These Regulations are adopted pursuant to Article 6, paragraph 3, Article 7, paragraph 4, Article 8, paragraph 3, and Article 10, paragraph 3 of the Money Laundering Control Act (hereinafter, "the Act") and Article 7, paragraph 5 of the Counter-Terrorism Financing Act.
Terms used in these Regulations are defined as follows:
1. "Certified public accountant (CPA)" shall mean a person who has acquired qualification to practice as a CPA and practices as a CPA, pursuant to Article 8 of the Certified Public Accountant Act, and prepares for or carries out any of the transactions in the items under Article 5, paragraph 3, subparagraph 3, or transactions designated under subparagraph 5, of the Act.
2. "CPA firm" shall mean a firm that a CPA referred to in the preceding subparagraph has established or joined, pursuant to Article 8 of the Certified Public Accountant Act.
3. "Beneficial owner" shall mean a natural person who ultimately owns or controls a customer and/or the natural person on whose behalf a transaction is being conducted, including those persons who exercise ultimate effective control over a legal person or arrangement.
4. "Risk-based approach" (RBA) shall mean conducting risk assessment, risk mitigation and risk monitoring measures.
5. "High risk country or region" shall mean a country or region as described in Article 11, paragraph 2 of the Act.
A CPA and his or her affiliated CPA firm shall take appropriate steps to identify, assess, and understand their money laundering/terrorist financing (ML/TF) risks, including at least the customers, countries or geographic areas, products and services, transactions or delivery channels, and in accordance with the following provisions:
1. Prepare risk assessment reports.
2. Consider all the relevant risk factors, including the results of national risk assessment, before determining the level of overall risk and the appropriate mitigation measures to be applied.
3. Make the risk assessment reports available and update them.
4. Provide risk assessment reports when requested by the Financial Supervisory Commission (FSC).
A CPA and affiliated CPA firm shall comply with the following provisions:
1. Have policies, controls and procedures, which are approved by senior management, to enable them to manage and mitigate the risks that have been identified by the country or by themselves.
2. Monitor the implementation of those controls and enhance them if necessary.
3. Take enhanced measures to manage and mitigate the risks where higher risks are identified.
A CPA and affiliated CPA firm shall establish internal control and audit systems based on their ML/TF risks and business scale, and the systems shall include the following:
1. Operations and control procedures of anti-money laundering and countering the financing of terrorism (AML/CFT).
2. Holding or participating in on-the-job training related to AML regularly.
3. The responsible person or a designated dedicated person shall be responsible for coordinating and monitoring the implementation of subparagraph 1.
4. Making risk assessment reports available and updating them regularly.
5. Audit procedures.
The number of hours, course certification and reporting methods for the on-the-job training referred to in subparagraph 2 of the preceding paragraph shall be separately prescribed by the FSC.
The audit procedures referred to in subparagraph 5 of paragraph 1 shall, based on the ML/TF risks and business scale of the CPA firm, be conducted by means of self-review or internal audit.
The FSC shall annually assign personnel to conduct sample audits of the implementation of the systems referred to in paragraph 1. The audit methods include on-site and off-site inspection. The FSC may furthermore appoint the National Federation of Certified Public Accountants Association of the R.O.C. (NFCPAA) to carry out the inspection.
When the FSC or NFCPAA conducts the inspection of the preceding paragraph, it may order the CPA and affiliated CPA firm to present relevant account books, documents, electronic data files, or other relevant materials. The aforesaid materials shall be provided regardless of their means of storage, whether hard copies, electronic files, emails, or any other form or means of storage whatsoever, and the CPA and affiliated CPA firm may not evade, refuse, or obstruct the audit for any reason.
A CPA and affiliated CPA firm shall assess the ML/TF risks prior to development of new products, new services and new business practices, including new delivery mechanisms, and the use of new or developing technologies for both new and pre-existing products or services, and take appropriate measures to manage and mitigate those risks.
