Implementation Rules for the Internal Audit and Internal Control System of Electronic Payment Institutions

Link to law: http://law.moj.gov.tw/ENG/LawClass/LawAll.aspx?PCode=G0380244

Chapter 1 General Provisions

Article 1

These Rules are adopted pursuant to Article 30 of the Act Governing Electronic Payment Institutions (referred to as the "Act" hereunder) and Article 40 of the Act to which Article 30 applies mutatis mutandis.

Article 2

The terms as used in these Rules are defined as follows:
1."Electronic payment institution" shall mean specialized electronic payment institutions and electronic stored value card issuers engaging concurrently in electronic payment business.
2."Electronic payment business" shall mean businesses under the subparagraphs of Paragraph 1, Article 3 of the Act.
3."Professional training institution" shall mean a training institution recognized as such in accordance with the Guidelines for Reviewing Training Institutions for Financial Holding Companies and Banking Enterprises.

Article 3

An electronic payment institution shall establish an internal control system and ensure the on-going and effective implementation of the system to promote sound operation of its business.
An electronic payment institution shall formulate overall business strategy, risk management policies and guidelines, and draft business plans, risk management procedures and execution guidelines.

Article 4

The primary purpose of an electronic payment institution's internal controls is to promote sound business operations and, through joint compliance by its board of directors, management, and all employees, to reasonably ensure that the following objectives are achieved:
1.Effectiveness and efficiency of operations
2.Reliability, timeliness, transparency and compliance of reporting; and
3.Compliance with applicable laws and regulations.
The objective of effectiveness and efficiency of operations referred to in Subparagraph 1 of the preceding paragraph includes objectives such as profits, performance, and safeguarding asset security.
The "reporting" referred to in Subparagraph 2 of Paragraph 1 includes internal and external financial reporting and non-financial reporting on the electronic payment institution, where the objectives of financial reporting for external purpose include ensuring that it is prepared in accordance with the generally accepted accounting principles (GAAP), and that transactions are made with proper approval.

Article 5

The internal control system of an electronic payment institution shall be passed by its board of directors. If any director expresses dissent or reservation, those opinions and reasons therefor shall be recorded in the meeting minutes of the board of directors, which, together with the internal control system passed by the board, shall be submitted to the supervisors or the audit committee. The preceding provision applies to revisions of the internal control system.

Chapter 2 Design and Implementation of Internal Control System

Article 6

An electronic payment institution shall establish an internal audit system, self-inspection system, regulatory compliance system, and risk management mechanism to maintain the effective and proper operation of its internal control system.

Article 7

The internal control system of an electronic payment institution shall contain the following components:
1.Control environment: The control environment is the basis for the design and implementation of the internal control system of an electronic payment institution. The control environment encompasses the integrity and ethical values of the institution, governance oversight responsibility of its board of directors and supervisors or audit committee, organizational structure, assignment of authority and responsibility, human resources policy, performance measures and reward and discipline. The board of directors and management shall prescribe internal standards of conduct, including the adoption of code of conduct for directors and employees.
2.Risk assessment: A precondition to risk assessment is the establishment of objectives, linked at different levels of an electronic payment institution, and with the suitability of the objectives for the institution taken into consideration. The management should consider the impact of possible changes in the external environment and within its own business model, and likely fraud scenarios that may occur. The risk assessment results can assist the institution in designing, correcting, and implementing necessary controls in a timely manner.
3.Control activities: Control activities are the actions of adopting appropriate policies and procedures by an electronic payment institution based on its risk assessment results to limit relevant risks within an acceptable range. Control activities shall be performed at all levels of the institution, at various stages of business processes, and over the technology environment, and shall include supervision and management over subsidiaries, appropriate delegation of responsibilities and not assigning conflicting responsibilities to management and employees.
4.Information and communication: Information and communication means that an electronic payment institution gathers, generates and uses relevant and quality information from both internal and external sources to support the ongoing functioning of other components of internal control, and ensure effective communication within the organization and between the institution and external parties. The internal control system must have mechanisms to generate information necessary for planning, implementation, and monitoring, provide information to those who need it in a timely manner, and ensure the retention of complete financial, operational and compliance information. An effective internal control system shall have effective communication channels in place.
5.Monitoring activities: Monitoring activities means ongoing evaluations, separate evaluations, or some combination of the two used by an electronic payment institution to ascertain whether each of the components of internal control is present and continuously functioning. Ongoing evaluations means routine evaluations built into the course of operations at different levels of the institution. Separate evaluations are evaluations of other personnel conducted by internal auditors, supervisors or audit committee, or the board of directors. Findings of deficiencies of the internal control system shall be communicated to the management of appropriate levels, the board of directors, and supervisors or audit committee, and improvements shall be made in a timely manner.

