The head office of a financial holding company or a banking business shall set up a compliance unit under the president to take charge of the planning, management, and execution of the regulatory compliance system. Another high level manager shall also be assigned to act as chief compliance officer for the head office to conduct compliance affairs. The chief compliance officer shall make a report to the board of directors (council), supervisors (board ofsupervisors) or the audit committee at least semiannually, and in case of major regulatory violation or rating downgrade by the financial competent authority, immediately inform the directors (council members) and supervisors (board of supervisors), and report to the board of directors (or the council) on compliance matters.
The requirements for setting up the foregoing compliance unitand the chief compliance officer for the head office are as follows:
1. A banking business, if the total assets of the previous year as audited by a CPA have exceeded NTD 1 trillion,shall set up a dedicated compliance office that may be in charge of AML/CFT, but shall not be in charge of legal affairs unrelated to the planning, management, and implementation of the legal compliance system, or any affairswith conflict of interest.The chief compliance officerof its head office may be appointed as the AML/CFT compliance officer but shall not serve as the chief officer of legal affairs or other internal posts.
2. The chief compliance officer at a financial holding company or the head office of a banking business that is not governed by the foregoing paragraph cannot be appointed to internal posts other than chief legal officer or chief AML/CFT compliance officer, except as otherwise provided by the competent authority with respect to the credit cooperatives and bills finance companies.
The chief compliance officer at a financial holding company or the head office of a banking institution shall hold a post comparable to that of vice president and meet the qualification requirements set out respectively in the Regulations Governing Qualification Requirements for the Promoter or Responsible Persons of Financial Holding Companies and Concurrent Serving Restrictions and Matters for Compliance by the Responsible Persons of a Financial Holding Company and in the Regulations Governing Qualification Requirements and Concurrent Serving Restrictions and Matters for Compliance by the Responsible Persons of Banks.
The compliance unit of the head office, domestic and foreign business units, information unit, assets safekeeping unit, and other management units of a financial holding company or a banking business shall each assign the personnel to act as the compliance officer to take charge of related affairs. Arranging the compliance officer position in the foreign business unit shall comply with the local regulations and the requirements of the local authorities and the compliance officer should not hold other posts except in any of the following situations:
1.The compliance officer serves concurrently as the AML/CFT compliance officer.
2.The compliance officer holds concurrent posts that do not constitute a conflict of interest according to the local regulations.
3.It is not strictly prohibited in the local regulations regarding the holding of concurrent posts, provided the holding of concurrent pots does not result or potentially result in conflict of interest and the matter has been communicated with and confirmed by the local competent authority and reported to the competent authority for recordation.
The chief officer and personnel of thecompliance unitof a financial holding company or the head office of a banking business, as well as the compliance officer of its domestic and foreign business units, information department, assets management department, and other management departments shall meet one of the following qualification requirements:
1.Having worked as personnel or chief officer of legal compliance office at any financial institute forfive years in aggregate.
2.Having attended not less than 30 hours of courses offered by institutions recognized by the competent authority, passed the exams and received completion certificates therefor.
3.The compliance officer of a foreign business unitwho is hired locally,has shown his/her familiarity with local regulations and competence in related matters according to the self-assessment of the assessment procedures resolved by the board of directors, or the review and acknowledgement by the local competent authority.
The chief compliance officer and personnel of the compliance unit of a financial holding company or the head office of a banking institution as well as the compliance officer of its domestic and foreign business units, information department, assets safekeeping department, and other management departments shall attend at least fifteen (15) hours of training a year offered by institutions recognized by the competent authority or held internally by the financial holding company (including its subsidiaries) or the banking business (including its parent company), and the training courses shall cover at least the latest regulatory amendments, new businesses or new financial products launched.
The compliance officer of a foreign business unit shall attend at least fifteen (15) hours of on-the-job training courses a year offered by the local competent authority or relevant institutions, or the training courses offered by the competent authority, the institutions recognized by the competent authority, or held by the employing financial holding company (including its subsidiaries) or the banking business (including the parent company).
The training methods for the on-the-job training as set forth in the foregoing two paragraphs held by the company itself shall be approved by the board of directors.
The head office shall keep the attendance records of relevant personnel for review.When a dedicated AML/CFT compliance unit is set up under the legal compliance unit, the required training for AML/CFT compliance unit personnel before their appointment/assignment and every year shall observe the relevant AML/CFT regulations and is not subject to the provisions of Paragraph 5 and Paragraph 6 hereof.
Financial holding companies and banking businesses shall file the list of head office chief compliance officers, the chief officers and personnel of the compliance unitas well as their training records with the competent authority via an online information system.

The head office and branches of a financial holding company or banking business should establish advisory and communication channels for regulatory compliance matters to keep employees informed of rules and
regulations, swiftly clarify any questions of the employees on rules and regulations, and ensure regulatory compliance.
When the legal compliance unit of a financial holding company or banking business makes a report to the board of directors in accordance with Paragraph 1 of the preceding paragraph, the report should contain at least an analysis of the causes of significant deficiency or malpractice in compliance matters within respective departments as well as recommendations for improvement.

