Chapter 1 General Principles
These Regulations are enacted in accordance with Paragraph 1, Article 148-3 of the Insurance Act (the "Act").
The term "internal control system" as used in these Regulations means a management process designed by the management, passed by the board of directors, and implemented by the board of directors, management and other employees. The purpose of internal control system is to promote sound business operations of an insurance enterprise so as to reasonably ensure that the following objectives are achieved:
1. The insurance enterprise operates its business in a prudent manner in accordance with the policies and strategies formulated by its board of directors to achieve effectiveness and efficiency in profitability and performance.
2. All transactions are properly authorized;
3. Assets are safeguarded;
4. Financial and other records provide reliable, timely, transparent, complete, accurate and verifiable information and comply with relevant rules and regulations;
5. Management can identify, assess, manage and control operational risks and maintain sufficient capital to address operational risk exposures; and
6. Compliance with applicable rules and regulations.
The internal control system of an insurance enterprise shall be passed by its board of directors. If any director expresses reservation or dissenting opinions, those opinions and reasons therefor shall be recorded in the meeting minutes of the board of directors, which, together with the internal control system passed by the board, shall be submitted to the supervisors or the audit committee. The preceding provision applies to revisions of the internal control system.
If the insurance enterprise has independent director(s), the opinions of respective independent director should be taken into consideration fully when the internal control system is submitted to the board for discussion in accordance with the preceding paragraph. The reservation or dissenting opinions of the independent director(s) and reasons therefor shall be recorded in the meeting minutes of the board of directors.
If the insurance enterprise has established an audit committee, the adoption or revision of its internal control system shall be subject to the consent of at least the majority of the audit committee members and be submitted to the board of directors for a resolution.
Any matter under the preceding paragraph that has not been approved with the consent of at least the majority of the audit committee members may be adopted with the consent of at least two-thirds of all directors, and the resolution adopted by the audit committee shall be recorded in the meeting minutes of the board of directors.
The board of directors of the insurance enterprise shall be aware of the risks it faces in its operations, supervise its operating results and be ultimately responsible for ensuring the establishment and maintenance of a proper and effective internal control system.
Chapter 2 The Design and Implementation of Internal Control System
The internal control system of an insurance enterprise shall incorporate at least the following components:
1. Control environment: The control environment is the basis for the design and implementation of the internal control system of an insurance enterprise. The control environment encompasses the integrity and ethical values of the insurance enterprise, governance oversight responsibility of its board of directors and supervisors or audit committee, organizational structure, assignment of authority and responsibility, human resources policy, performance measures and awards and discipline. The board of directors and management shall establish internal code of conduct, including the code of conduct for directors and code of conduct for employees.
2. Risk assessment: A precondition to risk assessment is the establishment of objectives, linked at different levels of an insurance enterprise, and the suitability of the objectives should also be taken into consideration. The management should consider the impact of changes in the external environment and its own business model, and possible fraud scenarios that may occur. The risk assessment results can assist the insurance enterprise in designing, correcting, and implementing necessary controls in a timely manner.
3. Control operations: Control operations are means the actions of adopting proper policies and procedures by an insurance enterprise based on its risk assessment results to control risks within a tolerable range. Control operations shall be performed at all levels of the insurance enterprise, at various stages of business processes, and over the technology environment, and shall include supervision and management over subsidiaries.
4. Information and communication: Information and communication means relevant and quality information that an insurance enterprise obtains, generates, and uses from both internal and external sources to support the continuous functioning of other components of internal control, and to ensure that information can be effectively communicated within and outside the organization. The internal control system must have mechanisms to generate information necessary for planning, implementation, and monitoring, and to enable timely access to information by those who need it.
5. Monitoring operations: Monitoring operations means ongoing evaluations, individual evaluations, or some combination of the two used by an insurance enterprise to ascertain whether each of the components of internal control is present and continuously functioning. Ongoing evaluations means routine evaluations built into the course of operations at different levels. Individual evaluations are evaluations conducted by different personnel such as internal auditors, supervisors or audit committee, or the board of directors. Findings of deficiencies of the internal control system shall be communicated to the management of appropriate levels, the board of directors, and supervisors or audit committee, and improvements shall be made in a timely manner.
The code of conduct for directors specified in Subparagh 1 of the preceding article shall contain at least the rules that when a director discovers that the insurance enterprise is in danger of suffering material loss or damage, he shall handle the matter properly as soon as possible, immediately notify the audit committee or the independent directors or supervisors, report it to the board of directors and supervise the insurance enterprise to report to the competent authority.
An insurance enterprise shall, based on its business nature and scale, establish operating procedures for at least the following control operations according to the principles of internal check, and review and revise such procedures in a timely manner:
1. Insurance product development and management operation: Including risk assessment of insurance products, evaluation of premium rate adequacy, assessment of reserve adequacy and the product management operation.
2. Product sales operation: Including promotional materials and information to be disclosed in insurance policy, business solicitation, underwriting, contract conversion, reinstatement, conservation, fees and charges.
3. Claim operation: Including investigation of accident, review and payment operation.
4. Fund utilization operation: Including holistic investment policies, acquisition, custody and disposal of various investment assets, and rules for related party transactions.
5. Solvency assessment operation: Including assessment of provisions for various kinds of reserves, evaluation of asset quality, the match of assets and liabilities, resolution of overdue loans and non-accrual loans, management of investment and fund liquidity, assessment of financial conditions and capital adequacy, insurance enterprise risk management and assessment of the insurance enterprise’s self risks and solvency.
6. Processing derivatives transactions operation: Including trading principles and guidelines, operating procedures, announcement and reporting procedures, accounting treatment, internal control and audit system.
7. Reinsurance operation: Including methods of reinsurance, assessment of risks and risk tolerance, reinsurance retention ratio and selection of reinsurers and reinsurance brokers.
8. Control operations of accounting, general affairs, resources, personnel management and other businesses.
9. Management of financial examination reports.
10. Management of financial consumers protection.
11. Management of the application of International Financial Reporting Standards.
12. Mechanism for handling major contingencies.
13. Mechanism for anti-money laundering and combating the financing of terrorism (AML/CFT) and management of compliance with relevant laws and regulations, including the management mechanism for identifying, assessing, and monitoring AML/CFT risks.
