These Rules are enacted pursuant to Paragraph 1, Article21 of the Credit Cooperatives Act of the Republic of China (referred to as the Act hereunder).

A credit cooperative shall establish internal control and audit systems and ensure the continuing and effective implementation of such systems to promote the sound development of the cooperative and uphold financial stability.

The basic purpose of internal controls is to promote the sound operations of a credit cooperative. The board of directors, supervisors and all employees of the credit cooperative shall comply with such internal controls to ensure the attainment of following objectives:
1. Operational performance and efficiency.
2. Reliability of financial reporting.
3. Compliance with relevant laws and regulations.
The objective of “operational performance and efficiency” depicted in subparagraph 1 of the preceding paragraph pertains to profit, business performance and assurance of asset security.

A credit cooperative’s internal control system shall be based on the following principles:
1. Management’s supervisory and control culture: The board of directors (the board) shall be responsible for approving and periodically reviewing overall business strategies and major policies, and the board has the ultimate responsibility for ensuring the establishment and maintenance of a suitable and effective internal control system. Senior management shall be responsible for carrying out the business strategies and policies approved by the board, developing procedures for identifying, measuring, supervising and controlling the credit cooperative’s risks, setting up proper internal control policies and supervising the efficiency and adequacy thereof;
2. Risk identification and evaluation: An effective internal control system shall facilitate the identification and continuous evaluation of material risks that may adversely affect the likelihood of the cooperative achieving its goals, and determine how to respond to related risk to keep it within acceptable range;
3. Control activities and segregation of duties: Control activities shall be a part of a credit cooperative’s daily overall operations. A complete control structure should be established with internal control processes defined at every level. An effective internal control system should contain appropriate segregation of duties, and management and employees shall not be given conflicting responsibilities;
4. Information and communication: A credit cooperative shall keep pertinent and complete financial, operations and compliance information; such information shall be reliable, up to date, easily accessible, and provided in a uniform format. An effective internal control system shall have effective communication channels; and
5. Monitoring activities and remediation of deficiencies: A credit cooperative should continuously monitor the overall effectiveness of its internal control system. The business units, internal auditors and other internal control personnel shall, upon the discovery of deficiencies in such system, report to the appropriate management. Material internal control deficiencies shall be reported to senior management and the board, and be addressed promptly.

A credit cooperative’s internal control system shall cover all business activities with the following policies and operating procedures established and timely reviewed:
1. Organization charter or management rules, which shall include a clear organizational system, functions and responsibility of respective department, and clear rules governing authorizations and hierarchy responsibilities.
2. Related business rules, procedures and operational manuals, including:
(1) Cashiers, deposits, extension of credit, and exchange.
(2) Investment guidelines.
(3) Confidentiality of customer data.
(4) Transactions with stakeholders.
(5) Accounting and financial statement preparation process, general affairs, information and human resources (including rules for rotation and vacation).
(6) Management of information disclosure.
(7) Management of outsourcing operation.
(8) Other business rules and operating procedures.
Where necessary, the credit cooperative’s compliance and internal audit units should participate in the drafting, revision or abolishing of operational and management rules and procedures mentioned above.

A credit cooperative shall set up a compliance system, a risk management mechanism, an internal audit system, and a self-inspection system to maintain the effective and proper operations of its internal control system.

A credit cooperative’s internal control system shall be approved by its board of directors. If any of the directors expresses a dissenting view which is documented or comes with a written statement, the credit cooperative shall submit the dissenting view together with the internal control system approved by the board to its supervisors; the preceding provisions apply when the credit cooperative revises its internal control system.

For the purpose of regulatory compliance, a credit cooperative shall designate a head office administration unit directly under the board of directors or president to take charge of the planning, management and implementation of a compliance system, and appoint a senior executive to be the chief compliance officer in charge of the compliance issues. The chief compliance officer shall report to the board of directors and supervisors at least once every half a year.
The credit cooperative’s head office, its business units, information unit, asset management unit, and other administrative units shall each appoint a compliance officer in charge of compliance matters; the compliance officer shall hold the position of assistant manager or above.
The chief compliance officer shall receive in each year at minimum ten hours of finance-related professional training sponsored by training institutions designated by the competent authority.
The credit cooperative shall report the name of its chief compliance officer as mentioned in the preceding paragraph directly to the Department of Finance of the municipal government or the county (city) and file the same with the central competent authority via the Internet information system for reference.

With respect to compliance issues, a credit cooperative’s head office and branch offices shall establish a counseling and communication channel to effectively convey regulatory requirements so any of employee’s questions concerning compliance issue is quickly clarified, and laws and regulations are vigorously observed.　

