Chapter 3 The Inspection of Internal Control System
Section 4 Regulatory Compliance System
Article 30
The head office of an insurance enterprise shall, based on its size, business nature and organizational characteristics, establish a compliance unit directly under the general manager to take charge of the planning, management and implementation of regulatory compliance system.
The compliance unit shall establish the position of head office chief compliance officer who oversees the compliance matters and reports to the board of directors (council) and supervisors or the audit committee at least semiannually, and in case of any major regulatory violation, immediately inform the directors (council members) and supervisors, and report to the board of directors (council) on compliance matters.
The requirements for establishing a compliance unit and the position of head office chief compliance officer under the preceding two paragraphs are as follows:
1. An insurance enterprise whose total assets in the previous year as audited by a CPA exceed NTD 1 trillion shall set up a dedicated compliance unit that may also take charge anti-money laundering and combating terrorist financing (AML/CFT) affairs, but may not take charge of legal affairs unrelated to the planning, management and implementation of legal compliance system or any other affairs that may pose a conflict of interest. The head office chief compliance officer shall be a full-time job and shall not concurrently hold other positions except for concurrently serving as the head of dedicated AML/CFT unit without conflicts of interest.
2. For insurance enterprises not governed by the preceding subparagraph, their head office chief compliance officer shall be a full-time job and shall not concurrently hold other positions except for concurrently serving as the chief legal officer and the head of dedicated AML/CFT unit without conflicts of interest.
The head office chief compliance officer of an insurance enterprise shall have a position equivalent to a vice general manager and possess the leadership and the ability to effectively supervise the compliance works. The qualifications of head office chief compliance officer shall comply with the Regulations Governing Required Qualifications for Responsible Persons of Insurance Enterprises.
The branches of foreign insurance enterprises in Taiwan, reinsurance enterprises and insurance cooperatives may appoint a high level manager to act as the head office chief compliance officer under the preceding paragraph, and insurance cooperatives are not subject to the restriction on head office chief compliance officer holding concurrently other internal positions under Paragraph 3 hereof.
Chief auditor, head of audit unit and internal auditors may not serve as the head office chief compliance officer under Paragraph 2 hereof.
The appointment and dismissal of head office chief compliance officer shall have the consent of at least the majority of all directors and be reported to competent authority for record.
The head office chief compliance officer, the head and personnel of the compliance unit of an insurance enterprise shall attend at least 20 hours of on-the-job training courses a year offered by the competent authority or institutions recognized by the competent authority or held internally by the financial holding company which is the parent company of the insurance enterprise or the insurance enterprise. The training courses shall cover at least the latest regulatory amendments and new insurance products launched.
The compliance officer of the business unit, product development and management unit, fund utilization unit, information unit and asset custody unit and other units of an insurance enterprise shall attend at least 15 hours of on-the-job training a year offered by the competent authority or institutions recognized by the competent authority or held internally by the financial holding company which is the parent company of the insurance enterprise or the insurance enterprise.
The compliance officer of a foreign branch of an insurance enterprise shall attend at least 15 hours of on-the-job training courses on regulatory compliance a year offered by the local competent authority or relevant institutions. If no such training course is available, the officer may attend the training courses offered by the competent authority or institutions recognized by the competent authority or held internally by the financial holding company which is the parent company of the insurance enterprise or the insurance enterprise.
The training methods for on-the-job training set forth in the preceding three paragraphs given by the insurance enterprise itself shall be approved by the board of directors (council), and the head office shall keep the attendance records of relevant personnel for reference.
When a dedicated AML/CFT compliance unit is set up under the compliance unit, the required training for AML/CFT compliance unit personnel before their appointment and the annual required training for them after their appointment shall observe the relevant AML/CFT regulations and is not subject to the provisions of Paragraph 8 of this article and Paragraph 2 of Article 33.
An insurance enterprise shall file the list of head office chief compliance officer, head and personnel of compliance unit and their reward/disciplinary records, qualifications and training records in the past three years with the competent authority via a Web-based information system.
Article 30-1
An insurance enterprise should establish counseling and communication channels for regulatory compliance matters to keep employees informed of rules and regulations, swiftly clarify any questions of the employees on rules and regulations, and ensure regulatory compliance.
When the compliance unit of an insurance enterprise makes a report to the board of directors in accordance with Paragraph 2 of the preceding article, the report should contain at least analysis of the causes of significant deficiency or malpractice in compliance matters within respective unit and as well as possible effects and recommendations for improvement.
Article 31
The regulatory compliance unit of an insurance enterprise shall establish a regulatory compliance system which will be implemented after being passed by the board of directors. The regulatory compliance unit shall also review from time to time the regulatory compliance system in line with the amendment of insurance rules and regulations, and implement the revised system after it is passed by the board of directors.
