Chapter 3 The inspection of internal control system
Section 5 Risk Management Mechanism
Article 35
A financial holding company or a banking business shall formulate adequate risk management policies and procedures and establish operationally independent and effective risk management mechanisms, by which to assess and monitor the respective risk-bearing capacity, and current status of risks already incurred, and to determine their compliance with the risk response strategies and risk management procedures.
The risk management policies and procedures under the preceding paragraph shall be passed by the board of directors and be reviewed and revised in a timely manner.
Article 36
A financial holding company or a banking business shall establish an independent risk management task force and regularly furnish risk management reports to the board of directors; upon identifying a significant risk exposure that might adversely affect its financial or business status or compliance with applicable acts and regulations, it shall take immediate and adequate countermeasures and submit a report to the board of directors.
For a credit cooperative, the establishment of the independent risk management task force mentioned in the preceding paragraph can be replaced by a designated management unit in its headquarters.
Article 37
The risk management mechanisms of a financial holding company shall include the following matters:
A. Monitoring the capital adequacy of the financial holding company and of all subsidiaries based on their respective business scale, credit, market, and operational risks, and future business trends.
B. Adopting adequate long- and short-term financing principles and guidelines, and establishing management mechanisms for measuring and monitoring the liquidity positions of the financial holding company and of all subsidiaries, by which to measure, monitor, and manage the liquidity risks of the financial holding company and of all subsidiaries.
C. Making various investment allocations after having considered the overall risk exposure, equity capital, and characteristics of liabilities of the financial holding company, and establishing various measures to manage investment risks.
D. Establishing uniform assessment methodologies for rating and classifying the quality of assets of the financial holding company and of all subsidiaries, calculating and controlling large risk exposures of the financial holding company and its subsidiaries, carrying out periodic reviews, and faithfully setting aside allowances or reserves for loss.
E. Building information security mechanisms and contingency plans with respect to business exchanges, transactions, or other activities between the financial holding company and its subsidiaries and between its subsidiaries.
Article 38
The risk management mechanism of a banking business shall include the following principles:
A. Monitoring the capital adequacy based on its business scale, credit, market, and operational risks, and future business trends.
B. Establishing management mechanisms for measuring and monitoring the liquidity positions of the banking business, by which to measure, monitor, and manage the liquidity risks.
C. Making various investment allocations after having considered the overall risk exposure, equity capital, and characteristics of liabilities, and establishing various measures to manage investment risks.
D. Establishing uniform assessment methodologies for rating and classifying the quality of assets, calculating and controlling large risk exposures, carrying out periodic reviews, and faithfully setting aside allowances or reserves for loss.
E. Building information security mechanisms and contingency plans with respect to business, transactions, and information exchanges or other activities.
Article 38-1
Banking businesses shall assign a manager ranked vice president or above or an individual with equivalent powers to serve concurrently as the chief information security officer, who shall oversee the implementation and coordination of the information security policy and resource allocation. Banking businesses shall set up a dedicated information security office, and appoint the chief officer, who shall not be appointed to other posts of information, or tasks with conflict of interest, and shall arrange suitable workforce and equipment except as otherwise provided by the competent authority with respect to the credit cooperatives and bills finance companies.
A banking business shall set up a dedicated information security office and appoint a person a level higher than associate general manager or equivalent function to be the chief officer of such dedicated information security office if its total assets of the previous year as audited by a CPA have exceeded NTD 1 trillion.
The dedicated information security office is in charge of planning, monitoring, and implementing the management processes of information security. The banking enterprise shall submit, disclose, and publish the Internal Control System Statement in accordance with the regulations in Paragraph 1, Article 27 and the chief information security officer shall jointly sign and issue the Statement.
The personnel of the dedicated information security office of the banking business shall attend at least fifteen (15) hours of professional courses of information security, or on-the-job training every year. The personnel of the head office, local and foreign business units, information units, financial custody unit, and other managerial units shall attend no less than three hours of promotional program of information security every year.
The Bankers Association, the National Federation of Credit Cooperatives, and the Bills Finance Association shall establish and regularly review the self-disciplinary regulations of information security.
Banking businesses governed by paragraph 2 shall implement the adjustments within six months upon satisfaction of the applicable conditions.