The purpose of internal audit is to assist the board of directors and the managerial level to verify and evaluate whether the operation of internal control system works effectively and provide appropriate suggestions for revision, which can ensure the on-going performance of effective internal control and serve as the basis of internal control system revisions.

An insurance enterprise shall plan the organization, size and responsibilities of its internal audit unit and produce internal audit working manuals, which shall include at least the following particulars:
1. Operational process of annual audit plan;
2. Inspection and assessment of internal control system to measure the effectiveness and compliance status of existing policies and procedures and their effect on various business activities;
3. Audit items, time, procedures and methods; and
4. The contents of the formats, processing and retention of internal audit reports.
An insurance enterprise should see to it that all of its units carry out self-inspection, and have its internal audit unit review the self-inspection reports of each unit, which, together with internal audit unit's report on the deficiencies and irregularities in internal controls found and improvement actions taken will serve as a basis for the board of directors,general manager, chief auditor, and chief compliance officer to evaluate the overall effectiveness of the internal control system and to issue an internal control system statement.

An insurance enterprise should set up an internal audit unit that is directly subsidiary to the board of directors which should perform audit business honestly and independently. The chief auditor is required to report its audit business to the board of directors and supervisors or audit committee at least semiannually.
The internal audit unit shall establish a chief auditor system to manage all audit business. The qualifications of chief auditor shall comply with the Regulations Governing Required Qualifications for Responsible Persons of Insurance Enterprises, and has the power as an vic general manager. The auditor is not allowed to take a job that will cause conflicts or limitations to the audit work.
The employment, dismissal or transfer of chief auditor shall have the consent of more than two-thirds of the board of directors and report to the competent authority for ratification.
If an insurance enterprise has an audit committee, the appointment, dismissal or transfer of chief auditor mentioned in the preceding paragraph shall first have the consent of at least the majority of all audit committee members. In the absence of the consent of the majority of all audit committee members, the decision of the audit committee shall be recorded in the meeting minutes of the board of directors. Where an insurance enterprise does not have an audit committee but independent directors, any dissenting opinion or reservation expressed by the independent directors regarding the chief auditor shall also be recorded in the meeting minutes of the board of directors.

When any of the following circumstances applies to a chief auditor in overseeing internal audit work, the competent authority may, having regard to the seriousness of the event, issue an official reprimand, order the chief auditor to make improvements within a specified time limit, or otherwise order the insurance enterprise to release the chief auditor from duty:
1. Abusing power of office to engage in improper activities, or acting contrary to his or her duties in an attempt to seek illicit profits for him/herself or for others, or taking advantage of the job to damage the interests of the employer or others.
2. Disclosing, delivering, or publicizing all or part of insurance examination reports on the employer to a person unrelated to such job without the consent of the competent authority.
3. Failing to disclose in the internal audit report any material deficiency found in the financial or business operations of the employer.
4. Failing to notify the competent authority any material malpractice or fraud at the employer due to internal mismanagement.
5. Issuing a fraudulent internal audit report after performing the internal audit work.
6. Failing to follow the instructions of the competent authority in conducting audit work or providing relevant information.
7. Having improper financial dealings with customer or counterparty of transaction involving employer's funds as evidenced by facts.
8. Failing to identify a material deficiency in the financial or business operations of the employer as a result of obviously insufficient or incompetent staffing of internal auditor.
9. Having committed other acts that impair the reputation or interests of the employer.

An insurance enterprise shall be staffed with an appropriate number of competent full-time internal auditors based on its scale of investment, business condition (the number of branches and business volume), management needs and applicable laws and regulations. Personnel of the internal audit unit shall be deputy to each other to cover each other's absence.
The appointment, dismissal, promotion, reward/discipline, rotation and performance review of any personnel in the internal audit unit shall become effective after being reported by the chief auditor to the chairman for approval. However, if the matter involves personnel of other management and business units, the chief auditor should first consult with the personnel office and obtain the consent of the general manager before reporting the matter to the chairman for approval.
When the competent authority conducts examination of the insurance enterprise, the internal audit unit shall assign an internal auditor as the contact person and to provide relevant information and assist in the examination.

