
Title: Guidelines for the Work-From-Home Application by Securities Firms in Response to COVID-19

Amended Date: 2023.10.03 (Articles 1, 2, 3 amended, English version coming soon)
Current English version amended on 2021.05.25
Categories: Market Supervision > Regulation of Securities Firms

Article 3: Complementary measures for work-from-home management of securities firms
  1. Brokerage trading and transactions
    1. Brokerage trading personnel shall conduct business honestly and in good faith and avoid misusing non-public information and conflicts of interest.
    2. Personal computers for use at home shall all be allocated by the company. Use of a personal computer not provided by the company is subject to company approval and information security testing in advance. Relevant computer equipment may be used only for official business purposes during work-from-home hours.
    3. Work-from-homers may not proceed with transactions until after VPN connection and authorized log-in. All user log-ins and transactions shall be fully tracked in writing.
    4. Multi-factor authentication: To enhance safety of use and operation, two-factor authentication of the multi-factor authentication shall be adopted for personal account numbers and passwords (employee account number and password, dynamic password, one-time password) to verify user identity.
    5. A principal shall dial the brokerage order number of the place of business to have the call transferred to the mobile phone or home phone of a brokerage trading representative (the call to be recorded by company equipment). If existing company equipment cannot record the entire call, it will be recorded either by the mobile phone of, or by, said representative, with the following measures adopted: After placing the order, the representative must, as soon as possible, make an audio recording of the time and content of the order and file such recording with the recording equipment of the company or email the recording to the company and client.
    6. Personnel responsible for reviewing and monitoring the activities of work-from-home employees must verify the audio recordings of work-from-homers periodically to ensure both conformance to those kept at the place of business and that the audio recordings of work-from-homers are distinguishable as such.
    7. Brokerage trading personnel will access the order system of the company’s personal computer through the VPN. Trading limits of principals are governed by existing mechanisms.
    8. Express modes of operation and management methods shall be in place for personal transactions of work-from-home employees, including communications and activities pertaining to brokerage trading etc.
  2. Dealer trading and transactions
    1. Dealer trading personnel shall conduct business honestly and in good faith and avoid misusing non-public information and conflicts of interest.
    2. Personal computers for use by dealer trading personnel at home shall all be allocated by the company, with hardware and software appropriate for the business performed by the personnel installed for management purposes.
    3. Work-from-homers may not proceed with transactions until after VPN connection and authorized log-in. All user log-ins and transactions shall be fully tracked in writing.
    4. Multi-factor authentication: To enhance safety of use and operation, two-factor authentication of the multi-factor authentication shall be adopted for personal account numbers and passwords (employee account number and password, dynamic password, one-time password) to verify user identity.
    5. The company shall provide sufficient computer monitors at the work-from-home space of a trader. Video equipment and headsets shall also be provided to ensure unimpeded communications. Whole transactions shall be videotaped throughout the trading hours and documented.
    6. A trader must remain connected to the video equipment and keep all communication channels connected at all times throughout the trading hours. The system shall have the function to close a transaction should the trader be disconnected in the course of the transaction.
    7. System closure during non-trading hours: In respect of work-from-homers responsible for day trading orders, the trading system shall immediately be closed after the close of the day trading session, and such personnel shall be prohibited from accessing the system to trade.
    8. Personnel responsible for reviewing and monitoring the activities of work-from-home employees must verify the audio recordings of transactions of work-from-homers periodically to ensure both conformance to the audio recordings kept at the place of business and that the audio recordings of work-from-homers are distinguishable as such.
    9. With regard to the risk exposure of a close position, the company shall be able to control trading limits and position risks, whether in the event of working at the place of business or from home.
    10. Control of personal transactions of work-from-homers: The company may allow or prohibit personal transactions of work-from-homers upon careful assessment in accordance with company management policies. If it so allows, the ways of control of such transactions shall include prescribing express modes of operation and management methods in regard to communications and activities pertaining to brokerage trading (e.g., stipulating that audio recordings be made of whole telephone orders, recordings be made of all electronic orders placed on computers allocated by the company).
  3. Clearing and reporting
    1. A securities firm shall complete clearing and settlement in accordance with the TWSE Operating Rules and relevant regulations and also complete all clearing procedures and the reporting that is required by laws and regulations. Said firm shall in principle handle the above at the place of business (including an outside backup place of business) or assign work-from-homers to assist in handling.
    2. When performing procedures pertaining to settlement of payment, non-trading activities of a credit transaction (such as demand of payment, cash repayment, return of securities), and borrowing and transfer of securities, a principal shall in principle do so at the place of business (including an outside backup place of business) or assign work-from-homers to assist in doing so.
    3. Clearing and settlement procedures may be performed only at the original place of business if the applicant does not apply for handling clearing from home in its work-from-home application. Said applicant shall still make an application to the TWSE for special transfer to the competent authority for approval if, after its work-from-home application, it must assign work-from-homers to handle clearing and settlement as a result of the original place of business being subject to isolation. If prevented by an emergency from making a written application according to normal procedure, a securities firm may make a report to the TWSE by special means, followed by the submission of the relevant documents to the TWSE for the record after the incident.
  4. Information Security
    1. No unauthorized expansion of capability or installation of software/hardware equipment and tools that are not required for official business is allowed in respect of computer equipment, including notebooks and tablets, used by work-from-homers.
    2. Log-ins to major systems and transactions by all work-from-homers shall be fully tracked and documented.
    3. Computers for home may be used for entering data only. No access to the data of the computer equipment of the company is allowed through computers for home use.
    4. To mitigate data breach risks, specific information security software shall be installed on the computer equipment of work-from-homers to control access authority of applications; non-essential service and operating systems on the computers, as well as the USB and Bluetooth devices and optical disc drives of the aforementioned equipment, shall be disabled; and the VPN shall be set up in such a way as to restrict two-way file copying and transfers.
    5. A virtual private network that uses the Secure Sockets Layer protocol (SSL-VPN) and multi-factor authentication (employee account number and password, dynamic password, one-time password) shall be adopted. Safe channels for remote access shall be established. Log-in shall be restricted to company employees only. Operation of equipment shall be fully tracked in writing. Regulations governing the hours that access is available shall be prescribed subject to the schedule of the employees’ performance of duties.
    6. Firewalls shall be set up against malicious or unauthorized connection. Rules shall be established in accordance with the principle of least privilege. Non-essential ports shall be closed. Network traffic and warning and disconnection mechanisms shall be monitored.
    7. Functions of the work-from-home system shall be designed with differential levels of control, with settings configured to permit the lowest level of authority. Authorization for non-essential functions of the system shall be disabled. The system shall apply differential management by user. Users of work-from-home computers shall be granted differential authorization for use in accordance with the risk policy of the company. Work-from-homers may be authorized to use functions necessary for conducting business only.
  5. Prevention of conflicts of interest and violations of rules and regulations
    1. To ensure confidentiality of trading information, a work-from-homer must conduct business in an independent instead of public space, with no one allowed in the independent space during trading hours.
    2. A work-from-homer must properly retain all transaction related records as requested by competent authorities, the TWSE, and the company.
    3. The company shall appoint a senior officer as chief supervisor responsible for implementing relevant monitoring measures during trading hours.
  6. The work-from-home procedures of a securities firm shall be included in the scope of internal audit and internal control. Internal control systems shall also be strictly enforced.