An insurance enterprise shall set out in its internal control system penalties for violations of these Regulations or its internal control rules by management and relevant personnel.
Where an insurance enterprise has a significant fraudulent event occurred as a result of poor internal management, unsatisfactory internal controls, inadequate implementation of the internal audit system and regulatory compliance system, or concealment of the results of improvement actions taken for any deficiency specified by a financial examination agency in an examination opinion requiring review and follow-up, or the audit findings of the internal audit unit (including the internal audit unit of parent financial holding company), the personnel involved shall be held responsible for dereliction of duties.
An insurance enterprise should commend its internal auditors who identify any significant malpractice or negligence and thereby avert material loss to the enterprise.
When a significant deficiency or malpractice event arises within the management or business unit of an insurance enterprise, the internal audit unit shall have the power to suggest penalties and shall make a full disclosure of the responsible negligent personnel in an internal audit report.

The internal auditors and chief compliance officer of an insurance enterprise shall immediately produce a report for submission to the competent authority, with a notice to the supervisors or audit committee and independent directors (if applicable), when their recommendations for improvements regarding significant deficiencies or noncompliance in internal controls are not accepted by management, as a result the insurance enterprise might incur a material losses.

After the examination conducted by the competent authority or the local competent authority governing a foreign branch is completed or after an examination report is received by an insurance enterprise, the internal audit unit of the head office shall, based on the principle of materiality, promptly inform the directors and supervisors, and make a report to the forthcoming meeting of the board of directors. The report items should include the content of the meeting for the examination communication, major deficiencies found in the examination and improvement action plans required by the competent authority or possible disciplinary actions to be taken.

An insurance enterprise shall appoint an adequate number of corporate governance personnel with appropriate qualifications based on the size of the enterprise, business conditions and management needs, and appoint a chief corporate governance officer as the most senior officer to be in charge of corporate governance affairs. However, this restriction shall not apply to branches of foreign insurance enterprises in Taiwan and insurance cooperatives.
The corporate governance matters specified in the preceding paragraph shall include at least the following content:
1. Handling matters relating to board meetings and shareholders meetings according to laws.
2. Producing minutes of board meetings and shareholders meetings.
3. Assisting in onboarding and continuing education of directors and supervisors.
4. Furnishing information required for business execution by directors and supervisors.
5. Assisting directors and supervisors with legal compliance.
6. Other matters set out in the articles of corporation or contracts.
The chief corporate governance officer specified in Paragraph 1 must be a managerial officer of the company. Unless otherwise specified by laws, the appointment of the chief corporate governance officer shall be processed in accordance with the following requirements:
1. The chief corporate governance officer shall be a qualified, practice-eligible lawyer or CPA or have been in a managerial position for at least three years in an insurance, securities, futures, or finance related institution or a public company in handling legal affairs, legal compliance, internal audit, finance, stock affairs, or corporate governance affairs.
2. The chief corporate governance officer of the enterprise shall take at least 18 hours of continuing education in the first year he/she takes on this role and take at least 12 hours in each subsequent year. The training courses shall include at least corporate governance related topics such as business, legal affairs, finance, accounting, corporate social responsibilities, risk management, and internal controls. The qualified continuing education institutions and the conduct of continuing education shall be subject mutatis mutandis to the provisions of the Directions for the Implementation of Continuing Education for Directors and Supervisors of TWSE Listed and TPEx Listed Companies, as jointly adopted by the Taiwan Stock Exchange and the Taipei Exchange, with respect to the continuing education system.
Unless otherwise provided by laws and regulations, other personnel of the enterprise may serve concurrently as the chief corporate governance officer. Where the role of the corporate governance officer is filled concurrently by other personnel, the enterprise shall ensure the effective implementation of their original roles and concurrent roles and shall not permit conflicts of interest or violation of the internal control system.
Where the chief corporate governance officer resigns or is dismissed, the enterprise shall reappoint a chief corporate governance officer within one month of the occurrence.

The branch of a foreign insurance enterprise in Taiwan shall carry out internal control and audit in compliance with these Regulations. However, if the internal control and audit systems of a branch in Taiwan are prescribed by the head office based on regulations with higher or equivalent standards, the branch is allowed to implement such systems by submitting a comparison report which compares the standards that head office adopts and the system requirements in Taiwan and is signed by the branch's responsible person to the competent authority for record.
An insurance cooperatives may, in view of its business scope and size and within six months from the date of promulgation of these Regulations amended on March 17, 2010, carry out internal control and audit in accordance with these Regulations, or report to the competent authority for record as provided in the preceding paragraph by describing the facts, reasons and the content of internal control and audit system to be adopted.

An insurance enterprise should establish necessary controls for its subsidiaries in its internal control system and urge its subsidiaries to establish internal control system in consideration of local rules and regulations at where each subsidiary is located and the actual nature of the subsidiary's operations.
An insurance enterprise shall establish a group-wide AML/CFT program, including information sharing policies and procedures for the purpose of AML/CFT under the laws and regulations of the jurisdiction where such foreign branch (or subsidiary) is located.
An insurance enterprise shall establish audit plans targeted at each subsidiary in its annual audit plans based on the business risk profile and implementation of internal audits by each subsidiary.
All subsidiaries of an insurance enterprise shall submit to the parent company their board meeting minutes, CPA audit reports, examination reports issued by the financial examination agency, and other relevant materials. For subsidiaries having established an internal audit unit, audit plans and reports on significant deficiencies identified in internal audit and the status of improvements thereof shall also be submitted. The parent company shall review such documents and monitor the improvement actions taken by each subsidiary.
The chief auditor of an insurance enterprise shall periodically evaluate the effectiveness of the internal control activities of a subsidiary, and after having reported to the board of directors, send the evaluation results to the subsidiary's board of directors for their reference in personnel evaluations.

An insurance enterprise shall ensure the confidentiality of its financial examination reports. Unless otherwise provided by law or consented by the competent authority, its responsible persons or employees are not allowed to read or disclose, deliver, make public all or part of the financial examination report to persons unrelated to the performance of duties.

Insurance enterprises that do not comply with the provisions in Paragraph 1 of Article 33 regarding the full-time and concurrent posts shall make adjustments to become compliant within six months after the promulgation of these Regulations amended on October 19, 2017.
Persons having held the positions as regulatory compliance personnel or chief without compliance with Paragraph 2 of Article 33 prior to October 19, 2017 when these Regulations were amended shall make adjustments to become compliant with the requirements of such Paragraph within one year.

These Regulations shall be in force on the date of promulgation.
Except for the part on management of financial consumers’ protection in these Regulations which has been in force since December 30, 2011, the provisions of Article 5 amended and promulgated on February 4, 2012 shall enter into force three months after the date of promulgation.
The provisions of Article 32-2 of these Regulations amended and promulgated on May 29, 2018 shall take effect six months after promulgation.
The provisions of these Regulations amended and promulgated on August 20, 2020 shall have been in force since December 31, 2020.
The provisions of these Regulations amended and promulgated on May 7, 2024 shall have been in force since January 1, 2025.