Title: |
Operation Directions for Electronic Certificate Delivery by Securities Firms and Futures Commission Merchants(2007.01.12) |
Date: |
|
1
|
Securities firms and futures commission merchants act as certificate registration authorities, and an investor's or trader's initial application for a certificate shall be made in person at the securities firm or futures commission merchant's place of business. The securities firm or futures commission merchant shall factually verify the applicant's identity and retain relevant records.
|
2
|
Securities firms and futures commission merchants shall adopt certificate delivery procedures to avoid receipt of the certificate by anyone other than the applicant, and shall implement at least one of the following certificate delivery procedures:
- Delivery of the certificate download password to the investor or trader in person at the place of business of the securities firm or futures commission merchant, with subsequent delivery of the certificate based on the download password.
- Delivery of the physical certificate to the investor or trader in person at the place of business of the securities firm or futures commission merchant (e.g., delivering the certificate on disc), while retaining relevant records.
- Delivery of the certificate by other means, in which the investor's or trader's identity must first be verified and relevant records retained before the certificate can be activated.
|
3
|
The following apply when a certificate download password is chosen for the delivery procedure:
- The initial certificate download password shall be generated randomly, and shall not be related to the user's identity, account number, online (or voice-activated) order placement password, or other personal user information.
- The certificate download password shall be a strong password as defined in the TWSE Rules for Establishing Information Security Inspection Mechanisms for Securities Firms.
- The certificate download password shall be stored in encrypted form.
- The period of validity for any certificate download password may not exceed one month, and if the certificate has not been downloaded after one month, a new application for a certificate must be made in person. If, however, the securities firm or futures commission merchant can effectively verify the investor's or trader's identity and retains relevant records, it may accept an investor or trader application made over the Internet and release the certificate for downloading.
|
4
|
When a certificate download password has been entered incorrectly three times, the securities firm or futures commission merchant shall:
- Lock the downloading account and terminate the data connection, and release the lock only upon application by the investor or trader in person.
- Make a record of the failed log-in attempt.
|
5
|
When the period of validity of a certificate has expired or the certificate is canceled, the investor or trader shall appear in person to make a new application. If, however, the securities firm or futures commission merchant can effectively verify the investor's or trader's identity and retains relevant records, it may accept the investor's or trader's application for certificate renewal over the Internet.
|
6
|
If a certificate's period of validity has not expired, and the investor or trader wishes to apply for certificate renewal over the Internet, the securities firm or futures commission merchant shall simultaneously authenticate the investor's or trader's password and their original, valid certificate, verify their identity, and retain relevant records.
|
9
|
A securities firm or futures commission merchant may accept an investor's or trader's use of an alternate method approved by the certification authority's Certification Practice Statement for any matter that under these Operation Directions is to be carried out in person.
|