Title:Guidelines for the Work-From-Home Application by Securities Firms in Response to Severe Communicable Diseases(2023.10.03)
Categories:
Market Supervision > Regulation of Securities Firms


1
I Conditions for securities firms to initiate a work-from-home program
    For purposes of these Guidelines, "severe communicable diseases" refer to the notifiable diseases defined by theTaiwan Centers for Disease Control, Ministry of Health and Welfare (such as COVID-19) or special infectious diseases which the Executive Yuan determines trigger on an emergency basis control andmanagement measures.
    A securities firm shall first seek other places of business (including outside backup places of business) to work in unless:
  1. the Central Epidemic Command Center declares a major epidemic (e.g., community-acquired infections)in concert with the Executive Yuan (Ministry of Health and Welfare)
  2. any employee of the place of businessbecomes a confirmed case
  3. any major business personnel and agent of the place of business must undergo home isolation, home quarantine, or self-health monitoring, or be subject to other control and management measures adopted by the competent authority
2
II Securities firm work-from-home application processand application documents
  1. Application process
  2. (1) A securities firm applying for the first time for working from home to handle brokerage trading and transactions,dealer trading and transactions, and clearing and reporting etc. shall make the application to the Taipei Stock Exchange Corporation for special transfer to the competent authority for approval. Notwithstanding, the securities firm may prepare the relevant documents to apply to the TWSE for preliminary examination to shorten the application procedure;if prevented by an emergency (e.g., lockdown, any confirmed case among employees etc.) from making a written application according to normal procedure, said firm may make a reportto the TWSEby special means (e.g., email),followed by the submission of the relevant documents to the TWSE for the record after the incident.
    (2) The period of work-from-home sought by a securities firm may not exceed three months, provided an applicationwith good cause may be made prior to expiration to the TWSE for approval of a three-month extension. If it is deemed necessaryupon assessment to continue with the work-from-home arrangement upon expiration of the extension, an application may be made to the TWSE in accordance with the process in (1) above.
  3. Application documents
  4. A securities firm applying for working from home shall make a special application to the TWSE in advance, with a contingency plan and case list (as attached) containing the following presented:
    (1) Availability period: The period of work-from-home arrangement being sought.
    (2) Personnel deployment: Information pertaining to personnel deployment. A senior officer must be designated as a point of contact.
    (3) Business activities: Businesses handled during the work-from-home period are limited to those stated in the application (e.g., transactions, clearing). If the work-from-home application is to handle transactions only, clearing not covered by the application may be handled at the place of business only. If changes are necessary, an applicationshall be made to the TWSE for special transfer to the competent authority for approval.If prevented by an emergency from making a written application according to normal procedure, a securities firm may make a report to the TWSE by special means, followed by the submission of the relevant documents to the TWSE for the record after the incident.
    (4) Operation and procedure: The operation and procedure of work-from-home must expressly describe the differences with working at the place of business.
    (5) Control measures on transactions and employee conduct:
    1. The company shall establish measures to monitor the activities and communications of employees working from home. Work-from-home activities are limited to those approved by the company. Stricter reviewsshall be conducted of the personal transactions of work-from-home employees, including thatmethods for managing the employees’ communications and activities in connection with brokerage trading etc. shall be expressly prescribed. In principle no personnel responsible for reviewing and monitoring the activities of work-from-home employees may work from home, unless such personnel’s review and monitoring will not be hindered by their working from home.
    2. The company shall inform work-from-homers of their rights and obligations and explain the importance of legal compliancefully.
    3. The company shall adopt measures to protect and expressly prescribe management measures for client privacy and the safety of client data and records etc.
    4. The company must verify client identity (e.g., when accepting orders) and step up measures to manage client accounts.
    5. The company shall publish an outline of the work-from-home arrangement on the company website (home page) and assist clients in understanding company operations and risk of suspension of transactions etc.