14. Other matters designated by the competent authority.
Where an insurance enterprise is required to establish a remuneration committee according to law, the insurance enterprise shall design internal controls and operating procedures for the operation and management of the remuneration committee.
Where an insurance enterprise has an audit committee established, its internal control system shall also include the management of the audit committee meeting procedures.
For the stipulation, revision or abolition of all operational and management regulations mentioned in the preceding three paragraphs, it requires the participation of regulatory compliance, internal audit, and risk management agencies.
An insurance enterprise that uses a computerized information processing system shall, in addition to clearly delineating the authority and responsibility of information and user departments, include at least the following control operations in its internal control system and observe the self-regulatory rules established by the trade association it belongs to:
1. Clear division of authority and responsibility of the information processing department;
2. Control of system development and program modification;
3. System documentation control;
4. Program and data access control;
5. Data input/output control;
6. Data processing control;
7. Security control of the entrance of computer room;
8. System, files, computer and communications equipment security control;
9. Control of purchase, usage, and maintenance of hardware and system software;
10. Prevention and control of spread of computer viruses and hacker invasion;
11. Control of system recovery plan, disaster backup plan and testing procedures;
12. Control of outsourcing of core businesses;
13. Confidentiality and security control of classified data of customers and company; and
14. Prevention and control of computer crimes.
The Life Insurance Association of the Republic of China and The Non-Life Insurance Association of the Republic of China shall establish and periodically review self-regulatory rules for information security.
An insurance enterprise shall set up a dedicated information security unit and appoint a chief information security officer that may not handle concurrently information operation or other affairs that may pose a conflict of interest, and shall be allocated with proper manpower resources and equipment, except as otherwise provided by the competent authority with respect to insurance cooperatives.
An insurance enterprise whose total assets in the previous year as audited by a CPA exceed NTD 1 trillion shall appoint a person at the level of vice president or higher or a person in an equivalent position to serve concurrently as the chief information security officer, who shall oversee the implementation of information security policies and allocation of resources. It shall also set up a dedicated information security unit with independent function and appoint a person at the level of associate general manager or higher or a person in an equivalent position to be the chief officer of such dedicated information security unit.
The dedicated information security unit of an insurance enterprise is in charge of planning, monitoring and implementing information security management operation. The chief information security officer (the supervisor of the dedicated information security unit if no chief information security officer is appointed) shall, together with personnel specified in Paragraph 1, Article 25, jointly issue an internal control system statement to the board of directors (council) for approval.
The personnel of the dedicated information security unit of an insurance enterprise shall attend at least 15 hours of professional courses on information security, or on-the-job training every year. The personnel of the head office, domestic and foreign business units, product development management unit, fund utilization unit, information units, asset custody unit, and other management units shall attend at least 3 hours of information security courses every year.
Insurance enterprises governed by Paragraph 2 hereof shall make adjustment to become compliant within six months after it meets the applicable condition set forth therein.
For the purpose of maintaining effective operation of its internal control system to achieve the objectives of internal control set out in Article 2 herein, an insurance enterprise shall establish such three defense lines for internal control, including a self-inspection system, a regulatory compliance system and risk management mechanism and an internal audit system.
To implement the regulations in the foregoing paragraph, the insurance enterprise shall adopt the following measures:
1. Internal audit system: an audit unit shall be set up to take charge of auditing each unit and periodically evaluating the performance of self-inspection conducted by each business unit.
2. Regulatory compliance system: The chief compliance officer examines duly whether business personnel comply with relevant laws and regulations in conducting business in accordance with the compliance plan developed by the head office.
3. Self-inspection system: Members of business, financial and information units check on each other the actual implementation of internal controls under the supervision of managerial personnel or personnel at comparable position or higher as assigned by each unit to discover deficiencies early and take corrective actions in a timely manner.
4. CPA auditor system: When a certified public accountant (CPA) engaged by an insurance enterprise conducts annual audit of the enterprise, the CPA should also examine the effectiveness of its internal control system and express opinions on the accuracy of financial information the enterprise files with the competent authority and the status of implementation of internal control system and regulatory compliance system.
5. Risk management mechanism: Establish independent and effective risk management mechanism to assess and monitor the overall risk bearing capacity and current status of risks already incurred, and to determine their compliance with the risk response strategies and risk management procedures.
The execution procedures for the three defense lines for the internal control system of an insurance enterprise have been collectively established by the Life Insurance Association of the Republic of China and the Non-Life Insurance Association of the Republic of China and have been filed with the competent authority for record.
An insurance enterprise shall formulate adequate risk management policies and procedures. Those policies and procedures shall be passed by the board of directors and regularly reviewed and revised.
An insurance enterprise shall establish an independent risk management task force and regularly furnish risk management reports to the board of directors;
The risk management mechanisms of an insurance enterprise shall include the following:
1. Identifying and assessing acceptable risk range based on its business scale, product features and overall economic situation.
2. Risks to be taken into consideration include underwriting risk, risks associated with reserve assessment, market risk (including interest rate risk), operational risk, compliance risk and other relevant risks.
3. The management should regularly review the risk control mechanism and adopt suitable strategies based on the actual economic circumstances.
Chapter 3 The Inspection of Internal Control System
Section 1 Internal Audit
The purpose of internal audit is to assist the board of directors and the managerial level to verify and evaluate whether the operation of internal control system works effectively and provide appropriate suggestions for revision, which can ensure the on-going performance of effective internal control and serve as the basis of internal control system revisions.
An insurance enterprise shall plan the organization, size and responsibilities of its internal audit unit and produce internal audit working manuals, which shall include at least the following particulars:
1. Operational process of annual audit plan;
2. Inspection and assessment of internal control system to measure the effectiveness and compliance status of existing policies and procedures and their effect on various business activities;
3. Audit items, time, procedures and methods; and
4. The contents of the formats, processing and retention of internal audit reports.
An insurance enterprise should see to it that all of its units carry out self-inspection, and have its internal audit unit review the self-inspection reports of each unit, which, together with internal audit unit's report on the deficiencies and irregularities in internal controls found and improvement actions taken will serve as a basis for the board of directors,general manager, chief auditor, and chief compliance officer to evaluate the overall effectiveness of the internal control system and to issue an internal control system statement.