The credit cooperative’s regulatory compliance unit shall undertake the following tasks:　
1. Establishing a system for clear and adequate conveyance, consultation, coordination and communication of compliance matters;
2. Keeping operating and management rules and procedures updated in line with relevant regulations to make sure all business activities comply with regulatory requirements;　
3. Drafting the content and procedure for evaluating regulatory compliance and overseeing the periodic implementation of self-evaluation by respective units;
4. Providing pertinent regulatory training to employees; and
5. The compliance officers of the administrative and business units shall publicize to the employees financial regulations and code of ethics at least once a week and keep a log of such activities for future reference.
Self-evaluation of regulatory compliance shall be conducted at least once every half a year and the results thereof shall be submitted to the regulatory compliance unit for reference. The head of each unit shall designate a staff to take charge of the self-evaluation operation.
The working papers and data on the aforementioned self-evaluation work shall be retained for at least five (5) years.

A credit cooperative shall draw up pertinent risk management policy and process and set up an independent and effective risk management mechanism to evaluate and monitor its risk bearing capacity, current status of risk exposures, risk response strategies and compliance with risk management process.
The aforementioned risk management policy and process shall be approved by the board of directors, and reviewed and modified at opportune time.

A credit cooperative shall set up an independent risk control unit or designate an administrative unit of the head office to take charge of risk control and submit a risk control report to the board of directors on a regular basis, and take prompt and proper measures and report to the board of directors upon discovery of material exposure that might imperil the credit cooperative’s finance, business or compliance.

A credit cooperative’s risk control mechanism shall contain the following principles:
1. Monitoring of capital adequacy by scale of business, the status of credit risk, market risk and operational risk, and future business trends;
2. Establishment of management mechanism for measuring and monitoring liquidity position to measure, monitor and control liquidity risk;
3. Carrying out asset allocation and establishing risk management for each business in consideration of overall exposure, own capital and liability characteristics;
4. Establishing methods for assessing the quality and classification of cooperative’s assets, calculating and controlling large-sum exposures, and periodically examining and truthfully setting aside loss provisions; and
5. Establishing information security mechanism and emergency response plan for cooperative’s businesses, transactions, and use of information.

The purposes of the internal audit system are to inspect and evaluate the effectiveness of internal control system and provide timely suggestions for improvement to ensure that the system will continue to be effective and to assist the board of directors and the management in performing their duties.

A credit cooperative shall establish an internal audit unit under its board of directors that performs its duties with independent spirit and objectivity, and reports to the boards of directors and supervisors regularly at least once every half a year.
A credit cooperative shall establish the position of chief auditor who oversees the audit business. The chief auditor should have leadership and the capability to effectively oversee the audit work. The qualifications of chief auditor shall comply with the Regulations Governing the Qualifications and Election/Appointment of Membership Representatives, Directors, Supervisors and Managerial Officers of Credit Cooperatives, and such position shall be equivalent to a vice president.
The chief auditor shall not hold concurrent positions other than those specified below:
1. Chief of audit unit.
2. Compliance officer.
3. Officer in charge of money laundering prevention.
The appointment, dismissal or transfer of the chief auditor shall have the consent of at least two third (2/3) of the members of the board of directors and the prior approval of the central competent authority. The appointment, discharge, promotion, reward, punishment, transfer and performance review of audit personnel will be handled by the chief auditor and take effect after approval by the board of directors and subject to the consent of the board of supervisors. Where such action involves the personnel of other administrative or business units, the chief auditor shall first consult the personnel office to seek the consent of the president and then final approval from the chairman of the board.

Internal auditors shall perform their duties based on the principles of honesty and credibility and stay free of the following conducts:
1. Concealing knowledge of cooperative’s business activity, financial reporting and compliance status that directly impairs the interests of stakeholders, or making untruthful or improper disclosure.
2. Engaging in conduct exceeding the bounds of audit authority or other illicit activity by disclosing privileged information to others for personal gain or damaging the interests of the credit cooperative.
3. Not withdrawing from audit cases involving business he or she used to perform or is having an interest in.　
4. Accepting unjustified entertainment or gratuity or other illicit benefits from credit cooperative employee or customer. Failing to carry out audit or provide related information as instructed by the competent authority.
5. Engaging in activities that violate laws and regulations or is prohibited by the competent authority.

