Chapter 6 Supervision and Administration of Electronic Payment Institutions
Article 40
The relevant operating procedures and guidelines of electronic payment institutions for operating e-payment businesses shall comply with the business rules or self-disciplinary rules specified in Subparagraph 2, Paragraph 1, Article 45 of the Act.
The accounting principles of electronic payment institutions shall be reported by the trade association or Electronic Payment Committee of the Bankers Association specified in Paragraph 1, Article 45 of the Act to the competent authority for approval.
An electronic payment institution conducts accounting related matters shall be in accordance with the accounting principles set out in the preceding paragraph.
Article 41
The term “purposes prescribed by the competent authority” referred to in Paragraph 4, Article 22 of the Act means the following situations:
1. Fees necessary for declaring trust or obtaining performance guarantees for the stored value funds deposited by users deduct the required reserve and for funds collected/paid as an agent in accordance with related regulations in the Act.
2. Fees for appointing an accountant for auditing in accordance with related regulations in the Act.
3. Donations that may be considered as expenses or losses in accordance with Article 36 of the Income Tax Act.
4. Funds to be set aside to the sinking fund established by electronic payment institutions in accordance with the Regulations Governing the Organization and Administration of Sinking Fund Established by Electronic Payment Institutions.
Article 42
Specialized electronic payment institutions that set up a new business presence shall, within five business days from the date of establishment, report the date of establishment, address, and scope of business of the new presence to the competent authority for recordation. The aforementioned provision also applies to the relocation or closure of business locations.
Article 43
A specialized electronic payment institution that has operated for at least three years may apply to set up a overseas presence including an overseas branch and a representative office.
An electronic payment institution applying for the establishment of an overseas presence shall submit the following documents to apply for approval to the competent authority.
1. An application form;
2. Minutes of the board of directors meeting;
3. Business plan: If the electronic payment institution plans to set up a branch, it shall specify the principles for business, internal organization structure and functions, recruitment, introduction of venues and equipment, and financial forecasts for the next three years. If the electronic payment institution plans to set up a representative office, it shall specify the organization structure and tasks of the representative office.
4. Feasibility evaluation report required for setting up a branch: The report shall specify the selection criteria for the country (or region) in which the electronic payment institution intends to establish the branch; application process and the review and approval standards for a foreign electronic payment institution to establish a branch, and business and operational restrictions hereupon; whether the competent financial authority of the ROC may collect and review data regarding the financial and operational status of the branch; a self-evaluation statement explaining the compliance of the establishment plan with local laws and regulations; and an operational risk assessment and benefit analysis for the branch to be established.
5. Other documents as may be required by the competent authority.
After the electronic payment institution establishes an overseas branch, it shall comply with the following provisions:
1. Material contingencies or incidents of fraud occur in an overseas branch shall be handled and reported in accordance with the regulations of the competent authority.
2. The electronic payment institution shall file information concerning the overseas branch into the Internet reporting system of the competent authority; all changes must be updated in the system accurately.
3. An electronic payment institution that intends to close an overseas branch shall notify the competent authority and obtain approval in advance.
4. After an overseas branch is established, any change of the location or business scope may be filed to the competent authority for reference after such changes are effected.
5. An electronic payment institution that establishes an overseas branch shall also complete the following requirements:
(1) Conduct internal audits in accordance with the Implementation Rules for the Internal Audit and Internal Control System of Electronic Payment Institutions. Business audit report, audit report of a certified public accountant, and inspection report of local financial competent authority shall be filed to the competent authority for record.
(2) It shall file data relating to their operations status into the Internet reporting system of the competent authority each quarter.
(3) It shall prepare a consolidated financial statement including its overseas branches each fiscal year, and submit it to the competent authority for record in accordance with Article 35 of the Act.
Article 44
The information system and security management operation of an electronic payment institution for conducting the electronic payment business shall be set up within the territory of the ROC. However, this provision does not apply to those that meet the requirements that the competent authority may immediate, direct, complete, and continuous access to related information, and have obtained the approval of the competent authority.
An electronic payment institution applying for the approval of the competent authority in accordance with the proviso of the preceding paragraph shall submit the following documents:
1. The written confirmation letter from the local government authority where the service provider is located. The letter shall contain the following:
(1) The government authority agrees that the competent authority of the ROC and the electronic payment institution may conduct necessary audits.