An insurance enterprise should set up an internal audit unit that is directly subsidiary to the board of directors which should perform audit business honestly and independently. The chief auditor is required to report its audit business to the board of directors and supervisors or audit committee at least semiannually.
The internal audit unit shall establish a chief auditor system to manage all audit business. The qualifications of chief auditor shall comply with the Regulations Governing Required Qualifications for Responsible Persons of Insurance Enterprises, and has the power as an vic general manager. The auditor is not allowed to take a job that will cause conflicts or limitations to the audit work.
The employment, dismissal or transfer of chief auditor shall have the consent of more than two-thirds of the board of directors and report to the competent authority for ratification.
If an insurance enterprise has an audit committee, the appointment, dismissal or transfer of chief auditor mentioned in the preceding paragraph shall first have the consent of at least the majority of all audit committee members. In the absence of the consent of the majority of all audit committee members, the decision of the audit committee shall be recorded in the meeting minutes of the board of directors. Where an insurance enterprise does not have an audit committee but independent directors, any dissenting opinion or reservation expressed by the independent directors regarding the chief auditor shall also be recorded in the meeting minutes of the board of directors.
When any of the following circumstances applies to a chief auditor in overseeing internal audit work, the competent authority may, having regard to the seriousness of the event, issue an official reprimand, order the chief auditor to make improvements within a specified time limit, or otherwise order the insurance enterprise to release the chief auditor from duty:
1. Abusing power of office to engage in improper activities, or acting contrary to his or her duties in an attempt to seek illicit profits for him/herself or for others, or taking advantage of the job to damage the interests of the employer or others.
2. Disclosing, delivering, or publicizing all or part of insurance examination reports on the employer to a person unrelated to such job without the consent of the competent authority.
3. Failing to disclose in the internal audit report any material deficiency found in the financial or business operations of the employer.
4. Failing to notify the competent authority any material malpractice or fraud at the employer due to internal mismanagement.
5. Issuing a fraudulent internal audit report after performing the internal audit work.
6. Failing to follow the instructions of the competent authority in conducting audit work or providing relevant information.
7. Having improper financial dealings with customer or counterparty of transaction involving employer's funds as evidenced by facts.
8. Failing to identify a material deficiency in the financial or business operations of the employer as a result of obviously insufficient or incompetent staffing of internal auditor.
9. Having committed other acts that impair the reputation or interests of the employer.
An insurance enterprise shall be staffed with an appropriate number of competent full-time internal auditors based on its scale of investment, business condition (the number of branches and business volume), management needs and applicable laws and regulations. Personnel of the internal audit unit shall be deputy to each other to cover each other's absence.
The appointment, dismissal, promotion, reward/discipline, rotation and performance review of any personnel in the internal audit unit shall become effective after being reported by the chief auditor to the chairman for approval. However, if the matter involves personnel of other management and business units, the chief auditor should first consult with the personnel office and obtain the consent of the general manager before reporting the matter to the chairman for approval.
When the competent authority conducts examination of the insurance enterprise, the internal audit unit shall assign an internal auditor as the contact person and to provide relevant information and assist in the examination.
The internal auditors of an insurance enterprise shall meet the following qualification requirements:
1. Having not less than 2 years of experience in insurance examination; or having graduated from a junior college, college or university, or passed a senior civil service examination or an equivalent examination, or the examination of certified internal auditor and having not less than 2 years of experience in insurance business; or having not less than 5 years of experience in insurance business; or having not less than 5 years of experience in insurance business. A person is deemed to meet such requirements if he or she has worked as a professional, such as an auditor in an accounting firm or a system analyst in a computer company for not less than 2 years, and has received not less than 3 months of training in insurance business and administration. However, the number of auditor with such qualification shall not exceed one third of total number of auditors;
2. Free of any record of demerit or more serious disposition from employer in the last three years, unless the demerit record was a result of joint and several disciplinary action on account of the violation or offense of a co-worker, and the demerit has been offset by other merits; and
3. An internal auditor who acts as a lead auditor shall have not less than 3 years of experience in auditing or insurance examination, or have not less than 1 year of experience in auditing and not less than 5 years of experience in insurance business.
The internal auditors of an insurance enterprise shall perform their duties in good faith, and shall not have any of the following situations:
1. Acting beyond the scope of audit functions or engaging in other improper activities, or disclosing any acquired information without authorization or in the attempt to profit therefrom, or otherwise using the information against the interest of the insurance enterprises.
2. Conducting audit on operations where he/she worked on within one year or failing to disqualify him/herself from auditing cases or operations in which he/she has a stake or conflict of interest.
3. Accepting improper entertainment or gift or other improper benefits provided by people in insurance business or customers.
4. Failing to follow the instructions of the competent authority in conducting audit work or providing relevant information.
5. Concealing or making false or inappropriate disclosures while well aware that the business activity, reporting, or regulatory compliance condition of the employer may cause direct damage to the interests of beneficiaries, policyholders or any stakeholder.
6. Causing harm to the interests of the company, beneficiaries, policyholders or any stakeholder due to dereliction of duty.
7. Any other violation of rules or regulations, or practices prohibited by the competent authority.
Auditors of the internal audit unit of an insurance enterprise shall, before starting the job or within half a year after starting the job, enroll in the following trainings held by institutions recognized by the competent authority:
1. When acting as an internal auditor for the first time, the auditor should participate in the audit training course or computer audit training course for more than sixty hours. The auditor should also pass the exam and obtain the completion certificate.
2. An internal auditor with leadership duty should participate in the internal auditor leader train course for more than nineteen hours.
3. The auditor manager should participate in audit manager training course for more than twelve hours.
Internal auditors, internal auditor with leadership and auditor manager in charge of audit operations shall attend more than 30 hours of insurance-related professional training offered by the aforementioned training institutions or financial holding companies or the employing insurance enterprise every year. If an auditor has obtained a certified internal auditor certificate in a year, the certificate may be used to offset the training hours for the year.
