Chapter 1 General Provisions
These Regulations are adopted pursuant to Paragraph 3, Article 165 of the Insurance Act (hereinafter referred to as the Act).
Insurance agent companies and insurance broker companies that are public companies or those with annual operating revenue reaching NT$300 million shall establish internal control and audit system as well as business solicitation system and procedures in the following year.
Banks shall establish internal control, audit system and business solicitation system and procedures in accordance with these Regulations.
The operating revenue referred to in these Regulations shall be the operating revenue as defined in Article 5 of the Financial Supervisory Commission Regulations Governing Fee Schedule for Annual Supervision Fee, Examination Fee and Fee Collection.
The term “bank” as used in these Regulations means a bank operating concurrently insurance agent business or insurance broker business with approval of the competent authority.
The term “internal control and audit system and business solicitation system and procedures” referred to in these Regulations are management processes defined by the management, approved by the board of directors (council) and implemented by the board of directors (council), the management and other employees for the purpose of promoting sound operations of the company to reasonably ensure that the following objectives are achieved:
1. Effectiveness and efficiency of operations.
2. All transactions take place under proper authorization.
3. Enhancing the skills of insurance solicitors, treating all consumers fairly and soliciting business in an explicit, fair and reasonable manner.
4. Premiums and related expenses collected from or turned in on behalf of policy proposers are safeguarded.
5. Financial and other records provide reliable, timely, transparent, complete, accurate and verifiable information and comply with relevant rules and regulations.
6. Compliance with applicable laws and regulations.
The internal control and audit system and business solicitation system and procedures of insurance agent companies, insurance broker companies or banks shall be passed by its board of directors (council), and, if any director has a reservation or dissenting opinion, the company shall state such director’s opinion and reasons in the board of directors (council) meeting minutes, and shall send the minutes together with the internal control, audit and business solicitation system and procedures passed by the board of directors (council) to each supervisor (board of supervisors) or audit committee; the same shall apply to any amendment thereto.
If an insurance agent company, insurance broker company or bank has established an audit committee, the adoption of or any amendment to the internal control and audit systems as well as solicitation systems and procedures shall be approved by its audit committee with the consent of one-half or more of audit committee members and submitted to its board of directors (council) for a resolution.
If the adoption or amendment under the preceding paragraph is not approved by the audit committee, it may be done with the approval of at least two-thirds of the entire board of directors (council), and the resolution of the audit committee shall be recorded in the minutes of the board of directors (council) meeting.
Chapter 2 Design and Implementation of the System
The internal control system of banks as well as insurance agent companies and insurance broker companies with annual operating revenue of NT$500 million or more shall contain at least the following components:
1. Control environment: Control environment is the basis of the design and implementation of internal control system across the company. Control environment encompasses corporate integrity and ethical value of the company, governance oversight responsibility of the board of directors (council) and supervisors (board of supervisors), or audit committee, organizational structure, assignment of authority and responsibility, human resources policy, and performance measures and reward and discipline. The board of directors (council) and management shall prescribe internal standards of conduct, including the adoption of code of conduct for directors (council) and employees.
2. Risk assessment: A precondition to risk assessment is the establishment of objectives, linked at different levels of the company, taking into account suitability of the objectives. Management shall consider the impact of possible changes in the external environment and within its own business model that may render internal control ineffective. The risk assessment results can assist the company in designing, correcting, and operating necessary control activities in a timely manner.
3. Control activities: Control activities are actions of carrying out policies and procedures taken by the company according to risk assessment results to limit relevant risks to a sustainable level. Control activities shall be performed at all levels of the company, at various stages within business processes, and over the technology environment, and shall include supervision and management of subsidiaries.
4. Information and communications: Information and communication mean the relevant and quality information the company obtains, generates, or uses from both internal and external sources to support functioning of other components of internal control, and to ensure effective communication of such information between the company and external parties. Internal control systems must have mechanisms of generating information necessary for planning, implementation, and monitoring and providing timely information to those who need it.