(2) The government authority agrees not to collect customer information in Taiwan.
2. An inspection report issued by an independent third party specializing in information technology, indicating that the information system of the offshore service provider is not below the domestic information security standards.
3. A contingency plan in the event that the offshore information system fails to provide services, and an assessment report issued by an independent third party specializing in information technology, indicating that such plan meets the following requirements:
(1) The electronic payment institution shall ensure the restoration of normal functions for existing customers within four hours after the offshore information system fails to provide services, and ensure the proper management of financial and business risks; and
(2) If it is evaluated that the offshore information system could not be functional within a short period of time due to a natural disaster, the electronic payment institution shall ensure the functional operations of its main businesses within the territory of the ROC within seven days of the incident, through activation of the backup system, installation of (temporary) information server or other means.
4. An ordinary supervision plan with the following particulars:
(1) The setup of a supervisory unit or committee consisting personnel of compliance, internal audit, operational risk management, and information management to effectively carry out the ordinary supervision; and
(2) An outsourcing operation’s supervision mechanism including: the log file of customer information accession, authorization of system access, non-routine operations, with the detailed descriptions of the operational contents, methods, and processes along with the deficiency resolving mechanism.
5. An evaluation report on the cost benefit and the reasonableness of expense allocation within the group that has been passed by the board of directors.
An electronic payment institution applying for approval in accordance with the preceding two paragraphs must meet the following requirements:
1. Not having been subject to sanction by the competent authority due to violation of financial regulations in the previous year, or having made concrete improvement actions recognized by the competent authority over the violation.
2. All deficiencies as redressed by the competent authority or the Central Bank before the end of year preceding application have been effectively remedied; and
3. Not having any major breach of information security that is not yet remedied in the past year.
Article 45
Where a specialized electronic payment institution outsources part of the business items specified in its business permission or operations related to users information to other parties, the outsourcing shall be limited to the following:
1. Collection of funds paid by users in cash in New Taiwan Dollar.
2. Safekeeping and transport of cash payments received from users and stored value cards.
3. Outsourcing the process of sales and refund of bearer stored value cards.
4. Value storing in stored value cards.
5. Data processing: Including the data entry, processing, and output of information system, the development, monitoring, control, and maintenance of information system, and logistical support for data processing in connection with the business of an electronic payment institution.
6. Safekeeping of documents such as forms, statements and certificates.
7. User services, including automated voice systems, reply to and handling of user’s e-mails, inquiries of and assistance in matters related to the electronic payment business.
8. Engaging an outsourced service provider to perform the identity verification operation of users and contracted institutions.
9. Processing work of receipt/payment information, including using the terminal equipment or application programs of other electronic payment institutions, credit card acquirers, contracted institutions to integrate and convey receipt/payment information.
10. Installation, tests, maintenance, training, and inspections of the terminal equipment system.
11. Shared use of the terminal equipment systems of other electronic payment institutions, credit card acquirers, contracted institutions, or stored value institutions.
12. Production and coding of stored value cards.
13. Over-the-air downloading and issuance of stored value cards through a trusted service manager platform.
14. Promotion of e-payment accounts or stored value card acquirer services, and the audit for the contracted institutions of the electronic payment account or stored value cards carried out by banks, other electronic payment institutions, or credit card acquirers. However, the electronic payment institution is still required to sign a contract with the contracted institutions.
15. Transaction clearing operations carried out by other electronic payment institutions and credit card acquirers that provide the shared terminal equipment system.
16. Other operations approved by the competent authority for outsourcing.
Except the outsourcing business in Subparagraphs 5, 8, and 16 of the preceding paragraph, which must be reported to the competent authority to obtain approval in advance, the remaining outsourcing business specified in the preceding paragraph shall be filed to the competent authority for record within five business days since the first-time operation commencement.
Electronic payment institutions shall comply with the following rules when outsourcing the operations specified in Subparagraph 1 of Paragraph 1:
1. Electronic payment institutions shall formulate security control and management plans with outsourced service providers and establish payment account reconciliation mechanisms to immediate deliver, confirm, and check payment collection information when outsourced service providers receive payment from users. Except where the Ministry of Finance promulgates other regulations on the maximum cap of tax payments in convenience stores been on behalf of authorities, the maximum payment collection amount for outsourced service providers in each transaction is NTD 20,000 or its equivalent.
