These Regulations are set forth in accordance with Paragraph 1, Article 45-2 of the Banking Act of The Republic of China and Article 21-1 of the Credit Cooperatives Act of The Republic of China.
A financial institution shall comply with the regulations herein with respect to security protections for its business premises, vaults, safe deposit boxes (rooms), automated teller machines, and cash transport operations.
A financial institution shall draw up operating rules for its security operations and file the rules with the competent authority for reference after they have been approved by its board of directors (or by an officer authorized by the head office in the case of a branch of a foreign bank in Taiwan) and implemented.
Any amendment to the operating rules for security operations shall be submitted to the board of directors and the competent authority for reference after it has been passed in the managing directors' meeting and implemented.
The operating rules for security operations shall contain at least the following:
1. General security protection measures.
2. Security protection measures for business premises, vaults, safe deposit boxes (rooms), automated teller machines, and cash transport operations.
3. The setup of a security supervision taskforce.
4. Reporting of material security events.
The financial institution shall designate a high-level executive (or an officer authorized by the head office in the case of a branch of a foreign bank in Taiwan) to be the convenor of the security supervision taskforce referred to in Paragraph 2 of the foregoing article to supervise the execution of security operations and security checks, security education and training, as well as periodic security drills.
A financial institution shall follow the provisions below in the implementation of general security protection measures:
1. Business premises should be installed with automatic reporting system, alarm system, security system, video surveillance system, fire safety equipment and other necessary protective equipment with designated personnel in charge of their operations and monitoring.
2. Where necessary, a financial institution should assign or hire security guard at business premises to step up patrol and inspection, and promptly take response actions if any sign of irregularity is found to prevent the occurrence of security incident.
3. The automatic reporting system should be linked directly to the police station or a security service provider, and checked and tested periodically.
4. The security system should be installed with multiple lines of defense and each line is equipped with pertinent alarm sensors.
5. The reporting, alarm or security system should have long-acting battery or uninterrupted power system to maintain its normal functioning. The concealment and security of the power switch and power line for such systems should be heeded.
6. The video surveillance system should be primarily colored and cover the entrance area and corridor outside the business lobby, the entire business lobby, interior and entrance/exit of vault and safe deposit box area, automatic teller machines and other important places. Attention should be paid to the shooting angle, light source, image clarity, and display of time of surveillance equipment, and protection for surveillance equipment from moisture, dust and heat.
7. Personnel should be assigned to take charge of the operation, monitoring and management of video surveillance system, and keep a control log. The image files recorded shall be retained for at least two months (image files on new account opening counters, automatic teller machines and surrounding areas shall be retained for at least six months), and dated and put under safekeeping. Where the content of any of the image files is involved in a transaction dispute or any civil or criminal actions, such image file shall continue to be preserved before the case is closed.
8. A financial institution should step up employee education on confidentiality and security and require its employees to keep the internal operating procedures confidential.
9. A financial institution should keep close contact with the local police precinct, conduct support drills regularly, and improve deficiencies found in the drills.
10. The fire safety equipment should be set up in compliance with the fire safety code.
11. The use of business premises should comply with relevant building code.
A financial institution shall follow the provisions below in the implementation of security protection measures for its business premises, vaults, safe deposit boxes (rooms), automated teller machines, and cash transport operations:
1. Security protection measures for business premises
(1) The large-sum teller counter installed at the business premises should be segregated with bars made of strong material or bullet-proof glass and installed with proper security devices. The cash counter should have proper height and its drawers should have automatic locking device. Tellers should habitually put the cash received in the drawer and lock the drawer or send it to the cashier's desk.
(2) The operations department should rigorously control the entry of non-work personnel and install entry control facilities at the entrance.
(3) The business units should hire security guard, security service provider, or other guards for the watch work.
Notwithstanding the foregoing, a financial institution that has justified reasons and whose business unit has already had proper security protection measures in place may apply to the competent authority for exemption from the preceding requirement (see attached form for application format).
2. Security protection measures for vaults and safety deposit boxes (rooms)
(1) Vaults and safe deposit boxes (rooms) should implement rigorous entry control measures (facilities) and should not be in constantly open state.
(2) The key and password to the vault should be kept separately by at least two designated personnel. The vault door should be installed with a time lock to control the opening time.
(3) If the vault or safe deposit box (room) has flood concern, it should be installed with flood prevention, drainage and alarm systems.
3. Security protection measures for automatic teller machines
(1) When installing an automatic teller machine, a financial institution should conduct comprehensive security evaluation and carefully select the installation site. For automatic teller machines installed off the business premises, a financial institution should consider whether the location is convenient for monitoring by the local precinct and give priority to places with security system, security guard or policeman on patrol.
(2) Automatic teller machines should be installed at brightly lit places.
(3) The installed automatic teller machine should be posted with instructions and notes for transactions and equipped with anti-burglary device, facilities that prevent peeping and allow users to detect activities behind their back, illumination fixture and necessary fire safety and escape equipment.
(4) A financial institution should instruct its business units to step up the patrol of the use, entrance control and other protective facilities of automatic teller machines installed on and off the business premises.
(5) A financial institution should establish a mechanism for monitoring irregular withdrawal activities at the automatic teller machine and assign staff to take charge of the monitoring activity, and take prompt and proper action if any irregularity is found. A financial institution shall also monitor its automatic teller machines from time to time to prevent criminal vandalism (the patrol is particularly important during holidays and non-business hours), and keep a record of such patrol activities.
4. Security protection measures for cash transport operations
(1) Unless with the approval of the head office for special circumstances, all branches of a financial institution shall contract a qualified professional cash transport service provider for the transport of cash (including foreign currencies) or cash collection service for specific customers and render necessary support and assistance by performing well related control work. If a financial institution transports cash on its own, it shall use an armored vehicle or a cash-in-transit truck converted from a regular vehicle, and heed the security of cash transport.
(2) Cash-in-transit truck converted from a regular vehicle shall be equipped with engine power interruption switch and an anti-robbery and anti-theft metal cabinet with fixed password or an anti-theft cash box (bag) installed at a concealed spot in the vehicle, as well as necessary defense and alert outfits, rescue communication system, and fire extinguisher.
(3) The cash transport route and time should be kept confidential and vary, and extraordinary situations should be identified ahead of time.
A financial institution shall include the execution of its security operations as an audit item in self-inspection and internal audit.
If a security incident was averted or effectively stopped due to the good execution of security operations as mentioned in the preceding paragraph, the financial institution should award relevant personnel.
Where poor execution in the first paragraph hereof is adverse to the prevention of security event or results in a security incident, the financial institution should discipline negligent personnel as well as the executive officers of related business unit. In case of a security incident, the competent authority may bar the financial institution from establishing a new branch or adding new business for one year starting from the date of the incident.
The reporting of a material security event (ex.: robbery, major theft, vandalism of office or equipment or receipt of threat) shall follow the provisions of Scope of Material Contingencies to be Reported by Banks and Scope of Application.
With respect to the operating rules for security operations stipulated by Article 3, the Bankers Association of the Republic of China in consultation with the National Federation of Credit Cooperatives should produce a specimen and submit it to the competent authority for reference.
The Regulations herein are in force on the date of promulgation.