Article 8

The internal control system shall cover all business activities, include the following appropriate policies and procedures, and shall be reviewed and revised in a timely manner:
1.Organizational rules and processes or management rules, including a clear organizational system, functions of various units, scope of operations for each unit, and well-defined measures for authorizations and hierarchical delegation of responsibilities.
2.Related business rules and procedural manuals, including:
(1) Management of user data confidentiality.
(2) Management of the adoption of the International Financial Reporting Standards (IFRSs), workflow of preparing accounting and financial statements and management of general affairs, information, and personnel affairs
(3) Management of operations for disclosing information externally.
(4) Management of financial examination reports.
(5) Management of protection of financial consumers.
(6) Management of outsourcing operations.
(7) Management of user identity verification.
(8) Management of the businesses of collecting and making payments for real transactions as an agent, accepting deposits of funds as stored value funds, and transferring funds between e-payment accounts.
(9) Management of information system and security management operations.
(10) Management of delineation of responsibilities between information unit and information system user units.
(11) Other business rules and operating procedures.
Where an electronic payment institution has an audit committee established, its internal control system shall also include the management of the audit committee meeting procedures.
Where necessary, the compliance, internal audit, risk management units and other relevant units of an electronic payment institution should participate in the establishment, revision or cancellation of operational and management rules mentioned in Paragraph 1 hereof.

Chapter 3 Inspection of Internal Control System

Section 1 Internal Audit

Article 9

The purpose of internal audit is to assist the board of directors and the management in checking and assessing whether the internal control system works effectively and to provide timely suggestions for improvements so as to reasonably ensure the ongoing and effective implementation of the internal control system and to serve as the basis for reviewing and revising the internal control system.

Article 10

An electronic payment institution should set up an internal audit unit that is directly under the board of directors and performs audits independently and honestly. The internal audit unit should report its audit business to the board of directors and supervisors or audit committee at least annually.
An electronic payment institution should, in view of its business size, business conditions and management needs, establish a chief auditor position of comparable rank to oversee the audit affairs. The chief auditor should possess sufficient leadership and ability to effectively supervise the audit work, and may not hold other positions that are in conflict or interfere with the audit work.
The employment, dismissal, or reassignment of chief auditor shall first obtain the consent of at least two-thirds of all directors.
Where an electronic payment institution has an audit committee established, the employment, dismissal or reassignment of chief auditor shall first obtain the consent of at least the majority of all audit committee members. If the matter does have the consent of at least the majority of all audit committee members, the decision of the audit committee should be recorded in the meeting minutes of the board of directors. Where an electronic payment institution does not have an audit committee but independent directors, any dissenting opinion or reservation expressed by the independent directors should also be recorded in the meeting minutes of the board of directors.
The employment, dismissal, promotion, reward and punishment, rotation and performance review of any personnel in the internal audit unit shall become effective after being reported by the chief auditor to the chairman for approval. However, if the matter involves personnel of other management and business units, the chief auditor should first consult with the personnel office and obtain the consent of the president before reporting the matter to the chairman for approval.

Article 11

When the chief auditor of an electronic payment institution has any of the following situations, the competent authority may, in view of the severity of the situation, issue an official reprimand, order remedial action within a specified time limit, or order the electronic payment institution to release the chief auditor from duty:
1.Abusing power of office with factual evidence showing that he/she has engaged in improper activities, or acting contrary to his or her duties in an attempt to seek illicit profits for him/herself or for a third party, or to damage the interests of the employer, which results in damages to the employer or its subsidiary or a third party.
2.Disclosing, delivering, or publicizing all or part of the examination reports on the employer to a person unrelated to such job without the consent of the competent authority.
3.Failing to notify the competent authority of any material malpractice or fraud at the employer due to internal mismanagement.
4.Failing to disclose in the internal audit report any material deficiency found in the financial or business operations of the employer.
5.Issuing a fraudulent internal audit report after performing the internal audit work.
6.Failing to identify a material deficiency in the financial or business operations of the employer as a result of obviously insufficient or incompetent staffing of the internal audit unit.
7.Failing to follow the instructions of the competent authority in conducting audit work or providing relevant information.
8.Having committed other acts that impair the reputation or interests of the employer.