Insurance-related professional training courses offered by competent authority-recognized institutions shall comprise not less than one half of the required hours of training under the preceding paragraph.
For auditors stationed overseas, the training hours they have received from insurance-related training institutions established in accordance with the local laws and regulations are also recognized.
An insurance enterprise shall verify that its internal auditors meet the qualification requirements set forth herein, and retain the verification documentation and records for future reference.
The department heads/office chiefs of an insurance enterprise or the head of its branch office or persons with comparable decision-making authority shall, before taking office or within half a year after taking office shall meet one of the following requirements:
1. Having worked as an auditor of the internal audit unit and conducted internal audit work for more than one year; or
2. Having attended an auditor, computer audit or supervisor audit training course offered by a competent authority recognized institution, and passed the exam conducted by the aforementioned training institution and obtained a completion certificate therefor. In case of a foreigner, he or she may choose to attend the internal audit training course held by the employing insurance enterprise.
The person who acts for the first time as the department head/office chief of an insurance enterprise or the head of its branch office or person with sufficient decision-making authority shall meet all of the requirements listed in the preceding paragraph. In addition, the person who meets the requirement set forth in Subparagraph 2 of the preceding paragraph shall participate in at least four times of audit practices with the internal audit unit before actually assuming the post or within six months after assuming the post. Such person shall be responsible for at least one item in each practice, audit at least four items in the audit practices, write a report on the practice, and submit it to the chief auditor for acknowledgement. The chief auditor shall issue a certificate and keep the report for further reference.
The internal audit unit of an insurance enterprise shall conduct at least a routine audit every year on its business, finance, information and other management units, and conduct special audits as needed. The audit of its overseas branches (including liaison office) may be replaced with a reporting audit or have site audit frequency adjusted flexibly.
The internal audit unit shall include the implementation status of regulatory compliance system into the routine audit or special audit of the business and management units.
When an insurance enterprise carries out routine audit, its internal audit report shall disclose the following information based on the business nature of the audited unit:
1. Scope of audit, summary commentary, financial status, capital adequacy, business performance, asset quality, management of shares, management of the board of directors and audit committee meeting procedures, regulatory compliance, related-party transactions, control and internal management of various businesses, management of customer data confidentiality, information management, employee confidentiality education, and implementation of self-inspection, and an evaluation of the above matters.
2. Examination opinions on material violations, deficiencies or frauds occurred at various units, and suggestions for disciplinary actions against negligent employees.
3. The examination opinions or deficiencies identified by the competent authority, accountants, internal audit unit (including the internal audit unit of the financial holding company), and self-inspection personnel, and the improvement status of items that are listed as needing further improvement in the statement on internal control.
The internal audit reports, working papers and relevant information under the preceding paragraph shall be retained for at least 5 years.
An insurance enterprise shall, in a prescribed format and via a Web-based information system, file with the competent authority for record next year's audit plan before the end of December each year and a report on the execution of its previous year's annual audit plan before the end of February each year.
An insurance enterprise shall, by the end of each fiscal year, deliver its next year's audit plan in writing to its supervisors or audit committee for review and record the comments of supervisors or audit committee. If the insurance enterprise does not have an audit committee but independent directors, it shall deliver the audit plan to the independent directors for comments.
The audit plan under the preceding paragraph shall contain at least: a description of the audit plan, key annual audit items, units to be audited, nature of audit (routine audit or special audit), and frequency of audit and whether the audit plan is in compliance with the requirements of the competent authority. If the audit is a special audit, the scope of audit should also be noted.
The annual audit plan and changes thereof shall be approved by the board of directors.
The internal audit unit shall follow up on the status of improvements made by respective units regarding the examination opinions of or deficiencies found by competent authority, accountants, internal audit units (including the internal audit unit of the parent financial holding company) and self-check personnel, and recommendations enumerated in the statement on internal control, and produce a written follow-up report to be provided to the board of directors and the supervisors or the audit committee for review and to be used as important reference in reward/discipline decisions and performance review.
The internal audit report shall be provided to the supervisors or the audit committee for review, and unless it is otherwise stipulated by the competent authority, submitted to the competent authority within two (2) months from the date the audit is completed.
Where an insurance enterprise has independent director(s), the reports shall be simultaneously provided to the independent director(s) when an action is taken under the two preceding paragraphs.
The major points of audit task for an insurance enterprise should be prescribed by the competent authority.
An insurance enterprise shall, in the format prescribed by the competent authority and via a Web-based information system, file with the competent authority for record information on its internal auditors, including the name and years of service by the end of January each year.
An insurance enterprise shall, before the end of May each year, file with the competent authority for record the improvement actions taken for deficiencies and irregularities in its internal control system identified during the previous year's internal audit via a Web-based information system and in a format prescribed by the competent authority.
An insurance enterprise should examine at all time whether its internal auditors have violated the provisions of Article 15 herein. If an auditor is found to violate the provisions, the insurance enterprise shall reassign the auditor within one month from the date of discovery.
When filing the basic data of internal auditors according to Article 21 herein, an insurance enterprise should verify whether its auditors meet the requirements stipulated in Article 14 and Article 16 herein. If an internal auditor fails to meet the requirements, the auditor shall take remedial actions within 2 months, or else be reassigned to another job.
Section 2 Self-inspection and Internal Control System Statement
An insurance enterprise should establish a self-inspection system to strengthen internal check so as to prevent the occurrence of fraud. Its finance, business and information units shall conduct routine self-inspection at least once every year and conduct special self-inspection as needed.
For the self-inspection mentioned in the preceding paragraph, the head of the unit should assign a person other than the original handling staff to conduct the inspection and keep the inspection activity confidential beforehand.
The self-inspection report and its working papers shall be retained for at least 5 years for future reference.
An insurance enterprise should establish self-inspection training programs and continue proper training to self-inspection personnel in accordance with the business nature of each unit.