A CPA shall comply with the following provisions in undertaking customer due diligence (CDD) measures:
1. A CPA shall not accept anonymous customers or customers in fictitious names for establishing or maintaining business relations.
2. A CPA shall undertake CDD measures when:
A. establishing business relations with any customer;
B. carrying out occasional transactions, including situations where the transaction is carried out in a single operation or in several operations that appear to be linked;
C. there is a suspicion of money laundering or terrorist financing; or
D. the CPA has doubts about the veracity or adequacy of previously obtained customer identification data.
3. The CDD measures to be taken by a CPA are as follows:
A. Identifying the customer and verifying that customer's identity using reliable, independent source documents, data or information. In addition, a CPA shall retain copies of the customer's identity documents or record the relevant information thereon.
B. Verifying that any person purporting to act on behalf of the customer is so authorized, and identifying and verifying the identity of that person using reliable, independent source documents, data or information. In addition, the CPA shall retain copies of the person's identity documents or record the relevant information thereon.
C. Taking reasonable measures to identify and verify the identity of the beneficial owner of a customer, including using reliable source data or information.
D. The CDD measures shall include understanding and, as appropriate, obtaining information on, the purpose and intended nature of the business relationship.
4. When the customer is a legal person, an organization or a trustee, a CPA shall, in accordance with the preceding subparagraph, understand the business nature of the customer or trust (including trust-like legal arrangements) and obtain at least the following information to identify the customer or the trust and verify its identity:
A. Name, legal form and proof of existence of customer or trust.
B. The charter or similar power documents that regulate and bind the customer or trust, except under any of the following circumstances:
a. For customers/entities listed under item C of subparagraph 5 hereof.
b. For a customer that is an organization that confirms it does not have a charter or similar power document.
C. Names of relevant persons having a senior management position in the customer.
D. The address of the registered office of the customer, and if different, the address of its principal place of business.
E. Understand whether the customer issues bearer shares and apply appropriate measures for customers that have issued bearer shares, to ensure that the information on their beneficial owners is kept up-to-date.
5. When the customer is a legal person, an organization or a trustee, a CPA shall, in accordance with item C of subparagraph 3 hereof, understand the ownership and control structure of the customer or the trust, and obtain the following information to identify the beneficial owners of the customer and take reasonable measures to verify the identity of such persons:
A. For customers that are legal persons or organizations:
a. The identity of the natural person(s) who ultimately has a controlling ownership interest in the legal person. A controlling ownership interest refers to owning directly and/or indirectly more than 25 percent of the legal person's shares or capital; a CPA may ask the customer to provide its list of shareholders or other documents to assist in the identification of persons holding controlling ownership interest.
b. To the extent that no natural person exerting control through ownership interests is identified under sub-item a or that there is doubt as to whether the person(s) with the controlling ownership interest are the beneficial owner(s), the identity of the natural person(s) (if any) exercising control of the customer through other means.
c. Where no natural person is identified under sub-item a or b above, a CPA shall identify the identity of a natural person who holds the position of senior managing official.
B. For customers that are trustees: the identity of the settlor(s), the trustee(s), the trust supervisor, the trust beneficiaries, and any other person(s) exercising effective control over the trust, or the identities of persons in equivalent or similar positions to those above.
C. Unless otherwise provided for in the proviso of subparagraph 3 of Article 10 herein or where the customer has issued bearer shares, a CPA is not subject to the requirements of identifying and verifying the identity of beneficial owner(s) of a customer set out under item C. of subparagraph 3 hereof if the customer or the person with controlling power is:
a. a R.O.C. government entity;
b. an enterprise owned by the R.O.C. government;
c. a foreign government entity;
d. a public company or its subsidiaries;
e. an entity listed on a stock exchange outside of the R.O.C. that is subject to regulatory disclosure requirements of its principal shareholders, and the subsidiaries of such entity;
f. a CPA supervised by the R.O.C. government, and an investment vehicle managed by such institution;
g. a CPA incorporated or established outside the R.O.C. that is subject to and supervised for compliance with AML/CFT requirements consistent with the standards set by the Financial Action Task Force on Money Laundering (FATF), and an investment vehicle managed by such institution;
h. a fund administered by a R.O.C. government entity; or
i. an employee stock ownership trust or an employee savings trust.