The regulatory compliance system shall include at least the following particulars:
1. Decision making process of board of directors and control functions of directors;
2. Preservation of board meeting minutes;
3. Operation monitoring functions of supervisors;
4. Code of regulatory compliance for directors’ conduct;
5. Establishment of regulatory compliance evaluation standards;
6. Formulation of annual regulatory compliance plan;
7. Creation of a regulatory compliance environment;
8. The audit of regulatory compliance operations and handling of regulatory violation;
9. Regulatory compliance organization and duties; and
10. Drafting of regulatory compliance manual.
Article 32
The regulatory compliance unit should draw up an annual regulatory compliance plan, which will be implemented after being passed by the board of directors.
The annual regulatory compliance plan shall contain at least the following particulars:
1. Evaluation plan for regulatory compliance by respective unit;
2. Review of handling results for regulatory violation cases in the previous year;
3. Management of changes in insurance related laws and regulations;
4. Training and promotion of regulatory compliance matters; and
5. Review and improvement of regulatory compliance system.
The regulatory compliance unit of an insurance enterprise should conduct the following tasks:
1. Establishing a system for clear and adequate conveyance, consultation, coordination and communication of rules and regulations.
2. Keeping operating and management rules and procedures updated in line with relevant regulations to make sure all business activities comply with regulatory requirements.
3. Before an insurance enterprise introduces a service, a new insurance product or an insurance product which is deemed to constitute material change by the competent authority and requires approval by the competent authority before marketing, or undertakes specific or major use of funds, the head office chief compliance officer shall issue and sign an opinion statement undertaking that the service, product or use of funds complies with applicable regulations and internal rules.
4. Drafting the details of evaluation and procedures for evaluating regulatory compliance, overseeing the periodic self-evaluation conducted by respective units, and assessing the compliance self-evaluation conducted by respective units and producing a report thereon, which, after being signed off by the general manager, will be used as reference in the performance evaluation of respective units.
5. Providing pertinent regulatory training to personnel of various units.
6. Supervising the introduction, establishment and implementation of relevant internal rules by the compliance officer of respective unit.
The internal audit unit may draft the details of evaluation and procedures for evaluating compliance by its subordinate units and perform self-evaluation of the compliance status of its subordinate units, to which the provisions in Subparagraph 4 of the preceding paragraph do not apply.
Article 32-1
An insurance enterprise governed by Subparagraph 1, Paragraph 3 of Article 30 shall establish a company-wide compliance risk management and supervision framework. The basis of such framework, functions and responsibilities are as follows:
1. The compliance unit shall establish procedures, plans and mechanisms for identifying, assessing, controlling, measuring, monitoring, and independently reporting any compliance risk in order to fully control, supervise, and support each domestic or foreign department, branch, and subsidiary with respect to individual business unit, cross-department and cross-border regulatory compliance matters.
2. The compliance unit shall set up an adequate number of professional units based on the classification of business or the focus of regulatory compliance to monitor, implement and support the regulatory compliance matters of the domestic or foreign business units related to that business or regulations.
3. The compliance unit may assess the appointment and enhance the independence of compliance officer under respective units using a risk-based approach. Notwithstanding to the requirements in the front section of Paragraph 1 of Article 33, units with lower compliance risk may not need to have a separate compliance officer but may be charged by the head office chief compliance officer.
4. The compliance unit shall establish the mechanism of independent reporting, assessment and response to compliance risk alert.
5. The compliance unit shall evaluate the management of compliance risks with respect to key operating activities, products and services, fund utilization or business projects, and major customer complaints where regulatory violation may be involved on a regular and ad-hoc basis, and shall establish the horizontal communication mechanism with other second lines of defense.
6. The compliance unit may request each unit to provide relevant information in order to understand the compliance risks across the company.
7. The compliance unit shall include the evaluation of management and department heads into its opinion on their implementation of regulatory compliance program.
8. An insurance enterprise and its compliance unit shall fully understand the compliance requirements applicable to the foreign business units, and the criteria required by the local competent authority, and provide full resources and support.
9. The compliance unit shall specify the weakness of compliance risk management, and supervise the improvement plans and schedules with respect to domestic and foreign operations across the company when reporting compliance affairs to the board of directors (council) and supervisors or audit committee at least semiannually pursuant to Paragraph 2, Article 30. The board of directors (council) shall provide sufficient resources and appropriate mechanism of rewards and disciplines applicable to the business units in order to progressively establish a company-wide culture of compliance.
10. The chief auditor shall include the performance of the compliance office and the assessment opinion of the compliance status across the company when reporting the audit business to the board of directors (council) and supervisors or audit committee at least once every half year pursuant to Paragraph 1 of Article 11.
An insurance enterprise governed by the preceding paragraph shall established a dedicated compliance unit and appoint the chief compliance officer at the head office pursuant to Subparagraph 1, Paragraph 3 of Article 30 within six months after meeting the applicable conditions set forth therein, and report the adjusted company-wide compliance risk management and supervision framework to the competent authority, and file the evaluation reports under Subparagraphs 5 and 9 of the preceding paragraph with the competent authority by the end of every April pursuant to Article 148-1 of the Act.
Article 32-2
In order to promote sound operation, an insurance enterprise shall set up a whistleblower system, and designate a unit at the head office with independent functions to accept and investigate the reported cases.