The internal auditors of an insurance enterprise shall meet the following qualification requirements:
1. Having not less than 2 years of experience in insurance examination; or having graduated from a junior college, college or university, or passed a senior civil service examination or an equivalent examination, or the examination of certified internal auditor and having not less than 2 years of experience in insurance business; or having not less than 5 years of experience in insurance business; or having not less than 5 years of experience in insurance business. A person is deemed to meet such requirements if he or she has worked as a professional, such as an auditor in an accounting firm or a system analyst in a computer company for not less than 2 years, and has received not less than 3 months of training in insurance business and administration. However, the number of auditor with such qualification shall not exceed one third of total number of auditors;
2. Free of any record of demerit or more serious disposition from employer in the last three years, unless the demerit record was a result of joint and several disciplinary action on account of the violation or offense of a co-worker, and the demerit has been offset by other merits; and
3. An internal auditor who acts as a lead auditor shall have not less than 3 years of experience in auditing or insurance examination, or have not less than 1 year of experience in auditing and not less than 5 years of experience in insurance business.

The internal auditors of an insurance enterprise shall perform their duties in good faith, and shall not have any of the following situations:
1. Acting beyond the scope of audit functions or engaging in other improper activities, or disclosing any acquired information without authorization or in the attempt to profit therefrom, or otherwise using the information against the interest of the insurance enterprises.
2. Conducting audit on operations where he/she worked on within one year or failing to disqualify him/herself from auditing cases or operations in which he/she has a stake or conflict of interest.
3. Accepting improper entertainment or gift or other improper benefits provided by people in insurance business or customers.
4. Failing to follow the instructions of the competent authority in conducting audit work or providing relevant information.
5. Concealing or making false or inappropriate disclosures while well aware that the business activity, reporting, or regulatory compliance condition of the employer may cause direct damage to the interests of beneficiaries, policyholders or any stakeholder.
6. Causing harm to the interests of the company, beneficiaries, policyholders or any stakeholder due to dereliction of duty.
7. Any other violation of rules or regulations, or practices prohibited by the competent authority.

Auditors of the internal audit unit of an insurance enterprise shall, before starting the job or within half a year after starting the job, enroll in the following trainings held by institutions recognized by the competent authority:
1. When acting as an internal auditor for the first time, the auditor should participate in the audit training course or computer audit training course for more than sixty hours. The auditor should also pass the exam and obtain the completion certificate.
2. An internal auditor with leadership duty should participate in the internal auditor leader train course for more than nineteen hours.
3. The auditor manager should participate in audit manager training course for more than twelve hours.
Internal auditors, internal auditor with leadership and auditor manager in charge of audit operations shall attend more than 30 hours of insurance-related professional training offered by the aforementioned training institutions or financial holding companies or the employing insurance enterprise every year. If an auditor has obtained a certified internal auditor certificate in a year, the certificate may be used to offset the training hours for the year.
Insurance-related professional training courses offered by competent authority-recognized institutions shall comprise not less than one half of the required hours of training under the preceding paragraph.
For auditors stationed overseas, the training hours they have received from insurance-related training institutions established in accordance with the local laws and regulations are also recognized.
An insurance enterprise shall verify that its internal auditors meet the qualification requirements set forth herein, and retain the verification documentation and records for future reference.

The department heads/office chiefs of an insurance enterprise or the head of its branch office or persons with comparable decision-making authority shall, before taking office or within half a year after taking office shall meet one of the following requirements:
1. Having worked as an auditor of the internal audit unit and conducted internal audit work for more than one year; or
2. Having attended an auditor, computer audit or supervisor audit training course offered by a competent authority recognized institution, and passed the exam conducted by the aforementioned training institution and obtained a completion certificate therefor. In case of a foreigner, he or she may choose to attend the internal audit training course held by the employing insurance enterprise.
The person who acts for the first time as the department head/office chief of an insurance enterprise or the head of its branch office or person with sufficient decision-making authority shall meet all of the requirements listed in the preceding paragraph. In addition, the person who meets the requirement set forth in Subparagraph 2 of the preceding paragraph shall participate in at least four times of audit practices with the internal audit unit before actually assuming the post or within six months after assuming the post. Such person shall be responsible for at least one item in each practice, audit at least four items in the audit practices, write a report on the practice, and submit it to the chief auditor for acknowledgement. The chief auditor shall issue a certificate and keep the report for further reference.