2. The payment information of user payments which collected by outsourced service providers shall not fully display the user’s ID number, account number, or other personal information.
3. Electronic payment institutions shall ensure that outsourced service providers and their personnel cannot obtain or identify the user's ID number, account number, and other related personal information by means of the payment information to prevent leaks of user information.
A Specialized electronic payment institution shall comply with the following rules when outsourcing their operations:
1. An electronic payment institution shall establish internal operating systems and procedures governing the scope of matters that can be outsourced, protection of users rights and interests, risk management, and internal control principles, and those operating systems and procedures and any revisions thereto shall be approved by the board of directors.
2. An electronic payment institution shall ensure the outsourced service providers meet its requirements for operational security and risk management.
3. An electronic payment institution shall demand that its outsourced service providers comply with the mandatory or prohibitory provisions of laws.
4. An electronic payment institution shall demand that its outsourced service providers agree to give the competent authority and the Central Bank access to data or reports relating to the outsourced providers and allow them to conduct financial examination.
5. An electronic payment institution shall be held jointly liable as provided by law for users whose interests are damaged by the intentional act or negligence of an outsourced service provider or its employees.
A dual-status electronic payment institution that outsources its operations involving electronic payment business or operations relating to users’ information shall comply with the provisions in Paragraph 1 hereof with respect to the scope of outsourcing, and in addition, comply with the regulations governing the outsourcing of its core business.
Article 46
Where the paid-in capital of a specialized electronic payment institution reaches NT$500 million or more, it shall file for classification as a public company within one year of commencing business. A specialized electronic payment institution and an electronic stored value cards issuer that engage concurrently in the businesses of an electronic payment institution prior to the promulgation of the amendment to the Act on January 27 of 2021, implementation on July 1 shall file for classification as a public company within one year of the promulgation of the amendment to the Act on July 1 of 2021.
Article 47
A specialized electronic payment institution shall not invest in other enterprises, unless it is a subsidiary that the investment in which has been approved by the competent authority, as well as the business of the subsidiary is closely related to the said institution, and in which the said institution holds more than fifty percent (50%) of the issued shares of the subsidiary.
The total investment made by a specialized electronic payment institution shall not exceed ten percent (10%) of the balance of its paid-in capital at the time of investment deduct the minimum paid-in capital as stipulated under the Act and accumulated loss.
A specialized electronic payment institution shall establish internal guidelines for the utilization of own funds and submit the guidelines and subsequent revisions thereto to the board of directors for approval.
A specialized electronic payment institution may not provide guarantees for others.
If deemed necessary, the competent authority may set limits to the debt ratios of a specialized electronic payment institution.
Article 48
Electronic payment institutions shall file periodic reports on their electronic payment business with JCIC.
JCIC will determine the scope of information to be reported and inquired by electronic payment institutions and rules for the filing and inquiry operations, fee schedule, operations management, data disclosure deadline, information security management, and audit procedures, and submit same to the competent authority for approval.
JCIC's activities of collecting, processing or using information reported by electronic payment institutions according to Paragraph 1 hereof are considered necessary for fulfillment of the legal obligation provided under Subparagraph 2, Paragraph 2, Article 8 of the Personal Information Protection Act and hence are exempted from giving notice provided under Paragraph 1, Article 9 of the Personal Information Protection Act.
Electronic payment institutions shall ensure the information reported and disclosed according to Paragraph 1 hereof is accurate and free of false statement or representation.
Article 49
An electronic payment institution that applies for engaging in more other businesses pursuant to Paragraph 1, Article 4 of the Act shall submit two copies of the business plan to the competent authority for permission.
Where an electronic payment institution engages in a business specified in Subparagraphs 5 and 6, Paragraph 2, Article 4 of the Act, it shall submit a business plan to the competent authority for permission before the first-time operation. Where an electronic payment institution has already operated a business specified in Subparagraphs 5 and 6, Paragraph 2, Article 4 of the Act, it shall submit an adjusted business plan before December 31 of 2021 and file to the competent authority for record. Where the permitted or reviewed and recorded item is changed, the electronic payment institution shall, within fifteen days after the change, submit the original permission or review and record letter and an elaboration of the changed items to the competent authority for record.