The general manager of an insurance enterprise shall supervise all units to carefully assess and review the implementation status of its internal control system. The chairman, general manager, chief auditor and head office chief compliance officer shall jointly issue an internal control system statement (Attachment), which shall be submitted to the board of directors for approval, and submitted together with the annual report set forth in Article 148-1 of the Act to the competent authority before the end of March each year.
An insurance enterprise shall disclose its internal control system statement on its website.
Section 3 Audit by an Accountant
If the annual financial report of an insurance enterprise is audited and certified by an accountant, the enterprise should also appoint the accountant to conduct an audit of on its internal control system. The accountant should also comment on the correctness of the report submitted by the insurance enterprise to the competent authority and the implementation status of internal control system and regulatory compliance system. The scope of such audit shall also cover the foreign branches of the insurance enterprise.
The competent authority may require the insurance enterprise to appoint an accountant to conduct a special audit of personal information protection and AML/CFT in accordance with the rules set forth by the competent authority.
The audit fee for the accountant may be agreed upon by the insurance enterprise and the accountant and shall be paid by the insurance enterprise.
The provisions of Paragraphs 1 and 2 do not apply to an insurance enterprise under receivership by the competent authority pursuant to law.
Where necessary, the competent authority may invite an insurance enterprise and its appointed accountant to discuss audit related matters under the preceding article. If the competent authority finds the accountant appointed by the insurance enterprise not sufficiently competent for the audit work, the competent authority may demand the insurance enterprise to replace its accountant and appoint another accountant to re-conduct the audit work.
When an accountant conducts audit provided in Article 26 herein, the accountant should inform the competent authority immediately when the following conditions are found:
1. During the course of audit, the insurance enterprise fails to provide the accountant with requested reports, certificates, account books and meeting minutes, or refuses to make further explanation on the inquiries made by the accountant, or the accountant is unable to continue the audit work as constrained by other objective circumstances.
2. There are false, forged or missing data of serious nature in its accounting or other records.
3. Its assets are insufficient to pay its debts or its financial condition deteriorates significantly.
4. There is evidence indicating that certain transactions may cause material impairment of its net assets.
If an audited insurance enterprise has a situation provided in Subparagraphs 2 ~ 4 of the preceding paragraph, the accountant should submit in advance a summary report based on the audit results to the competent authority.
When an insurance enterprise appoints an accountant to conduct audit under Paragraph 1 of Article 26 herein, the enterprise shall, before the end of March each year, submit an independent auditor's report of the previous year to the competent authority for record.
When the competent authority inquires the contents of the independent auditor's report, the accountant should provide detailed and relevant information and explanations.
Section 4 Regulatory Compliance System
The head office of an insurance enterprise shall, based on its size, business nature and organizational characteristics, establish a compliance unit directly under the general manager to take charge of the planning, management and implementation of regulatory compliance system.
The compliance unit shall establish the position of head office chief compliance officer who oversees the compliance matters and reports to the board of directors (council) and supervisors or the audit committee at least semiannually, and in case of any major regulatory violation, immediately inform the directors (council members) and supervisors, and report to the board of directors (council) on compliance matters.
The requirements for establishing a compliance unit and the position of head office chief compliance officer under the preceding two paragraphs are as follows:
1. An insurance enterprise whose total assets in the previous year as audited by a CPA exceed NTD 1 trillion shall set up a dedicated compliance unit that may also take charge anti-money laundering and combating terrorist financing (AML/CFT) affairs, but may not take charge of legal affairs unrelated to the planning, management and implementation of legal compliance system or any other affairs that may pose a conflict of interest. The head office chief compliance officer shall be a full-time job and shall not concurrently hold other positions except for concurrently serving as the head of dedicated AML/CFT unit without conflicts of interest.
2. For insurance enterprises not governed by the preceding subparagraph, their head office chief compliance officer shall be a full-time job and shall not concurrently hold other positions except for concurrently serving as the chief legal officer and the head of dedicated AML/CFT unit without conflicts of interest.
The head office chief compliance officer of an insurance enterprise shall have a position equivalent to a vice general manager and possess the leadership and the ability to effectively supervise the compliance works. The qualifications of head office chief compliance officer shall comply with the Regulations Governing Required Qualifications for Responsible Persons of Insurance Enterprises.
The branches of foreign insurance enterprises in Taiwan, reinsurance enterprises and insurance cooperatives may appoint a high level manager to act as the head office chief compliance officer under the preceding paragraph, and insurance cooperatives are not subject to the restriction on head office chief compliance officer holding concurrently other internal positions under Paragraph 3 hereof.
Chief auditor, head of audit unit and internal auditors may not serve as the head office chief compliance officer under Paragraph 2 hereof.
The appointment and dismissal of head office chief compliance officer shall have the consent of at least the majority of all directors and be reported to competent authority for record.
The head office chief compliance officer, the head and personnel of the compliance unit of an insurance enterprise shall attend at least 20 hours of on-the-job training courses a year offered by the competent authority or institutions recognized by the competent authority or held internally by the financial holding company which is the parent company of the insurance enterprise or the insurance enterprise. The training courses shall cover at least the latest regulatory amendments and new insurance products launched.
The compliance officer of the business unit, product development and management unit, fund utilization unit, information unit and asset custody unit and other units of an insurance enterprise shall attend at least 15 hours of on-the-job training a year offered by the competent authority or institutions recognized by the competent authority or held internally by the financial holding company which is the parent company of the insurance enterprise or the insurance enterprise.
The compliance officer of a foreign branch of an insurance enterprise shall attend at least 15 hours of on-the-job training courses on regulatory compliance a year offered by the local competent authority or relevant institutions. If no such training course is available, the officer may attend the training courses offered by the competent authority or institutions recognized by the competent authority or held internally by the financial holding company which is the parent company of the insurance enterprise or the insurance enterprise.
The training methods for on-the-job training set forth in the preceding three paragraphs given by the insurance enterprise itself shall be approved by the board of directors (council), and the head office shall keep the attendance records of relevant personnel for reference.
When a dedicated AML/CFT compliance unit is set up under the compliance unit, the required training for AML/CFT compliance unit personnel before their appointment and the annual required training for them after their appointment shall observe the relevant AML/CFT regulations and is not subject to the provisions of Paragraph 8 of this article and Paragraph 2 of Article 33.
