward an internal auditor who identifies any significant malpractice or negligence and thereby averts material loss to the enterprise.
When a material deficiency or malpractice arises within the management or operational units of a service enterprise, the internal audit unit shall have the power to recommend penalties, and shall make a full disclosure in the internal audit report of the negligent personnel who shall be held responsible for the material deficiency.

Where a service enterprise has established an audit committee in accordance with the Securities and Exchange Act, the provisions of Article 5, paragraph 1, Article 7, paragraph 1, subparagraphs 1 and 5, Article 16, paragraphs 1 and 2, Article 17, paragraph 1, and Article 27, paragraph 2 of these Regulations in relation to supervisors shall apply mutatis mutandis to the audit committee.

A service enterprise shall adopt appropriate risk management policies and procedures, and establish independent and effective risk management mechanisms, to assess and monitor the overall risk-bearing capacity, and the current status of risk already incurred, and to determine its compliance with the risk response strategies and risk management procedures.

A service enterprise with specific requirements shall appoint a person at the level of deputy general manager (vice president) or higher or a person of equivalent position to concurrently serve as its chief information security officer, who shall be in charge of the overall promotion of information security policy and the allocation of related resources. Those requirements shall be prescribed by the competent authority.
A service enterprise shall allocate adequate human resources and equipment for the planning and monitoring of the information security system and the implementation of information security management operations. The competent authority may, after having considered the size, business nature, and organizational characteristics of the services enterprise, order service enterprises to establish a dedicated information security (i.e., cybersecurity) unit, chief officer, and other personnel.
Each year, the service enterprise's chief information officer or highest officer responsible for information security and its chairman, president, and chief internal auditor shall jointly sign and issue the Statement on Internal Control set out in Article 24, with content including the status of overall implementation of information security in the preceding fiscal year, and submit it to the board of directors for approval within 3 months after the end of the fiscal year.
The service enterprise's information security officer and personnel shall attend at least 15 hours of information security professional courses or functional training every year. All other personnel who use the information system shall attend at least 3 hours of information security awareness courses every year.
The Securities Association, National Futures Association, and Securities Investment Trust and Consulting Association of the R.O.C. shall adopt and regularly review self-disciplinary regulations relating to information security.

A service enterprise may have in place, according to its business conditions and management needs, qualified corporate governance personnel in an appropriate number and may appoint one chief corporate governance officer as the most senior executive for corporate governance affairs. However, the competent authority shall require a service enterprise to appoint a chief corporate governance officer if so required in consideration of its size or business nature or in any other necessary circumstances.
The corporate governance affairs referred to in the preceding paragraph shall include, at a minimum, the following:
1. Handling of matters relating to board of directors meetings and shareholders meetings in compliance with law.
2. Preparation of minutes of board of directors meetings and shareholders meetings.
3. Assistance in onboarding and continuing education of the directors and supervisors.
4. Provision of information required for performance of duties by the directors and supervisors.
5. Assistance to the directors and supervisors in complying with laws and regulations.
6. Other matters specified by the articles of incorporation or by contract.
The chief corporate governance officer described in paragraph 1 shall be a managerial officer of the company. The chief corporate governance officer shall be subject to the following requirements, unless otherwise provided by law or regulation:
1. A chief corporate governance officer shall be a qualified, practice-eligible lawyer or CPA or have served in a managerial position for at least 3 years in a securities, financial, or futures related institution or a public company in a unit handling legal affairs, legal compliance, internal auditing, financial affairs, stock affairs, or corporate governance affairs.
2. A chief corporate governance officer shall complete a minimum of 18 hours of continuing education courses within 1 year from the date of the person's appointment to that position, and a minimum of 12 hours of continuing education courses in each following year. The continuing education courses shall include, at a minimum, corporate governance related topics such as commerce, legal affairs, finance, accounting, corporate social responsibility, risk management, and internal control. The qualified continuing education institutions and the conduct of continuing education shall be subject mutatis mutandis to the provisions of the Directions for the Implementation of Continuing Education for Directors and Supervisors of TWSE Listed and TPEx Listed Companies, as jointly adopted by the Taiwan Stock Exchange and the Taipei Exchange, with respect to the continuing education system.
Unless otherwise provided by law or regulation, a service enterprise may appoint a person holding another position in the company to concurrently serve as its chief corporate governance officer. Where the service enterprise appoints a person holding another position to concurrently serve as its chief corporate governance officer, it shall ensure that the functions and duties of both the principal position and the concurrent position of that person are discharged effectively, and there shall be no conflicts of interest or violations of the internal control system.
In the event of resignation or dismissal of the chief corporate governance officer appointed under the proviso of paragraph 1, the service enterprise shall appoint another person to fill the vacancy within 1 month from the date of occurrence.

The competent authority shall separately prescribe the formats described in these Regulations.

In the case of a service enterprise being a foreign enterprise's branch unit within the territory of the Republic of China, the functions required by these Regulations to be performed by the board of directors or the supervisors may be performed by the responsible person of that branch unit within the territory of the Republic of China authorized by the board of directors of the foreign enterprise.

These Regulations shall enter into force from the date of issuance.
The 21 December 2011 amendments shall enter into force 3 months after the date of issuance, except Article 8, paragraph 1, subparagraph 14 and Article 14, paragraph 3, which shall enter into force from 30 December 2011.
The provisions amended and issued on 22 September 2014 shall enter into force from 1 January 2015.
Article 28-1 introduced in the 30 May 2018 amendments shall enter into force 6 months after the date of issuance.