The internal audit unit shall undertake the following tasks:
1. A credit cooperative should outline the organization, organizational structure and responsibility of its internal audit unit, and draft the internal audit manual and working papers. The internal audit manual shall contain at least the evaluation of established internal control requirements and business procedures to determine whether the existing requirements and procedures are properly controlled and whether the administrative units and business units faithfully implement internal control and the outcome of implementation is reasonably effective, and to make suggestions for improvement whenever needed.
2. Drawing up the content and procedure for self-inspection and overseeing the self-inspection carried out by respective units.
3. Drafting an annual audit plan and audit plans for individual units in view of the risk exposures and internal audit implementation of respective units.
The credit cooperative should urge respective units to undertake self-inspection. The internal audit unit will review the self-inspection reports produced by respective units, which, together with the internal control deficiencies discovered by the internal audit unit and results of improvement actions taken, will be used as basis for the board of directors, president, chief auditor and compliance officers to assess the effectiveness of the credit cooperative’s internal control system and issue an internal control statement.

The duties of an internal auditor include the following:
1. The audit of business and accounting books;
2. The audit of assets and liabilities;
3. The audit of contracts, receipts, bills, rules and statements.
4. Inventory taking of stock and articles in custody.
5. Investigation of internal fraud.
6. Follow-up of improvement actions taken against deficiencies found in financial examination and items to be rectified under the order of the competent authority.
7. Inspection of documents handed over during handover of job.
8. Planning, supervision and audit of self-inspection operation and follow-up of improvement actions taken against deficiencies found in self-inspection.
9. Supervision and investigation of construction projects, large-sum acquisitions, orders, and disposal of assets with respect to price negotiation, price comparison, bidding and award of bid.
10. Audit of clearing of non-performing loans and non-accrual loans, and write-off of bad debt.
11. Follow-up and supervision over forwarding cases involving personnel suspected of business violation to law enforcement and actions of recourse and preservation of properties.
12. Other audit related matters.
The clean-up of past due loans and receivables on demand, and write-off of bad debt mentioned in Subparagraph 10 of the preceding paragraph shall be handled in accordance with the regulations and instructions of the central competent authority.

A credit cooperative’s internal audit report in general audit shall, by the nature of the audited unit, disclose the following:
1. The scope of audit, summary evaluation, financial status, capital adequacy, business performance, asset quality, regulatory compliance, internal control, transactions with related parties, procedural control and internal management for respective business, security management of customer data, information management, employee’s education concerning confidentiality, and status of self-inspection; and
2. A status report with regard to status of improvement and inactions by each business unit in response to the examination opinions of or deficiencies found by financial examiner, accountant, or internal auditor or self-inspection personnel, and recommendations enumerated in the internal control statement.

The internal audit unit shall conduct general audit and target audit of the business, asset management, and information units at least once a year, and conduct target audit of other administrative units at least once each year.
The credit cooperative’s internal audit unit should include the implementation of regulatory compliance system into the general audit or target audit of business and administrative units.
The internal audit report, working papers and relevant data in the first paragraph shall be retained for at least five years.

A credit cooperative shall allocate qualified and a suitable number of full time internal auditors commensurate with the number of business units and the size of such businesses, and such auditors (include computer auditors if the cooperative has an information unit) should perform their duties in an independent, objective and impartial manner.
The credit cooperative’s internal auditors shall meet the following requirements:
1. Having graduated from a college or university and minimum two years of experience in financial business or financial examination; or having graduated from a senior high school or vocational school and minimum three years of experience in financial business or financial examination; or have minimum five years of experience in financial business; or having minimum two years of professional experience as an auditor in a accounting firm, or a programmer or systems analyst in a computer firm and having received minimum three months of training in financial business and management;
2. Free of any record of demerit from employer in the last three years, unless the demerit record was a result of joint disciplinary action on account of the violation or offense of a colleague, and the demerit has been offset by other merits; and
3. The lead auditor shall have minimum three years of experience in audit or insurance examination, or minimum one year of audit experience and five years of experience in financial business.

The auditors, lead auditor, and chief and assistant chief of the internal audit unit shall attend at least one session of auditor training class, computer auditing training class, lead auditor training class or chief and assistant chief training class sponsored by a training institution designated by the competent authority. New auditors shall pass the examination of aforesaid training institution and receive a certificate of class completion.
Internal auditors shall attend more than thirty (30) hours of finance-related professional training sponsored by a training institution designated by the competent authority, or the employer credit cooperative each year.
The hours of finance-related professional training received from training institutions designated by the competent authority shall make up at least half of the required training hours specified in the foregoing paragraph.
A credit cooperative shall have a plan for continuous and proper training of personnel involved in self-inspection.