An insurance enterprise shall file the list of head office chief compliance officer, head and personnel of compliance unit and their reward/disciplinary records, qualifications and training records in the past three years with the competent authority via a Web-based information system.
An insurance enterprise should establish counseling and communication channels for regulatory compliance matters to keep employees informed of rules and regulations, swiftly clarify any questions of the employees on rules and regulations, and ensure regulatory compliance.
When the compliance unit of an insurance enterprise makes a report to the board of directors in accordance with Paragraph 2 of the preceding article, the report should contain at least analysis of the causes of significant deficiency or malpractice in compliance matters within respective unit and as well as possible effects and recommendations for improvement.
The regulatory compliance unit of an insurance enterprise shall establish a regulatory compliance system which will be implemented after being passed by the board of directors. The regulatory compliance unit shall also review from time to time the regulatory compliance system in line with the amendment of insurance rules and regulations, and implement the revised system after it is passed by the board of directors.
The regulatory compliance system shall include at least the following particulars:
1. Decision making process of board of directors and control functions of directors;
2. Preservation of board meeting minutes;
3. Operation monitoring functions of supervisors;
4. Code of regulatory compliance for directors’ conduct;
5. Establishment of regulatory compliance evaluation standards;
6. Formulation of annual regulatory compliance plan;
7. Creation of a regulatory compliance environment;
8. The audit of regulatory compliance operations and handling of regulatory violation;
9. Regulatory compliance organization and duties; and
10. Drafting of regulatory compliance manual.
The regulatory compliance unit should draw up an annual regulatory compliance plan, which will be implemented after being passed by the board of directors.
The annual regulatory compliance plan shall contain at least the following particulars:
1. Evaluation plan for regulatory compliance by respective unit;
2. Review of handling results for regulatory violation cases in the previous year;
3. Management of changes in insurance related laws and regulations;
4. Training and promotion of regulatory compliance matters; and
5. Review and improvement of regulatory compliance system.
The regulatory compliance unit of an insurance enterprise should conduct the following tasks:
1. Establishing a system for clear and adequate conveyance, consultation, coordination and communication of rules and regulations.
2. Keeping operating and management rules and procedures updated in line with relevant regulations to make sure all business activities comply with regulatory requirements.
3. Before an insurance enterprise introduces a service, a new insurance product or an insurance product which is deemed to constitute material change by the competent authority and requires approval by the competent authority before marketing, or undertakes specific or major use of funds, the head office chief compliance officer shall issue and sign an opinion statement undertaking that the service, product or use of funds complies with applicable regulations and internal rules.
4. Drafting the details of evaluation and procedures for evaluating regulatory compliance, overseeing the periodic self-evaluation conducted by respective units, and assessing the compliance self-evaluation conducted by respective units and producing a report thereon, which, after being signed off by the general manager, will be used as reference in the performance evaluation of respective units.
5. Providing pertinent regulatory training to personnel of various units.
6. Supervising the introduction, establishment and implementation of relevant internal rules by the compliance officer of respective unit.
The internal audit unit may draft the details of evaluation and procedures for evaluating compliance by its subordinate units and perform self-evaluation of the compliance status of its subordinate units, to which the provisions in Subparagraph 4 of the preceding paragraph do not apply.
An insurance enterprise governed by Subparagraph 1, Paragraph 3 of Article 30 shall establish a company-wide compliance risk management and supervision framework. The basis of such framework, functions and responsibilities are as follows:
1. The compliance unit shall establish procedures, plans and mechanisms for identifying, assessing, controlling, measuring, monitoring, and independently reporting any compliance risk in order to fully control, supervise, and support each domestic or foreign department, branch, and subsidiary with respect to individual business unit, cross-department and cross-border regulatory compliance matters.
2. The compliance unit shall set up an adequate number of professional units based on the classification of business or the focus of regulatory compliance to monitor, implement and support the regulatory compliance matters of the domestic or foreign business units related to that business or regulations.
3. The compliance unit may assess the appointment and enhance the independence of compliance officer under respective units using a risk-based approach. Notwithstanding to the requirements in the front section of Paragraph 1 of Article 33, units with lower compliance risk may not need to have a separate compliance officer but may be charged by the head office chief compliance officer.
4. The compliance unit shall establish the mechanism of independent reporting, assessment and response to compliance risk alert.
5. The compliance unit shall evaluate the management of compliance risks with respect to key operating activities, products and services, fund utilization or business projects, and major customer complaints where regulatory violation may be involved on a regular and ad-hoc basis, and shall establish the horizontal communication mechanism with other second lines of defense.
6. The compliance unit may request each unit to provide relevant information in order to understand the compliance risks across the company.
7. The compliance unit shall include the evaluation of management and department heads into its opinion on their implementation of regulatory compliance program.
8. An insurance enterprise and its compliance unit shall fully understand the compliance requirements applicable to the foreign business units, and the criteria required by the local competent authority, and provide full resources and support.
9. The compliance unit shall specify the weakness of compliance risk management, and supervise the improvement plans and schedules with respect to domestic and foreign operations across the company when reporting compliance affairs to the board of directors (council) and supervisors or audit committee at least semiannually pursuant to Paragraph 2, Article 30. The board of directors (council) shall provide sufficient resources and appropriate mechanism of rewards and disciplines applicable to the business units in order to progressively establish a company-wide culture of compliance.
10. The chief auditor shall include the performance of the compliance office and the assessment opinion of the compliance status across the company when reporting the audit business to the board of directors (council) and supervisors or audit committee at least once every half year pursuant to Paragraph 1 of Article 11.
An insurance enterprise governed by the preceding paragraph shall established a dedicated compliance unit and appoint the chief compliance officer at the head office pursuant to Subparagraph 1, Paragraph 3 of Article 30 within six months after meeting the applicable conditions set forth therein, and report the adjusted company-wide compliance risk management and supervision framework to the competent authority, and file the evaluation reports under Subparagraphs 5 and 9 of the preceding paragraph with the competent authority by the end of every April pursuant to Article 148-1 of the Act.