    6. Control measures for brokerage trading, dealer trading, settlement, and declaration procedures include audio or video recording or relevant alternative measures.
    (6) Test report: The company must first test the remote access system for work-from-home purposes and ensure employees may access the company system only through safe connection.
    (7) Information security control measures:
    1. The company must develop safe remote access systems (such asvirtual private network, VPN, virtual desktop infrastructure, VDI), including the following security measures:adoptingmulti-factor authentication (employee account number and password, dynamic password, one-time password), secure connection, the principle of least privilege (PoLP), retaining complete operation and audit trails of users, monitoring and cautioning against irregularities, updating security vulnerabilities etc., and must further educate work-from-homers on cyber vigilance etc.
    2. The company must establish safe channels for remote access, restrict log-in to company employees only, fully track in writing operation of equipment, and prescribe regulations governing the hours that connection is available subject to the schedule ofthe employees’ performance of duties.
    3. The company must set up firewalls against malicious or unauthorized connection, devise rules n accordance with the principle of least privilege, close non-essential ports, and monitor network traffic, anomaly alerts, and disconnection mechanisms.
    4. The company must employ differentiation in managing the access authority of users in accordance with the principle of least privilege. Work-from-homers are authorized to access functions only to the extent required for business execution. Authorizations with regard to non-essential systems and functions must be disabled.
    (8) Issue a statement on the Establishment of Information Security Inspection Mechanisms.
    (9) Measuresfor the prevention ofconflicts of interest and violations of rules and regulations: Prescribe comprehensive and express measures to prevent conflicts of interest and violations of rules and regulations by work-from-homers.
    (10) Minutes of the board of directors’ meeting where the board of directors agrees to the work-from-home, or in lieu thereof, the consent of the head office or regional center of the group. Subsequent ratification is acceptable in the event of emergency preventing the procurement of advance consent of the board of directors.
    (11) Risk assessment of enforcement: Where a work-from-home period as applied for lasts a consecutive year or more, whether the content of the contingency plan conforms to the current situation shall be reviewed (at lease once a year), and possible new risks that may arise out of a long-term work-from-home arrangement shall be assessed (risk assessment should cover cybersecurity risk, legal risk, operational risk, personal data risk, and financial crime risk, etc.).
    (12) Records of work-from-home education and training and awareness programs (at least semiannual).
3
III Complementary measures for work-from-home management of securities firms
  1. Brokerage trading and transactions
  2. (1) Brokerage trading personnel shall conduct business honestly and in good faith and avoid misusing non-public information and conflicts of interest.
    (2) Personal computers for use at home shall all be allocated by the company. Use of a personal computer not provided by the company is subject to company approval and information security testing in advance. Relevant computer equipment may be used only for official business purposes during work-from-home hours.
    (3) Work-from-homers may not proceed with transactions until after authorized log-in through a safe remote access system. All user log-ins and transactions shall be fully tracked in writing.
    (4) A principal shall dial the brokerage order number of the place of business to have the call transferred to the mobile phone or home phone of abrokerage trading representative (the call to be recorded by company equipment). If existing company equipment cannot recordthe entire call, it will be recorded either by the mobile phone of, or by, saidrepresentative, with the following measures adopted: After placing the order, the representative must, as soon as possible,make an audiorecording of the time and content of the order and file such recordingwith the recording equipment of the companyor email the recording to the company and client.
    (5) Personnel responsible for reviewing and monitoring the activities of work-from-home employees must verify the audio recordings of work-from-homers periodically to ensure both conformance to those kept at the place of business and that the audio recordings of work-from-homers are distinguishable as such.
    (6) Brokerage trading personnel will access the order system of the company’s personal computer through a safe remote access system. Trading limits of principals are governed by existing mechanisms.
    (7) Express modes of operation and management methods shall be in place for personal transactions of work-from-home employees, including communications and activities pertaining to brokerage trading etc.