5. Monitoring activities: Monitoring activities means ongoing evaluations, separate evaluations, or some combinations of the two used by the company to ascertain whether each component of the internal control system exists and continues to function. Ongoing evaluations means routine evaluations built into the course of operations at different levels of the company. Separate evaluations are evaluations conducted by internal auditors, supervisors (board of supervisors) or audit committee, or board of directors (council). Findings of deficiencies of the internal control system shall be communicated to the management of appropriate levels, the board of directors (council) and supervisors (board of supervisors) or audit committee, and improvements shall be made in a timely manner.
The insurance agent companies and insurance broker companies with annual operating revenue less than NT$500 million shall contain at least the following components:
1. Management oversight and control culture: The board of directors (council) shall have the responsibility for approving and periodically reviewing overall business strategies and major policies, and shall have the ultimate responsibility for ensuring that an adequate and effective internal control system is established and maintained; senior management shall have the responsibility for implementing business strategies and policies approved by the board of directors (council), for developing processes that identify, measure, monitor, and control risks incurred by the company, for setting appropriate internal control policies, and for monitoring their effectiveness and relevance.
2. Risk recognition and assessment: An effective internal control system requires that the material risks that could adversely affect the achievement of the company goals are being identified and continually evaluated.
3. Control activities and delegation of responsibilities: Control activities shall be an integral part of the daily operations. An appropriate control structure shall be set up, with internal control processes defined at every business level. An effective internal control system requires that there is appropriate delegation of responsibilities and that management and employees are not assigned conflicting responsibilities.
4. Information and communication: an insurance agent company or insurance broker company shall maintain relevant and comprehensive financial and non-financial information related to operations, financial reports and regulatory compliance; such information shall be reliable, timely, and accessible in order to establish effective channels of communication.
5. Monitoring activities and correction of deficiencies: An insurance agent company or insurance broker company shall monitor the overall effectiveness of its internal controls on an ongoing basis. Business units, internal auditors or other internal control personnel shall promptly report any internal control deficiencies found to the appropriate management in a timely manner, and any significant internal control deficiencies shall be reported to senior management, the board of directors (council) and supervisors (board of supervisors) with corrective actions promptly taken.
Insurance agent companies or insurance broker companies that have already established their internal control system according to paragraph 1 hereof shall stay in compliance with paragraph 1 when annual operating revenue falls below NT$500 million.
The internal control system of insurance agent companies, insurance broker companies or banks shall cover business solicitation system and procedures as well as internal control procedures established in line with the nature and size of business and based on the principle of internal checks and balances, and shall be reviewed and revised in a timely manner.
Where an insurance agent company, insurance broker company or bank has an audit committee established, its internal control system shall also include the management of the audit committee meeting procedures.
The business solicitation system and procedures referred to in the preceding article shall contain at least the following particulars:
1. Qualifications of insurance solicitors, insurance agents and insurance brokers, the types of insurance they may solicit, solicitation methods, on-the-job training, rewards and disciplines, and rights and obligations.
2. Management measures regarding performance review that links the commissions received by insurance solicitors to risk exposure and duration of commission payment, solicitation quality, and solicitation dispute.
3. Operations and management measures regarding collection and turn-in of premiums by insurance solicitors on behalf of customers.
4. Description of major contents of insurance products and associated rights and obligations, and disclosure of related information.
5. Advertising, promotional and sales activities and management of such activities.
6. Understanding and evaluating the insurance needs and suitability of proposers or the insured.
7. The operation and management ensuring that business personnel undertaking insurance solicitation write up solicitation reports truthfully, including conducting phone interview for special cases or conducting spot check of relevant documents.
8. Check mechanism and signature operation in place following solicitation and prior to submission of application.
9. Control and safekeeping of solicitation documents.
10. Customer complaint.
11. Other matters designated by the competent authority.
The provisions of subparagraph 7 of the preceding paragraph do not apply to the solicitation of non-life insurance business.