In order to promote sound operation, an insurance enterprise shall set up a whistleblower system, and designate a unit at the head office with independent functions to accept and investigate the reported cases.
An insurance enterprise shall protect the whistleblower as follows:
1. The whistleblower’s identity shall be kept confidential; no information that may be used to identify that person shall be disclosed.
2. A whistleblower shall not be terminated, dismissed, downgraded/relocated, given a reduction in pay, impairment to any entitlement under the law, contract or customs, or other unfavorable disposition due to the reported case.
Any person with conflict of interest shall recuse himself/herself from the acceptance and investigation of the reported case.
The whistleblower system under Paragraph 1 shall at least cover the following particulars and be approved by the board of directors (council):
1. The system expressly declares that anyone may file a report when discovering any crime, corruption, or potential legal violation.
2. The types of reported cases that will be accepted.
3. The system establishes and publishes the channels of reporting.
4. The process of investigation and cooperation in investigation, rules of recusal and the standard operating procedure of subsequent disposition mechanism.
5. Whistleblower protection measures.
6. Acceptance of reported case, investigation process, investigation results, records and retention of relevant documentation.
7. The whistleblower shall be given appropriate notice in writing or by other means with respect to the progress of the reported case.
If the alleged perpetrator is a director (council member), supervisor (member of the board of supervisor), or a managerial officer in a position equivalent to a vice general manager or higher, the investigation report shall be reviewed by the supervisors (board of supervisors) or the audit committee.
An insurance enterprise shall report to or inform relevant authorities any material incident or violation discovered following an investigation.
An insurance enterprise shall regularly introduce the whistleblower system to its employees and provide relevant training.
The head office compliance unit, business unit, product development and management unit, fund utilization unit, information unit, asset custody unit, other management units and foreign branches of an insurance enterprise shall assign personnel to act as the compliance officer of the unit to take charge of compliance matters. The position of the compliance officer in the foreign branches shall be arranged in compliance with the local laws and regulations and the requirements by the local authorities, and the compliance officer shall not hold other posts concurrently except in any of the following situations:
1. The compliance officer serves concurrently as the AML/CFT compliance officer.
2. The compliance officer may hold concurrent posts that do not constitute any conflict of interest according to local laws and regulations.
3. Where it is not clearly prescribed in local laws and regulations regarding whether or not compliance officers may hold concurrent posts, the compliance officer may hold other concurrent posts that do not result in any conflict of interest after such matter has been communicated with and confirmed by the local competent authority and reported to the competent authority for recordation.
The head office chief compliance officer and personnel of the compliance unit of an insurance enterprise as well as the compliance officer of the business unit, product development and management unit, fund utilization unit, information unit, asset custody unit, other management units and foreign branches shall meet one of the following qualification requirements prior to his/her appointment or within half a year after appointment:
1. Having worked as a compliance personnel or chief at any financial institution for at least a total of five years.
2. Having attended not less than 30 hours of courses offered by institutions recognized by the competent authority, passed the exams and received completion certificates therefor.
3. The compliance officer of a foreign branch who is employed locally has been evaluated by the insurance enterprise in accordance with its internal evaluation procedure passed by the board of directors (council) or reviewed and recognized by the local competent authority, which suffices to show his/her familiarity with local laws and regulations and his competence in related matters.
4. The compliance officer of the business unit, product development and management unit, fund utilization unit, information unit, asset custody unit and other management units of an insurance enterprise may take relevant training courses and exams not less than 30 hours held by the financial holding company which is the parent company of the insurance enterprise or the insurance enterprise in accordance with the specific training plan developed by the insurance enterprise, which suffices to show his familiarity with laws and regulations applicable to the respective unit and his competence in related matters.
Respective unit should draw up a compliance manual, which will be implemented after being approved by the head office chief compliance officer and the general manager.
The regulatory compliance manual shall contain at least the following particulars:
1. Regulatory compliance procedures to be adopted by each business;
2. Rules and regulations to be complied with by each business;
3. Procedures for handling violation of rules and regulations;
4. Self-evaluation procedure for regulatory compliance operation; and
5. Name list of regulatory compliance officers.
Where an insurance enterprise has a foreign branch, the regulatory compliance unit shall supervise the foreign branch conducting the following matters:
1. Gathering information on local insurance laws and regulations, fully implementing the self-evaluation of the regulatory compliance business and ensuring the competency of the compliance officer and the adequacy of compliance resources (including personnel, equipment and training), to ensure the compliance with local laws and regulations by the foreign branches.
2. Establishing the self-evaluation and monitoring mechanism for compliance risks; for foreign branches with larger business size, higher business complexity or higher risks involved, they shall commission a local independent expert to verify the effectiveness of their self-evaluation and monitoring mechanism for compliance risks.
An insurance enterprise should, based on its regulatory compliance plan, design the working papers for self-evaluation of regulatory compliance and perform self-evaluation at least semiannually. The self-evaluation results should be sent to the regulatory compliance unit for future reference. The head of a unit should designate a specific staff to carry out the unit's self-evaluation.
The working papers and information on the self-evaluation work under the preceding paragraph shall be retained for at least 5 years.
Chapter 4 Supplementary Principles
An insurance enterprise shall set out in its internal control system penalties for violations of these Regulations or its internal control rules by management and relevant personnel.
Where an insurance enterprise has a significant fraudulent event occurred as a result of poor internal management, unsatisfactory internal controls, inadequate implementation of the internal audit system and regulatory compliance system, or concealment of the results of improvement actions taken for any deficiency specified by a financial examination agency in an examination opinion requiring review and follow-up, or the audit findings of the internal audit unit (including the internal audit unit of parent financial holding company), the personnel involved shall be held responsible for dereliction of duties.
An insurance enterprise should commend its internal auditors who identify any significant malpractice or negligence and thereby avert material loss to the enterprise.
When a significant deficiency or malpractice event arises within the management or business unit of an insurance enterprise, the internal audit unit shall have the power to suggest penalties and shall make a full disclosure of the responsible negligent personnel in an internal audit report.
