These rules are enacted pursuant to Paragraph 2, Article 17 of the Act Governing Issuance of Electronic Stored Value Cards (referred to as “the Act” hereunder).
An issuer shall verify the identity of a customer when processing a cash transaction above a certain dollar amount, or an electronic stored value card above a certain amount pursuant to the Regulations Governing Anti-Money Laundering of Financial Institutions by examining the identity document or passport provided by that customer, and recording the name of the individual or institution, date of birth, address, telephone number, ID document number, or the unified business number of the institution, the number or dollar amount of the electronic stored value card purchased, and the electronic stored value card number(s).
The following electronic stored value cards shall be registered by name:
1. Those that are co-branded with other financial payment instruments; however, this does not apply to those issued before April 1, 2012.
2. Those that can be used for internet transactions.
3. Those that can be automatically reloaded from a linked financial payment instrument.
4. Those that can transfer payment to other financial payment instruments.
5. Those that can redeem any payment during the process.
An issuer shall verify the cardholder’s identity when processing the registration of the electronic stored value card in a manner set forth in the Regulations Governing Anti-Money Laundering of Financial Institutions, and follow the provisions below:
1. Use reliable and independent documents, data, or information to identify and verify the customer’s identity, request the cardholder’s identity information, which shall at least include his or her name, nationality, date of birth, telephone number, electronic stored value card number, and ID document type and number, and keep a copy or record of such ID document.
2. If the cardholder provides a National Identity Card, contact the Ministry of the Interior, or the Joint Credit Information Center (hereinafter referred to as the “JCIC”) to look up the authenticity of the issuance/replacement/reissuance of the National ID Card; if the customer provides an alien permanent residence record, the issuer shall have the Ministry of the Interior authenticate the information.
3. Inquire of the JCIC about the following information, and keep relevant records:
(1) The deposit account information for any transaction which is suspiciously illegal or obviously abnormal.
(2) The information exchanged between the issuers pursuant to Subparagraphs 2 and 3, Paragraph 1, Article 2-1.
(3) The enhanced identity remarks requested by the individual.
(4) Other information prescribed by the competent authority.
The issuer shall prudently use any information obtained under Subparagraph 3 of the foregoing Paragraph, and decide whether to approve or reject the customer’s registration application at its objective discretion and independent judgment.
An issuer may be exempt from Paragraph 3 for issuing the following registered electronic stored value cards conforming with Article 7 of the Regulations Governing Anti-Money Laundering of Financial Institutions provided that:
1. The identity of an overseas cardholder has been verified by an overseas contracted institution in a manner of verification not less intense than Paragraph 3.
2. The issuance is a collaboration with a bank, school, telecommunications company, or governmental agency, combined with another financial payment instrument, student ID card, user number, ID document, or other registered instruments, or connected to other financial payment instruments.
Where an electronic stored value card issued by an issuer by January 1, 2019 does not conform with the requirements of Subparagraph 1, Paragraph 3, or the foregoing Paragraph, the issuer shall modify it to comply with the requirements before December 31, 2019. Any electronic stored value card that is not modified to conform with the requirements shall be deemed as an unregistered electronic stored value card.
An issuer may suspend the use of all or part of the services of the electronic stored value card, or immediately terminate the contract for significant incidents if the cardholder of a registered electronic stored value card has one of the following situations:
1. Refuses to cooperate with the verification, or re-verification of identity.
2. Would have submitted fake identity information.
3. Has used the electronic stored value card to engage in fraud, money-laundering, other illegal activities, or suspicious misconduct as sufficiently evidenced.
The issuer shall notify the JCIC when terminating the contract with the user pursuant to Subparagraphs 2 and 3 of the foregoing Paragraph.
Issuers shall transmit the information related to the business of electronic stored value cards to the JCIC.
Said transmission, scope of inquired information, filing and looking up method, fee standard, process management, disclosure period, information security control, and inspection procedures shall be prescribed by the JCIC and approved by the competent authority.
That the JCIC collects, processes, or uses the information transmitted by the issuers pursuant to Paragraph 1, is deemed as the necessary fulfilling obligation as described in Subparagraph 2, Paragraph 2, Article 8 of the Personal Information Protection Act (hereinafter referred to as the “PIPA”), and exempt from the notice subject to Article 9, Paragraph 1 of the PIPA.
