These Regulations are adopted pursuant to Article 51 of the Financial Holding Company Act (the "Act").
The internal control and internal audit systems of a financial holding company shall be governed by these Regulations; for matters on which these Regulations are silent, the provisions of other relevant acts and regulations shall govern.
A financial holding company shall establish internal control and internal audit systems and ensure their on-going and effective operation, to promote the sound business operation of the company and its subsidiaries and further to safeguard investments and maintain financial stability.
The basic objectives of a financial holding company's internal controls are to promote sound operations and, through joint compliance by the board of directors, management, and all personnel, to reasonably ensure that the following objectives are achieved:
1.Effectiveness and efficiency of operations;
2.Reliability of financial reporting; and
3.Compliance with applicable laws and regulations.
The objective of effectiveness and efficiency of operations referred to in subparagraph 1 of the preceding paragraph includes objectives such as profits, performance, and safeguarding asset security.
A financial holding company shall for itself and for all its subsidiaries map out overall operational strategies, risk management policies, and relevant guidelines, based upon which the financial holding company and its subsidiaries shall formulate their own operational plans, risk management procedures, and implementation guidelines.
The internal control system of a financial holding company shall incorporate the following principles:
1.Management oversight and the control culture: The board of directors shall have responsibility for approving and periodically reviewing overall business strategies and major policies, and shall be ultimately responsible for ensuring that an adequate and effective system of internal controls is established and maintained; senior management shall have responsibility for implementing business strategies and policies approved by the board of directors, for developing processes that identify, measure, monitor, and control risks incurred by the financial holding company and its subsidiaries, for setting appropriate internal control policies, and for monitoring their effectiveness and adequacy.
2.Risk recognition and assessment: An effective internal control system requires that the material risks that could adversely affect the achievement of the overall goals of the financial holding company and its subsidiaries are being recognized and continually being evaluated, and that corresponding measures are being taken to limit relevant risks to a sustainable level.
3.Control activities and segregation of duties: Control activities shall be an integral part of the daily operations of a financial holding company. An appropriate control structure shall be set up, with internal control processes defined at every business level. An effective internal control system requires that there is appropriate segregation of duties and that management and employees are not assigned conflicting responsibilities.
4.Information and communication: A financial holding company shall maintain adequate and comprehensive internal financial, operational and compliance data that shall be reliable, timely, and accessible, and shall also establish effective channels of communication.
5.Monitoring activities and correcting deficiencies: A financial holding company shall monitor the effectiveness of its internal controls on an ongoing basis. Any identified internal control deficiencies shall be reported in a timely manner to the appropriate management level, and any significant internal control deficiencies identified on the part of the financial holding company and its subsidiaries shall be immediately reported to senior management and the board of directors and be promptly addressed.
The internal control system of a financial holding company shall cover all business activities, include appropriate policies and procedures as follows, and shall be reviewed and revised in a timely manner:
1.Organizational chart or corporate rules and bylaws, including a clear organizational system, unit functions, scope of operations for each unit, and rules governing authorizations and hierarchical delegation of responsibilities.
2.Related operational guidelines and procedural manuals, including:
(1) Investment guidelines.
(2) Subsidiary management.
(3) Co-marketing management.
(4) Customer data confidentiality.
(5) Regulation of interested party transactions.
(6) Management of shares.
(7) Workflow of preparing accounting and financial statements and administration of general affairs, information, and personnel affairs.
(8) Management of operations for disclosing information externally.
(9) Other operational guidelines and operating procedures.
Where necessary, revision to the procedural and managerial bylaws set forth in the preceding paragraph shall involve the participation of the compliance unit, internal audit unit, and other relevant units.
A financial holding company shall have its internal control system passed by the board of directors, and, if any director expresses dissent, where stated in minutes or in a written statement, shall submit such dissenting opinions to each supervisor together with the internal control system passed by the board of directors; the same shall apply to any amendment thereto.