Article 12

An electronic payment institution shall be staffed with an appropriate number of competent full-time internal auditors in accordance with the number of users, business volume, business conditions, management needs, and the requirements of other relevant laws and regulations, who shall perform their duties in a detached, independent, objective, and impartial manner. Personnel of the internal audit unit shall be deputy to each other to cover each other's absence.
The internal auditors of an electronic payment institution shall meet the following qualification requirements:
1.Having not less than 2 years of experience in financial examination; or having graduated from a college or university, or passed a senior civil service examination or an equivalent examination, or the examination of certified internal auditor and having not less than 2 years of experience in financial business; or having not less than 5 years of experience in financial business. An electronic payment institution must be staffed with at least one internal auditor who meets the aforementioned qualifications. A person is deemed to meet such requirements if he or she has worked as a professional, such as an auditor in an accounting firm, or a programmer or system analyst in a computer company for not less than 2 years, and has received not less than 3 months of training in the business operations and management of an electronic payment institution.
2.Free of any record of demerit or more serious disposition from employer in the last three years, unless the demerit record was a result of joint and several disciplinary action on account of the violation or offense of another person, and the demerit has been offset by other merits; and
3.Internal auditor who acts as a team leader should have not less than 3 years of experience in auditing or financial examination, or have not less than 1 year of experience in auditing and not less than 5 years of experience in financial business, or have not less than 1 year of experience in auditing and have worked as an auditor for an accounting firm for at least 3 years.
An electronic payment institution should check at any time whether its internal auditors have violated the provisions in the preceding two paragraphs. If an auditor is found to violate the provisions, the institution should order the auditor to take remedial action within two months from the date of discovery and should immediately reassign the auditor to another job if he or she fails to complete the remedial action within the specified time period.

Article 13

The internal auditors of an electronic payment institution shall perform their duties in good faith, and shall not have any of the following situations:
1.Concealing or making false or inappropriate disclosures while well aware that the business activity, reporting, or regulatory compliance condition of the employer may cause direct damage to the interests of any stakeholder.
2.Acting beyond the scope of audit functions or engaging in other improper activities, or disclosing any acquired information without authorization or in the attempt to profit therefrom, or otherwise using the information against the interest of the employer.
3.Causing damages to the employer or harming the interests of stakeholders due to negligence in duties.
4.Conducting audit on a department where he/she worked within the past one year.
5.Failing to disqualify him/herself from auditing previously handled business or cases or from auditing cases in which he/she has a stake.
6.Accepting any improper entertainment or gift or other improper benefits provided by the employer or its employees or customers.
7.Failing to follow the instructions of the competent authority in conducting audit work or providing relevant information.
8.Engaging in other acts that violate rules or regulations, or are prohibited by the competent authority.
An electronic payment institution should check at any time whether its internal auditors have violated the provisions in the preceding two paragraphs. If an auditor is found to violate the provisions, the institution should reassign the auditor to another job within one month from the date of discovery.

Article 14

The internal audit unit shall undertake the following tasks:
1.Plan the organizational structure, size and responsibilities of the internal audit unit and produce internal audit working manuals and working papers, which shall include at least assessing the various rules and operating procedures of the internal control system to determine whether adequate internal controls are already in place in the current rules and procedures, whether each department has realistically carried out the internal controls, and whether the internal controls are carried out in a reasonably effective manner, and from time to time provide suggestions for improvement.
2.Supervise the formulation of self-inspection contents and procedures by respective units, and the implementation of self-inspection by each unit.
3.Formulate annual audit plans and draw up the audit plans for respective unit based on the business risk profile of and implementation of internal audits by each unit.
An electronic payment institution should see to it that all of its units carry out self-inspection, and have its internal audit unit review the self-inspection reports of each unit, which, together with internal audit unit's report on the deficiencies and irregularities in internal controls found and improvement actions taken will serve as a basis for the board of directors, president, chief auditor, and chief compliance officer to evaluate the overall effectiveness of the internal control system and to issue the statement on internal control.

Article 15

The internal audit unit of an electronic payment institution shall conduct a routine audit and a special audit at least annually on its business, finance, asset safekeeping and information units, and a special audit at least annually on other management units.
The internal audit unit should include the execution status of the regulatory compliance system into the routine audit or special audit of the business and management units.