  3. Dealer trading and transactions
  4. (1) Dealer trading personnel shall conduct business honestly and in good faith and avoid misusing non-public information and conflicts of interest.
    (2) Personal computers for use by dealer trading personnel at home shall all be allocated by the company, with hardware and software appropriate for the business performed by the personnel installed for management purposes.
    (3) Work-from-homers may not proceed with transactions until after authorized log-in through a remote access system. All user log-ins and transactions shall be fully tracked in writing.
    (4) The company shall install video equipment at the work-from-home space of a trader,andensure unimpeded communications andvideotape and document whole transactionsthroughout the trading hours. If videotaping is difficult in practice, the company may, upon risk evaluation, adopt other appropriate measures (for example by turning on the camera multiple times a day or conducting online meetings, at scheduled hours etc.). The company shall further strengthen inspection to ensure work-from-home traders comply strictly with their duty of confidentiality during their decision-making process in regard to trading and neither engage in trading of TWSE- or TPEx-listed securities nor perform other acts against securities laws and regulations with news they become aware of in their performance of duties.
    (5) Such personnel shall be prohibited from accessing the system during non-trading hours or their off hours.
    (6) Personnel responsible for reviewing and monitoring the activities of work-from-home employeesverify the audio recordings of transactions of work-from-homers periodically to ensure both conformance to the audio recordings kept at the place of business and that the audio recordings of work-from-homers are distinguishable as such.
    (7) With regard to the risk exposure of a close position, the company shall be able to control trading limits and position risks, whether in the event of working at the place of business or from home.
    (8) Controlof personal transactions of work-from-homers: The company may allow or prohibit personal transactions of work-from-homers upon careful assessment in accordance with company management policies. If it so allows,the ways of control of such transactions shall include prescribing express modes of operation and management methods in regard to communications and activities pertaining to brokerage trading (e.g., stipulating that audio recordings be made of whole telephone orders, recordings be made of all electronic orders placed on computers allocated by the company).
  5. Clearing and reporting
  6. (1) A securities firm shall complete clearing and settlement in accordance with the TWSE Operating Rules and relevant regulations and also complete all clearing procedures and the reporting that is required by laws and regulations. Said firm shall in principle handle the above at the place of business (including an outside backup place of business) or assign work-from-homers to assist in handling.
    (2) When performing procedures pertaining to settlement of payment, non-trading activities of a credit transaction (such as demand of payment, cash repayment, return of securities), and borrowing and transfer of securities, a principal shall in principle do so at the place of business (including an outside backup place of business) or assign work-from-homers to assist in doing so.
  7. Information Security
  8. (1) The company shall provide work-from-homers with access in accordance with the information security control measures in force at the time of application.
    (2) Specific information security software shall be installed on computer equipment, including notebooks and tablets, used by work-from-homers, to control access authority to applications. Authorizations for non-essential services and operating systems on the computer shall be disabled. For remote work, a mechanism whereby technical means is employed to prohibit transmission and saving of files to work-from-homers’ computer equipmentshall be implemented to mitigate the risk of data breaches.
    (3) Log-insto major systems and transactions by all work-from-homers shall be fully tracked and documented.
    (4) Control of remote access security shall be strengthened where a work-from-homer is required to conduct a video conference.
  9. Prevention of conflicts of interest and violations of rules and regulations
  10. (1) To ensure confidentiality of trading information, a work-from-homer mustconduct business in an independent instead of public space
    (2) A work-from-homer must properly retain all transaction related records as requested by competent authorities, the TWSE, and the company.
    (3) The company shall appoint a senior officer as chiefsupervisor responsible for implementing relevant monitoring measures during trading hours.
    (4) The company shall ascertain whether a work-from-homer is in violation of measures to prevent conflicts of interest and violations of rules and regulations.
  11. In regard to the work-from-home procedures of a securities firm, appropriate control mechanisms and inspection procedures shall be devised in the company’s internal controlsystems.Work-from-home related data shall be properly kept to facilitate audits.
^