Chapter 2 Design and Implementation of the System
The internal control system of banks as well as insurance agent companies and insurance broker companies with annual operating revenue of NT$500 million or more shall contain at least the following components:
1. Control environment: Control environment is the basis of the design and implementation of the internal control system across the company. Control environment encompasses corporate integrity and ethical values of the company, governance oversight responsibility of the board of directors (council) and supervisors (board of supervisors) or audit committee, organizational structure, assignment of authority and responsibility, human resources policy, and performance measures and reward and discipline. The board of directors (council) and management shall prescribe internal standards of conduct, including the adoption of a code of conduct for directors (council) and employees.
2. Risk assessment: A precondition to risk assessment is the establishment of objectives, linked at different levels of the company, taking into account suitability of the objectives. Management shall consider the impact of possible changes in the external environment and within its own business model that may render internal control ineffective. The risk assessment results can assist the company in designing, correcting, and operating necessary control activities in a timely manner.
3. Control activities: Control activities are actions of carrying out policies and procedures taken by the company according to risk assessment results to limit relevant risks to a sustainable level. Control activities shall be performed at all levels of the company, at various stages within business processes, and over the technology environment, and shall include supervision and management of subsidiaries.
4. Information and communications: Information and communication mean the relevant and quality information that the company obtains, generates, or uses from both internal and external sources to support the functioning of other components of internal control, and to ensure effective communication of such information between the company and external parties. Internal control systems must have mechanisms for generating information necessary for planning, implementation, and monitoring and for providing timely information to those who need it.
5. Monitoring activities: Monitoring activities means ongoing evaluations, separate evaluations, or some combinations of the two used by the company to ascertain whether each component of the internal control system exists and continues to function. Ongoing evaluations means routine evaluations built into the course of operations at different levels of the company. Separate evaluations are evaluations conducted by internal auditors, supervisors (board of supervisors) or audit committee, or board of directors (council). Findings of deficiencies of the internal control system shall be communicated to the management of appropriate levels, the board of directors (council) and supervisors (board of supervisors) or audit committee, and improvements shall be made in a timely manner.
The insurance agent companies and insurance broker companies with annual operating revenue less than NT$500 million shall contain at least the following components:
1. Management oversight and control culture: The board of directors (council) shall have the responsibility for approving and periodically reviewing overall business strategies and major policies, and shall have the ultimate responsibility for ensuring that an adequate and effective internal control system is established and maintained; senior management shall have the responsibility for implementing business strategies and policies approved by the board of directors (council), for developing processes that identify, measure, monitor, and control risks incurred by the company, for setting appropriate internal control policies, and for monitoring their effectiveness and relevance.
2. Risk recognition and assessment: An effective internal control system requires that the material risks that could adversely affect the achievement of the company goals are being identified and continually evaluated.
3. Control activities and delegation of responsibilities: Control activities shall be an integral part of the daily operations. An appropriate control structure shall be set up, with internal control processes defined at every business level. An effective internal control system requires that there is appropriate delegation of responsibilities and that management and employees are not assigned conflicting responsibilities.
4. Information and communication: an insurance agent company or insurance broker company shall maintain relevant and comprehensive financial and non-financial information related to operations, financial reports and regulatory compliance; such information shall be reliable, timely, and accessible in order to establish effective channels of communication.
5. Monitoring activities and correction of deficiencies: An insurance agent company or insurance broker company shall monitor the overall effectiveness of its internal controls on an ongoing basis. Business units, internal auditors or other internal control personnel shall promptly report any internal control deficiencies found to the appropriate management, and any significant internal control deficiencies shall be reported to senior management, the board of directors (council) and supervisors (board of supervisors) with corrective actions promptly taken.
Insurance agent companies or insurance broker companies that have already established their internal control system according to paragraph 1 hereof shall stay in compliance with paragraph 1 when their annual operating revenue falls below NT$500 million.
The internal control system of insurance agent companies, insurance broker companies or banks shall cover business solicitation system and procedures as well as internal control procedures established in line with the nature and size of business and based on the principle of internal checks and balances, and shall be reviewed and revised in a timely manner.
Where an insurance agent company, insurance broker company or bank has an audit committee established, its internal control system shall also include the management of the audit committee meeting procedures.
The business solicitation system and procedures referred to in the preceding article shall contain at least the following particulars:
1. Qualifications of insurance solicitors, insurance agents and insurance brokers, the types of insurance they may solicit, solicitation methods, on-the-job training, rewards and disciplines, and rights and obligations.
2. Management measures regarding performance review that links the commissions received by insurance solicitors to risk exposure and duration of commission payment, solicitation quality, and solicitation dispute.
3. Operations and management measures regarding collection and turn-in of premiums by insurance solicitors on behalf of customers.
4. Description of major contents of insurance products and associated rights and obligations, and disclosure of related information.
5. Advertising, promotional and sales activities and management of such activities.
6. Understanding and evaluating the insurance needs and suitability of proposers or the insured.
7. The operation and management ensuring that business personnel undertaking insurance solicitation write up solicitation reports truthfully, including conducting phone interview for special cases or conducting spot check of relevant documents.
8. Check mechanism and signature operation in place following solicitation and prior to submission of application.
9. Control and safekeeping of solicitation documents.
10. Customer complaint.
11. Other matters designated by the competent authority.
The provisions of subparagraph 7 of the preceding paragraph do not apply to the solicitation of non-life insurance business.
The internal control procedures referred to in Article 6 herein shall contain at least the following particulars:
1. Controls on accounting, information, personal data protection, anti-money laundering and countering the financing of terrorism (AML/CFT) and other operations relating to business solicitation and businesses approved by the competent authority.
2. Management of financial examination reports.
3. Mechanism for handling major contingencies.
4. Other matters designated by the competent authority.
Insurance broker companies that provide the services of risk planning, reinsurance planning and claim application must establish appropriate operating procedures for such services.
If a bank approved by the competent authority to concurrently operate insurance broker business provides risk planning and insurance claim services, it shall establish proper operating procedures for those services.
The accounting procedure referred to in Subparagraph 1 of Paragraph 1 hereof shall contain at least the following operating procedures:
1. Cashier management: Operating procedure for receipts and payments.
2. Accounting management: Operating procedure for account management and the preparation of balance sheet and income statement.
For the purpose of achieving objectives in Article 3 herein, insurance agent companies, insurance broker companies or banks shall adopt the following measures:
1. Internal audit system: Set up the post of auditor to take charge of auditing each unit and periodically evaluating the performance of self-evaluation conducted by each business unit.
2. Self-evaluation system: Members of different units cross-check one another's actual implementation of internal controls, under the supervision of managerial personnel or personnel at a comparable position or higher as assigned by each unit, to discover deficiencies early and take corrective actions in a timely manner.
3. Independent auditor system: If deemed necessary, the competent authority may order an insurance agent or broker company or a bank to engage a certified public accountant (CPA) to audit its internal control system.
4. Compliance system: Set up the post of compliance officer to take charge of appraising whether business personnel comply with relevant laws and regulations while executing the business.