Article 16

When the internal audit unit of an electronic payment institution carries out routine audit, its internal audit report shall disclose the following information based on the business nature of the audited unit:
1.Scope of audit, summary review of audit, financial status, business performance, asset quality, management of the board of directors and audit committee meeting procedures, regulatory compliance, internal controls, the control and internal management of various businesses, management of user data protection, information management, employee confidentiality education, protection measures for financial consumers, and implementation of self-inspection, and an evaluation of the above matters.
2.Examination opinions on material violations, deficiencies or frauds occurred at various units, and suggestions for disciplinary actions against negligent employees.
3.The examination opinions or deficiencies identified by the financial examination agency, accountants, internal audit unit (including the internal audit unit of the parent company), and self-inspection personnel, and the improvement status of items that are listed as needing further improvement in the statement on internal control.
The internal audit reports, working papers and relevant information shall be retained for at least 5 years.

Article 17

Where a significant fraudulent event has occurred at an electronic payment institution as a result of poor internal management, unsatisfactory internal controls, inadequate implementation of the internal audit system and regulatory compliance system, or concealment of the results of improvement actions taken for any deficiency specified by a financial examination agency in an examination opinion requiring review and follow-up, or the audit findings of the internal audit unit (including the internal audit unit of parent company), the personnel involved shall be held responsible for dereliction of duties. An electronic payment institution should reward its internal auditors who identify any significant fraud or negligence and thereby avert material loss to the institution.
When a significant deficiency or fraudulent event arises within a unit of an electronic payment institution, the internal audit unit shall have the power to suggest penalties and shall make a full disclosure of the responsible negligent personnel in the internal audit report.

Article 18

An electronic payment institution should deliver its internal audit report to its supervisors or audit committee for review and submit the same to the competent authority within 2 months following completion of the audit. The internal audit report should also be delivered to the independent directors if such positions are set up by the electronic payment institution.

Article 19

The first-time internal auditors of an electronic payment institution shall attend at least 80 hours of audit-related professional training courses held by professional training institutions designated by the competent authority within six months from the date they start the audit work.
The internal auditors (including chief auditor) of an electronic payment institution shall attend professional training related to electronic payment business offered by competent authority-designated professional training institutions or by the electronic payment institution itself every year. The minimum number of training hours shall be 10 hours for chief auditor and 15 hours for the other internal auditors. If an auditor has obtained a certified internal auditor certificate in a year, the certificate may be used to offset the training hours for the year.
Professional training courses related to electronic payment business offered by competent authority-designated professional training institutions shall comprise not less than one half of the total hours of training under the preceding paragraph.
An electronic payment institution should formulate self-inspection programs every year and continuously provide proper training to self-inspection personnel in accordance with the business nature of each unit.
An electronic payment institution shall verify that its internal auditors meet the qualification requirements set forth herein, and retain the verification documentation and records for future reference.

Article 20

An electronic payment institution shall file the data on its internal auditors with the competent authority for record before the end of January every year via a Web-based information system and in a format prescribed by the competent authority.
When filing the basic data of internal auditors according to the preceding paragraph, an electronic payment institution should verify whether these auditors have met the requirements stipulated in Paragraph 2, Article 12 and the preceding article herein. If an internal auditor fails to meet the requirements, the auditor shall take remedial actions within 2 months, or else be reassigned to another job.

Article 21

An electronic payment institution shall, via a Web-based information system and in a format prescribed by the competent authority, file with the competent authority for record next year's audit plan by the end of each fiscal year and a report on the execution of its preceding year's annual audit plan within 2 months from the end of each fiscal year.
An electronic payment institution shall, by the end of each fiscal year, deliver its next year's audit plan in writing to the supervisors or audit committee for review and record the comments of supervisors or audit committee. If the institution does not have an audit committee, it should deliver the audit plan to its independent directors for comments. The annual audit plan and changes thereof shall be approved by the board of directors.
The audit plan mentioned in the preceding paragraph shall contain at least: a description of the audit plan, key annual audit items, units to be audited, nature of audit (routine audit or special audit), and frequency of audit and whether the audit plan is in compliance with the requirements of the competent authority. If the audit is a special audit, the scope of audit should also be noted.

Article 22

An electronic payment institution shall, within 5 months after the end of each fiscal year, file with the competent authority for record the improvement actions taken for deficiencies and irregularities in its internal control system identified during the previous year's internal audit via a Web-based information system and in a format prescribed by the competent authority.