Where a financial holding company has established the position of independent director, when it submits its internal control system for discussion by the board of directors pursuant to the preceding paragraph, the board of directors shall take into full consideration each independent director's opinions; the independent directors' specific opinions of assent or dissent and the reasons for dissent shall be included in the board minutes.
To ensure compliance with acts and regulations, a financial holding company shall establish a compliance officer system in which a unit reporting directly to the board of directors or to the general manager shall be charged with the planning, management and execution of such system, and a senior executive shall be appointed as the compliance officer in overall charge of compliance matters who shall submit a report to the board of directors and to the supervisors at least semi-annually.
The list of compliance officers referred to in the preceding paragraph shall be filed with the competent authority for recordation via an Internet-based information system.
A compliance unit shall carry out the following activities:
1.Establish clear and adequate systems for transmission of, and consultation, coordination, and communication with respect to, acts and regulations.
2.Ascertain that all procedural and managerial bylaws are updated in a timely manner in response to applicable acts and regulations, so that all business activities comply with the provisions of acts and regulations.
3.Formulate the content of and procedures for compliance-related self-auditing and assessment and monitor the implementation of periodic self-audits by each unit.
4.Administer adequate and proper legal training on acts and regulations to personnel of each unit.
A financial holding company shall conduct self-audits to monitor compliance with applicable acts and regulations at least semi-annually and deliver the results to the compliance unit for recordation. The head of a unit shall designate dedicated personnel to conduct self-audits of the unit.
A financial holding company shall formulate adequate risk management policies and procedures and establish operationally independent and effective risk management mechanisms, by which to assess and monitor the respective risk-bearing capacity of, and current status of risks already incurred by, itself and its subsidiaries, and to determine their compliance with the risk response strategies and risk management procedures.
The risk management policies and procedures under the preceding paragraph shall be passed by the board of directors and be reviewed and revised in a timely manner.
A financial holding company shall establish an independent risk management task force and regularly furnish risk management reports to the board of directors; upon identifying a significant risk exposure that might adversely affect its financial or business status or compliance with applicable acts and regulations, it shall take immediate and adequate countermeasures and submit a report to the board of directors.
The risk management mechanisms of a financial holding company shall include the following matters:
1.Monitoring the capital adequacy of the financial holding company and of all subsidiaries based on their respective business scale, credit, market, and operational risks, and future business trends.
2.Adopting adequate long- and short-term financing principles and guidelines, and establishing management mechanisms for measuring and monitoring the liquidity positions of the financial holding company and of all subsidiaries, by which to measure, monitor, and manage the liquidity risks of the financial holding company and of all subsidiaries.
3.Making various investment allocations after having considered the overall risk exposure, equity capital, and characteristics of liabilities of the financial holding company, and establishing various measures to manage investment risks.
4.Establishing uniform assessment methodologies for rating and classifying the quality of assets of the financial holding company and of all subsidiaries, calculating and controlling large risk exposures of the financial holding company and its subsidiaries, carrying out periodic reviews, and faithfully setting aside allowances or reserves for loss.
5.Building information security mechanisms and contingency plans with respect to business exchanges, transactions, or other activities between the financial holding company and its subsidiaries and between its subsidiaries.
The purpose of the internal audit system is to audit and assess whether the internal control system is effectively operating, to measure the efficiency of business operations, and to provide timely recommendations for improvement, all for the purposes of ensuring the on-going and effective implementation of the internal control system and assisting the board of directors and management in the effective discharge of their duties.
A financial holding company shall set up an internal audit unit reporting directly to the board of directors, prescribe the organization, staffing, and functions for internal audits, and establish the position of auditor general who shall oversee the audit affairs in a spirit of independence and impartiality and report at least semi-annually to the board of directors and supervisors.