6. A CPA shall not establish a business relationship or conduct occasional transactions with a customer before completing the CDD measures. However, a CPA may first obtain information on the identity of the customer and its beneficial owner(s) and complete the verification after the establishment of a business relationship, provided that:
A. The ML/TF risks are effectively managed, including adopting risk management procedures with respect to the circumstances under which a customer may utilize the business relationship to complete a transaction prior to verification;
B. This is essential not to interrupt the normal conduct of business with the customer; and
C. Verification of the identities of the customer and its beneficial owner(s) will be completed as soon as reasonably practicable after the establishment of a business relationship. The business relationship must be terminated if verification cannot be completed within a reasonably practicable time limit, and the CPA shall notify its customer in advance of this requirement.
7. Where a CPA is unable to complete the required CDD process on a customer, the CPA shall consider filing a suspicious transaction report (STR) on money laundering or terrorist financing in relation to the customer.
8. If a CPA forms a suspicion of money laundering or terrorist financing and reasonably believes that performing the CDD process will tip off the customer, it is permitted not to pursue that process and file a suspicious transaction report instead.
If there exists any of the following situations in the CDD process, a CPA shall consider declining to establish a business relationship or carry out any transaction with the customer:
1. The customer is suspected of opening an anonymous account or using a fake name, a nominee, a shell firm, or a shell corporation or entity to conduct a transaction;
2. The customer refuses to provide the required documents for identifying and verifying its identity;
3. A person acts on behalf of a customer to conduct a transaction, and it is difficult to check and verify the fact of authorization and identity-related information;
4. The customer uses forged or altered identification documents;
5. The customer provides only photocopies of the identification documents. However, this does not apply to business for which a photocopy or image file of the identification document supplemented with other control measures is acceptable under applicable rules;
6. Documents provided by the customer are suspicious or unclear, or the customer refuses to provide other supporting documents, or the documents provided cannot be authenticated;
7. The customer procrastinates in providing identification documents in an unusual manner;
8. The customer is an individual, a legal person or an organization sanctioned under the Counter-Terrorism Financing Act, or a terrorist or terrorist group identified or investigated by a foreign government or an international anti-money laundering organization. However, this does not apply to payments made under subparagraphs 1 to 3, paragraph 1, Article 6 of the Counter-Terrorism Financing Act; or
9. Other unusual circumstances exist in the process of establishing a business relationship or conducting transactions and the customer fails to provide reasonable explanations.
A CPA shall comply with the following provisions in their watch list filtering programs on customers and connected parties of transactions:
1. The CPA shall establish policies and procedures for watch list filtering, based on a risk-based approach, to detect, match, and screen whether customers, senior managerial officers or beneficial owners of customers, or connected parties of transactions, are individuals, legal persons, or organizations sanctioned under the Terrorism Financing Prevention Act or terrorists or terrorist groups identified or investigated by a foreign government or an international organization.
2. The CPA's policies and procedures for watch list filtering of customers and connected parties of transactions shall include at least matching and screening logics, implementation procedures, and evaluation standards, and shall be documented.
3. The CPA shall document their watch list filtering operations and maintain the records for a time period in accordance with Article 15.
A CPA shall conduct ongoing due diligence on the business relationship and observe the following provisions:
1. A CPA shall scrutinize transactions undertaken throughout the business relationship to ensure that the transactions being conducted are consistent with the CPA's knowledge of the customer, its business and risk profile, including, where necessary, the source of funds.