The internal control procedures referred to in Article 6 herein shall contain at least the following particulars:
1. Controls on accounting, information, personal data protection, anti-money laundering and countering the financing of terrorism (AML/CFT) and other operations relating to business solicitation and businesses approved by the competent authority.
2. Management of financial examination reports.
3. Mechanism for handling major contingencies.
4. Other matters designated by the competent authority.
Insurance broker companies that provide the services of risk planning, reinsurance planning and claim application must establish appropriate operating procedures for such services.
If a bank approved by the competent authority to operate concurrently insurance broker business provides risk planning and insurance claim services, it shall establish proper operating procedures for those services.
The accounting procedure referred to in Subparagraph 1 of Paragraph 1 hereof shall contain at least the following operating procedures:
1. Cashier management: Operating procedure for receipts and payments.
2. Accounting management: Operating procedure for account management and the preparation of balance sheet and income statement.
For the purpose of achieving objectives in Article 3 herein, insurance agent companies, insurance broker companies or banks shall adopt the following measures:
1. Internal audit system: Set up the post of auditor to take charge of auditing each unit and periodically evaluating the performance of self-evaluation conducted by each business unit.
2. Self-evaluation system: Members of different units check on each other the actual implementation of internal controls under the supervision of managerial personnel or personnel at comparable position or higher as assigned by each unit to discover deficiencies early and take corrective actions in a timely manner.
3. Independent auditor system: If deemed necessary, the competent authority may order an insurance agent or broker company or a bank to engage a certified public accountant (CPA) to audit its internal control system.
4. Compliance system: Set up the post of compliance officer to take charge of appraising whether business personnel comply with relevant laws and regulations while executing the business.
Chapter 3 Evaluation of system
Section 1 Internal Audit
The purpose of the internal audit system is to assist the board of directors (council) and management in checking and assessing whether the internal control system operates effectively, and to provide timely recommendations for improvement so as to ensure the on-going and effective implementation of the internal control system and provide the basis for reviewing and revising internal control system.
Insurance agent companies, insurance broker companies or banks shall plan the organization structure, staffing and functions of internal audit unit and draft internal audit manual.
An internal audit manual shall contain at least the following particulars:
1. Operating process for annual audit plan.
2. Audit and assessment of internal control system to measure the effectiveness and the level of compliance of existing policies and procedures, and the effect on various operating activities.
3. Audit items, time, procedures and methods.
4. Format, handling and preservation of internal audit report.
Insurance agent companies, insurance broker companies or banks shall see to it that all of its internal units carry out self-evaluation and have its internal audit unit review the self-evaluation reports; the self-evaluation reports, together with deficiencies and irregularities found by auditors and improvement actions taken will serve as a basis for the board of directors (council), management, auditors, and compliance officer to evaluate the overall effectiveness of the internal control system and for the issue of a statement on internal controls.
Insurance agent companies, insurance broker companies or banks shall appoint an appropriate number of qualified auditors directly under the board of directors (council) to take charge of the audit operations. Auditors shall not serve concurrently in positions that are in conflict with or will handicap their audit works set out in Article 13 herein and shall report the audit operation to the board of directors (council) and supervisors (board of supervisors) or audit committee at least once every year.
The appointment, dismissal or transfer of auditors of insurance agent companies and insurance broker companies must be passed by the board of directors (council) and reported to the competent authority in a manner designated by the competent authority with confirmation document and record filed and saved.
The appointment, dismissal or transfer of auditors of banks shall be effected in accordance with the Implementation Rules of Internal Audit and Internal Control System of Financial Holding Companies and Banking Industries and reported to the competent authority in a manner designated by the competent authority with confirmation document and record filed and saved.
To put the internal control system into effect, strengthen the professional abilities of the deputy of the auditor and to further improve and maintain the quality of audit and its implementation result, an insurance agent or broker company shall have a deputy in place for auditor.