The internal audit unit of an insurance enterprise shall conduct at least a routine audit every year on its business, finance, information and other management units, and conduct special audits as needed. The audit of its overseas branches (including liaison office) may be replaced with a reporting audit or have site audit frequency adjusted flexibly.
The internal audit unit shall include the implementation status of regulatory compliance system into the routine audit or special audit of the business and management units.

An insurance company may apply to the competent authority for approval to adopt a risk-based internal auditing system. A subsidiary that was evaluated and exempted from adopting the system for implementation in accordance with Paragraph 3, Article 38 shall provide evaluation documents. The competent authority may ask an insurance company to apply for approval to adopt a risk-based internal auditing system in view of the insurance company's asset size, business risks, and other necessary conditions.
An insurance company that applies for approval to adopt a risk-based internal auditing system must meet the following criteria:
1.The insurance company's capital adequacy ratio and net worth ratio in the most recent filing to the competent authority complies with regulations regarding the capital adequacy ratio in Subparagraph 1, Paragraph 1, Article 5 of the Regulations Governing Capital Adequacy of Insurance Companies.
2. The amounts in preparatory funds based on the most recent actuarial opinions meet requirements in related regulations and adequacy requirements.
3. The insurance company has established an effective internal control system.
The provisions on auditing frequency in Paragraph 1 of the preceding article do not apply to insurance companies that have been approved to adopt a risk-based internal auditing system.
The provisions in this article do not apply to branch companies of foreign insurance companies in Taiwan, reinsurance companies, and insurance cooperatives.

When an insurance enterprise carries out routine audit, its internal audit report shall disclose the following information based on the business nature of the audited unit:
1. Scope of audit, summary commentary, financial status, capital adequacy, business performance, asset quality, management of shares, management of the board of directors and audit committee meeting procedures, regulatory compliance, related-party transactions, control and internal management of various businesses, management of customer data confidentiality, information management, employee confidentiality education, management of sustainability information, and implementation of self-inspection, and an evaluation of the above matters.
2. Examination opinions on material violations, deficiencies or frauds occurred at various units, and suggestions for disciplinary actions against negligent employees.
3. The examination opinions or deficiencies identified by the competent authority, accountants, internal audit unit (including the internal audit unit of the financial holding company), and self-inspection personnel, and the improvement status of items that are listed as needing further improvement in the statement on internal control.
The internal audit reports, working papers and relevant information under the preceding paragraph shall be retained for at least 5 years.
An insurance enterprise shall, in a prescribed format and via a Web-based information system, file with the competent authority for record next year's audit plan before the end of December each year and a report on the execution of its previous year's annual audit plan before the end of February each year.
An insurance enterprise shall, by the end of each fiscal year, deliver its next year's audit plan in writing to its supervisors or audit committee for review and record the comments of supervisors or audit committee. If the insurance enterprise does not have an audit committee but independent directors, it shall deliver the audit plan to the independent directors for comments.
The audit plan under the preceding paragraph shall contain at least: a description of the audit plan, key annual audit items, units to be audited, nature of audit (routine audit or special audit), and frequency of audit and whether the audit plan is in compliance with the requirements of the competent authority. If the audit is a special audit, the scope of audit should also be noted.
The annual audit plan and changes thereof shall be approved by the board of directors.

The internal audit unit shall follow up on the status of improvements made by respective units regarding the examination opinions of or deficiencies found by competent authority, accountants, internal audit units (including the internal audit unit of the parent financial holding company) and self-check personnel, and recommendations enumerated in the statement on internal control, and produce a written follow-up report to be provided to the board of directors and the supervisors or the audit committee for review and to be used as important reference in reward/discipline decisions and performance review.
The internal audit report shall be provided to the supervisors or the audit committee for review, and unless it is otherwise stipulated by the competent authority, submitted to the competent authority within two (2) months from the date the audit is completed.
Where an insurance enterprise has independent director(s), the reports shall be simultaneously provided to the independent director(s) when an action is taken under the two preceding paragraphs.
The major points of audit task for an insurance enterprise should be prescribed by the competent authority.

