Title:Operation Directions for Electronic Certificate Delivery by Securities Firms and Futures Commission Merchants(2022.09.06)
Categories:
Information Operations


1
    A securities firm or futures commission merchant that, acting as a certificate registration authority, processes an investor's or trader's initial application for a certificate shall effectively verify the applicant's identity and retain relevant records.
    The above-mentioned application may be made in person or electronically.
2
    Securities firms and futures commission merchants shall adopt certificate delivery procedures that prevent receipt of the certificate by anyone other than the applicant, using one of the following methods:
  1. Delivery of the electronic transaction password in person or electronically, in which case the certificate is subsequently delivered on the strength of that password combined with a multifactor authentication mechanism requiring additional factors (such as an OTP or SIM verification), and relevant records shall be retained.
  2. Delivery of the certificate by other means, in which case the securities firm or futures commission merchant must first verify the investor's or trader's identity and retain relevant records before the certificate can be activated.
3
    The following requirements apply to electronic passwords:
  1. The initial electronic password shall be generated randomly, and shall not be related to the user's identity, account number, or other personal user information.
  2. The electronic password shall be a strong password as defined in the TWSE Rules for Establishing Information Security Inspection Mechanisms for Securities Firms.
  3. The electronic password shall be stored in encrypted form.
  4. An electronic password awaiting activation shall remain valid for no more than one month. If the password has not been activated within that month, a new application for a password must be made, and the securities firm or futures commission merchant shall effectively verify the investor's or trader's identity and retain relevant records before it may accept the application.
4
    When an electronic password has been entered incorrectly three times, the securities firm or futures commission merchant shall record the failed log-in attempts, lock the account, and terminate the data connection.
    In the event of an application by the investor or trader for releasing the lock, the securities firm or futures commission merchant shall effectively verify the investor's or trader's identity and retain relevant records before it may release the lock.
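    The following is an added worked example, not part of these Directions and not code from TWSE or any securities firm, showing how the password controls in Points 3 and 4 fit together: a random initial password that takes no user data as input, a salted one-way storage form, a one-month activation window, a lock after three failed entries with each failure recorded, and an unlock that is refused until identity has been verified. Its assumptions are its own: a 12-character mixed-alphabet password stands in for the "strong password" definition in the TWSE Rules, PBKDF2-HMAC-SHA256 is used as the storage form (a salted hash rather than reversible encryption; whether that satisfies "encrypted form" is an interpretation the Directions do not settle), and the identity check before unlocking is modelled as a boolean supplied by the caller.

```python
"""Added example (not part of the Directions): initial-password lifecycle
following Points 3 and 4. Assumptions (not stated in the Directions):
12-character password as a stand-in for the TWSE strong-password rule,
salted PBKDF2-HMAC-SHA256 for storage, identity verification for
unlocking supplied by the caller as a boolean.
"""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

SYMBOLS = "!@#$%^&*-_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
PASSWORD_LENGTH = 12                    # assumption standing in for the TWSE rule
ACTIVATION_WINDOW = timedelta(days=30)  # Point 3(4): at most one month
MAX_FAILURES = 3                        # Point 4
PBKDF2_ROUNDS = 200_000


def generate_initial_password(length: int = PASSWORD_LENGTH) -> str:
    """Point 3(1): drawn from the OS CSPRNG; no account number, name or
    other user data is an input, so the value cannot be related to them."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def protect_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Point 3(3): the plaintext is never stored; only a salted one-way hash."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class PasswordRecord:
    account: str
    salt: bytes
    digest: bytes
    issued_at: datetime
    activated: bool = False
    failures: int = 0
    locked: bool = False
    audit_log: list = field(default_factory=list)  # "relevant records"

    def log(self, event: str, now: datetime) -> None:
        self.audit_log.append((now.isoformat(), self.account, event))


def issue_password(account: str, now: datetime) -> tuple:
    """Returns the stored record and the plaintext that goes to the applicant
    through the Point 2 delivery channel (the plaintext is not retained)."""
    pw = generate_initial_password()
    salt, digest = protect_password(pw)
    rec = PasswordRecord(account, salt, digest, issued_at=now)
    rec.log("password_issued", now)
    return rec, pw


def attempt_login(rec: PasswordRecord, password: str, now: datetime) -> str:
    """Returns 'ok', 'expired', 'locked' or 'failed' (Points 3(4) and 4)."""
    if rec.locked:
        rec.log("rejected_locked", now)
        return "locked"
    if not rec.activated and now - rec.issued_at > ACTIVATION_WINDOW:
        rec.log("rejected_expired", now)
        return "expired"  # Point 3(4): a new application is required
    _, digest = protect_password(password, rec.salt)
    if hmac.compare_digest(digest, rec.digest):
        rec.failures = 0
        rec.activated = True
        rec.log("login_ok", now)
        return "ok"
    rec.failures += 1
    rec.log(f"login_failed_{rec.failures}", now)  # Point 4: record every failure
    if rec.failures >= MAX_FAILURES:
        rec.locked = True
        rec.log("account_locked", now)  # the caller also drops the connection
        return "locked"
    return "failed"


def release_lock(rec: PasswordRecord, identity_verified: bool, now: datetime) -> bool:
    """Point 4, second paragraph: unlock only after identity verification,
    and record the outcome either way."""
    if not identity_verified:
        rec.log("unlock_refused_identity_not_verified", now)
        return False
    rec.locked = False
    rec.failures = 0
    rec.log("unlock_after_identity_verification", now)
    return True
```

    The audit log here is an in-memory list; in a real deployment it would be the write-once record the Directions require, and the connection termination in Point 4 is left to the caller because it depends on the transport.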
5
    When the period of validity of a certificate has expired or the certificate is canceled, the investor or trader shall make a new application for a certificate. The securities firm or futures commission merchant shall adopt the authentication mechanism for the delivery of certificates in Point 2 to effectively verify the investor's or trader's identity and retain relevant records before it may accept the investor's or trader's application.
6
    If a certificate's period of validity has not expired, and the investor or trader wishes to apply for certificate renewal over the Internet, the securities firm or futures commission merchant shall simultaneously authenticate the investor's or trader's password and their original, valid certificate, verify their identity, and retain relevant records.
7
    Access authorization settings for certificate download hosting sites and certificate registration servers of the securities firm or futures commission merchant shall be reviewed and approved by an authorized supervisor; the hosting sites and servers shall be operated and maintained by authorized management personnel, and relevant management procedures shall be established in order to prevent inappropriate use or disclosure of data to external parties.
8
    The securities firm or futures commission merchant shall scan its certificate download hosting sites and certificate registration servers at regular and appropriate intervals and remediate any vulnerabilities found; it shall also establish appropriate management and control mechanisms and firewalls, take measures to prevent intrusion by attackers or malware, and retain relevant records.
9
    (deleted)