A credit cooperative shall affirm that its internal auditors meet the qualifications as stipulated in the Rules herein. The affirmation documents and records shall be filed and saved for future reference.

To enhance internal check and balance so as to prevent the occurrence of fraud, a credit cooperative shall establish a self-inspection system. The business, asset management and information units of the credit cooperative shall conduct general self-inspection at least once every half a year, and special self-inspection at least once every month. Notwithstanding the foregoing, special self-inspection is not required in the month when a general self-inspection has been conducted, or when a general business audit has been conducted by the internal audit unit of the credit cooperative or the financial holding company, or when a general business examination has been conducted by the financial examiner, or when the audit department has conducted a full business audit, or when a self-evaluation of regulatory compliance has been conducted.
When conducting self-inspection, the chief of the business, asset management or information units shall assign a personnel other than the one who handles the work to carry out self-inspection, and keep the self-inspection operation confidential beforehand.
The self-inspection report, its working papers and related data shall be retained for at least five years.

Officers of a credit cooperative at various levels with the authority to approve cooperative’s business or transactions shall meet any of the requirements below prior to taking office:
1. Having minimum one year of practical experience in conducting internal audits as an employee of the internal audit unit;
2. Having passed the examination and received a certification of course completion in an auditor or computer auditor training course offered by an institution designated by the competent authority.
3. Having passed the test for of banking internal control and internal audit and received a certificate therefore from an institution designated by the competent authority. The content of the test should be comparable to the training course and examination mentioned in the preceding subparagraph.
First-time business unit manager of a credit cooperative shall, in addition to meeting a requirement as provided in the first paragraph hereof and provisions in the Regulations Governing the Qualifications and Election/Appointment of Membership Representatives, Directors, Supervisors and Managerial Officers of Credit Cooperatives, participate in the audit internship of the internal audit unit at least four times in the first half year of appointment. The aforesaid internship shall cover at least one audit item in each audit and at least four audit items cumulatively. The intern shall also produce an internship report for the perusal of the chief auditor. The chief auditor, after approving the report, will issue a certificate and preserve it along with other documents for future reference.

When a credit cooperative engages an accountant to audit its annual financial statements, it shall also ask the same accountant to audit its internal control system and express opinion regarding the accuracy of information provided in the financial statements as well as the implementation of the credit cooperative’s internal control system, regulatory compliance system, and the appropriateness of credit cooperative’s bad debt reserve policy.
The accountant’s audit fees will be at the expense of the credit cooperative as agreed between the credit cooperative and the accountant.
Paragraph 1 does not apply to a credit cooperative which is taken over by the competent authority pursuant to laws.

Where necessary, the competent authority may order the credit cooperative and its accountant to provide explanations regarding the audit as described in the preceding article, and ask the credit cooperative to replace its accountant to conduct another audit if the competent authority deems that the accountant is incompetent for the audit work.

In carrying out audit as described in Article 26 herein, the accountant shall inform the competent authority immediately in case of any of the following situations:
1. In the process of audit, the accountant was unable to continue the audit work because the credit cooperative did not provide the statements, supporting documents, account books or meeting minutes asked by the accountant or refuse to provide explanation to the inquires of the accountant, or due to the other objective circumstances.
2. The credit cooperative under audit is found to contain untruthful information in its accounting or other records, falsify, or omit accounting or other records, and the situation is of serious nature.
3. The credit cooperative under audit does not have adequate assets to cover its liabilities or its financial conditions markedly deteriorate.
4. Evidence indicates that a transaction of the credit cooperative might bring about material loss to its net assets.
Where the credit cooperative under audit is found to be in any of the situations described in subparagraphs 2 ~ 4 of the preceding paragraph, the accountant shall first submit a summary report to the competent authority based on the audit results.

A credit cooperative shall, before the end of April every year, file the previous year’s audit report of its accountant regarding the audits described in Article 26 herein with the Department of Finance of the municipal government or the county (city) government, who will also forward a copy of the report to the central competent authority. Such audit report shall contain at least information on the scope and basis of audit, audit procedure and results.
The accountant of a credit cooperative is obliged to provide relevant information and explanations to the questions raised by the competent authority regarding the audit report.

If a credit cooperative conceals the fact about its poor internal management, lack of internal control, inadequate implementation of its internal audit system and regulatory compliance system, or results of improvement actions taken in response to the comments of financial examiner, or its internal audit unit conceals the audit findings that results in material fraud, relevant personnel involved shall take the responsibility for negligence of duties. The credit cooperative should commend internal auditors whose discovery of major fraud or omission saves the credit cooperative from material loss.　　
Where the administrative unit or business unit of a credit cooperative is found to commit major omission or fraud, the internal audit unit has the right to recommend disciplinary actions and shall make full disclosure in the internal audit report personnel responsible for the major omission.