The provisions in Articles 14 ~ 16 and Article 20 herein shall apply mutatis mutandis to the deputy mentioned in the preceding paragraph.
To ensure that the company maintains proper and effective internal audit system, the duties of auditors in performing the tasks of internal audit shall include at least the following:
1. The audit of business solicitation mentioned in Article 7.
2. The audit of operations mentioned in Subparagraph 1, Paragraph 1 of Article 8.
3. In charge of liaison works when the competent authority performs financial examination and provide related information and assist in the examination works.
4. The audit of financial examination report management.
5. Other matters designated by the competent authority.
The auditors of insurance agent companies, insurance broker companies or banks shall possess one of the following qualifications:
1. Having the qualification of an insurance agent or broker and having actually served as a signatory for at least two years.
2. Having at least five years of experience in supervision works relating to insurance enterprise, an insurance agent company or insurance broker company.
3. Having graduated from a junior college, college, or university and passed a senior civil service examination or an examination equivalent to a senior civil service examination, or the examination of Certified Internal Auditor (CIA), and having at least two years of experience in related business of insurance enterprise, an insurance agent company or insurance broker company or other finance-related businesses.
4. Having at least five years of work experience in related businesses of insurance enterprise, an insurance agent company or insurance broker company.
5. Having at least two years of work experience as an auditor in an accounting firm, or a system analyst in a computer company, or a professional in similar capacity and having received not less than three months of training in insurance business and management in an insurance agent company or insurance broker company; however, the number of internal auditors with such qualification shall not exceed one half of the company’s total number of internal auditors.
Qualified auditors according to the preceding paragraph shall be free of any record of demerit or more serious offense from employer in the last three years, unless the demerit record was a result of joint and several disciplinary action on account of the violation or offense of a co-worker, and the demerit has been offset by other merits.
The auditors of an insurance agent or insurance broker company shall perform their duties in good faith, and shall be free of the following situations:
1. Act beyond the scope of audit functions or engage in other improper activities, or disclose externally any acquired information, attempt to profit therefrom, or otherwise use the information against the interest of the company.
2. Fail to recuse himself or herself from auditing of cases or businesses within the scope of his or her duties or matters in the past year or in which he or she has personal interests or interest conflicts.
3. Directly or indirectly provide, promise, request, or accept, unreasonable gifts, entertainment, or any other improper benefits in whatever form.
4. Fail to audit items according to the instructions of the competent authority or fail to provide relevant information.
5. Conceal or make false or inappropriate disclosures of any of the company’s business or compliance activities while knowing such activity directly harms the applicant proposer, the insured or the beneficiary.
6. Damage the interests of the company, applicant proposer, the insured or beneficiary due to dereliction of duties.
7. Have other conducts prohibited by laws and regulations or the competent authority.
An auditor shall attend the following training:
1. Pre-job training: First-time auditors and auditors of insurance agent companies, insurance broker companies and banks who return to the job after a hiatus of three years or longer shall attend at least 30 hours of audit-related professional courses offered by competent authority-ratified training institutions and pass the tests given by the aforementioned training institutions and receive a course completion certificate therefor before starting the job or within half a year after starting the job.
2. On-the-job training: An internal auditor shall attend at least 12 hours of audit-related professional courses offered by competent authority-ratified training institutions every year, or internal audit courses offered by government agencies, or at least 12 hours of internal audit related courses at a university or higher and receive credits or a course completion certificate therefor.
An internal auditor who has received the certification of Certified Internal Auditor (CIA) may be exempt from the aforementioned training requirements in the year of receiving the certification.
Not less than one half of the training hours that an internal auditor attends as required in the preceding paragraph shall be from insurance agent or broker related professional trainings held by a competent authority-ratified institution.