An internal audit unit shall carry out the following activities:
1.Prepare internal audit working manuals and working papers, which shall at least include assessing the various rules and operating procedures of the internal control system to determine whether adequate internal controls are already in place in the current rules and procedures, whether each department has realistically carried out the internal controls, and whether the internal controls are carried out in a reasonably effective manner, and from time to time provide recommendations for improvement.
2.Prescribe the content of and procedures for self-audits and assessments of the internal control system, and monitor the implementation of periodic self-audits by each unit.
3.Formulate annual audit plans and, based on the business risk profile of and implementation of internal audits by each subsidiary, determine audit plans targeted at each individual subsidiary.
For the purpose of self-auditing its internal control system, a financial holding company shall see to it that all of its internal departments and subsidiaries carry out self-audits on at least an annual basis, and have its internal audit unit review the self-audit reports of each department and subsidiary; such self-audits, together with the reports on the correction of any deficiencies and irregularities discovered in the internal control system by the internal audit unit, shall serve as a basis for the board of directors, general manager, auditor general, and compliance officer to evaluate the overall efficacy of the internal control system and to issue internal control system statements.
An auditor general shall have leadership ability and the ability to effectively oversee internal audit work, and shall comply with the provisions governing the scope of and qualification requirements for the promoters and responsible persons of financial holding companies authorized under Article 17, paragraph 1, of the Act; the auditor general shall have rank equivalent to assistant general manager, and may not concurrently hold any position that might conflict with or otherwise impede the audit work.
The appointment, dismissal, or transfer of the auditor general shall be passed by the board of directors with a two-thirds majority of all directors, and be reported to the competent authority for approval. The appointment, dismissal, promotion, reward/discipline, rotation, and performance review of any personnel in the internal audit unit shall be reported by the auditor general to the chairperson for ratification. Where such a matter involves the personnel of other managerial units, the auditor general shall first request the personnel department to refer the matter to the general manager for consent, and then report to the chairperson for ratification.
The auditor general of a financial holding company may, having regard to operational needs, assign any internal auditor(s) from any subsidiary(ies) to carry out internal audit work of the financial holding company and of its subsidiaries, and shall be ultimately responsible for ensuring that an adequate and effective internal audit system is maintained by the financial holding company and by each subsidiary.
A financial holding company shall, after having regard to its investment scale, business condition, management needs, and relevant provisions of acts and regulations, staff competent persons in an appropriate number as full-time internal auditors who shall perform their duties in a detached, independent, objective, and impartial manner.
An internal auditor of a financial holding company shall meet the following qualification requirements:
1.Have not less than two years of experience in financial examination; or have graduated from a junior college, college, or university or passed a senior civil service examination or an examination equivalent to senior civil service examination and have not less than two years of experience in financial operations; or have not less than five years of experience in financial operations. A person is deemed as meeting such requirements if he or she has worked as a professional, such as an auditor in an accounting firm, or a programmer or system analyst in a computer company, and has received not less than three months of training in financial operations and administration.
2.Be free of any record of a demerit or more serious sanction from an employer in the last three years, unless the demerit record was a result of joint and several disciplinary action on account of the violation or offense of another person, and the demerit has been offset by other merits; and
3.If a lead auditor, have not less than three years of experience in auditing or financial examination, or have not less than one year of experience in auditing and not less than five years of experience in financial business.
An internal auditor of a financial holding company each year shall attend a minimum of 30 hours of finance-related professional training held by a competent authority-designated institution or by the financial holding company or a subsidiary thereof, so as to enhance his or her auditing quality and competence.
Not less than one-half of the training hours that an internal auditor attends as required in the preceding paragraph shall be finance-related professional training held by a competent authority-designated institution.
The internal auditors of a financial holding company shall perform their duties in good faith, and may not do any of the following:
1.Conceal or make false or inappropriate disclosures of any of the company's business activities, financial reporting, or compliance with acts and regulations that they know to directly cause damage to any interested party.
2.Act beyond the scope of audit functions or engage in other improper activities, or externally disclose any acquired information, attempt to profit therefrom, or otherwise use the information against the interest of the company.