2. A CPA shall periodically review the existing records to ensure that documents, data or information of the customer and its beneficial owner(s) collected under the CDD process are kept up-to-date, particularly for higher risk categories of customers, whose reviews shall be conducted at least once every year.
3. A CPA shall apply CDD requirements to existing customers on the basis of materiality and risk, and after taking into account whether and when CDD measures have previously been undertaken and the adequacy of data obtained, conduct due diligence on such existing relationships at appropriate times, including when learning of any material change to the customer's identity and background information.
4. A CPA may rely on existing customer records to undertake identification and verification. Therefore, a CPA is allowed to carry out transactions without repeatedly identifying and verifying the identity of an existing customer. However, a CPA shall conduct CDD measures again in accordance with Article 7 herein if he or she has doubts about the veracity or adequacy of the records, such as, where there is a suspicion of money laundering in relation to that customer, or where there is a material change in the way that the customer's transactions or account are operated, which is not consistent with the customer's business profile.
A CPA shall determine the extent of applying CDD and ongoing due diligence measures under subparagraph 3 of Article 7 and the preceding article using a risk-based approach (RBA):
1. For higher risk circumstances, a CPA shall perform enhanced CDD or ongoing due diligence measures by adopting additionally at least the following enhanced measures:
A. Obtaining the approval of senior management before establishing or entering a new business relationship;
B. Taking reasonable measures to understand the sources of wealth and the source of funds of the customer; in case the source of funds is deposits, understanding further the source of deposits; and
C. Conducting enhanced ongoing monitoring of the business relationship.
2. For customers from high risk countries or regions or customers on the sanction list published by the Ministry of Justice pursuant to the Counter-Terrorism Financing Act, a CPA shall conduct enhanced CDD measures consistent with the risks identified.
3. For lower risk circumstances, a CPA may apply simplified CDD measures, which shall be commensurate with the lower risk factors. However, simplified CDD measures are not allowed in any of the following circumstances:
A. Where the customers are from high risk countries or regions; or
B. Where there is a suspicion of money laundering or terrorist financing in relation to the customer or the transaction.
A CPA shall perform his or her own CDD operations. However, if it is otherwise permitted by law or the FSC that a CPA may rely on third parties to perform the identification and verification of the identities of customers, agents and beneficial owners or the purpose and intended nature of the business relationship, the CPA relying on the third party shall still bear the ultimate responsibility for CDD measures and comply with the following provisions:
1. A CPA relying on a third party shall be able to immediately obtain the necessary CDD information.
2. A CPA shall take adequate steps to satisfy itself that copies of identification data and other relevant documentation relating to the CDD requirements will be made available from the third party upon request without delay.
3. A CPA shall make sure that the third party he or she relies on is regulated, supervised or monitored, and has appropriate measures in place for compliance with CDD and record-keeping requirements.
4. A CPA shall make sure that the jurisdiction where the third party that the CPA relies on is located has AML/CFT regulations in place that are consistent with the standards set out by the FATF.
When conducting CDD measures, a CPA shall query the customer and also use an external database or information obtained from external sources to determine whether a customer or its beneficial owner is a person who is or has been entrusted with a prominent function by a domestic government, a foreign government or an international organization (referred to as politically exposed persons (PEPs) hereunder):
1. For a customer or the beneficial owner determined to be a current PEP of a domestic or foreign government or international organization, a CPA shall treat the customer directly as a high-risk customer, and adopt enhanced CDD measures under subparagraph 1, paragraph 1 of Article 10 herein.
2. The preceding subparagraph also applies to family members and close associates of PEPs. The scope of family members and close associates mentioned above will be determined in the manner stipulated in the latter section of paragraph 4, Article 7 of the Act.
The provisions of the preceding paragraph do not apply when the beneficial owner or senior managerial officer of a customer specified under sub-items a to c, and h, of item C, subparagraph 5 of Article 7 herein is a PEP.