No information transmitted and disclosed by the issuers pursuant to Paragraph 1 shall contain any false or untrue statements to ensure the accuracy of information.
Issuers shall specify their contact information, and the methods for looking up the rights and obligations of the cardholders of the electronic stored value card, in writing or by electronic document, and notify the cardholders about the following matters:
1. The method of using the stored value card, causes for termination and means of refund.
2. Processing fees, and other charges that shall be paid by the cardholders. The description shall be written in plain language, and supplemented with examples.
3. The process of handling any disputed transaction of the electronic stored value cards.
4. The rights and obligations of the cardholders.
5. Other matters as required by the Competent Authority.
In addition to the above mandatory notifications, the issuers of registered electronic stored value cards shall notify the cardholders about the following matters in writing or by electronic document:
1. The procedure for handling lost, stolen, or destroyed electronic stored value cards;
2. The relevant rights and obligations when the electronic stored value card is misappropriated or used by a person other than the cardholder, altered, or counterfeited;
If the two foregoing matters are provided in an electronic document, the issuer shall specify the methods for looking up the terms and conditions of the cardholders on the electronic stored value card or in writing.
The statements in the written or electronic document under Paragraphs 1 and 2 shall be in plain and clear language. Any important information related to the cardholder’s rights shall be clearly marked.
The electronic document mentioned in Paragraph 1 and Paragraph 2 hereof is an electronic record referred to in Subparagraph 1, Paragraph 1, Article 2 of the Electronic Signatures Act.
The fees charged to cardholders by the issuer should reasonably reflect its costs.
A cardholder may report the loss and request to disable a lost or stolen electronic stored value card if it is one of the types below:
1. A registered electronic stored value card.
2. A registered electronic stored value card issued by an issuer by January 1, 2019 but not modified to conform with the requirements of Subparagraph 1, Paragraph 3, or Paragraph 5, Article 2, provided that the cardholder has been requested to submit the identity information under Subparagraph 1, Paragraph 3, Article 2.
3. An unregistered electronic stored value card, which is issued in collaboration with a bank, school, telecommunications company or governmental agency, combined with a student ID card, user number, ID document, or other registered instrument, provided that the cardholder has been requested to submit the identity information under Subparagraph 1, Paragraph 3, Article 2.
4. An unregistered electronic stored value card, which is issued for a special certain group in accordance with the policy of the governmental agency, provided that the cardholder has been requested to submit the identity information under Subparagraph 1, Paragraph 3, Article 2.
Issuers shall fill the same amount loaded into an electronic stored value card as the value stored in that card.
Issuers must not limit the time or number of use for the monetary value stored in a reloadable electronic stored value card. If the monetary value is stored in a disposable electronic stored value card, the issuer shall specify the expiration, limited number of use, and how to cease the use, if applicable, on the electronic stored value card.
Issuers shall comply with the requirements of the PIPA, and establish a management system when providing the electronic stored value card number to other persons for use.
Issuers shall follow the following requirements when providing the block storage of the electronic stored value cards for other persons for use:
1. Specify the internal control system and procedures for providing the block storage of the electronic stored value cards to other persons for use, and submit for the approval of the Board of Directors; the same rule shall be applied when amending the internal control system and procedures.
2. Specify the internal control system, which shall at least cover:
(1) The scope of the block storage that may be provided to other persons for use.
(2) The contract setting forth the allocation of responsibilities that shall be in place and signed with the user of the block storage.
(3) Ensure the secrecy and security of the data stored in the block storage.
(4) The user of the block storage shall notify the cardholders about such event, and the rights and obligations between them.
(5) Ensure that the user of the block storage has complied with all laws and regulations, including the PIPA and Consumer Protection Act, with respect to the use of the block.
(6) Specify the contact information of the user of the block storage, and the methods for looking up the rights and obligations of the cardholders in a manner prescribed in the foregoing Article. Inform the cardholders that the issuer only provides the services of electronic stored value cards, and does not engage in the business of the user of the block storage which provides products or services.