An insurance enterprise shall, in the format prescribed by the competent authority and via a Web-based information system, file with the competent authority for record information on its internal auditors, including the name and years of service by the end of January each year.

An insurance enterprise shall, before the end of May each year, file with the competent authority for record the improvement actions taken for deficiencies and irregularities in its internal control system identified during the previous year's internal audit via a Web-based information system and in a format prescribed by the competent authority.

An insurance enterprise should examine at all time whether its internal auditors have violated the provisions of Article 15 herein. If an auditor is found to violate the provisions, the insurance enterprise shall reassign the auditor within one month from the date of discovery.
When filing the basic data of internal auditors according to Article 21 herein, an insurance enterprise should verify whether its auditors meet the requirements stipulated in Article 14 and Article 16 herein. If an internal auditor fails to meet the requirements, the auditor shall take remedial actions within 2 months, or else be reassigned to another job.

An insurance enterprise should establish a self-inspection system to strengthen internal check so as to prevent the occurrence of fraud. Its finance, business and information units shall conduct routine self-inspection at least once every year and conduct special self-inspection as needed.
For the self-inspection mentioned in the preceding paragraph, the head of the unit should assign a person other than the original handling staff to conduct the inspection and keep the inspection activity confidential beforehand.
The self-inspection report and its working papers shall be retained for at least 5 years for future reference.
An insurance enterprise should establish self-inspection training programs and continue proper training to self-inspection personnel in accordance with the business nature of each unit.

The general manager of an insurance enterprise shall supervise all units to carefully assess and review the implementation status of its internal control system. The chairman, general manager, chief auditor and head office chief compliance officer shall jointly issue an internal control system statement (Attachment), which shall be submitted to the board of directors for approval, and submitted together with the annual report set forth in Article 148-1 of the Act to the competent authority before the end of March each year.
An insurance enterprise shall disclose its internal control system statement on its website.

If the annual financial report of an insurance enterprise is audited and certified by an accountant, the enterprise should also appoint the accountant to conduct an audit of on its internal control system. The accountant should also comment on the correctness of the report submitted by the insurance enterprise to the competent authority and the implementation status of internal control system and regulatory compliance system. The scope of such audit shall also cover the foreign branches of the insurance enterprise.
The competent authority may require the insurance enterprise to appoint an accountant to conduct a special audit of personal information protection and AML/CFT in accordance with the rules set forth by the competent authority.
The audit fee for the accountant may be agreed upon by the insurance enterprise and the accountant and shall be paid by the insurance enterprise.
The provisions of Paragraphs 1 and 2 do not apply to an insurance enterprise under receivership by the competent authority pursuant to law.

Where necessary, the competent authority may invite an insurance enterprise and its appointed accountant to discuss audit related matters under the preceding article. If the competent authority finds the accountant appointed by the insurance enterprise not sufficiently competent for the audit work, the competent authority may demand the insurance enterprise to replace its accountant and appoint another accountant to re-conduct the audit work.

When an accountant conducts audit provided in Article 26 herein, the accountant should inform the competent authority immediately when the following conditions are found:
1. During the course of audit, the insurance enterprise fails to provide the accountant with requested reports, certificates, account books and meeting minutes, or refuses to make further explanation on the inquiries made by the accountant, or the accountant is unable to continue the audit work as constrained by other objective circumstances.
2. There are false, forged or missing data of serious nature in its accounting or other records.
3. Its assets are insufficient to pay its debts or its financial condition deteriorates significantly.
4. There is evidence indicating that certain transactions may cause material impairment of its net assets.
If an audited insurance enterprise has a situation provided in Subparagraphs 2 ~ 4 of the preceding paragraph, the accountant should submit in advance a summary report based on the audit results to the competent authority.

When an insurance enterprise appoints an accountant to conduct audit under Paragraph 1 of Article 26 herein, the enterprise shall, before the end of March each year, submit an independent auditor's report of the previous year to the competent authority for record.
When the competent authority inquires the contents of the independent auditor's report, the accountant should provide detailed and relevant information and explanations.

