The purpose of internal audit is to assist the board of directors and the management in checking and assessing whether the internal control system works effectively and to provide timely suggestions for improvements so as to reasonably ensure the ongoing and effective implementation of the internal control system and to serve as the basis for reviewing and revising the internal control system.

A specialized electronic payment institution shall set up an internal audit unit that is directly under the board of directors and performs audits independently and honestly. The internal audit unit shall report its audit business to the board of directors and supervisors or audit committee at least annually.
A specialized electronic payment institution shall, in view of its business size, business conditions and management needs, establish a chief auditor position of comparable rank to oversee the audit affairs. The chief auditor shall possess sufficient leadership and ability to effectively supervise the audit work, and may not hold other positions that are in conflict or interfere with the audit work.
The employment, dismissal, or reassignment of chief auditor shall first obtain the consent of at least two-thirds of all directors.
Where a specialized electronic payment institution has an audit committee established, the employment, dismissal or reassignment of chief auditor shall first obtain the consent at least the majority of all audit committee members. If the matter does have the consent of at least the majority of all audit committee members, the decision of the audit committee shall be recorded in the meeting minutes of the board of directors. Where a specialized electronic payment institution does not have an audit committee but independent directors, any dissenting opinion or reservation expressed by the independent directors shall also be recorded in the meeting minutes of the board of directors.
The employment, dismissal, promotion, reward and punishment, rotation and performance review of any personnel in the internal audit unit shall become effective after being reported by the chief auditor to the chairman for approval. However, if the matter involves personnel of other management and business units, the chief auditor shall first consult with the personnel office and obtain the consent of the president before reporting the matter to the chairman for approval.

When the chief auditor of a specialized electronic payment institution has any of the following situations, the competent authority may, in view of the severity of the situation, issue an official reprimand, order remedial action within a specified time limit, or order the specialized electronic payment institution to release the chief auditor from duty:
1. Abusing power of office with factual evidence showing that he/she has engaged in improper activities, or acting contrary to his or her duties in an attempt to seek illicit profits for him/herself or for a third party, or to damage the interests of the employer, which results in damages to the employer or its subsidiary or a third party.
2. Disclosing, delivering, or publicizing all or part of the examination reports to a person unrelated to such job without the consent of the competent authority.
3. Failing to notify the competent authority of any material malpractice or fraud at the employer due to internal mismanagement.
4. Failing to disclose in the internal audit report any material deficiency found in the financial or business operations of the employer.
5. Issuing a fraudulent internal audit report after performing the internal audit work.
6. Failing to identify a material deficiency in the financial or business operations of the employer as a result of obviously insufficient or incompetent staffing of the internal audit unit.
7. Failing to follow the instructions of the competent authority in conducting audit work or providing relevant information.
8. Having committed other acts that impair the reputation or interests of the employer.

A specialized electronic payment institution shall be staffed with an appropriate number of competent full-time internal auditors in accordance with the number of users and contracted institutions, business volume, business conditions, management needs, and the requirements of other relevant laws and regulations, who shall perform their duties in an objective detached independent, objective and impartial objective manner. Personnel of the internal audit unit shall be deputy to each other to cover each other's absence.
The internal auditors of a specialized electronic payment institution shall meet the following qualification requirements:
1. Having not less than two years of experience in financial examination; or having graduated from a college or university, or passed a senior civil service examination or an equivalent examination, or the examination of certified internal auditor and having not less than two years of experience in financial business; or having not less than five years of experience in financial business. A specialized electronic payment institution must be staffed with at least one qualified internal auditor who meets the aforementioned qualifications. A person is deemed to meet such requirements if he or she has worked as a professional, such as an auditor or an auditor in an accounting firm, or a programmer or system analyst in a computer company for not less than two years, and has received not less than three months of training in the business operations and management of a specialized electronic payment institution.
2. Free of any record of demerit or more serious disposition from employer in the last three years, unless the demerit record was a result of joint and several disciplinary action on account of the violation or offense of another person, and the demerit has been offset by other merits; and
3. Internal auditor who acts as a team leader shall have not less than three years of experience in auditing or financial examination, or have not less than one year of experience in auditing and not less than five years of experience in financial business, or have not less than one year of experience in auditing and have worked as an auditor for an accounting firm for at least three years.
A specialized electronic payment institution shall check at any time whether its internal auditors have violated the provisions in the preceding two paragraphs. If an auditor is found to violate the provisions, the institution shall order the auditor to take remedial action within two months from the date of discovery and shall immediately reassign the auditor to another job if he or she fails to complete the remedial action within the specified time period.

