Financial institutions and businesses or personnel providing virtual asset services shall adopt reasonable measures to prevent deposit accounts, electronic payment accounts, credit cards, and virtual asset accounts from being used in fraud crimes and shall promote information on fraud prevention to customers.

Financial institutions and businesses or personnel providing virtual asset services shall exercise the obligation of due care of a good administrator for deposit accounts, electronic payment accounts, and credit cards, and virtual asset accounts. Regarding abnormal deposit accounts, electronic payment accounts, credit cards, or virtual asset accounts that are suspected of being involved in fraud crimes, they shall enhance the authentication of customers and may adopt continual review of customers, suspension of deposits , withdrawals, or outward remittance of funds or virtual assets, suspension of the entire or partial transaction functions, credit card control and suspension of credit card account transaction functions, refusal of establishing business relationships, service provision, and other control measures.
When implementing operations stated in the latter part of the preceding paragraph, financial institutions and businesses or personnel providing virtual asset services may notify peers, who are required to provide relevant information.
The central competent financial authority shall establish regulations regarding the criteria for identifying abnormal deposit accounts, electronic payment accounts, credit cards, or virtual asset accounts suspected of fraud, as well as the procedures and items for notification, operational protocols, and other compliance matters..

When making arrangements according to the latter part of paragraph 1 of the preceding Article, financial institutions and businesses or personnel providing virtual asset services shall keep the data obtained from the customer authentication procedures and transaction records and may report to the judiciary police department. After the judiciary police department receives the report, it shall notify financial institutions and businesses or personnel providing virtual asset services to carry out the subsequent control or cancel the control over the abnormal accounts, credit cards, or virtual asset accounts within a reasonable timeframe.
The data and transaction records retained in accordance with the preceding paragraph shall be kept for at least five years or a longer period as otherwise required by law, from the termination of business relationships.
The central competent financial authority shall coordinate with the central competent authorities and competent legal affairs authority to discuss and establish the regulations for the scope of the preserved data and transaction records in the first paragraph, the methods to report to the judiciary police department, the subsequent control, control cancelation and other compliance matters of abnormal accounts, credit cards, or virtual asset accounts.

Financial institutions and businesses or personnel providing virtual asset services shall cooperate with the judiciary police department to form a joint defense reporting system. When receiving the reports from the judiciary police department, the receiving banks and businesses or personnel providing virtual asset services shall earmark and continue to monitor the reported funds or virtual assets and make arrangements according to paragraph 1, Article 8.
After carrying out the report in the preceding paragraph, the judiciary police department shall investigate within a reasonable timeframe and notify financial institutions and businesses or personnel providing virtual asset services to carry out subsequent alerting operations or control cancelation.
The central competent financial authority shall coordinate the central competent authorities and competent legal affairs authority to establish the regulations for the reporting system, earmarking of funds or virtual assets, operational procedures, subsequent aler operations, control cancelation, and other compliance matters.

When there are funds or virtual assets remitted (transferred) by victims in the accounts or account numbers suspended of all transaction functions that are not withdrawn as notified by the judiciary police department, financial institutions and businesses or personnel providing virtual asset services may return the remaining funds or virtual assets based on the notice of the initial notifying institution according to the latter part of paragraph 1 of Article 9.
The central competent financial authority shall coordinate the central competent authorities and competent legal affairs authority to establish the regulations for the conditions, methods, procedures, and other compliance matters regarding the return of the remaining funds or virtual assets in the accounts or account numbers.

Financial institutions and businesses or personnel providing virtual asset services are exempted from their confidentiality obligations when implementing fraud prevention measures stated in this Act. This exemption also applies to the responsible persons, directors, managers, and employees of the institutions or businesses.
Financial institutions and businesses or personnel providing virtual asset services are exempted from the compensation responsibility when causing damages to customers or third parties due to the implementation of fraud prevention measures stated in this Act or arrangements made in cooperation with the judiciary police department and the target business competent authorities.

If any of the following circumstances occur to financial institutions and businesses or personnel providing virtual asset services, the central competent authority may impose a fine of more than NT$0.2 million but less than NT$2 million and order them to make correction within a prescribed period; those who fail to make correction within the prescribed period, penalties shall be imposed per violation:
1. Failing to provide relevant information to the notifying party in violation of paragraph 2 of Article 8.
2. Failing to preserve data or transaction records in violation of paragraph 1 of Article 9.
3. Failing to preserve data or transaction records as required in violation of paragraph 2 of Article 9.
4. Failing to cooperate in forming a joint defense reporting system or fail to earmark and continuously monitor reported funds or virtual assets in violation of paragraph 1 of Article 10.
If any of the circumstances in the subparagraphs of the preceding paragraph that occur to financial institutions and businesses or personnel providing virtual asset services are severe, the central competent authority may impose a fine of more than NT$1 million but less than NT$10 million and order them to make correction within a prescribed period; those who fail to make correction within the prescribed period, penalties shall be imposed per violation.