(7) Establish the protection of the rights of consumers, and a risk management system.
3. If the block storage is for storing monetary value, the issuer shall issue the same as a co-brand electronic stored value card with the user of the block storage, unless the user is a governmental agency.
If an issuer has provided the block storage of the electronic stored value cards to other people for use by the promulgation of the amended provisions of these Rules on November 5, 2018, it shall modify the arrangement to conform with the foregoing Paragraph within one year hereafter.
The transactions of electronic stored value cards do not include fund transfer between the cards.
An issuer shall not provide credit line or overdraft service to cardholders of the electronic stored value cards. However, the preceding provision does not include one-time advance when the card is used to pay the fee of public transportation service or parking service referred to in the Mass Transportation Development Act.
Issuers shall provide the service that allows cardholders to inquire the transaction amount and the stored balance in the electronic stored value card.
Issuers bear the burden of proof in the event a dispute arises out of an unauthorized transaction of the electronic stored value card and bear the loss from such transaction if the cardholder is found not at fault.
An issuer that transfers funds pursuant to Article 5-1 of the Act shall follow the following provisions:
1. The issuer shall keep all records obtained in verifying a cardholder's identity in registered card issuance operation for at least five (5) years after the business relationship with the cardholder ends.
2. The issuer shall keep transaction details on transfer of funds stored in the cardholder's registered electronic stored value card into his/her electronic payment account, including time of transfer, the electronic stored value card number, the electronic payment account number, amount of transfer, code of transfer processing equipment, and transfer result.
3. When the issuer signs up an electronic payment institution as a contracted merchant, the issuer shall state in the contract that the electronic payment institution may not pass the transfer transaction fee to the cardholders.
Issuers who accept the cardholders to reload their electronic stored value cards from a linked deposit account (including debit card) shall comply with the following requirements:
1. The linked deposit account for reloading the electronic stored value card must be registered by name.
2. The linked deposit account shall be held by the cardholder, his or her spouse, direct blood relative, or custodian. The issuer shall request the cardholder provide the supporting documents to prove such relationship. The application shall be accepted subject to verification. The issuer shall keep a copy or record of such supporting documents.
3. Each electronic stored value card can only be linked to one deposit account.
4. The issuer shall reasonably restrict the number of electronic stored value cards linked to a deposit account held by a single cardholder. If the owner of the nominated deposit account and the cardholder are different, each person can only apply with the issuer for one electronic stored value card which is linked to another person’s deposit account.
5. Maximum amount for automatic reload:
(1) If the cardholder is the owner of the linked deposit account, the issuer and the cardholder shall agree upon the maximum amount for single transaction and daily limit for automatic reload, and the cardholder shall be allowed to terminate the automatic reload function.
(2) If the cardholder is not the owner of the linked deposit account:
A. The maximum amount that can be automatically reloaded onto a single electronic stored value card per day is NT$3,000.
B. The maximum amount each deposit account at a financial institution can reload onto other persons’ electronic stored value cards per month is NT$30,000. The account owner shall be allowed to select, and agree on a lower amount for the limit with his or her financial institution.
6. The issuer or the financial institution of the deposit account shall provide real-time notification or a monthly billing statement to the account owner about the reload history.
If an issuer accepts the cardholders to reload their electronic stored value cards from a linked deposit account (including debit card) by the promulgation of the amended provisions of these Rules on November 5, 2018, it shall modify the arrangement to conform with the foregoing Paragraph within one year.
The issuer may allow the cardholders to reload the electronic stored value cards with their credit card subject to the following requirements:
1. Only New Taiwan Dollars are accepted for reloading the balance.
2. The issuer shall specify the maximum amount for using a credit card to reload per transaction, and set up the risk control system.
3. The amount reloaded with a credit card cannot be redeemed, or transferred to another financial payment instrument for withdrawal.
4. For automatic reload with a credit card, each electronic stored value card can only be linked to one credit card owned by the cardholder. The issuer and the cardholder shall agree upon the maximum amount for a single transaction and daily limit for automatic reload, and the cardholder shall be allowed to terminate the automatic reload function.
5. The issuer or the credit card issuer shall provide real-time notification or a monthly billing statement to the credit card owner about the reload history.
