The internal control system of an insurance enterprise shall incorporate at least the following components:
1. Control environment: The control environment is the basis for the design and implementation of the internal control system of an insurance enterprise. The control environment encompasses the integrity and ethical values of the insurance enterprise, governance oversight responsibility of its board of directors and supervisors or audit committee, organizational structure, assignment of authority and responsibility, human resources policy, performance measures and awards and discipline. The board of directors and management shall establish internal code of conduct, including the code of conduct for directors and code of conduct for employees.
2. Risk assessment: A precondition to risk assessment is the establishment of objectives, linked at different levels of an insurance enterprise, and the suitability of the objectives should also be taken into consideration. The management should consider the impact of changes in the external environment and its own business model, and possible fraud scenarios that may occur. The risk assessment results can assist the insurance enterprise in designing, correcting, and implementing necessary controls in a timely manner.
3. Control operations: Control operations are means the actions of adopting proper policies and procedures by an insurance enterprise based on its risk assessment results to control risks within a tolerable range. Control operations shall be performed at all levels of the insurance enterprise, at various stages of business processes, and over the technology environment, and shall include supervision and management over subsidiaries.
4. Information and communication: Information and communication means relevant and quality information that an insurance enterprise obtains, generates, and uses from both internal and external sources to support the continuous functioning of other components of internal control, and to ensure that information can be effectively communicated within and outside the organization. The internal control system must have mechanisms to generate information necessary for planning, implementation, and monitoring, and to enable timely access to information by those who need it.
5. Monitoring operations: Monitoring operations means ongoing evaluations, individual evaluations, or some combination of the two used by an insurance enterprise to ascertain whether each of the components of internal control is present and continuously functioning. Ongoing evaluations means routine evaluations built into the course of operations at different levels. Individual evaluations are evaluations conducted by different personnel such as internal auditors, supervisors or audit committee, or the board of directors. Findings of deficiencies of the internal control system shall be communicated to the management of appropriate levels, the board of directors, and supervisors or audit committee, and improvements shall be made in a timely manner.

The code of conduct for directors specified in Subparagh 1 of the preceding article shall contain at least the rules that when a director discovers that the insurance enterprise is in danger of suffering material loss or damage, he shall handle the matter properly as soon as possible, immediately notify the audit committee or the independent directors or supervisors, report it to the board of directors and supervise the insurance enterprise to report to the competent authority.

An insurance enterprise shall, based on its business nature and scale, establish operating procedures for at least the following control operations according to the principles of internal check, and review and revise such procedures in a timely manner:
1.Insurance product development and management operation: Including risk assessment of insurance products, evaluation of premium rate adequacy, assessment of reserve adequacy and the product management operation.
2.Product sales operation: Including promotional materials and information to be disclosed in insurance policy, business solicitation, underwriting, contract conversion, reinstatement, conservation, fees and charges.
3.Claim operation: Including investigation of accident, review and payment operation.
4.Fund utilization operation: Including holistic investment policies, acquisition, custody and disposal of various investment assets, and rules for related party transactions.
5.Solvency assessment operation: Including assessment of provisions for various kinds of reserves, evaluation of asset quality, the match of assets and liabilities, resolution of overdue loans and non-accrual loans, management of investment and fund liquidity, assessment of financial conditions and capital adequacy, insurance enterprise risk management and assessment of the insurance enterprise’s self risks and solvency.
6.Processing derivatives transactions operation: Including trading principles and guidelines, operating procedures, announcement and reporting procedures, accounting treatment, internal control and audit system.
7.Reinsurance operation: Including methods of reinsurance, assessment of risks and risk tolerance, reinsurance retention ratio and selection of reinsurers and reinsurance brokers.
8.Control operations of accounting, general affairs, resources, personnel management and other businesses.
9.Management of financial examination reports.
10.Management of financial consumers protection.
11.Management of the application of International Financial Reporting Standards.
12.Mechanism for handling major contingencies.
13.Mechanism for anti-money laundering and combating the financing of terrorism (AML/CFT) and management of compliance with relevant laws and regulations, including the management mechanism for identifying, assessing, and monitoring AML/CFT risks.
14.Management of sustainability information
15.Other matters designated by the competent authority.
Where an insurance enterprise is required to establish a remuneration committee according to law, the insurance enterprise shall design internal controls and operating procedures for the operation and management of the remuneration committee.
Where an insurance enterprise has an audit committee established, its internal control system shall also include the management of the audit committee meeting procedures.
For the stipulation, revision or abolition of all operational and management regulations mentioned in the preceding three paragraphs, it requires the participation of regulatory compliance, internal audit, and risk management agencies.

