These Directions are established pursuant to Article 75, Paragraph 1, Subparagraph 9 of the Operating Rules of the Taiwan Stock Exchange Corporation (the "TWSE").
When a securities firm provides trading services through electronic media such as the Internet, dedicated lines, or closed private networks, the electronic documents it transmits over those media, including trading orders, replies, and other electronic documents requiring confirmation, shall be signed by the securities firm with a digital signature issued by the certification institution, for identification and confirmation purposes. The securities firm and the customer shall agree in writing on the timing of using digital signatures and the public-key certificate, and shall incorporate the same in the "Standard Directions for Internal Control of Securities Firms".
For the use of digital signatures, securities firms shall sign contracts with the certification institution and comply with these Directions.
Securities firms using the electronic authentication system must devise an emergency response plan so that order failures do not harm the interests of investors.
Securities firms shall file the information of the designated certification institution with the TWSE through the Internet (please refer to the "Operating Manual for the Filing of Electronic Trading by Securities Firms").
Selection of the certification institution (directions):
- A company limited by shares which is incorporated under the Company Act, has completed incorporation registration, and has acquired approval for the relevant categories of business from the Ministry of Economic Affairs.
- Providing Internet authentication services as its main category of business.
- Acting as a credible third party.
- The certificates issued shall conform to the Electronic Signatures Act.
- Use of the digital signature system:
  - The operating system shall conform to the Electronic Signatures Act.
  - A signature key (public key or private key) shall be no shorter than 2048 bits. An encryption key shall be no shorter than 128 bits.
  - Certificates may be issued to customers either upon their own application to the certification institution through the Internet, or generated with the assistance of the securities firm and delivered to the customers.
- Security of the certification institution's computer certification system:
  - Private keys used by the certification institution for issuing certificates shall be stored in hardware security modules and may in no case be output in plaintext.
  - The certification institution shall be equipped with independent computer facilities, not shared with other businesses, and protected by strict security facilities.
  - A backup system for the network, software and hardware shall provide backup and system recovery in the event of a malfunction of the electronic authentication system.
  - The computer facilities, equipment, file storage and management of public keys, etc. shall be located within the territory of the R.O.C.
- Operating system:
  - The certification institution shall retain records of user certification for at least five years.
  - With regard to digital signatures, the certification institution may not retain users' private keys.
  - The certification institution shall properly maintain clients' particulars and keep them confidential.
  - The certification institution may not delegate the electronic authentication business to other institutions.
- Internal audit and control:
  - For all certification procedures of the certification institution, from the operation of physical equipment to the implementation of the certification system, relevant documents and audit records shall be retained.
  - In addition to management and operating personnel, the certification institution shall establish a security control audit department with audit personnel responsible for auditing the relevant businesses.
- Operation standards for the performance of certification:
  - The certification institution shall produce operation standards for the performance of certification, stating the operating procedures relevant to the electronic authentication services it operates or provides.
  - The operation standards for the performance of certification shall contain the following items:
    - Responsibilities of the certification institution, the registration management unit and users, and the certification institution's liability for compensation.
    - Strategies and procedures for the application, issuance, receipt, use, extension, annulment and suspension of certificates.
    - The electronic authentication techniques, physical control measures, operating procedures and audit system of the certification institution.
  - The certification institution's operation standards for the performance of certification shall be established according to the certification regulations enacted by the competent authority.
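The signing of electronic trading orders for identification and confirmation, together with the 2048-bit minimum for signature keys, as an added Go example; this is not part of the Directions nor code from the TWSE, any securities firm or any certification institution. It assumes RSA keys, RSA-PSS over SHA-256, and a constructed order layout, none of which the Directions prescribe; the names `MinSignatureKeyBits`, `CheckSignatureKeySize`, `SignOrder`, `VerifyOrder` and `RunExchange` are chosen here. The key-size check fails closed on both the signing and the verifying side, so a certificate that is valid but too short is refused before any signature is trusted.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// MinSignatureKeyBits is the minimum length the Directions set for a
// signature key (public or private): 2048 bits.
const MinSignatureKeyBits = 2048

// CheckSignatureKeySize rejects an RSA public key whose modulus is shorter
// than the minimum. A firm would run this against the certification
// institution's and its own certificates before relying on them.
func CheckSignatureKeySize(pub *rsa.PublicKey) error {
	if pub == nil || pub.N == nil {
		return fmt.Errorf("no public key present")
	}
	if bits := pub.N.BitLen(); bits < MinSignatureKeyBits {
		return fmt.Errorf("signature key is %d bits; at least %d required", bits, MinSignatureKeyBits)
	}
	return nil
}

// SignOrder signs the canonical bytes of a trading order with the signer's
// private key. RSA-PSS over SHA-256 is this example's assumption; the
// Directions name neither a padding scheme nor a hash.
func SignOrder(priv *rsa.PrivateKey, order []byte) ([]byte, error) {
	if err := CheckSignatureKeySize(&priv.PublicKey); err != nil {
		return nil, err
	}
	digest := sha256.Sum256(order)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// VerifyOrder confirms the order was signed by the holder of the private
// key matching pub and has not been altered since. It refuses a key that
// is too short even if the signature itself would check out.
func VerifyOrder(pub *rsa.PublicKey, order, sig []byte) error {
	if err := CheckSignatureKeySize(pub); err != nil {
		return err
	}
	digest := sha256.Sum256(order)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil)
}

// ExchangeResult records what happened in one signed-order round trip.
type ExchangeResult struct {
	GenuineAccepted  bool // the unmodified order verified under the signer's public key
	TamperedRejected bool // an order altered after signing was refused
}

// RunExchange performs a complete round trip with a freshly generated
// 2048-bit key and a constructed (fictional) order message.
func RunExchange() (ExchangeResult, error) {
	var res ExchangeResult
	priv, err := rsa.GenerateKey(rand.Reader, MinSignatureKeyBits)
	if err != nil {
		return res, err
	}
	// Constructed sample order; the field layout is illustrative only.
	order := []byte("ORDER|acct=EXAMPLE-0001|symbol=TEST|side=BUY|qty=1000|price=100.00|ts=2024-01-02T09:00:00+08:00")
	sig, err := SignOrder(priv, order)
	if err != nil {
		return res, err
	}
	res.GenuineAccepted = VerifyOrder(&priv.PublicKey, order, sig) == nil

	// Simulate alteration in transit: the quantity changes after signing,
	// so the signature no longer covers the bytes received.
	tampered := []byte("ORDER|acct=EXAMPLE-0001|symbol=TEST|side=BUY|qty=9000|price=100.00|ts=2024-01-02T09:00:00+08:00")
	res.TamperedRejected = VerifyOrder(&priv.PublicKey, tampered, sig) != nil
	return res, nil
}

func main() {
	res, err := RunExchange()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("genuine order accepted: %v, tampered order rejected: %v\n",
		res.GenuineAccepted, res.TamperedRejected)
}
```

In a deployment the private key would live on the signer's token or in an HSM rather than in process memory, as the Directions require for the certification institution's own issuing keys, and `CheckSignatureKeySize` would be applied to the key inside the received X.509 certificate after chain validation.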