The head office of an insurance enterprise shall, based on its size, business nature and organizational characteristics, establish a compliance unit directly under the general manager to take charge of the planning, management and implementation of regulatory compliance system.
The compliance unit shall establish the position of head office chief compliance officer who oversees the compliance matters and reports to the board of directors (council) and supervisors or the audit committee at least semiannually, and in case of any major regulatory violation, immediately inform the directors (council members) and supervisors, and report to the board of directors (council) on compliance matters.
The requirements for establishing a compliance unit and the position of head office chief compliance officer under the preceding two paragraphs are as follows:
1. An insurance enterprise whose total assets in the previous year as audited by a CPA exceed NTD 1 trillion shall set up a dedicated compliance unit that may also take charge anti-money laundering and combating terrorist financing (AML/CFT) affairs, but may not take charge of legal affairs unrelated to the planning, management and implementation of legal compliance system or any other affairs that may pose a conflict of interest. The head office chief compliance officer shall be a full-time job and shall not concurrently hold other positions except for concurrently serving as the head of dedicated AML/CFT unit without conflicts of interest.
2. For insurance enterprises not governed by the preceding subparagraph, their head office chief compliance officer shall be a full-time job and shall not concurrently hold other positions except for concurrently serving as the chief legal officer and the head of dedicated AML/CFT unit without conflicts of interest.
The head office chief compliance officer of an insurance enterprise shall have a position equivalent to a vice general manager and possess the leadership and the ability to effectively supervise the compliance works. The qualifications of head office chief compliance officer shall comply with the Regulations Governing Required Qualifications for Responsible Persons of Insurance Enterprises.
The branches of foreign insurance enterprises in Taiwan, reinsurance enterprises and insurance cooperatives may appoint a high level manager to act as the head office chief compliance officer under the preceding paragraph, and insurance cooperatives are not subject to the restriction on head office chief compliance officer holding concurrently other internal positions under Paragraph 3 hereof.
Chief auditor, head of audit unit and internal auditors may not serve as the head office chief compliance officer under Paragraph 2 hereof.
The appointment and dismissal of head office chief compliance officer shall have the consent of at least the majority of all directors and be reported to competent authority for record.
The head office chief compliance officer, the head and personnel of the compliance unit of an insurance enterprise shall attend at least 20 hours of on-the-job training courses a year offered by the competent authority or institutions recognized by the competent authority or held internally by the financial holding company which is the parent company of the insurance enterprise or the insurance enterprise. The training courses shall cover at least the latest regulatory amendments and new insurance products launched.
The compliance officer of the business unit, product development and management unit, fund utilization unit, information unit and asset custody unit and other units of an insurance enterprise shall attend at least 15 hours of on-the-job training a year offered by the competent authority or institutions recognized by the competent authority or held internally by the financial holding company which is the parent company of the insurance enterprise or the insurance enterprise.
The compliance officer of a foreign branch of an insurance enterprise shall attend at least 15 hours of on-the-job training courses on regulatory compliance a year offered by the local competent authority or relevant institutions. If no such training course is available, the officer may attend the training courses offered by the competent authority or institutions recognized by the competent authority or held internally by the financial holding company which is the parent company of the insurance enterprise or the insurance enterprise.
The training methods for on-the-job training set forth in the preceding three paragraphs given by the insurance enterprise itself shall be approved by the board of directors (council), and the head office shall keep the attendance records of relevant personnel for reference.
When a dedicated AML/CFT compliance unit is set up under the compliance unit, the required training for AML/CFT compliance unit personnel before their appointment and the annual required training for them after their appointment shall observe the relevant AML/CFT regulations and is not subject to the provisions of Paragraph 8 of this article and Paragraph 2 of Article 33.
An insurance enterprise shall file the list of head office chief compliance officer, head and personnel of compliance unit and their reward/disciplinary records, qualifications and training records in the past three years with the competent authority via a Web-based information system.

An insurance enterprise should establish counseling and communication channels for regulatory compliance matters to keep employees informed of rules and regulations, swiftly clarify any questions of the employees on rules and regulations, and ensure regulatory compliance.
When the compliance unit of an insurance enterprise makes a report to the board of directors in accordance with Paragraph 2 of the preceding article, the report should contain at least analysis of the causes of significant deficiency or malpractice in compliance matters within respective unit and as well as possible effects and recommendations for improvement.