Section 2 Self-inspection and Statement on Internal Control

Article 23

An electronic payment institution shall establish a self-inspection system. Its business, finance, asset safekeeping and information units should conduct a routine self-inspection and a special self-inspection at least semi-annually.
For the self-inspection mentioned in the preceding paragraph, the head of the unit should assign a person other than the original handling staff to conduct the inspection and keep the inspection activity confidential beforehand.
The self-inspection report under Paragraph 1 hereof and its working papers and relevant information shall be retained for at least 5 years for future reference.

Article 24

The internal audit unit of an electronic payment institution shall continually conduct follow-up reviews on the examination opinions or audit deficiencies brought up by the financial examination authority, accountants, or the internal audit unit (including the internal audit unit of parent company) or in self-inspection conducted by internal units, and on matters requiring improvements as specified in the statement on internal control, and submit a written report on the follow-up of improvement actions taken to the board of directors, and deliver a copy of the report to the supervisors or audit committee, which should be used as an important reference in deliberating reward or punishment and in the performance evaluation of respective units.

Article 25

The president of an electronic payment institution shall supervise all units to carefully assess and review the implementation status of its internal control system. The chairman, president and chief compliance officer shall jointly issue a statement on internal control (see attached), which shall be submitted to the board of directors for approval. The electronic payment institution should, within three months after the end of each fiscal year, disclose its statement on internal control on its website and publish same on a website designated by the competent authority.

Attachment: Statement on Internal Control.doc

Section 3 Audit of Electronic Payment Institutions by Accountants

Article 26

If the annual financial report of an electronic payment institution is audited and certified by an accountant, the institution should also engage the accountant to conduct an audit of its internal control system. The accountant should also express opinion on the accuracy of reports submitted by the electronic payment institution to the competent authority and the appropriateness of the implementation status of internal control system and regulatory compliance system.
The audit fees for the accountant should be negotiated and agreed between the electronic payment institution and the accountant, and paid by the electronic payment institution.

Article 27

Where necessary, the competent authority may invite an electronic payment institution and its appointed accountant to discuss audit related matters under the preceding article. If the competent authority finds the accountant appointed by the electronic payment institution not sufficiently competent for the audit work, the competent authority may order the electronic payment institution to replace its accountant and appoint another accountant to re-conduct the audit work.

Article 28

When an accountant conducts audit provided in Article 26 herein, the accountant should inform the competent authority immediately when the electronic payment institution being audited has any of the following situations:
1.During the course of audit, the electronic payment institution fails to provide the accountant with requested reports, certificates, account books and meeting minutes, or refuses to make further explanation on the inquiries made by the accountant, or the accountant is unable to continue the audit work as constrained by other objective circumstances.
2.There are false, forged or missing data of serious nature in its accounting or other records.
3.Its assets are insufficient to pay its debts or its financial condition deteriorates significantly.
4.There is evidence indicating that certain transactions may cause great damage to its net asset.
If an audited electronic payment institution has a situation provided in Subparagraphs 2 ~ 4 of the preceding paragraph, an accountant should submit in advance a summary report based on the audit results to the competent authority.

Article 29

When an electronic payment institution appoints an accountant to conduct audit under Article 26 herein, the institution shall, before the end of April every year, submit the accountant's audit report of the previous year to the competent authority for record. The audit report should describe at least the scope, basis, procedure, and results of the audit.
When the competent authority inquires about the contents of the audit report, the accountant should truthfully provide relevant information and explanations.

Section 4 Regulatory Compliance System

Article 30

An electronic payment institution shall assign a management unit directly under the president to take charge of the planning, management and implementation of the regulatory compliance system, and appoint a high level manager to act as the chief compliance officer who oversees the compliance matters and reports to the board of directors and supervisors or audit committee at least semiannually.
The chief compliance officer and personnel of the compliance unit shall attend at least 15 hours of training a year offered by competent authority-designated professional training institutions or their employer. The training courses shall cover at least the latest regulatory amendments.
An electronic payment institution shall file the list of chief compliance officer and personnel of compliance unit and their training records with the competent authority via a Web-based information system.

Article 31

An electronic payment institution should establish advisory and communication channels for compliance matters to keep employees informed of relevant rules and regulations, swiftly clarify any questions its employees may have on compliance matters, and ensure regulatory compliance.
The compliance unit of an electronic payment institution should analyze the causes of significant deficiency or fraud in compliance matters within respective unit and propose suggestions for improvement. The report produced thereof shall be signed off by the president and then submitted to the board of directors for approval.