To allow the use of the electronic stored value cards in internet transactions, the issuer shall submit the operation proposal to the competent authority for approval, and comply with the following requirements:
1. Register the card pursuant to Article 2, and verify the mobile number provided by the cardholder.
2. The aggregate monthly payment of internet transactions shall not exceed NT$30,000. If a single cardholder holds two or more electronic stored value cards which are issued by the same issuer and can be used in internet transactions, the transaction amount of all cards held by the individual shall be added together, and the total transaction amount entered into his or her account shall not exceed the foregoing limit.
3. If there is any consumer dispute regarding non-provision of products or services between the merchant and the cardholder arising from an internet transaction, the merchant and the issuer who engages said merchant shall bear the burden of proof. The issuer shall specify the procedures for disputed payment if the product or service has not been provided.
4. The issuer shall establish the mechanisms of risk control, fraud prevention, anti-money laundering, and countering the financing of terrorism for internet transactions.
When a cardholder terminates the use of an electronic stored value card, he or she may ask the issuer to refund the balance in the card and the amount collected in advance and promised to be refunded by the issuer within a reasonable period of time.
For bearer electronic stored value cards, the issuers should not refund the balance in the card in part or in whole, except in the case of termination of card use referred to in the preceding paragraph.
An issuer shall include the materials produced for the advertising or other marketing activities of its electronic stored value card business under the management of its internal control systems and ensure that such materials are free of improper content, false representation, misleading information or violation of relevant laws or regulations, and have been reviewed by its chief compliance or auditing officer before being released for external use.
If an issuer collects certain amount in advance from the cardholders and promises to refund it later, except for money stored in the electronic stored value card which shall be handled in accordance with Articles 18 ~ 20 of the Act, the remainder of collected amount shall be declared trust in full or fully guaranteed by a bank.
Issuers shall declare trust in accordance with the preceding article by depositing the amount collected from the cardholders each day into a trust account under the trust agreement on the next business day.
The amount declared trust may not be drawn unless for the following purposes:
1. To reimburse the cardholders upon request.
2. To make use of the trust property.
3. To dispense interest or other income earned from the trust property to the issuer.
A trust enterprise may make use of the trust property only in any of the following manners:
1. Deposit it in banks.
2. Purchase government bonds or bank debentures.
3. Purchase treasury bills or negotiable certificates of deposit.
4. Purchase other financial products approved by the Competent Authority.
A trust enterprise shall dispense the interest or other income earned from the trust property, less costs, necessary expenses and loss, to the issuer in the year of income occurred according to the trust agreement.
Except for the drawing of the trust property, the mandatory and prohibitory provisions to be included in the trust agreement shall conform to the provisions in the Mandatory and Prohibitory Provisions To Be Included In Trust Contract for the Stored Value of Electronic Stored Value Cards.
The claims of the cardholders arising from the electronic stored value cards they hold over the trust property deposited with a trust enterprise shall have precedence over the claims of other creditors of the issuer and the right to compensation of the issuer’s shareholders.
“Full guarantee from a bank” referred to in Article 9 herein means that the issuer shall enter a full performance guarantee agreement with a bank where the bank assumes the guarantee responsibility for the balance of funds received by the issuer.
An issuer shall complete the contract renewal or enter a new contract according to Article 9 herein at least one month before the expiration of the trust contract or the guarantee agreement, and report the same to the Competent Authority in writing.
An issuer that fails to conform to the preceding paragraph is not allowed to issue new cards.
An issuer shall appoint an accountant to conduct quarterly audit of the state of compliance with Article 9 herein, and submit the accountant’s audit report to the Competent Authority for reference in one (1) month after the end of each quarter.
The trust declared by issuers in accordance with Article 9 herein and Article 18 of the Act shall be handled according to the following rules:
1. Where the balance of the trust property as regularly settled by the trust enterprises does not reach the level required of the issuer to declare trust, the issuer shall, as notified by the trust enterprise, deposit the shortfall in cash into the trust account.