3.Fail to recuse himself or herself from auditing of cases or business within the scope of his or her past duties or matters in which he or she has a personal interest.
4.Accept any improper entertainment or gift or other improper benefit.
5.Fail to audit matters that the competent authority has instructed him or her to audit or to provide relevant information.
6.Any other violation of an act or regulation, or practice prohibited by the FSC.
A financial holding company shall verify that its internal auditors meet the qualification requirements set forth herein. The verification documentation and records for such purpose shall be preserved in a separate file for future reference.
A financial holding company shall conduct a routine business audit at least annually, and a special business audit on its and all its subsidiaries' finances, risk management, and compliance with applicable acts and regulations at least semiannually, and prepare internal audit reports accordingly.
Where a financial holding company conducts the routine business audits set out under the preceding paragraph in a manner that covers the items and scope of a special business audit with respect to its and all its subsidiaries' finances, risk management, and compliance with applicable acts and regulations, and where the audit results reveal no significant deficiency, and it expressly states such in the internal audit report, it is not required to conduct a special business audit for that current half-year.
The internal audit report of a financial holding company shall be delivered to the supervisors for review and, within two months following completion of the audit, submitted to the competent authority by letter.
A financial holding company shall disclose at least the following information in its internal audit report for routine business audits:
1.Audit scope; summary commentary; investment activities; management of shares; financial status; capital adequacy; asset quality; compliance with major acts, regulations, and rules; internal controls; interested party transactions; risk management for loans extended, endorsements given, or any other transactions conducted by all subsidiaries of the financial holding company to, for, or with a same person, same related parties, or same affiliated enterprises; co-marketing and management of customer data confidentiality; and information management.
2.Status of improvement measures taken in response to the examination opinions given or deficiencies identified by the financial examination authority and by the internal audit unit, and taken to treat outstanding matters requiring stronger improvement efforts as specified in the internal control system statement.
All subsidiaries shall submit to the financial holding company their board meeting minutes, CPA audit reports, examination reports issued by the financial examination agency, and other relevant materials, and, for subsidiaries having established an internal audit unit, audit plans and reports on significant deficiencies identified in internal audit reports and the status of improvements thereof; the financial holding company shall review such documents and monitor the implementation of improvements by each subsidiary.
The auditor general of a financial holding company shall periodically evaluate the efficacy of the internal control activities of a subsidiary as set forth in the preceding paragraph and, after having reported to the board of directors, send the evaluation results to the relevant subsidiary's board of directors for their reference in personnel evaluations.
The internal audit unit of a financial holding company shall continually conduct follow-up reviews on any examination opinions or audit deficiencies brought up by the financial examination authority, CPA, or internal audit unit, and on matters specified in the internal control system statement as requiring stronger improvement efforts, and submit a written report on the implementation of improvement of deficiencies to the board of directors, together with a copy to the supervisors, and list these as an important factor in the relevant department's performance evaluations.
Where a financial holding company makes any concealment of poor internal management, unsatisfactory internal controls, inadequate implementation of the internal audit system and compliance officer system, or the results of implementation of improvement of any deficiency specified by a financial examination agency in an examination opinion requiring review and follow-up, or the internal audit unit otherwise conceals any audit findings, and where such concealment constitutes significant malpractice, the personnel involved shall be held responsible for negligence in their duties, and the matter will be taken into consideration by the competent authority when reviewing and making decisions on any applications filed by the financial holding company and its subsidiaries.
A financial holding company shall commend an internal auditor who identifies any significant malpractice or negligence and thereby averts material loss to the company.
When a significant deficiency or malpractice arises within a financial holding company, the internal audit unit shall have the power to suggest penalties and shall make a full disclosure of the responsible negligent personnel in an internal audit report.