The internal auditors and chief compliance officer of an insurance enterprise shall immediately produce a report for submission to the competent authority, with a notice to the supervisors or audit committee and independent directors (if applicable), when their recommendations for improvements regarding significant deficiencies or noncompliance in internal controls are not accepted by management, as a result the insurance enterprise might incur a material losses.
After the examination conducted by the competent authority or the local competent authority governing a foreign branch is completed or after an examination report is received by an insurance enterprise, the internal audit unit of the head office shall, based on the principle of materiality, promptly inform the directors and supervisors, and make a report to the forthcoming meeting of the board of directors. The report items should include the content of the meeting for the examination communication, major deficiencies found in the examination and improvement action plans required by the competent authority or possible disciplinary actions to be taken.
An insurance enterprise shall appoint an adequate number of corporate governance personnel with appropriate qualifications based on the size of the enterprise, business conditions and management needs, and appoint a chief corporate governance officer as the most senior officer to be in charge of corporate governance affairs. However, this restriction shall not apply to branches of foreign insurance enterprises in Taiwan and insurance cooperatives.
The corporate governance matters specified in the preceding paragraph shall include at least the following content:
1. Handling matters relating to board meetings and shareholders meetings according to laws.
2. Producing minutes of board meetings and shareholders meetings.
3. Assisting in onboarding and continuing education of directors and supervisors.
4. Furnishing information required for business execution by directors and supervisors.
5. Assisting directors and supervisors with legal compliance.
6. Other matters set out in the articles of corporation or contracts.
The chief corporate governance officer specified in Paragraph 1 must be a managerial officer of the company. Unless otherwise specified by laws, the appointment of the chief corporate governance officer shall be processed in accordance with the following requirements:
1. The chief corporate governance officer shall be a qualified, practice-eligible lawyer or CPA or have been in a managerial position for at least three years in an insurance, securities, futures, or finance related institution or a public company in handling legal affairs, legal compliance, internal audit, finance, stock affairs, or corporate governance affairs.
2. The chief corporate governance officer of the enterprise shall take at least 18 hours of continuing education in the first year he/she takes on this role and take at least 12 hours in each subsequent year. The training courses shall include at least corporate governance related topics such as business, legal affairs, finance, accounting, corporate social responsibilities, risk management, and internal controls. The qualified continuing education institutions and the conduct of continuing education shall be subject mutatis mutandis to the provisions of the Directions for the Implementation of Continuing Education for Directors and Supervisors of TWSE Listed and TPEx Listed Companies, as jointly adopted by the Taiwan Stock Exchange and the Taipei Exchange, with respect to the continuing education system.
Unless otherwise provided by laws and regulations, other personnel of the enterprise may serve concurrently as the chief corporate governance officer. Where the role of the corporate governance officer is filled concurrently by other personnel, the enterprise shall ensure the effective implementation of their original roles and concurrent roles and shall not permit conflicts of interest or violation of the internal control system.
Where the chief corporate governance officer resigns or is dismissed, the enterprise shall reappoint a chief corporate governance officer within one month of the occurrence.
The branch of a foreign insurance enterprise in Taiwan shall carry out internal control and audit in compliance with these Regulations. However, if the internal control and audit systems of a branch in Taiwan are prescribed by the head office based on regulations with higher or equivalent standards, the branch is allowed to implement such systems by submitting a comparison report which compares the standards that head office adopts and the system requirements in Taiwan and is signed by the branch's responsible person to the competent authority for record.
An insurance cooperatives may, in view of its business scope and size and within six months from the date of promulgation of these Regulations amended on March 17, 2010, carry out internal control and audit in accordance with these Regulations, or report to the competent authority for record as provided in the preceding paragraph by describing the facts, reasons and the content of internal control and audit system to be adopted.
An insurance enterprise should establish necessary controls for its subsidiaries in its internal control system and urge its subsidiaries to establish internal control system in consideration of local rules and regulations at where each subsidiary is located and the actual nature of the subsidiary's operations.
An insurance enterprise shall establish a group-wide AML/CFT program, including information sharing policies and procedures for the purpose of AML/CFT under the laws and regulations of the jurisdiction where such foreign branch (or subsidiary) is located.
An insurance enterprise shall establish audit plans targeted at each subsidiary in its annual audit plans based on the business risk profile and implementation of internal audits by each subsidiary.
All subsidiaries of an insurance enterprise shall submit to the parent company their board meeting minutes, CPA audit reports, examination reports issued by the financial examination agency, and other relevant materials. For subsidiaries having established an internal audit unit, audit plans and reports on significant deficiencies identified in internal audit and the status of improvements thereof shall also be submitted. The parent company shall review such documents and monitor the improvement actions taken by each subsidiary.
The chief auditor of an insurance enterprise shall periodically evaluate the effectiveness of the internal control activities of a subsidiary, and after having reported to the board of directors, send the evaluation results to the subsidiary's board of directors for their reference in personnel evaluations.
An insurance enterprise shall ensure the confidentiality of its financial examination reports. Unless otherwise provided by law or consented by the competent authority, its responsible persons or employees are not allowed to read or disclose, deliver, make public all or part of the financial examination report to persons unrelated to the performance of duties.
Insurance enterprises that do not comply with the provisions in Paragraph 1 of Article 33 regarding the full-time and concurrent posts shall make adjustments to become compliant within six months after the promulgation of these Regulations amended on October 19, 2017.
Persons having held the positions as regulatory compliance personnel or chief without compliance with Paragraph 2 of Article 33 prior to October 19, 2017 when these Regulations were amended shall make adjustments to become compliant with the requirements of such Paragraph within one year.
These Regulations shall be in force on the date of promulgation.
Except for the part on management of financial consumers’ protection in these Regulations which has been in force since December 30, 2011, the provisions of Article 5 amended and promulgated on February 4, 2012 shall enter into force three months after the date of promulgation.
The provisions of Article 32-2 of these Regulations amended and promulgated on May 29, 2018 shall take effect six months after promulgation.
The provisions of these Regulations amended and promulgated on August 20, 2020 shall have been in force since December 31, 2020.