A financial holding company or a banking business should establish three lines of defense in internal control system, including self-inspection system, legal compliance system and risk management mechanism, and internal audit system to ensure their on-going and effective operation. The procedure for implementing the code of practice for three lines of defense in internal control system established by banks will be set out by The BankersAssociation of The Republic of China and filed with the competent authority for recordation.

The internal control system of a financial holding company (including its subsidiary company) and a banking business shall incorporate the following components:
A. Control Environment: Control environment is the basis for the design and implementation of internal control systems across a financial holding company or banking business. It encompasses the integrity and ethical values of a financial holding company or banking business, governance oversight responsibility of its board of directors (or the council) and supervisors (board of supervisors) or audit committee, organizational structure, assignment of authority and responsibility, human resources policy, performance measures, and awards and disciplines. The board of directors (or the council) and management should establish internal code of conduct, including code of conduct for directors and code of conduct for employees.
B. Risk Assessment: A precondition to risk assessment is the identification of objectives, linked at different levels of the financial holding company or banking business, and the suitability of the objectives should also be taken into consideration. The management shall consider the impact of changes in the external environment and within its own business model and possible fraud scenarios. The risk assessment results can assist the financial holding company or banking business in designing, correcting, and implementing necessary controls in a timely manner.
C. Control Operations: Control operations means the actions of adopting proper policies and procedures by a financial holding company or banking business based on the risk assessment results to control risks within a tolerable range. Control operations shall be performed at all levels of a financial holding company or business, at various stages of business processes, and over the technological environment, and shall include supervision and management of subsidiaries, appropriate segregation of duties and that management and employees are not assigned conflicting responsibilities.
D. Information and Communication: Information and communication means relevant and quality information that a financial holding company or banking business obtains, generates, or uses from both internal and external sources to support the continuous functioning of other components of internal control, and to ensure that information can be effectively communicated within and outside the organization. The internal control system must have mechanisms to generate information necessary for planning, implementation, and supervision and to enable timely access to information by those who need it, and the system should maintain comprehensive internal financial, operational and compliance data. An effective internal control system shall also establish effective channels of communication.
E. Monitoring Operations: Monitoring operations means ongoing evaluations, individual evaluations, or combination of the two undertaken by a financial holding company or banking business to ascertain whether each of the components of internal control is present and continuously functioning. Ongoing evaluations means routine evaluations built into the course of operations at different levels. Individual evaluations are evaluations conducted by different personnel such as internal auditors, supervisors (or board of supervisors) or audit committee, or the board of directors (or the council). Findings of deficiencies of the internal control system shall be communicated to management of appropriate levels, the board of directors (or the council), and supervisors (board of supervisors) or audit committee, and improvements shall be made in a timely manner.

The code of conduct for directors (council members) mentioned in Subparagraph 1 of the preceding article shall contain at least the rules that when a director (council member) discovers that the financial holding company or banking business is in danger of sustaining material loss or damage, the director (council member) should promptly take appropriate actions and immediately notify the audit committee or independent director members of the audit committee or supervisors (board of supervisors), and report to the board of directors (or the council), and supervise the financial holding company or banking business to report to the competent authority.

The internal control system shall cover all business activities, include appropriate policies and procedures as follows, and shall be reviewed and revised in a timely manner:
1. Organizational chart or corporate rules and bylaws, including a clear organizational system, unit functions, scope of operations for each unit, and rules governing authorizations and hierarchical delegation of responsibilities.
2. Related operational guidelines and procedural manuals, including:
(1)Investment guidelines.
(2)Customer data confidentiality.
(3)Regulation on interested party transactions.
(4)Shares management.
(5)Management of the preparation process of financial statements, including management of the application of International Financial Reporting Standards, procedures for professional accounting judgments, and processes for making changes in accounting policies and estimates.
(6)Management of administration of general affairs, information, and personnel affairs (for banking business, it should contain regulations for regular transfer and vacation).
(7)Management of operations for disclosing information externally.
(8)Management of financial examination report.
(9)Management of protection of financial consumers.
(10) Mechanism for handling major contingencies.
(11)Mechanism for anti-money laundering and combating the financing of terrorism (AML/CFT) and management of compliance with relevant laws and regulations, including the management mechanism for identifying, assessing, and monitoring AML/CFT risks.
(12) Other operational guidelines and operating procedures.
The business regulations and handling guides of a financial holding company shall also include the management and collaborated marketing management of its subsidiary company.
The business regulations and handling guides of a banking business should also include affairs concerning cashier, savings, exchange, loaning, foreign currency, new financial products, and outsourcing task management.
The business regulations and handling guides of a credit cooperative should also include affairs concerning cashier, savings, loaning, exchange, and outsourcing task management.
The business regulations and handling guides of a bills business should also include business such bills, bonds, and new financial products.
The template for the operation guides of a trust business should be stipulated by the trust association of R.O.C with contents specifying business operation procedure, accounting operation procedure, computer operation procedure, personnel management system, and other items. A trust business should establish its operation guidelines based on the reference template and make regular revisions in accordance with the alterations in legal regulations, business items, and business procedure.
The internal control system of a financial holding company or banking business whose stock is listedon the stock exchange or traded over the counter shall include the management of the operations of the remuneration committee.
The internal control system of a financial holding company or banking business that has an audit committee set up shall include management of the operation of the audit committee.
A financial holding company or banking business should set up the control tasks on their subsidiary companies in their internal control system. If the subsidiary company resides in a foreign country, the mother company should consider the local applicable regulations issued by the government where the subsidiary company is in and the actual nature of its operation in order to supervise the subsidiary company to establish its own internal control system.
Financial holding companies and banking businesses shall establish a group-level AML/CFT program, which shall include intra-group information sharing policies and procedures for AML/CFT purposes, based on the laws and regulations of countries or jurisdictions where the foreign branches (or subsidiaries) are located.
For the stipulation, revision, or abolition of all operational and management regulations mentioned in the preceding ten paragraphs, it requires the participation of legal compliance, internal audit, and risk management agencies.