Auditors shall conduct a routine audit on different management units of the company at least once every year, and a special audit as deemed necessary. However, this requirement does not apply to banks that have been approved to adopt a risk-based internal auditing system by the competent authority in accordance with Implementation Rules of Internal Audit and Internal Control System of Financial Holding Companies and Banking Industries.
Auditors shall include the implementation status of compliance system into the routine audit or special audit of business and management units.
The internal audit report prepared by an auditor for a routine audit shall disclose at least the following information:
1. Scope of audit, summary review of audit, financial and business conditions, regulatory compliance, control and internal management of various businesses, management of customer information confidentiality, training, measures for the protection of consumer interests, and implementation of self-evaluation, and the evaluation of those items.
2. Opinions on material violation, deficiency or fraud that has taken place, and recommendations for punishment of derelict employees.
3. Status of improvement measures taken in response to the examination opinions given or deficiencies identified by the competent authority, independent auditor, internal auditor, or self-evaluation personnel, or matters requiring further improvement efforts as specified in the statement on internal controls.
The internal audit report mentioned in the preceding paragraph and its working papers and related information shall be preserved for at least five (5) years.
Insurance agent companies, insurance broker companies or banks shall, by the end of each fiscal year, deliver its next year's audit plan in writing to the supervisors (board of supervisors) or audit committee for review and make record of the review.
The audit plan mentioned in the preceding paragraph shall contain at least a description of the audit plan, key annual audit items, units to be audited, nature of audit (routine audit or special audit), and frequency of audit and whether the audit plan is in compliance with the requirements of the competent authority. If the audit is a special audit, the scope of audit should also be noted.
Annual audit plan and any revisions thereto must be approved by the board of directors (council).
An auditor shall report matters specified in the second subparagraph of Paragraph 1 hereof to the competent authority after confirming the facts.
Auditors shall continually follow up on any examination opinions or audit deficiencies brought up by the competent authority, independent auditor, or auditors, or self-evaluation, and on matters requiring further improvement as specified in the statement on internal controls, and submit a written report on the status of improvement actions taken to the management, board of directors (council) and supervisors (board of supervisors), or audit committee and include those items as important factors for consideration in determining reward/disciplinary for and performance evaluation of each unit.
Internal audit reports shall be submitted to the supervisors (board of supervisors), or audit committee for review. In addition, a company shall, within five months after the end of each fiscal year, submit a report on the irregularities and deficiencies found in previous year’s internal audits as well as improvement actions taken to the competent authority. However, in case a material violation or irregularity is found in an internal audit, the company shall submit the related internal audit report to the competent authority within one month from the end of the audit.
Insurance agent companies, insurance broker companies or banks shall, in a format designated by the competent authority, file with the competent authority information on the name, age, educational background, work experience, years of service, and training of its auditors by the end of January each year.
Insurance agent companies, insurance broker companies or banks shall from time to time check whether there is any violation of Article 15 herein by its auditors, and, upon discovery of any such violation, shall adjust the position of the auditor within one month from the date of discovery.
When filing basic information of auditors under Article 20 herein, insurance agent companies, insurance broker companies or banks shall check whether or not the auditors have met the requirements set forth in Articles 14 and 16 herein; if not, the auditor shall take remedial actions within two months, failing which, the company shall promptly adjust the auditor’s position.
Section 2 Self-evaluation and Statement on Internal Controls
Insurance agent companies, insurance broker companies or banks shall establish a self-evaluation system, and shall conduct self-evaluation at least annually and a special self-evaluation as deemed necessary.
When a unit of the company conducts self-evaluation mentioned in the preceding paragraph, the unit chief shall assign personnel other than the original handling staff to carry out the evaluation and keep the evaluation activity confidential beforehand.
The self-evaluation report and its working papers shall be preserved for at least five (5) years.
Insurance agent companies, insurance broker companies or banks shall establish a self-evaluation training program to provide self-evaluation personnel with proper training on a continual basis.