The regulatory compliance unit of an insurance enterprise shall establish a regulatory compliance system which will be implemented after being passed by the board of directors. The regulatory compliance unit shall also review from time to time the regulatory compliance system in line with the amendment of insurance rules and regulations, and implement the revised system after it is passed by the board of directors.
The regulatory compliance system shall include at least the following particulars:
1. Decision making process of board of directors and control functions of directors;
2. Preservation of board meeting minutes;
3. Operation monitoring functions of supervisors;
4. Code of regulatory compliance for directors’ conduct;
5. Establishment of regulatory compliance evaluation standards;
6. Formulation of annual regulatory compliance plan;
7. Creation of a regulatory compliance environment;
8. The audit of regulatory compliance operations and handling of regulatory violation;
9. Regulatory compliance organization and duties; and
10. Drafting of regulatory compliance manual.

The regulatory compliance unit should draw up an annual regulatory compliance plan, which will be implemented after being passed by the board of directors.
The annual regulatory compliance plan shall contain at least the following particulars:
1. Evaluation plan for regulatory compliance by respective unit;
2. Review of handling results for regulatory violation cases in the previous year;
3. Management of changes in insurance related laws and regulations;
4. Training and promotion of regulatory compliance matters; and
5. Review and improvement of regulatory compliance system.
The regulatory compliance unit of an insurance enterprise should conduct the following tasks:
1. Establishing a system for clear and adequate conveyance, consultation, coordination and communication of rules and regulations.
2. Keeping operating and management rules and procedures updated in line with relevant regulations to make sure all business activities comply with regulatory requirements.
3. Before an insurance enterprise introduces a service, a new insurance product or an insurance product which is deemed to constitute material change by the competent authority and requires approval by the competent authority before marketing, or undertakes specific or major use of funds, the head office chief compliance officer shall issue and sign an opinion statement undertaking that the service, product or use of funds complies with applicable regulations and internal rules.
4. Drafting the details of evaluation and procedures for evaluating regulatory compliance, overseeing the periodic self-evaluation conducted by respective units, and assessing the compliance self-evaluation conducted by respective units and producing a report thereon, which, after being signed off by the general manager, will be used as reference in the performance evaluation of respective units.
5. Providing pertinent regulatory training to personnel of various units.
6. Supervising the introduction, establishment and implementation of relevant internal rules by the compliance officer of respective unit.
The internal audit unit may draft the details of evaluation and procedures for evaluating compliance by its subordinate units and perform self-evaluation of the compliance status of its subordinate units, to which the provisions in Subparagraph 4 of the preceding paragraph do not apply.