A compliance unit should conduct the following tasks:
1. Establishing a system for clear and adequate conveyance, consultation, coordination and communication of rules and regulations.
2.Keeping operating and management rules and procedures updated in line with relevant regulations to make sure all business activities comply with regulatory requirements.
3.Before a banking business introduces a new product or service, or applies to the competent authority for approval to offer a new business, the chief compliance officer shall issue and sign an opinion statement undertaking that the new product, service or business complies with applicable regulations and internal rules.
4.Drafting rules and procedures for evaluating regulatory compliance and overseeing the periodic implementation of self-evaluation by respective units; assessing the compliance self-evaluation operations of respective units and producing a report thereon, which, after being signed off by the president, will be used as reference in the performance evaluation of the unit.
5.Providing pertinent regulatory training to employees.
6.Supervising the introduction, establishment and implementation of relevant internal rules by the compliance officer of respective department.
The internal audit unit may draft the rules and procedures for evaluation of compliance by its subordinate units and perform self-evaluation of compliance by its subordinate units, to which the provisions in Subparagraph D of the preceding paragraph do not apply.
If a banking business has a foreign business unit, the legal compliance unit should supervise the following tasks of the foreign business unit:
1.Collecting data on local financial regulations, conducting self-evaluation of compliance operation, and ensuring the suitability of compliance officer and the adequacy of compliance resources (including personnel, equipment and training) so as to ensure compliance with the laws and regulations of the host country or jurisdiction.
2. Establishing self-evaluation and monitoring mechanism for compliance risks, and for large business operation, highly complex business or business involving higher risk, engaging a local, outside, independent expert to verify the effectiveness of the self-evaluation and monitoring mechanism.
A financial holding company or banking business should perform self-evaluation of compliance at least semiannually. The results should be sent to the compliance unit for further reference. The head of a unit should designate a specific person to conduct the self-evaluation affair in each unit.
The self-evaluation draft and information for the preceding affairs should be kept at least five (5) years.Article 35

A banking business governed by subparagraph 1, paragraph 2 of Article 32 shall establish a bank-wide risk-based management and supervision framework for legal compliance. The basis of such framework, functions and responsibilities are specified as follows:
1.The compliance unit shall set up the procedures, plans and mechanisms for identifying, assessing, controlling, measuring, monitoring, and independently reporting any compliance risk in order to generally control, supervise, and support each domestic or foreign department, branch, and subsidiary with respect to individual business unit, cross-department, and cross-territorial legal compliance.
2.The compliance unitshall set up an adequate number of professional units based on the classification or business, or points of legal compliance to monitor, implement and support the legal compliance the local or foreign business units related to that business or legislation.
3.The compliance unit may asses the appointment, and enhances the independence of each chief compliance officer by risk-based approach. Notwithstanding to the requirements in the first part of paragraph 4 of Article 32, an independent chief compliance officer is not required, and the legal compliance office of the head office will be responsible for a unit with lower compliance risk.
4.The compliance unit shall establish the mechanism of independent reporting, assessment and disposition of compliance risk alert.
5.The compliance unit shall assess the risk management of legal compliant for the primary operating activities, products and services, credit or business projects, and critical customer complaints subject to potential legal violation on a regular and ad-hoc basis, and shall establish the horizontal communication mechanism with other second lines of defense.
6.The compliance unit may request each unit to provide relevant information in order to understand the compliance risks across the bank.
7.The compliance unit shall consider the evaluation of the management board, and each chief officer of department to form the opinion of their implementation of legal compliance.
8.The banking business and its compliance unit shall fully understand the compliance procedures applicable to the foreign business units, and the criteria required by the local competent authority, and provide full resources and support.
9.The compliance unit shall specify the weakness of the compliance risk management, and supervise the improvement plans and schedules with respect to the local and foreign operations across the bank when reporting the legal compliance to the board of directors (or the council), and the supervisors or audit committee at least once every half year pursuant to paragraph 1 of Article 32; the board of directors (or the council) shall provide sufficient resources and appropriate mechanism of rewards and sanctions applicable to the business units in order to progressively establish a bank-wide culture of legal compliance.
10.The internal audit unit shall include the performance of the compliance office, and the assessment opinion of the compliance status across the bank when reporting the audit tasks to the board of directors (or the council), and the supervisors or audit committee at least once every half year pursuant to paragraph 1 of Article 10.
A banking business governed by the foregoing paragraph shall set up the dedicated compliance office and appoint the chief compliance officer at the head office pursuant to subparagraph 1, paragraph 2 of Article 32 within six months upon satisfaction of the applicable conditions, and report the adjusted risk-based management and supervision framework for legal compliance across the bank to the competent authority, and file the assessment reports under subparagraphs 5 and 9 in the foregoing paragraph with the competent authority by the end of every April.

In order to promote a robust operation, financial holding companies and banking businesses shall set up the whistleblower system, and designate a unit with independent functions at the head office to accept and investigate the reported issues.
A financial holding company or a banking business shall protect the whistleblower as below:
1.The whistleblower’s identity shall be kept confidential; no information that may be used to identify that person shall be disclosed.
2.The whistleblower shall not be terminated, dismissed, downgraded/relocated, given a reduction in pay, impairment to any entitlement under the law, contract or customs, or other unfavorable disposition due to the reported case.
Any interested person shall recuse himself from the acceptance and investigation of the reported case.
The whistleblower system, in paragraph 1, shall at least cover the following procedures, and be resolved by the board of directors (or the council):
1.Expressly specifies that anyone may file the report when discovering any crime, corruption, or potential legal violation.
2.The types of reporting that willbe accepted.
3.Establishes and publishes the channel of reporting.
4.The procedures of investigation and collaborative support, rules of recusal and the standard operating procedure of subsequent disposition mechanism.
5.Whistleblower protection measures.
6.Acceptance of reported case, investigation process, investigation results, records and retention of relevant document preparation.
7.The whistleblower shall be given appropriate notice in writing or by other means with respect to the progress of the reported case.
If the alleged perpetrator is a director (or council member), supervisor (or member of the board of supervisor), or a managerial officer of an equivalent level higher than vice president, the investigation report shall be reviewed by the supervisors (or members of the supervisory board, or the supervisory board), or the audit committee.
The financial holding company or the banking business shall report or file the critical incident, or material violation discovered in the investigation with relevant authorities.
A financial holding company or banking business shall hold regular promotional program and education training of the whistleblower system for its personnel.