The competent authority should consult with the Central Bank before granting permission for businesses set out in the preceding two paragraphs; where business involve foreign exchange business, they must be approved by the Central Bank before commencement.
The business plan prescribed in Paragraphs 1 and 2 of this Article shall contain the following particulars:
1. Purpose for conducting such business;
2. Agreements or templates therefor among relevant parties regarding their respective rights and obligations;
3. Business rules, business processes and risk management; and
4. Market prospects, and risk/benefit evaluation.
An electronic payment institution that engages in business specified in Subparagraphs 1 to 4 and Subparagraphs 7 to 9, Paragraph 2, Article 4 of the Act shall file to the competent authority for record within five business days after the first-time operation. However, this requirement does not apply to businesses already started prior to July 1 of 2021.
Article 50
Where an electronic payment institution intends to terminate part of its business, it shall apply to the competent authority for approval by submitting a plan.
Where an electronic payment institution plans to suspend part of its business, it shall submit a plan which describes the duration of suspension and other necessary information to the competent authority for approval. The electronic payment institution shall also file to the competent authority for record when it plans to resume the business operation at a later date.
The plans in the preceding two paragraphs shall contain the following particulars:
1. The reason for the planned termination or business suspension; and
2. A concrete description of how the rights and obligations of existing users will be handled or alternative methods for providing services.
Article 51
A specialized electronic payment institution having any of the situations below shall report to the competent authority for prior approval:
1. Change of articles of incorporation.
2. Undergoing merger or acquisition.
3. Transferring all or major part of operations or assets to others.
4. Receiving the transfer of all or major part of operations or assets from others.
5. Change of capital.
6. Change of business place.
7. Other matters that require prior approval as prescribed by the competent authority.
Article 52
A specialized electronic payment institution having any of the following situations shall report to the competent authority within one day after becoming aware of the event by stating the particulars of the event and providing related information, and send a copy of the same to the Central Bank of the ROC:
1. Filing a petition with a court for reorganization or filing for or being filed for declaration of bankruptcy by itself or by a stakeholder.
2. Engaging in business equivalent to businesses under the subparagraphs of Paragraph 1, Article 4 of the Act by itself or in cooperation with a foreign institution outside the ROC, whereas the local government takes any of the following actions:
(1) Revoking, suspending or terminating the business permit of the electronic payment institution or the foreign institution.
(2) Disallowing the electronic payment institution or the foreign institution to continue its business or halting its business.
3. The securities or other financial products invested by the specialized electronic payment institution using the payment funds pursuant to Paragraph 2, Article 22 of the Act are canceled or seriously impaired in value.
4. Transfer of equity or change of equity structure involving more than ten percent (10%) of its ownership.
5. Having the incidence of bounced check due to insufficient funds, being denied services by banks, or having other events that cause loss of good credit standing.
6. Having a litigious or non-litigious event, or an administrative disposition or administrative lawsuit that has material impact on the finance or business of the institution.
7. Having a situation provided in Subparagraph 1, Paragraph 1, Article 185 of the Company Act.
8. Having a fraud or material deficiency in internal controls.
9. Having an information security breach that results in damage to the interests of users or affects the sound operation of the institution.
10. A director, supervisor or managerial officer has any of the following situations:
(1) Being sentenced to imprisonment for the offense of forging instruments or seals, counterfeiting currency or valuable securities, misappropriation, fraud or breach of trust.
(2) Being sentenced to imprisonment for violating the Act, Banking Act, Financial Holding Company Act, Trust Enterprise Act, Act Governing Bills Finance Business, Financial Assets Securitization Act, Real Estate Securitization Act, Insurance Act, Securities and Exchange Act, Futures Trading Act, Securities Investment Trust and Consulting Act, Foreign Exchange Control Act, Credit Cooperatives Act, Agricultural Finance Act, Farmers’ Association Act, Fishermen’s Association Act, Money Laundering Control Act or other laws regulating financial activity.
11. Other significant events that are sufficient to affect the operations of the electronic payment institution or the interests of its shareholders or users.