When conducting self-audits to monitor compliance with applicable acts and regulations under Article 10, paragraph 2, conducting self-audits of its internal control system under Article 16, paragraph 2, and conducting routine and special business audits under Article 23, paragraph 1, a financial holding company shall in all such cases record the results in working papers that shall be preserved together with the self-audit or internal audit reports and relevant materials for not less than five years.
A financial holding company shall carefully assess and review the effectiveness of the design and operation of its internal control system, and, separately for self-audit results and internal audit reports, submit internal control system statements jointly signed and issued by the chairperson, general manager, auditor general, and compliance officer (as per attachment) to the board of directors for approval, and subsequently within four months from the end of each fiscal year disclose the information contained therein on the company's website and publish the same on a website designated by the competent authority.
The internal control system statement under the preceding paragraph shall be duly published in the annual report, stock issue prospectuses, and other prospectuses.
The internal auditors and compliance officer of a financial holding company shall immediately prepare a report for submission, with a notice to the supervisors and report to the competent authority, when their recommendations for improvements regarding significant deficiencies or noncompliance identified in internal controls are not accepted by management and as a result the financial holding company might incur a material loss.
The provisions of Article 23, paragraph 3, and Article 30 shall apply mutatis mutandis where a financial holding company has established the position of independent director(s) or established an audit committee.
A financial holding company shall, in a prescribed format and via an Internet-based information system, file with the competent authority for recordation the information on the name, age, educational background, experience, seniority, and training of its internal auditors by the end of January each year.
A financial holding company shall, in a prescribed format and via an Internet-based information system, file with the competent authority for recordation its next year's audit plan by the end of each fiscal year and a report on the execution of its preceding year's annual audit plan within two months from the end of each fiscal year.
A financial holding company shall, in a prescribed format and via an Internet-based information system, file with the competent authority for recordation its improvements of deficiencies and irregularities identified in the internal control system during the preceding year's internal auditing, within five months from the end of each fiscal year.
When any of the following circumstances applies to an auditor general in overseeing internal audit work, the competent authority may, having regard to the seriousness of the event, issue an official reprimand, order the auditor general to make improvements within a specified time limit, or otherwise order the financial holding company to release the auditor general from duty:
1.Has made any improper loan extension, been involved in a material breach of the principles for giving credit, or otherwise engaged in any improper transfer of funds with customers, as established by factual proof.
2.Has abused authority of office, there is evidence showing that he or she has carried out improper activities, or he or she has misused power, in an attempt to seek profits for himself or herself or for another.
3.Has disclosed or delivered information or made public the entire or any part of the financial examination report to any person unrelated to the execution of audit work without the approval of the competent authority.
4.Has failed to notify the competent authority of any significant malpractice that due to poor internal management has occurred in the financial holding company.
5.Has failed to disclose in an internal audit report any significant deficiency identified in the financial and business operations of the financial holding company.
6.Has issued a fraudulent internal audit report on internal audit findings.
7.As a result of obviously insufficient staffing or staffing of obviously incompetent internal auditors in the financial holding company, has failed to identify a serious deficiency in financial and business operations.
8.Has failed to follow the instructions of the competent authority in conducting audit work or in providing relevant information.
9.Has otherwise committed any act that impairs the reputation or interests of the financial holding company.
A financial holding company shall set out in its internal control system penalties for violations of these Regulations or its internal control system rules by managers and relevant personnel.
A financial holding company shall from time to time check whether there is any violation of Article 21 by its internal auditors, and, upon discovery of any such violation, shall adjust the position of the auditor within one month from the date of discovery.
When filing basic information of internal auditors under Article 32, a financial holding company shall check whether or not the internal auditors have met the requirements set forth in Articles 19 and 20; if not, the auditor shall make improvements within two months, failing which, the financial holding company shall promptly adjust the auditor's position.
The competent authority shall separately prescribe the formats of materials required hereunder.
These Regulations shall enter into force from the date of promulgation.
In the event of any discrepancy between this English translation and the original Chinese text, the original text will take precedence.