The internal auditors of a specialized electronic payment institution shall perform their duties in good faith and shall not have any of the following situations:
1. Concealing or making false or inappropriate disclosures while being well aware that the business activity, reporting, or regulatory compliance condition of the employer may cause direct damage to the interests of any stakeholder.
2. Acting beyond the scope of audit functions or engaging in other improper activities, or disclosing any acquired information without authorization or in the attempt to profit therefrom, or otherwise using the information against the interest of the employer.
3. Causing damages to the employer or harming the interests of stakeholders due to negligence in duties.
4. Conducting audit on a department where he/she worked within the past one year.
5. Failing to disqualify him/herself from auditing previously handled business or cases or from auditing cases in which he/she has a stake.
6. Accepting any improper entertainment or gift or other improper benefits provided by the employer or its employees or customers.
7. Failing to follow the instructions of the competent authority in conducting audit work or providing relevant information.
8. Engaging in other acts that violate rules or regulations, or are prohibited by the competent authority.
A specialized electronic payment institution shall check at any time whether its internal auditors have violated the provisions in the preceding two paragraphs. If an auditor is found to violate the provisions, the institution shall reassign the auditor to another job within one month from the date of discovery.

The internal audit unit shall undertake the following tasks:
1. Plan the organizational structure, size and responsibilities of the internal audit unit and produce internal audit working manuals and working papers, which shall include at least assessing the various rules and operating procedures of the internal control system to determine whether adequate internal controls are already in place in the current rules and procedures, whether each department has realistically carried out the internal controls, and whether the internal controls are carried out in a reasonably effective manner, and from time to time provide suggestions for improvement.
2. Supervise the formulation of self-inspection contents and procedures by respective units, and the implementation of self-inspection by each unit.
3. Formulate annual audit plans and draw up the audit plans for respective unit based on the business risk profile of and implementation of internal audits by each unit.
A specialized electronic payment institution shall ensure that all of its units carry out self-inspection, and assign its internal audit unit to review the self-inspection reports of each unit, which, together with internal audit unit's report on the deficiencies and irregularities in internal controls found and improvement actions taken, will serve as a basis for the board of directors, president, chief auditor, and chief compliance officer to evaluate the overall effectiveness of the internal control system, and to issue the statement on internal control.

The internal audit unit of a specialized electronic payment institution shall conduct a routine audit and a special audit at least annually on its business, finance, asset safekeeping and information units, and a special audit at least annually on other management units.
The internal audit unit shall include the execution status of the regulatory compliance system into the routine audit or special audit of the business and management units.

When the internal audit unit of a specialized electronic payment institution carries out routine audit, its internal audit report shall disclose the following information based on the business nature of the audited unit:
1. Scope of audit, summary review of audit, financial status, business performance, asset quality, management of the board of directors and audit committee meeting procedures, regulatory compliance, internal controls, the control and internal management of various businesses, management of data protection for users and contracted institutions, information management, employee confidentiality education, protection measures for financial consumers, implementation of self-inspection, and an evaluation of the above matters.
2. Examination opinions on material violations, deficiencies or frauds occurred at various units, and suggestions for disciplinary actions against negligent employees.
3. The examination opinions or deficiencies identified by the financial examination agency, accountants, internal audit unit (including the internal audit unit of the parent company), and self-inspection personnel, and the improvement status of items that are listed as needing further improvement in the statement on internal control.
The internal audit reports, working papers and relevant information shall be retained for at least 5 years.

Where a significant fraudulent event occurs at a specialized electronic payment institution as a result of poor internal management, unsatisfactory internal controls, inadequate implementation of the internal audit system and regulatory compliance system, or concealment of the results of improvement actions taken for any deficiency specified by a financial examination agency in an examination opinion requiring review and follow-up, or the audit findings of the internal audit unit (including the internal audit unit of parent company), the personnel involved shall be held responsible for dereliction of duties. A specialized electronic payment institution shall reward its internal auditors who identify any significant fraud or negligence and thereby avert material loss to the institution.
When a significant deficiency or fraudulent event arises within a unit of a specialized electronic payment institution, the internal audit unit shall have the power to suggest penalties and shall make a full disclosure of the responsible negligent personnel in the internal audit report.

A specialized electronic payment institution shall deliver its internal audit report to its supervisors or audit committee for review. Unless otherwise prescribed by the competent authority, it shall submit the internal audit report to the competent authority within two months following completion of the audit. The internal audit report shall also be delivered to the independent directors if such positions are set up by the specialized electronic payment institution.