2. The trust enterprise shall comply with the specific conditions when making use of the trust property to make bank deposits, purchase bank debentures or purchase negotiable certificates of deposit. Such bank holding the deposit, or issuing the debenture and negotiable certificates of deposit shall meet the following criteria:
(1) The ratio of regulatory capital and risk weighted assets as filed with the competent authority in the last quarter shall comply with Article 5 of the Regulations Governing the Capital Adequacy and Capital Category of Banks.
(2) The average non-performing loans ratio of the last three months is lower than 2 per cent.
(3) There is no consecutive accumulated deficit in the last two years based on CPA audit.
Where an issuer acquires full performance guarantee from a bank in accordance with Article 9 herein and Article 18 of the Act, the bank that signs the performance guarantee agreement with the issuer shall meet the criteria specified in Subparagraph 2 of the foregoing Article.
The amount collected by an issuer that acquires full performance guarantee from a bank as mentioned in the preceding paragraph shall be used only in the following manners:
1. Deposit it in banks.
2. Purchase government bonds or bank debentures.
3. Purchase treasury bills or negotiable certificates of deposit.
4. Other manners as approved by the Competent Authority.
The bank deposits, bank debentures and negotiable certificates of deposit shall meet the specific conditions set forth in Subparagraph 2 of the foregoing Article.
For interest or other income earned by a non-bank issuer from utilizing funds mentioned in Paragraph 1, Article 18 of the Act, the non-bank issuer shall, within five (5) business days after receiving the income, set aside the required amount and deposit it in a dedicated account opened with a bank in accordance with Paragraph 3, Article 18 of the Act.
The non-bank issuer shall engage an accountant to conduct audit of the state of compliance with the preceding paragraph every half fiscal year, and submit the accountant’s audit report to the Competent Authority for record in two (2) months after the end of every half fiscal year.
Issuers shall not invest in other enterprises, unless it is a subsidiary that the investment in which has been approved by the Competent Authority, the business of the subsidiary is closely related to that of the issuer, and in which the issuer holds more than fifty percent (50%) of the issued shares of the subsidiary.
The total investment made by an issuer shall not exceed ten percent (10%) of the balance of its paid-in capital at the time of investment less the minimum paid-in capital as stipulated under the Act and accumulated loss.
Issuers shall draw up internal operating guidelines for the utilization of own funds and submit the guidelines and any subsequent revisions thereto to the board of directors for approval.
Issuers may not provide guarantees for others.
If deemed necessary, the Competent Authority may prescribe requirement for the debt ratios of issuers.
Issuers that set up new business outlets shall, within five (5) working days from the date of setup, report the date of setup, address, and scope of business of the new outlet to the Competent Authority for reference. The preceding provision applies to the relocation or closing of business outlets.
Issuers that apply for approval to conduct other businesses pursuant to Article 5 of the Act shall submit a business plan and the meeting minutes of their board of directors to the Competent Authority to apply for approval.
The business plan in the preceding paragraph shall contain the following particulars:
1. Purpose for conducting such business;
2. Analysis of legal compliance for conducting such business;
3. Agreements among relevant parties to such business regarding their respective rights and obligations;
4. Business rules, business procedures and risk management; and
5. Market prospects, and risk/benefit evaluation.
When the business rules, business procedures or rights and obligations of relevant parties of the electronic stored value card business of an issuer differ from those proposed in the business plan originally approved by the Competent Authority and the difference has material impact on consumer interest, the issuer shall take actions in accordance with the preceding two paragraphs.
If an issuer that provides terminal equipment and shares it with other issuers, credit card acquirers or electronic payment institutes meets any of the following conditions, the provisions in the preceding paragraph shall not apply to such issuer:
1. The issuer and the institutes sharing the use of terminal equipment (hereafter referred to as “Sharing Institutes”) each connect with the shared terminal equipment and deliver the transaction information of each party to each institute's system, and then process the transaction by each system.
2. The issuer is appointed by Sharing Institutes to deliver the transaction information of Sharing Institutes from the shared terminal equipment to Sharing Institutes through the issuer’s internet, but the issuer is not involved in the handling of transaction information of Sharing Institutes.
Where an issuer plans to terminate part of its business, it shall apply to the Competent Authority for approval by submitting a plan. The plan in the preceding paragraph shall contain the following particulars:
1. The reason for the planned termination or not being able to continue; and
2. A concrete explanation of the handling of existing customers' rights and obligations or alternative methods for providing services.