Article 32

The compliance unit of an electronic payment institution should conduct the following tasks:
1.Establishing a system for clear and adequate conveyance, consultation, coordination and communication of compliance matters.
2.Keeping operating and management rules and procedures updated in line with relevant regulations to make sure all business activities comply with regulatory requirements.
3.Before an electronic payment institution introduces a new product or service, or applies to the competent authority for approval to offer a new business, the chief compliance officer shall issue and sign an opinion statement undertaking that the new product, service or business complies with applicable regulations and internal rules.
4.Drafting the details of evaluation and procedures for evaluating regulatory compliance, overseeing the periodic self-evaluation conducted by respective units, and assessing the compliance self-evaluation conducted by respective units and producing a report thereon, which, after being signed off by the president, will be used as reference in the performance evaluation of the unit.
5.Providing pertinent regulatory training to personnel at various units.
The internal audit unit may draft the details of evaluation and procedures for evaluating compliance by its subordinate units and perform self-evaluation of the compliance status of its subordinate units, to which the provisions in Subparagraph 4 of the preceding paragraph do not apply.
An electronic payment institution should perform self-evaluation of compliance at least semiannually. The results should be sent to the compliance unit for future reference. The head of a unit should designate a specific staff to carry out the unit's self-evaluation.
The working papers and information on the self-evaluation work under the preceding paragraph shall be retained for at least 5 years.

Section 5 Risk Management Mechanism

Article 33

An electronic payment institution shall formulate proper risk management policies and procedures and establish an independent and effective risk management mechanism, by which to assess and monitor the overall risk bearing capacity and the current status of risks already incurred, and to determine their compliance with the risk response strategies and risk management procedures.
The risk management policies and procedures under the preceding paragraph shall be passed by the board of directors and be reviewed and revised in a timely manner.

Article 34

An electronic payment institution shall establish a risk management unit and regularly submit risk management reports to the board of directors. Upon identifying a significant risk exposure that might adversely affect its financial or business status or compliance with applicable acts and regulations, the electronic payment institution shall take immediate and adequate measures and submit a report to the board of directors.
The risk management unit under the preceding paragraph can be replaced by a designated management unit.

Article 35

The risk management mechanisms of an electronic payment institution shall include the following:
1.Establishing a fraud prevention mechanism to uphold transaction security and better control fraud risk.
2.Establishing the examination and control mechanism for operating procedures and establishing information security mechanism and emergency response plan.
3.Establishing a management mechanism for identifying, measuring and monitoring risks associated with money laundering and financing of terrorism, and drafting standard operating procedures for complying with anti-money laundering related regulations to reduce the risk of money laundering and financing of terrorism.
4.Establishing user management mechanism.
5.Establishing exit mechanism for circumstances when business or finance deteriorates significantly.
6.Establishing user funds management mechanism.
7.Establishing user identity verification mechanism.
8.Establishing user information protection mechanism.
9.Establishing outsourcing management mechanism.
10.Establishing financial consumer protection mechanism.

Chapter 4 Supplemental Provisions

Article 36

An electronic payment institution shall ensure the confidentiality of its financial examination reports. Unless otherwise provided by law or consented to by the competent authority, its responsible persons or employees are not allowed to read, disclose, deliver or make public all or part of the financial examination report to persons irrelevant to the performance of duties.
An electronic payment institution should draft internal management rules and operating procedures relating to the financial examination report in compliance with the requirements of the competent authority and submit them to the board of directors for approval.

Article 37

An electronic payment institution shall set out in its internal control system penalties for violations of these Rules or its internal control rules by managers and relevant personnel.

Article 38

The internal auditors and chief compliance officer of an electronic payment institution shall immediately prepare a report for submission, with a notice to the independent directors and supervisors or audit committee and report to the competent authority when their recommendations for improvements regarding significant deficiencies or noncompliance identified in internal controls are not accepted by management, which will cause the electronic payment institution to incur material losses.

Article 39

Internal auditors of electronic payment institutions who do not meet the provisions in Subparagraph 1, Paragraph 2, Article 12 herein shall make adjustment to become compliant within nine months after the promulgation of these Rules.
The internal auditor of an electronic payment institution who acts as a team leader but does not meet the provisions in Subparagraph 3, Paragraph 2, Article 12 herein shall make adjustment to become compliant within three months after the promulgation of these Rules.

Article 40

These Rules shall be in force on May 3, 2015.