The first-time internal auditors of a specialized electronic payment institution shall attend at least eighteen hours of audit-related professional training courses held by professional training institutions designated by the competent authority within six months from the date they start the audit work.
The internal auditors (including the chief auditor) of a specialized electronic payment institution shall attend professional training related to electronic payment business offered by competent authority-designated professional training institutions or by the specialized electronic payment institution itself every year. The minimum number of training hours shall be ten hours for the chief auditor, and fifteen hours for the other internal auditors. If an auditor has obtained a certified internal auditor certificate in a year, the certificate may be used to offset the training hours for the year.
Professional training courses related to electronic payment business offered by competent authority-designated professional training courses shall comprise not less than one half of the total hours of training under the preceding paragraph.
A specialized electronic payment institution shall formulate self-inspection programs every year and continuously provide proper training to self-inspection personnel in accordance with the business nature of each unit.
A specialized electronic payment institution shall verify that its internal auditors meet the qualification requirements set forth herein, and retain the verification documentation and records for future reference.

A specialized electronic payment institution shall file the data on its internal auditors with the competent authority for record before the end of January every year via a web-based information system and in a format prescribed by the competent authority.
When filing the basic data of internal auditors according to the preceding paragraph, a specialized electronic payment institution shall verify whether these auditors have met the requirements stipulated in Paragraph 2 of Article 13 and the preceding article herein. If an internal auditor fails to meet the requirements, the auditor shall take remedial actions within two months, or else be reassigned to another job.

A specialized electronic payment institution shall file the next year's audit plan to the competent authority for record by the end of each fiscal year, and a report on the execution of its preceding year's annual audit plan within two months from the end of each fiscal year, in a prescribed format stipulated by the competent authority via a web-based information system.
A specialized electronic payment institution shall deliver its next year's audit plan in writing to the supervisors or audit committee for review and record the comments of supervisors or audit committee by the end of each fiscal year. If the institution does not have an audit committee, it shall deliver the audit plan to its independent directors for comments. The annual audit plan and changes thereof shall be approved by the board of directors.
The audit plan mentioned in the preceding paragraph shall contain at least a description of the audit plan, key annual audit items, units to be audited, nature of audit (routine audit or special audit), frequency of audit, and whether the audit plan is in compliance with the requirements of the competent authority. If the audit is a special audit, the scope of audit shall also be noted.

A specialized electronic payment institution shall file the deficiencies, irregularities, and improvement of internal audit of the previous year to the competent authority for record in a format prescribed by the competent authority via a web-based information system within five months after the end of each fiscal year.

A specialized electronic payment institution shall establish a self-inspection system. Its business, finance, asset safekeeping and information units shall conduct a routine self-inspection and a special self-inspection at least semi-annually.
For the self-inspection mentioned in the preceding paragraph, the head of the unit shall assign a person other than the original handling staff to conduct the inspection and keep the inspection activity confidential before implementation.
The self-inspection report under Paragraph 1 hereof shall include working papers, and along with the relevant information shall be retained for at least five years for future reference.

The internal audit unit of a specialized electronic payment institution shall continually conduct follow-up reviews on the examination opinions or audit deficiencies brought up by the financial examination authority, accountants, or the internal audit unit (including the internal audit unit of parent company), or in self-inspection conducted by internal units, and on matters requiring improvements as specified in the statement on internal control. It shall submit a written report on the follow-up of improvement actions taken to the board of directors, and deliver a copy of the report to the supervisors or audit committee, which shall be used as an important reference in reward, punishment, and performance evaluation of respective units.

The president of a specialized electronic payment institution shall supervise all units to carefully assess and review the implementation status of its internal control system. The chairman, president, chief auditor, and chief compliance officer shall jointly issue a statement on internal control (see attached), which shall be submitted to the board of directors for approval. The specialized electronic payment institution shall disclose its statement on internal control on its website and publish it on a website designated by the competent authority within three months after the end of each fiscal year.

• Attachment Statement on Internal Control.pdf

If the annual financial report of a specialized electronic payment institution is audited and certified by an accountant, the institution shall also engage the accountant to conduct an audit of its internal control system. The accountant shall also express an opinion on the accuracy of reports submitted by the specialized electronic payment institution to the competent authority, and the appropriateness of the implementation status of internal control system and regulatory compliance system.
The competent authority may request the specialized electronic payment institution to authorize an accountant to conduct a targeted examination of its personal data protection and AML/CFT mechanisms.
The audit fees for the accountant shall be negotiated and agreed between the specialized electronic payment institution and the accountant, and paid by the specialized electronic payment institution.

Where necessary, the competent authority may invite a specialized electronic payment institution and its appointed accountant to discuss audit-related matters under the preceding article. If the competent authority finds the accountant appointed by the specialized electronic payment institution not sufficiently competent for the audit work, the competent authority may order the specialized electronic payment institution to replace its accountant and appoint another accountant to re-conduct the audit work.