The internal audit unit of a credit cooperative should continuously follow up on the examination opinions of or deficiencies found by financial examiner, accountant, internal auditor or business unit, and recommendations enumerated in the internal control statement, and report the status of improvement actions taken to the board of directors and supervisors in writing, and include them as major items in the performance review of the administrative units and business units.　
The central competent authority will set forth guidelines for evaluating the audit work of a credit cooperative.

The general manager of a credit cooperative shall oversee respective units to carefully evaluate and review their implementation of the internal control system. The credit cooperative’s president, together with the general manager, the chief auditor and the chief compliance officer of the head office, shall jointly sign and issue an internal control statement (attached form), which, subsequent to the approval of the board of directors, shall be filed with the Department of Finance of the municipal government or the county (city) government, disclosed on the cooperative’s website and filed with the central competent authority through a designated website in four months after the end of each fiscal year.
The internal control statement in the foregoing paragraph shall be published in the annual report as required.
Paragraph 1 does not apply to a credit cooperative which is taken over by the competent authority pursuant to laws.

The internal audit report shall be given to the supervisors for perusal and filed with the Department of Finance of the municipal government or the county (city) government and the central competent authority in two months from the date the audit ends.

The credit cooperative shall, before the end of January every year, file the data on the name, age, education, work experience, years of service of its internal auditors and training received by them with the Department of Finance of the municipal government or the county (city) government in a format specified by the central competent authority and file the same with the central competent authority via the Internet information system.

Where their suggestions regarding material deficiencies or violation in internal control were not accepted by the management that the inaction might bring about material losses to the credit cooperative, the internal auditor or chief compliance officer shall immediately produce a report and inform the supervisors as well as the Department of Finance of the municipal government or the county (city) government and the central competent authority.

A credit cooperative shall file the audit plan for the following year before the end of each fiscal year and file a report on the implementation status of the previous year’s audit plan in two months after the end of each fiscal year with the Department of Finance of the municipal government or the county (city) government in a format specified by the central competent authority and file the same with the competent authority through the Internet information system.　

A credit cooperative shall, in five months after the end of each fiscal year, file a report on the deficiencies of internal control system found in previous year’s internal audit and status of corrective actions taken with the Department of Finance of the municipal government or the county (city) government in a format specified by the central competent authority and file the same with the central competent authority through the Internet information system.

Where an internal audit conducted under the direction of the chief auditor has any of the following situations, the competent authority may, depending on the severity of the case, demand rectification by ordering the credit cooperative to remedy the situation within a prescribed time period or to dismiss its chief auditor:
1. Factual evidence shows that the chief auditor has engaged in improper lending practice, grossly violated the guidelines for extension of credit or has improper financial relationship with customer.
2. Factual evidence shows that the chief auditor abuses his/her authority to engage in illicit activity or profit self or others, or takes advantage of his/her position to damage the interests of the credit cooperative or others.
3. Disclosing or delivering information or making public the whole or any part of the financial examination report to people unrelated to the execution of audit work without the approval of the competent authority.
4. Failing to notify the competent authority regarding major fraud inside the credit cooperative due to poor management.
5. Failing to disclose in the internal audit report serious deficiencies in cooperative’s finance or business.
6. Issuing an untruthful audit report on findings in internal audit.
7. Failing to discover serious deficiencies in the finance or business of the credit cooperative due to the inadequate assignment or incompetence of internal auditor.
8. Failing to follow the instructions of competent authority in handling the audit work or providing relevant information.
9. Engaging in other conduct that impairs the reputation or interest of the credit cooperative.

A credit cooperative shall specify punishment to be meted out to manager and relevant personnel for violating the Rules herein or the internal control rules of the credit cooperative.
The credit cooperative should constantly examine the incident of violation of Article 16 herein by internal auditors, and any transgression is discovered, reassign the violator to another position within one month from the date of discovery.
The credit cooperative should check whether its internal auditors comply with the provisions in Article 20 and Article 21 when filing the basic information of internal auditors in accordance with Article 34 herein, and if non-compliance is found, demand remediation in two months or else immediately reassign the non-complying auditor to another position.

The central competent authority will set forth formats specified in the Rules herein.

The Rules herein shall be in force on the date of promulgation.