A CPA shall report to the Investigation Bureau of the Ministry of Justice (referred to as the Investigation Bureau hereinafter) pursuant to Article 10, paragraph 1 of the Act when a transaction includes any of the following circumstances, which raise suspicion of ML/TF:
1. The remuneration or the transaction amount exceeds NT$500,000, and the customer, without due reason, pays or demands to pay an amount slightly lower than NT$500,000 in cash, multiple times or consecutively.
2. The remuneration or the transaction amount exceeds NT$500,000, and the customer, without due reason, pays in cash, cash in a foreign currency, or by traveler's check, draft in a foreign currency, or other bearer financial instrument.
3. Without due reason, the customer asks to purchase a real property or a business entity immediately.
4. The customer is a natural person, legal person or group that has been announced and sanctioned by the Ministry of Justice pursuant to the Counter-Terrorism Financing Act, or a country announced by the Ministry of Justice, or a terrorist organization or a terrorist recognized or investigated by an international organization.
5. The transaction is suspected to be involved with any terrorist activity, terrorist organization, terrorism financing or financing of proliferation.
6. When the CPA prepares for, or carries out, a transaction designated under Article 5, paragraph 3, subparagraph 5 of the Act for the customer, and the customer cannot provide a concrete explanation, or the explanation provided is obviously not true.
7. After the relationship of engagement of the CPA is ended, the CPA discovers that the customer denies the relationship, or that no such customer exists, or that there are sufficient facts to prove that the customer's name was falsely used by someone else.
8. Other transactions which raise suspicion of money laundering or terrorist financing.
CPAs shall file suspicious transaction reports in accordance with the following provisions for transactions suspected of involving ML/TF:
1. Within 2 business days upon recognition of a suspicious transaction, a CPA shall file a report to the Investigation Bureau.
2. For obviously significant suspicious transactions of an urgent nature, a CPA shall file a report immediately to the Investigation Bureau by fax or other available means and follow it up with a written report. However, the CPA is not required to submit a follow-up written report if the Investigation Bureau has acknowledged receipt of the report by sending a reply by fax. In such event, the CPA shall retain the faxed reply.
3. The formats of the suspicious transaction report and faxed reply mentioned in the preceding two subparagraphs shall be prescribed by the Investigation Bureau.
4. The data reported to the Investigation Bureau and relevant transaction records shall be kept in accordance with Article 15 herein.
A CPA shall keep records on all business relations and transactions with the CPA's customers in hard copy or electronic form and in accordance with the following provisions:
1. A CPA shall maintain all necessary records on transactions, both domestic and international, for at least five years or for a longer period as otherwise required by law.
2. A CPA shall keep all the following information for at least five years, or for a longer period as otherwise required by law, after the business relationship is ended, or after the date of the occasional transaction:
A. All records obtained through CDD measures, such as copies or records of official identification documents such as passports, identity cards, driving licenses, national health insurance cards or similar documents.
B. Bank account files, proof of payment, or contract files.
C. Business correspondence, including inquiries to establish the background and purpose of complex, unusual large transactions, and the information obtained and the results of any analysis undertaken.
3. Transaction records maintained by a CPA must be sufficient to permit reconstruction of individual transactions so as to provide, if necessary, evidence for prosecution of criminal activity.
4. A CPA shall ensure that transaction records and CDD information will be available swiftly to the competent authorities when such requests are made with appropriate authority.
A CPA shall pay attention to the sanctions list announced by the Ministry of Justice referred to in Articles 4 and 5 of the Counter-Terrorism Financing Act, and comply with paragraph 1 of Article 7 of the same law, including for attempted transactions.
When a CPA, in the course of business relations, discovers that he or she holds or manages any property or property interests of a designated individual, legal person or entity, or discovers the place where any property or property interests of a designated individual, legal person or entity are located, the CPA shall immediately report to the Investigation Bureau.
The reporting records of the preceding paragraph and relevant transaction records shall be kept in accordance with the preceding Article.
These Regulations shall be enforced from the date of issuance.