When an accountant conducts an audit specified in Article 27 herein, the accountant shall inform the competent authority immediately when the audited specialized electronic payment institution has any of the following situations:
1. During the course of audit, the specialized electronic payment institution fails to provide the accountant with requested reports, certificates, account books and meeting minutes, or refuses to make further explanation on the inquiries made by the accountant, or the accountant is unable to continue the audit work as constrained by other objective circumstances.
2. There are false, forged or missing data of serious nature in its accounting or other records.
3. Its assets are insufficient to pay its debts or its financial condition deteriorates significantly.
4. There is evidence indicating that certain transactions may cause great damage to its net asset.
If an audited specialized electronic payment institution has a situation provided in Subparagraphs 2 to 4 of the preceding paragraph, an accountant shall submit in advance a summarized report based on the audit results to the competent authority.

When a specialized electronic payment institution appoints an accountant to conduct audit under Article 27 herein, the institution shall submit the accountant's audit report of the previous year to the competent authority for record before the end of April every year. The audit report shall describe at least the scope, basis, procedure, and results of the audit.
When the competent authority inquires the contents of the audit report, the accountant shall provide full and accurate information and elaboration.

A specialized electronic payment institution shall assign a management unit directly under the president to take charge of the planning, management and implementation of regulatory compliance system, and appoint a high-level manager to act as the chief compliance officer who oversees the compliance matters and report to the board of directors, supervisors, or audit committee at least semiannually. If any major violation of regulations is discovered, the chief compliance officer shall immediately report to the directors and supervisors, and report the compliance related matters to the board of directors.
The chief compliance officer and personnel of the compliance unit shall attend at least fifteen hours of training a year offered by competent authority-designated professional training institutions or their employer. The training courses shall cover at least the latest regulatory amendments.
A specialized electronic payment institution shall file the list of chief compliance officer and personnel of compliance unit and their training records to the competent authority via a web-based information system.

A specialized electronic payment institution shall establish advisory and communication channels for compliance related matters to keep employees informed of relevant rules and regulations, swiftly clarify any questions its employees may have on compliance matters, and ensure regulatory compliance.
The compliance unit of a specialized electronic payment institution shall analyze the causes of significant deficiency or fraud in compliance related matters within respective unit, and propose suggestions for improvement. The report produced thereof shall be signed off by the president and then submitted to the board of directors for approval.

The compliance unit of a specialized electronic payment institution shall conduct the following tasks:
1. Establishing a system for clear and adequate conveyance, consultation, coordination and communication of compliance matters.
2. Keeping operating and management rules and procedures updated in line with relevant regulations to make sure all business activities comply with regulatory requirements.
3. Before a specialized electronic payment institution introduces a new product or service, or applies to the competent authority for approval to offer a new business, the chief compliance officer shall issue and sign an opinion statement undertaking that the new product, service or business complies with applicable regulations and internal rules.
4. Drafting the details of evaluation and procedures for evaluating regulatory compliance, overseeing the periodic self-evaluation conducted by respective units, and assessing the compliance self-evaluation conducted by respective units and producing a report thereon, which, after being signed off by the president, will be used as reference in the performance evaluation of the unit.
5. Providing pertinent appropriate regulatory training to personnel at various units.
The internal audit unit may draft the details of evaluation and procedures for evaluating compliance by its subordinate units and perform self-evaluation of the compliance status of its subordinate units, to which the provisions in Subparagraph 4 of the preceding paragraph do not apply.
A specialized electronic payment institution shall perform self-evaluation of compliance at least semiannually. The results shall be sent to the compliance unit for future reference. The head of a unit shall designate a dedicated person to carry out the unit's self-evaluation.
The working papers and information on the self-evaluation work under the preceding paragraph shall be retained for at least five years.

A specialized electronic payment institution shall formulate proper risk management policies and procedures, and establish independent and effective risk management mechanism, by which to assess and monitor the overall risk bearing capacity, current status of risks already incurred, and to determine the risk response strategies and the compliance framework of the risk management procedures.
The risk management policies and procedures under the preceding paragraph shall be passed by the board of directors and be reviewed and revised in a timely manner.

A specialized electronic payment institution shall establish a risk management unit and regularly submit risk management reports to the board of directors. Upon identifying a significant risk exposure that might adversely affect its financial, or business status, or compliance with applicable acts and regulations, the specialized electronic payment institution shall take immediate and adequate measures and submit a report to the board of directors.
The risk management unit under the preceding paragraph may be replaced by a designated management unit.

The risk management mechanisms of a specialized electronic payment institution shall include the following:
1. Establishing a fraud prevention mechanism to uphold transaction security and better control fraud risk.
2. Establishing the examination and control mechanism for operating procedures and establishing information security mechanism and emergency response plan.
3. Establishing users and contracted institutions management mechanism.
4. Establishing exit mechanism for circumstances when business or finance deteriorates significantly.
5. Establishing users’ funds of payment management mechanism.
6. Establishing users’ and contracted institutions’ identity verification mechanism.
7. Establishing users’ and contracted institutions’ information protection mechanism.
8. Establishing outsourcing management mechanism.
9. Establishing financial consumer protection mechanism.