These Directions are established for managing the use by securities firms of pricing models that calculate capital adequacy ratios and other legally required ratios for the efficient allocation and use of capital, and also as directions for the risk management systems, self-assessment mechanisms, and internal auditing procedures that securities firms shall develop to maintain effective operation of the internal control systems.
These Directions shall apply to the scope and securities firms governed by the "Rules on Securities Firms Using Modelling in Management Operations" promulgated by the Gre-Tai Securities Market (hereinafter, "GTSM") and the Taiwan Stock Exchange Corporation (hereinafter, "TWSE").
Securities firms that use modelling in management operations shall establish risk management systems that conform to the following regulations and incorporate such systems in the internal control procedures for control purposes:
- Securities firms shall establish appropriate policies and procedures for risk management, obtain approval from their boards for such policies and procedures, and review and amend the same from time to time, in order to assess and supervise the compliance of risk control mechanisms. Contents of the policies and procedures must include, at the very least:
- The organizational structure of risk management in regard to the supervision, planning, and execution of risk management affairs, including the board, the risk management unit, business unit, and other relevant departments, with their roles and responsibilities stipulated.
- The basis of the risk control mechanisms, including the regulations (procedures), directions (or rules) etc. , with the hierarchy for proposals and approvals specified.
- The implementation of risk control procedures, including setting limits on the extent of risk to be taken, examination and monitoring, handling over-limit risk, management by exception, risk reporting and other operating procedures.
- Procedures for examining the scope of risks, function of control and, accuracy and comprehensiveness of sources of data, as shall be covered by the risk management information system.
- Procedures for regular and irregular assessments of the effectiveness of risk management execution.
- Securities firms shall set out the roles and responsibilities of the board of directors, risk management unit, and other business units as follows:
- Board of directors:
- Ensure risk management is being effectively executed, and be ultimately responsible for risk management.
- Review and approve the risk management policies.
- Decide the approval hierarchy for each risk management regulation.
- Supervise the overall execution of the risk management system.
- Risk management unit:
- Establish risk management policies.
- Ensure the execution of the risk management policies approved by the board.
- Establish various risk management rules and directions, and control the execution accordingly.
- Be responsible for the day-to-day valuation, oversight, and assessment of risk.
- Periodically (each day, each week, or each month) produce a risk management summary report and submit the same to management according to the procedures set.
- Examine the pricing models for financial products used by the business unit.
- Develop and maintain, or assist with the development and maintenance of the risk management information system.
- Business unit:
- Be involved in the establishment of risk management mechanisms, executing regular risk management and reporting for departments it is in charge of.
- Ensure that the business unit is using the pricing models at a consistently credible standard.
- Efficiently executive the internal control procedures of the business unit in compliance with laws and regulations and risk management policies.
- In order to assist the board of directors in planning and executing risk management tasks, a securities firm shall establish a risk management unit that is independent of the business unit and is at a level that is at or higher than the general manager's. The risk management unit shall regularly submit a risk control report to the board of directors. If material risk exposure is discovered that is likely to harm the sound operation of the securities firm, the risk management unit shall immediately implement appropriate measures and report to the board.
- The appointment and removal of the risk management unit manager shall be approved by the board. The risk management department manager shall be responsible for evaluating, overseeing, and assessing the day-to-day risk conditions of the securities firm and remain informed of the actual conditions of the execution of risk management policies.
- The verification and management of pricing models shall be executed by a risk management unit that is independent of the business unit.
- A securities firm shall create a suitable personnel training system according to the types of traded products and conditions of business development, in order to achieve the goal of effectively managing pricing models.
A securities firm using modelling in management operations shall establish self-assessment mechanisms that meet the following requirements and incorporate such mechanisms in the procedures for internal control for management purposes:
- The risk management unit shall regularly conduct self-assessments of the various management operations that use modelling to ensure that the calculation of the capital adequacy ratio and other legally required ratios are accurate, effective, and reliable.
- For the self-assessment operations mentioned above, working papers shall be produced and kept along with the self-assessment reports and related information for at least five years.
In order to conduct management operations that use modelling, a securities firm shall establish internal audit systems according to the following requirements and execute the relevant internal audit procedures:
- A securities firm shall establish an internal audit unit under the board. The audit manager shall have the power to lead and effectively supervise the audit work, meet the qualifications requirements in the "Regulations Governing Responsible Persons and Associated Persons of Securities Firms," rank at least as high as an assistant general manager or assistant vice president, and may not hold a concurrent position that is in conflict with or may impede audit operations.
- A securities firm shall have computer auditor to assist internal auditor in auditing the use of modelling in management operations.
- The internal audit unit shall regularly assess whether there is appropriate internal control over the use of modelling in management operations.
- The internal audit unit shall propose an audit plan for the review of the use of modelling in management operations, regularly and irregularly perform internal audit operations, produce an audit report including the working papers and relevant data, and keep relevant audit records.
- Situations discovered through the audit procedures described above shall be accurately revealed in the audit report and irregularities shall be reported to the board of directors. The internal auditor shall regularly follow and re-examine the deficiencies and irregularities mentioned in the report to ensure that the related units have taken timely and appropriate measures for improvement.