An insurance enterprise governed by Subparagraph 1, Paragraph 3 of Article 30 shall establish a company-wide compliance risk management and supervision framework. The basis of such framework, functions and responsibilities are as follows:
1. The compliance unit shall establish procedures, plans and mechanisms for identifying, assessing, controlling, measuring, monitoring, and independently reporting any compliance risk in order to fully control, supervise, and support each domestic or foreign department, branch, and subsidiary with respect to individual business unit, cross-department and cross-border regulatory compliance matters.
2. The compliance unit shall set up an adequate number of professional units based on the classification of business or the focus of regulatory compliance to monitor, implement and support the regulatory compliance matters of the domestic or foreign business units related to that business or regulations.
3. The compliance unit may assess the appointment and enhance the independence of compliance officer under respective units using a risk-based approach. Notwithstanding to the requirements in the front section of Paragraph 1 of Article 33, units with lower compliance risk may not need to have a separate compliance officer but may be charged by the head office chief compliance officer.
4. The compliance unit shall establish the mechanism of independent reporting, assessment and response to compliance risk alert.
5. The compliance unit shall evaluate the management of compliance risks with respect to key operating activities, products and services, fund utilization or business projects, and major customer complaints where regulatory violation may be involved on a regular and ad-hoc basis, and shall establish the horizontal communication mechanism with other second lines of defense.
6. The compliance unit may request each unit to provide relevant information in order to understand the compliance risks across the company.
7. The compliance unit shall include the evaluation of management and department heads into its opinion on their implementation of regulatory compliance program.
8. An insurance enterprise and its compliance unit shall fully understand the compliance requirements applicable to the foreign business units, and the criteria required by the local competent authority, and provide full resources and support.
9. The compliance unit shall specify the weakness of compliance risk management, and supervise the improvement plans and schedules with respect to domestic and foreign operations across the company when reporting compliance affairs to the board of directors (council) and supervisors or audit committee at least semiannually pursuant to Paragraph 2, Article 30. The board of directors (council) shall provide sufficient resources and appropriate mechanism of rewards and disciplines applicable to the business units in order to progressively establish a company-wide culture of compliance.
10. The chief auditor shall include the performance of the compliance office and the assessment opinion of the compliance status across the company when reporting the audit business to the board of directors (council) and supervisors or audit committee at least once every half year pursuant to Paragraph 1 of Article 11.
An insurance enterprise governed by the preceding paragraph shall established a dedicated compliance unit and appoint the chief compliance officer at the head office pursuant to Subparagraph 1, Paragraph 3 of Article 30 within six months after meeting the applicable conditions set forth therein, and report the adjusted company-wide compliance risk management and supervision framework to the competent authority, and file the evaluation reports under Subparagraphs 5 and 9 of the preceding paragraph with the competent authority by the end of every April pursuant to Article 148-1 of the Act.

In order to promote sound operation, an insurance enterprise shall set up a whistleblower system, and designate a unit at the head office with independent functions to accept and investigate the reported cases.
An insurance enterprise shall protect the whistleblower as follows:
1. The whistleblower’s identity shall be kept confidential; no information that may be used to identify that person shall be disclosed.
2. A whistleblower shall not be terminated, dismissed, downgraded/relocated, given a reduction in pay, impairment to any entitlement under the law, contract or customs, or other unfavorable disposition due to the reported case.
Any person with conflict of interest shall recuse himself/herself from the acceptance and investigation of the reported case.
The whistleblower system under Paragraph 1 shall at least cover the following particulars and be approved by the board of directors (council):
1. The system expressly declares that anyone may file a report when discovering any crime, corruption, or potential legal violation.
2. The types of reported cases that will be accepted.
3. The system establishes and publishes the channels of reporting.
4. The process of investigation and cooperation in investigation, rules of recusal and the standard operating procedure of subsequent disposition mechanism.
5. Whistleblower protection measures.
6. Acceptance of reported case, investigation process, investigation results, records and retention of relevant documentation.
7. The whistleblower shall be given appropriate notice in writing or by other means with respect to the progress of the reported case.
If the alleged perpetrator is a director (council member), supervisor (member of the board of supervisor), or a managerial officer in a position equivalent to a vice general manager or higher, the investigation report shall be reviewed by the supervisors (board of supervisors) or the audit committee.
An insurance enterprise shall report to or inform relevant authorities any material incident or violation discovered following an investigation.
An insurance enterprise shall regularly introduce the whistleblower system to its employees and provide relevant training.