An issuer that plans to suspend part of its business shall apply to the Competent Authority for approval by submitting a plan and information on the duration of planned suspension. When such issuer plans to resume business, it shall report in writing to the Competent Authority for reference in advance.
When signing a contract with a merchant, the issuer shall establish the merchant review process based on the type of the merchant, transaction amount, transaction model (face-to-face or indirect), risk of deferred products or services, and the offered products, and enhance the education and training, audit management, and regular merchant inspection. There shall be a daily abnormal transaction monitoring mechanism for indirect transactions with high-risk merchants in place to protect the cardholders’ rights.
The issuer shall request the merchant to allow the cardholder to verify the transaction records through any of the following methods upon the completion of the transaction processed with an electronic stored value card:
1. Provide a receipt that shows the amount deducted from the electronic stored value card, and the card balance for verification.
2. Show the amount deducted from the electronic stored value card and the balance upon the completion of the transaction; allow the cardholder to choose whether to print out the receipt.
3. Show the amount deducted from the electronic stored value card and the balance upon the completion of the transaction; have the issuer provide the approaches for the cardholder to look up their transaction history in the future.
4. Notify the cardholder of the amount deducted from the electronic stored value card and the balance upon the completion of the transaction by text message, email, online platform, mobile application, or other means.
This rule does not apply if the merchant in the foregoing Paragraph is a public transport company, or parking lot service provider as defined in the Act of Encouraging Public Transportation Development, or is a public phone service operator, and can display the amount deducted from the electronic stored value card and the balance during the transaction with the cardholder.
Issuers shall require that contracted merchants not refuse to accept electronic stored value cards for transactions without justified reason.
Issuers shall file periodic reports on their electronic stored value card business with an institution designated by the Competent Authority.
The institution designated by the Competent Authority under the preceding paragraph shall determine the scope of information to be reported and rules for the filing operations, and submit the same to the Competent Authority for reference.
Issuers shall establish internal control and audit systems and implement them diligently and effectively.
The internal control systems of an issuer regarding management and business rules of organization charter, overall business strategy, major policies, material risks, shall be passed by its board of directors, whereas the rest of the operations shall be carried out in accordance with the internal division of responsibility and authorization rules passed by the board of directors. If any of the directors voices opposition or reservation in a board of directors’ meeting, such opinions and reasons held shall be documented in the meeting minutes, which, together with the internal control systems passed by the board of directors, shall be submitted to the supervisors or the audit committee of the issuer. The preceding provision applies to any revision to the internal control systems.
Issuers shall set up an internal audit unit directly under the board of directors, and assign an appropriate number of qualified and full-time internal auditors, including the computer auditor.
The internal audit unit shall, based on the results of risk assessment, draft annual audit plan and seek the approval of the board of directors. The preceding provision applies to any revision to the annual audit plan.
The internal audit unit of an issuer shall conduct at least one general audit and one special audit a year of the business, assets safekeeping and information technology units, and shall conduct at least one special audit of other management units a year. The internal audit reports shall be submitted to the supervisors as well as independent director(s) or the audit committee, if applicable, for review. The internal audit reports shall also be filed with the Competent Authority in two (2) months from the completion of the audit.
Issuers may outsource the businesses in the business license, or the processing of cardholders’ information pursuant to Paragraph 4, Article 5 of the Act only to the extent of:
1. Sales and return of bearer electronic stored value cards;
2. Value adding operation of electronic stored value cards;
3. Data Processing: Including data registration, processing, and output in the information system; development, monitoring, and maintenance of the information system; and back-end support for data processing.
4. Customer Services: Including interactive voice response, reply and processing of emails from cardholders, inquiry and assistance about the electronic stored value card services.
5. Transport operations of cash and electronic stored value cards;
6. Installation, test, maintenance, training and examination operations of terminal equipment of electronic stored value cards;
7. Sharing the terminal equipment of other issuers, credit card acquirers, merchants, value-added institutions, or electronic payment institutes, connecting with the shared terminal equipment on its own, and then delivering its own transaction information to the system belonging to itself for the handling of transactions;
8. Sharing the terminal equipment of other issuers, credit card acquirers, merchants, value-added institutions, or electronic payment institutes and appointing the provider of such terminal equipment to deliver the transaction information belonging to itself. However, the provider of such terminal equipment is not involved in the handling of transaction information.