The general manager of insurance agent companies and insurance broker companies shall oversee that each unit carefully evaluates and reviews the implementation of internal control system. The company’s chairman of the board (council chairman), general manager and relevant officers shall jointly sign a statement on internal controls (the attached Form), which shall be submitted to the board of directors (council) for approval and filed in a manner designated by the competent authority before the end of April each year.
A bank shall include its insurance agent or broker business in its statement on internal control in accordance with Article 27 of the “Implementation Rules of Internal Audit and Internal Control System of Financial Holding Companies and Banking Industries”.
Section 3 Audit by Independent Auditor and Compliance
If deemed necessary, the competent authority may order an insurance agent company, insurance broker company or bank to engage a CPA to audit its internal control system and express opinions on the accuracy of the statements, reports, and other information of the company or bank submitted to the competent authority, as well as the status of implementation of the company’s internal control system and compliance system.
The audit fees of the CPA in the preceding paragraph are to be agreed upon between the insurance agent company, the insurance broker company or the bank and the CPA, and shall be borne by the company or the bank.
Where necessary, the competent authority may invite insurance agent companies, insurance broker companies or banks and its CPA to discuss matters with respect to the audit mentioned in the preceding article. If the CPA engaged by the insurance agent or broker company is found to be incompetent for the audit works, the competent authority may order the insurance agent company, the insurance broker company or the bank to change its CPA and appoint another CPA to re-conduct the audit works.
A CPA performing an audit as described in Article 24 herein shall promptly report to the competent authority in case of any of the following circumstances:
1. During the course of an audit by the CPA, the company or the bank refuses to provide the required financial statements, supporting vouchers, account books, or meeting minutes, or otherwise refuses to answer the questions of the CPA, or the CPA is unable to continue the audit works due to the constraint of other objective circumstances.
2. There is any material misstatement, forgery or omission of information of serious nature in the accounting or other records of the audited company or the bank.
In case an audited company or bank has a situation described in subparagraph 2 of the preceding paragraph, the CPA shall first submit a summary report based on the audit result to the competent authority.
When insurance agent companies, insurance broker companies or banks engage a CPA to conduct the audit specified in Article 24 herein, the company or the bank shall submit the CPA’s audit report to the competent authority or an agency designated by it within the time period specified by the competent authority.
When the competent authority inquires about the contents of the audit report, the CPA shall provide relevant information and explanations in detail.
The compliance system provided in subparagraph 4 of Article 9 herein shall be established and implemented in accordance with the Regulations Governing Insurance Agents or the Regulations Governing Insurance Brokers.
Chapter 4 Supplemental Provisions
The branch of a foreign insurance agent company or insurance broker company in Taiwan that meets the conditions set out in Paragraph 1 of Article 2 herein shall carry out internal control and audit in compliance with these Regulations. However, if the internal control and audit system and business solicitation system and procedures of the branch are drawn up based on the relevant rules and systems of its head office and such rules are not lower than the standards set out in these Regulations, the branch in Taiwan is allowed to report its situation to the competent authority and carry out internal control and audit according to such systems after the branch has provided detailed descriptions of the systems adopted by its head office and a report comparing the head office’s systems and the systems provided herein, which is signed by the responsible person of the branch in Taiwan.
In case an insurance agent or insurance broker company is a limited company, matters that must be reported to the board of directors (council) or resolutions to be adopted or charged by the board of directors (council) under these Regulations shall be reported to or decided by all directors; matters that should be reported to supervisors (board of supervisors) or audit committee shall also be reported to shareholders that are not involved in the execution of business.
For an insurance agent company or insurance broker company that has met criteria for annual operating revenue in Paragraph 1, Article 2 and has established internal control and audit system and business solicitation system and procedures, if its operating revenue has not reached the amount set out in Paragraph 1, Article 2 herein for three consecutive years, it may be exempt from these Regulations with the approval of the competent authority.
These Regulations shall enter into force on the date of promulgation.