- The reporting procedures of the internal audit unit shall be independent of trading activities, back office operations and the risk management system. The depth, breadth, and frequency of internal audits shall be strengthened where irregularities are found or there is a material change in the product types, use of modelling, or internal control of the securities firm.
Personnel operating or executing risk management procedures in the risk management unit shall meet at least one of the following qualifications and register as risk management personnel on the "Securities Firm Filing Web-Entry" of the TWSE:
- Internationally certified as a Financial Risk Manager (FRM) or a Professional Risk Manager (PRM).
- Passed and received certification from the Taiwan Academy of Banking and Finance for the "Banking and Finance Personnel Risk Management Professional Skills Examination."
- Received a master's degree from a university in or outside of Taiwan, and attended a total of 36 hours or more of a derivatives or risk management course from an institution or unit mentioned in the fourth paragraph and received course credits or certification of completion within the past three years.
- Received a college degree in or outside of Taiwan, and attended a total of 60 hours or more of a derivatives or risk management course from an institution or unit mentioned in the fourth paragraph and received course credits or certification of completion within the past three years.
In lieu of the course hours attended in the last three years under Subparagraph 3 or 4 of the previous paragraph, the name and hours of a course taken or certification of a school credit course taken or grade transcript within the past three years may be submitted, subject to the special review and confirmation of the TWSE or GTSM that comparable hours of training have been completed; where the "Banking and Finance Personnel Risk Management Professional Skills Examination" of the Taiwan Academy of Banking and Finance is passed and certification received, six of the course hours mentioned in Subparagraph 3 or 4 of the previous paragraph may be deducted; provided, however, that personnel meeting the requirements in Subparagraph 3 or 4 of the previous paragraph are no longer subject to review and determination of their course hours if they return to office within three years after departure.
Risk management unit personnel in charge of verifying pricing models shall possess qualifications appropriate for the position, meet all the following qualifications, and register as pricing model verification personnel on the "Securities Firm Filing Web-Entry" of the TWSE:
- Satisfying the risk management personnel requirements of Paragraph 1; or providing relevant documents issued by the securities firm to which such personnel belong proving they are qualified for the position to the TWSE or GTSM for special approval and then to the competent authority for recordation.
- A representation issued by the securities firm to which such personnel belong allowing them to engage in verification of pricing models.
The personnel mentioned in Paragraph 1 or the preceding paragraph shall continue to obtain on-the-job training and attend derivatives or risk management courses held by banking and finance, securities, and futures related institutions or academic research units (for example the Taiwan Academy of Banking and Finance, Chung-Hua Institution for Economic Research, Taiwan Securities Association, Securities and Futures Institute, Accounting Research and Development Foundation, graduate school or above etc.), for at least 12 hours every year (meaning the current year or one-year period starting from the date of registration) or 24 hours over a two-year period, with credits or certification of completion obtained.
Personnel in charge of internally auditing the use of modelling in management operations shall meet the following qualifications in addition to the qualifications under the "Regulations Governing Responsible Persons and Associated Persons of Securities Firms":
- Have at least two years of internal auditing experience; or have at least two years of experience as a professional such as computer systems analyst, program designer, or auditor in an accounting firm.
- Attended at least 36 hours of a derivatives, risk management, computer audit, or other relevant course at a banking and finance, securities, or futures related institution or academic research unit in the past three years, with course credits or certification of completion obtained, except personnel in charge of internally auditing the use of modelling in management operations who return to office within three years after departure.
Personnel in charge of internally auditing the use of modelling in management operations mentioned above shall continue to obtain on-the-job training, including derivatives, risk management, computer auditing or related courses, for at least 12 hours every year (meaning the current year or one-year period from the date of registration) or 24 hours over a two-year period, and, in the case of registration for two or more years, for at least six hours every year or 12 hours over a two-year period, always with credits or certification of completion obtained, to improve audit quality and capability.
Securities firms using modelling in management operations shall put in writing regulations (procedures) for the use of modelling in management operations, rules (or directions) and related management rules and implement the same upon approval from the manager of the responsible unit. The content of the rules shall at least include principles for the management of models (verification scope and period, sample data period, use, revision and abolition of models and its parameters), responsibilities of relevant units (model development and use unit, risk management departments, IT department, and internal audit unit), model verification process, approval and reporting hierarchy, and internal audit rules etc.
Appropriate application procedures and required documents for addition or change to the pricing models mentioned in the previous article shall be established, including, at the very least, product literature, contract templates, basic hypothetical and actual formulas, the definition and form of parameters, and other information for reference. The responsible unit shall keep the relevant records and documents for reference.
The risk management unit shall regularly and irregularly review the reliability of using pricing models. The verification and approval procedures shall include, at the very least, the appropriateness of the method employed, reasonableness of the usage parameters, correctness of the mathematical equations, comprehensiveness of the technical documents, and other related operational rules. The responsible unit shall keep the relevant records and documents for reference.
These Directions are adopted by the TSWE and GTSM and shall take effect after having been submitted to and approved by the competent authority. Subsequent amendments thereto shall be effected in the same manner.