The head office compliance unit, business unit, product development and management unit, fund utilization unit, information unit, asset custody unit, other management units and foreign branches of an insurance enterprise shall assign personnel to act as the compliance officer of the unit to take charge of compliance matters. The position of the compliance officer in the foreign branches shall be arranged in compliance with the local laws and regulations and the requirements by the local authorities, and the compliance officer shall not hold other posts concurrently except in any of the following situations:
1. The compliance officer serves concurrently as the AML/CFT compliance officer.
2. The compliance officer may hold concurrent posts that do not constitute any conflict of interest according to local laws and regulations.
3. Where it is not clearly prescribed in local laws and regulations regarding whether or not compliance officers may hold concurrent posts, the compliance officer may hold other concurrent posts that do not result in any conflict of interest after such matter has been communicated with and confirmed by the local competent authority and reported to the competent authority for recordation.
The head office chief compliance officer and personnel of the compliance unit of an insurance enterprise as well as the compliance officer of the business unit, product development and management unit, fund utilization unit, information unit, asset custody unit, other management units and foreign branches shall meet one of the following qualification requirements prior to his/her appointment or within half a year after appointment:
1. Having worked as a compliance personnel or chief at any financial institution for at least a total of five years.
2. Having attended not less than 30 hours of courses offered by institutions recognized by the competent authority, passed the exams and received completion certificates therefor.
3. The compliance officer of a foreign branch who is employed locally has been evaluated by the insurance enterprise in accordance with its internal evaluation procedure passed by the board of directors (council) or reviewed and recognized by the local competent authority, which suffices to show his/her familiarity with local laws and regulations and his competence in related matters.
4. The compliance officer of the business unit, product development and management unit, fund utilization unit, information unit, asset custody unit and other management units of an insurance enterprise may take relevant training courses and exams not less than 30 hours held by the financial holding company which is the parent company of the insurance enterprise or the insurance enterprise in accordance with the specific training plan developed by the insurance enterprise, which suffices to show his familiarity with laws and regulations applicable to the respective unit and his competence in related matters.
Respective unit should draw up a compliance manual, which will be implemented after being approved by the head office chief compliance officer and the general manager.
The regulatory compliance manual shall contain at least the following particulars:
1. Regulatory compliance procedures to be adopted by each business;
2. Rules and regulations to be complied with by each business;
3. Procedures for handling violation of rules and regulations;
4. Self-evaluation procedure for regulatory compliance operation; and
5. Name list of regulatory compliance officers.
Where an insurance enterprise has a foreign branch, the regulatory compliance unit shall supervise the foreign branch conducting the following matters:
1. Gathering information on local insurance laws and regulations, fully implementing the self-evaluation of the regulatory compliance business and ensuring the competency of the compliance officer and the adequacy of compliance resources (including personnel, equipment and training), to ensure the compliance with local laws and regulations by the foreign branches.
2. Establishing the self-evaluation and monitoring mechanism for compliance risks; for foreign branches with larger business size, higher business complexity or higher risks involved, they shall commission a local independent expert to verify the effectiveness of their self-evaluation and monitoring mechanism for compliance risks.

An insurance enterprise should, based on its regulatory compliance plan, design the working papers for self-evaluation of regulatory compliance and perform self-evaluation at least semiannually. The self-evaluation results should be sent to the regulatory compliance unit for future reference. The head of a unit should designate a specific staff to carry out the unit's self-evaluation.
The working papers and information on the self-evaluation work under the preceding paragraph shall be retained for at least 5 years.

An insurance company shall establish suitable risk management policies and procedures, which shall be passed by the board of directors and be regularly reviewed.
An insurance company shall establish an independent risk management task force and regularly report to the board of directors; upon identifying a significant risk exposure that might adversely affect its financial or business status or compliance with applicable acts and regulations, it shall take immediate and adequate countermeasures and submit a report to the board of directors.

The risk management mechanisms of an insurance company shall include the following principles:
1. Identifying and evaluating the acceptable scope of risks based on the business scale, product characteristics, and overall economic conditions.
2. Risks that must be considered include market risks (including interest rate risks), credit risks, liquidity risks, operational risks, insurance risks, asset liability matching risks, and other risks. Related risk management mechanisms shall also be established.
3. The management must regularly review the risk management mechanism and the own risk and solvency assessment (ORSA) mechanisms in accordance with relevant laws and regulations, self-regulatory guidelines, and actual economic conditions, and adopt appropriate strategies
An insurance company shall consider the nature, scale, and complexity of its business risks based on its risk management framework and develop ORSA operation processes that are suitable for its organizational structure and risk management system.

The risk management mechanisms established by an insurance company shall include at least the following matters:
1. The risk management framework shall include risk governance, risk management organizational framework and duties, risk identification, risk measurement, risk response, risk monitoring and information, communication, and documentation.
2.The risk management mechanisms shall incorporate the business management and corporate culture of the insurance company, which adopts qualitative and quantitative technologies in accordance with the risk management policies it established to manage relevant risks that can be reasonably anticipated by the insurance company.
3. The insurance company shall set its risk appetite and specify the risk level it is willing to accept to attain strategic objectives and business plans. It must also set main risk limits for regular monitoring and management.