An insurance enterprise that uses a computerized information processing system shall, in addition to clearly delineating the authority and responsibility of information and user departments, include at least the following control operations in its internal control system and observe the self-regulatory rules established by the trade association it belongs to:
1. Clear division of authority and responsibility of the information processing department;
2. Control of system development and program modification;
3. System documentation control;
4. Program and data access control;
5. Data input/output control;
6. Data processing control;
7. Security control of the entrance of computer room;
8. System, files, computer and communications equipment security control;
9. Control of purchase, usage, and maintenance of hardware and system software;
10. Prevention and control of spread of computer viruses and hacker invasion;
11. Control of system recovery plan, disaster backup plan and testing procedures;
12. Control of outsourcing of core businesses;
13. Confidentiality and security control of classified data of customers and company; and
14. Prevention and control of computer crimes.
The Life Insurance Association of the Republic of China and The Non-Life Insurance Association of the Republic of China shall establish and periodically review self-regulatory rules for information security.

An insurance enterprise shall set up a dedicated information security unit and appoint a chief information security officer that may not handle concurrently information operation or other affairs that may pose a conflict of interest, and shall be allocated with proper manpower resources and equipment, except as otherwise provided by the competent authority with respect to insurance cooperatives.
An insurance enterprise whose total assets in the previous year as audited by a CPA exceed NTD 1 trillion shall appoint a person at the level of vice president or higher or a person in an equivalent position to serve concurrently as the chief information security officer, who shall oversee the implementation of information security policies and allocation of resources. It shall also set up a dedicated information security unit with independent function and appoint a person at the level of associate general manager or higher or a person in an equivalent position to be the chief officer of such dedicated information security unit.
The dedicated information security unit of an insurance enterprise is in charge of planning, monitoring and implementing information security management operation. The chief information security officer (the supervisor of the dedicated information security unit if no chief information security officer is appointed) shall, together with personnel specified in Paragraph 1, Article 25, jointly issue an internal control system statement to the board of directors (council) for approval.
The personnel of the dedicated information security unit of an insurance enterprise shall attend at least 15 hours of professional courses on information security, or on-the-job training every year. The personnel of the head office, domestic and foreign business units, product development management unit, fund utilization unit, information units, asset custody unit, and other management units shall attend at least 3 hours of information security courses every year.
Insurance enterprises governed by Paragraph 2 hereof shall make adjustment to become compliant within six months after it meets the applicable condition set forth therein.

For the purpose of maintaining effective operation of its internal control system to achieve the objectives of internal control set out in Article 2 herein, an insurance enterprise shall establish such three defense lines for internal control, including a self-inspection system, a regulatory compliance system and risk management mechanism and an internal audit system.
To implement the regulations in the foregoing paragraph, the insurance enterprise shall adopt the following measures:
1. Internal audit system: an audit unit shall be set up to take charge of auditing each unit and periodically evaluating the performance of self-inspection conducted by each business unit.
2. Regulatory compliance system: The chief compliance officer examines duly whether business personnel comply with relevant laws and regulations in conducting business in accordance with the compliance plan developed by the head office.
3. Self-inspection system: Members of business, financial and information units check on each other the actual implementation of internal controls under the supervision of managerial personnel or personnel at comparable position or higher as assigned by each unit to discover deficiencies early and take corrective actions in a timely manner.
4. CPA auditor system: When a certified public accountant (CPA) engaged by an insurance enterprise conducts annual audit of the enterprise, the CPA should also examine the effectiveness of its internal control system and express opinions on the accuracy of financial information the enterprise files with the competent authority and the status of implementation of internal control system and regulatory compliance system.
5. Risk management mechanism: Establish independent and effective risk management mechanism to assess and monitor the overall risk bearing capacity and current status of risks already incurred, and to determine their compliance with the risk response strategies and risk management procedures.
The execution procedures for the three defense lines for the internal control system of an insurance enterprise have been collectively established by the Life Insurance Association of the Republic of China and the Non-Life Insurance Association of the Republic of China and have been filed with the competent authority for record.

(deleted)