An insurance enterprise shall protect the whistleblower as follows:
1. The whistleblower’s identity shall be kept confidential; no information that may be used to identify that person shall be disclosed.
2. A whistleblower shall not be terminated, dismissed, downgraded/relocated, given a reduction in pay, impairment to any entitlement under the law, contract or customs, or other unfavorable disposition due to the reported case.
Any person with conflict of interest shall recuse himself/herself from the acceptance and investigation of the reported case.
The whistleblower system under Paragraph 1 shall at least cover the following particulars and be approved by the board of directors (council):
1. The system expressly declares that anyone may file a report when discovering any crime, corruption, or potential legal violation.
2. The types of reported cases that will be accepted.
3. The system establishes and publishes the channels of reporting.
4. The process of investigation and cooperation in investigation, rules of recusal and the standard operating procedure of subsequent disposition mechanism.
5. Whistleblower protection measures.
6. Acceptance of reported case, investigation process, investigation results, records and retention of relevant documentation.
7. The whistleblower shall be given appropriate notice in writing or by other means with respect to the progress of the reported case.
If the alleged perpetrator is a director (council member), supervisor (member of the board of supervisor), or a managerial officer in a position equivalent to a vice general manager or higher, the investigation report shall be reviewed by the supervisors (board of supervisors) or the audit committee.
An insurance enterprise shall report to or inform relevant authorities any material incident or violation discovered following an investigation.
An insurance enterprise shall regularly introduce the whistleblower system to its employees and provide relevant training.
Article 33
The head office compliance unit, business unit, product development and management unit, fund utilization unit, information unit, asset custody unit, other management units and foreign branches of an insurance enterprise shall assign personnel to act as the compliance officer of the unit to take charge of compliance matters. The position of the compliance officer in the foreign branches shall be arranged in compliance with the local laws and regulations and the requirements by the local authorities, and the compliance officer shall not hold other posts concurrently except in any of the following situations:
1. The compliance officer serves concurrently as the AML/CFT compliance officer.
2. The compliance officer may hold concurrent posts that do not constitute any conflict of interest according to local laws and regulations.
3. Where it is not clearly prescribed in local laws and regulations regarding whether or not compliance officers may hold concurrent posts, the compliance officer may hold other concurrent posts that do not result in any conflict of interest after such matter has been communicated with and confirmed by the local competent authority and reported to the competent authority for recordation.
The head office chief compliance officer and personnel of the compliance unit of an insurance enterprise as well as the compliance officer of the business unit, product development and management unit, fund utilization unit, information unit, asset custody unit, other management units and foreign branches shall meet one of the following qualification requirements prior to his/her appointment or within half a year after appointment:
1. Having worked as a compliance personnel or chief at any financial institution for at least a total of five years.
2. Having attended not less than 30 hours of courses offered by institutions recognized by the competent authority, passed the exams and received completion certificates therefor.
3. The compliance officer of a foreign branch who is employed locally has been evaluated by the insurance enterprise in accordance with its internal evaluation procedure passed by the board of directors (council) or reviewed and recognized by the local competent authority, which suffices to show his/her familiarity with local laws and regulations and his competence in related matters.
4. The compliance officer of the business unit, product development and management unit, fund utilization unit, information unit, asset custody unit and other management units of an insurance enterprise may take relevant training courses and exams not less than 30 hours held by the financial holding company which is the parent company of the insurance enterprise or the insurance enterprise in accordance with the specific training plan developed by the insurance enterprise, which suffices to show his familiarity with laws and regulations applicable to the respective unit and his competence in related matters.
Respective unit should draw up a compliance manual, which will be implemented after being approved by the head office chief compliance officer and the general manager.
The regulatory compliance manual shall contain at least the following particulars:
1. Regulatory compliance procedures to be adopted by each business;
2. Rules and regulations to be complied with by each business;
3. Procedures for handling violation of rules and regulations;
4. Self-evaluation procedure for regulatory compliance operation; and
5. Name list of regulatory compliance officers.
Where an insurance enterprise has a foreign branch, the regulatory compliance unit shall supervise the foreign branch conducting the following matters:
1. Gathering information on local insurance laws and regulations, fully implementing the self-evaluation of the regulatory compliance business and ensuring the competency of the compliance officer and the adequacy of compliance resources (including personnel, equipment and training), to ensure the compliance with local laws and regulations by the foreign branches.
2. Establishing the self-evaluation and monitoring mechanism for compliance risks; for foreign branches with larger business size, higher business complexity or higher risks involved, they shall commission a local independent expert to verify the effectiveness of their self-evaluation and monitoring mechanism for compliance risks.
Article 34
An insurance enterprise should, based on its regulatory compliance plan, design the working papers for self-evaluation of regulatory compliance and perform self-evaluation at least semiannually. The self-evaluation results should be sent to the regulatory compliance unit for future reference. The head of a unit should designate a specific staff to carry out the unit's self-evaluation.
The working papers and information on the self-evaluation work under the preceding paragraph shall be retained for at least 5 years.