Regulations Governing the Establishment of Internal Control Systems by Service Enterprises in Securities and Futures Markets (2018.05.30)
In addition to setting out control activities for different operating cycles based on the nature of its business, a service enterprise shall also consider its actual needs and include controls over the following activities in its internal control system:
- Seal use management.
- Management of the receipt and use of negotiable instruments.
- Budget management.
- Property management.
- Management of endorsements/guarantees.
- Management of liability commitments and contingencies.
- Delegation of duties and implementation of deputy system.
- Management of financial and non-financial information.
- Management of related party transactions.
- Management of the preparation process of financial statements, including management of the application of International Financial Reporting Standards, procedures for professional accounting judgments, and processes for making changes in accounting policies and estimates.
- Supervision and management over subsidiaries.
- Compliance system.
- Management of financial examination reports.
- Management of protection of financial consumers, provided this does not apply to the enterprises that are excluded under Article 3, paragraph 2 of the Financial Consumer Protection Act.
- Management of personal information protection.
- Handling of material events (e.g. a material violation, or a likelihood of suffering material loss).
- Whistleblower system.
In addition to controls over the activities under the preceding paragraph, a service enterprise that is a public company, or that is designated by the competent authority, shall also include in its internal control system the management of procedure for board of directors meetings and the management of shareholder services.
The internal control system of a service enterprise that has established an audit committee pursuant to the provisions of the Securities and Exchange Act shall include the management of audit committee meeting operations.
The internal control system of an enterprise whose stocks are already listed or traded over-the-counter at securities firms shall include controls over the following operations:
- Management of the operations of the remuneration committee.
- Management of the prevention of insider trading.
If a service enterprise is a financial institution as defined in the Money Laundering Control Act, its internal control system shall include mechanisms for preventing money laundering and countering terrorism financing, and shall include management of compliance with applicable laws and regulations, including mechanisms for managing the identification and measurement of, and monitoring for, money laundering and terrorism financing.
A service enterprise under the preceding paragraph which has established a domestic or foreign branch office (or subsidiary) shall formulate an overall group plan for preventing money laundering and countering terrorism financing, including policies and procedures for information sharing within the group for the purpose of preventing money laundering and countering terrorism financing that are in accordance with the laws and regulations of the place where the branch office (or subsidiary) is located.
A unit responsible for legal and regulatory compliance shall carry out the following activities:
- Establish clear and adequate systems of advocacy of laws and regulations, consultation, coordination, and communication.
- Ensure that procedural and managerial bylaws are updated in a timely manner in response to applicable laws and regulations, so that operations are in compliance with all laws and regulations.
- Formulate the content of and procedures for assessing compliance with laws and regulations and monitor the periodic self-assessment of the implementation thereof by each unit.
- Administer adequate and proper legal training on laws and regulations to personnel of each unit.
- Monitor the compliance by domestic and foreign branch offices with the laws and regulations of the country in which they are located.
- Carry out such other activities as may be required by the competent authority.
Self-assessment of compliance with laws and regulations shall be performed no less frequently than annually, with the results delivered to the compliance unit for future reference. The head of a unit shall designate a person responsible for performing self-assessment within that unit.
If a service enterprise has established a foreign branch office, the unit responsible for overseeing legal compliance matters shall supervise the foreign branch office in handling the following matters:
- Matters to ensure compliance with local laws and regulations, including collecting information on local financial laws and regulations, implementing self-assessment of compliance with laws and regulations faithfully, and ensuring suitability of the chief compliance officer and the adequacy of resources (including personnel, equipment, and training) for compliance with laws and regulations.
- Establishment of a mechanism for self-assessment and monitoring of legal compliance risks. If the scale of business is large, or the complexity or the degree of risk is high, a local external independent expert shall be engaged to verify the effectiveness of the mechanism for self-assessment and monitoring of legal compliance risks.
Working papers and materials in connection with the self-assessment under the preceding paragraph shall be retained for no less than 5 years.
To promote sound corporate operations, a service enterprise shall set up a whistleblower system, and designate a unit with independent exercise of powers, to be responsible for the processing and investigation of whistleblower reports.
A service enterprise shall provide the following protections for whistleblowers:
- The identity information of the whistleblower shall be kept confidential, and no information may be disclosed that could be used to identify the whistleblower.
- The whistleblower may not be terminated, dismissed, demoted/relocated, or receive a reduction in pay, impairment of any rightful entitlement under law or regulation, contract, or custom, or other unfavorable disposition due to the reported case.
Any person with a conflict of interest shall recuse himself or herself from the processing and investigation of the reported case.
The whistleblower system under paragraph 1 shall at least include the following matters, and be resolved by the board of directors:
- The express provision that anyone who discovers any potential crime, misconduct, or legal violation may file a whistleblower report.
- The types of reports that will be accepted for processing.
- The establishment and making public of the channels for reporting.
- The procedures for investigation and collaborative support, rules of recusal, and standard operating procedures for follow-up and disposition of cases.
- Whistleblower protection measures.
- The documentation and preservation of records covering the acceptance of reported cases, the investigation process, investigation results, and the preparation of relevant documents.
- That the whistleblower shall be given appropriate notice in writing or by other means with respect to the progress of the reported case.
If the alleged perpetrator is a director, supervisor, or management personnel at a level equivalent to or higher than vice president, the investigation report shall be submitted to and reviewed by the supervisors or the audit committee.
The service enterprise shall take the initiative to file a report or an information with the relevant authorities if any material contingency or legal violation is discovered in the investigation.
The service enterprise shall hold regular awareness programs and education and training in the whistleblower system for its personnel.
A service enterprise shall allocate adequate human resources and equipment for the planning and monitoring of the information security system and the implementation of information security management operations. The competent authority may, after having considered the size, business nature, and organizational characteristics of the service enterprise, order service enterprises to establish a dedicated information security (i.e., cybersecurity) unit, chief officer, and other personnel.
Each year, the service enterprise's highest officer responsible for information security and its chairman, president, and chief internal auditor shall jointly sign and issue a written statement on the overall implementation of information security in the preceding fiscal year, and submit it to the board of directors within 3 months after the end of the fiscal year.
The service enterprise's information security officer and personnel shall attend at least 15 hours of information security professional courses or functional training every year. All other personnel who use the information system shall attend at least 3 hours of information security awareness courses every year.
The Securities Association, National Futures Association, and Securities Investment Trust and Consulting Association of the R.O.C. shall adopt and regularly review self-disciplinary regulations relating to information security.
These Regulations shall enter into force from the date of issuance.
The 21 December 2011 amendments shall enter into force 3 months after the date of issuance, except Article 8, paragraph 1, subparagraph 14 and Article 14, paragraph 3, which shall enter into force from 30 December 2011.
The provisions amended and issued on 22 September 2014 shall enter into force from 1 January 2015.
Article 28-1 introduced in the 30 May 2018 amendments shall enter into force 6 months after the date of issuance.