9. Production and code generation of electronic stored value cards.
10. Download and issuance of electronic stored value cards from a trustworthy cloud service management platform.
11. Registration operations of electronic stored value cards; return and refund operations of registered electronic stored value cards.
12. Promotion of electronic stored value cards acquiring services by other issuers and credit card acquirers, and merchant inspection; provided that the issuer shall enter into the contract with said merchant on its own.
13. Clearing of electronic stored value cards by other issuers sharing the terminal equipment, and the credit card acquirer.
14. Storage of forms and receipts.
15. Cardholder identity verification of offshore cardholders by an offshore contractor.
16. Other operations approved for outsourcing by the Competent Authority.
Issuers shall comply with the following rules when outsourcing their operations:
1. The issuer shall adopt internal operating systems and procedures covering the scope of matters that can be outsourced, protection of cardholder rights and interests, risk management, and internal control principles, and those operating systems and procedures and any subsequent revisions thereto shall be passed by the board of directors.
2. Outsourcing the processes in connection with collecting, processing, and using personal information under Subparagraph 3, and Subparagraphs 15 and 16 in the foregoing Paragraph requires prior approval of the Competent Authority. Other outsourced processes shall be reported to the Competent Authority within five business days of the initial provision of such services.
3. The issuer shall make sure the outsourcing service providers meet its requirements for operational security and risk management.
4. The issuer shall ask the outsourcing service providers to comply with the mandatory or prohibitory provisions of laws.
5. The issuer shall demand that the outsourcing service providers agree to give the Competent Authority and the Central Bank of the ROC access to data or reports relating to the outsourced operation and allow them to conduct financial examination.
6. The issuer shall be held jointly liable as provided by law for customers whose interests are damaged by the intentional act or negligence of an outsourcing service provider or its employees.
The outsourcing procedure of a bank for operations provided in Paragraph 1 hereof shall comply with Article 4 of the Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation and the bank's internal outsourcing rules approved by its board of directors.
An issuer shall file its outsourced items, content and scope accurately in a manner prescribed by the Competent Authority.
An issuer having any of the situations below shall report to the Competent Authority for prior approval:
1. Change of articles of incorporation.
2. Undergoing merger or acquisition.
3. Transferring all or major part of operations or assets to others.
4. Receiving the transfer of all or major part of operations or assets from others.
5. Change of capital.
6. Change of business place.
7. Other matters that require prior approval as prescribed by the Competent Authority.
An issuer having any of the following events shall promptly report to the Competent Authority by stating the particulars of the event and providing related information, and send a copy of the same to the Central Bank of the ROC:
1. Transfer of equity or change of equity structure involving more than ten percent (10%) of its ownership.
2. Having an incidence of a bounced check due to insufficient funds, being denied services by banks, or having other events that cause loss of good credit standing.
3. Having a litigious or non-litigious event, or an administrative disposition or administrative lawsuit that has material impact on the finance or business of the institution.
4. Having a situation provided in Subparagraph 1, Paragraph 1, Article 185 of the Company Law.
5. Having a fraud or material deficiency in internal controls.
6. Having an information security breach that results in damage to the interests of customers or affects the sound operation of the institution.
7. Other significant events that are sufficient to affect the operation or the interests of shareholders.
The provisions in Articles 9 ~ 14, Article 16, Article 21, Article 23 and Article 24 herein do not apply to banks engaging concurrently in electronic stored value card business.
The provisions in Articles 14, 16, 21, 23 and 24 herein do not apply to electronic payment institutions engaging concurrently in electronic stored value card business.
Paragraphs 3, 5, and 6 of Article 2, Articles 2-1, 2-2, Subparagraphs 2 to 4, Paragraph 7, Article 3, and Subparagraph 1, Article 6 of the Rules as amended on November 5, 2018 shall be effective as of January 1, 2019. Other amended and reinstated provisions shall be effective as of the date of promulgation.