Advanced Search

Regulations Governing Implementation of Internal Control and Auditing System of Insurance Enterprises

Subscribe to a Global-Regulation Premium Membership Today!

Key Benefits:

Subscribe Now for only USD$40 per month.
Chapter 1 General Principles

Article 1

These Regulations are enacted in accordance with Paragraph 1, Article 148-3 of the Insurance Act (the "Act").

Article 2

The term "internal control system" as used in these Regulations means a management process designed by the management, passed by the board of directors, and implemented by the board of directors, management and other employees. The purpose of internal control system is to promote sound business operations of an insurance enterprise so as to reasonably ensure that the following objectives are achieved:
1. The insurance enterprise operates its business in a prudent manner in accordance with the policies and strategies formulated by its board of directors to achieve effectiveness and efficiency in profitability and performance.
2. All transactions are properly authorized;
3. Assets are safeguarded;
4. Financial and other records provide reliable, timely, transparent, complete, accurate and verifiable information and comply with relevant rules and regulations;
5. Management can identify, assess, manage and control operational risks and maintain sufficient capital to address operational risk exposures; and
6. Compliance with applicable rules and regulations.

Article 3

The internal control system of an insurance enterprise shall be passed by its board of directors. If any director expresses reservation or dissenting opinions, those opinions and reasons therefor shall be recorded in the meeting minutes of the board of directors, which, together with the internal control system passed by the board, shall be submitted to the supervisors or the audit committee. The preceding provision applies to revisions of the internal control system.
If the insurance enterprise has independent director(s), the opinions of respective independent director should be taken into consideration fully when the internal control system is submitted to the board for discussion in accordance with the preceding paragraph. The reservation or dissenting opinions of the independent director(s) and reasons therefor shall be recorded in the meeting minutes of the board of directors.
If the insurance enterprise has established an audit committee, the adoption or revision of its internal control system shall be subject to the consent of at least the majority of the audit committee members and be submitted to the board of directors for a resolution.
Any matter under the preceding paragraph that has not been approved with the consent of at least the majority of the audit committee members may be adopted with the consent of at least two-thirds of all directors, and the resolution adopted by the audit committee shall be recorded in the meeting minutes of the board of directors.

Chapter 2 The Design and Implementation of Internal Control System

Article 4

The internal control system of an insurance enterprise shall incorporate at least the following components:
1. Control environment: The control environment is the basis for the design and implementation of the internal control system of an insurance enterprise. The control environment encompasses the integrity and ethical values of the insurance enterprise, governance oversight responsibility of its board of directors and supervisors or audit committee, organizational structure, assignment of authority and responsibility, human resources policy, performance measures and awards and discipline. The board of directors and management shall establish internal code of conduct, including the code of conduct for directors and code of conduct for employees.
2. Risk assessment: A precondition to risk assessment is the establishment of objectives, linked at different levels of an insurance enterprise, and the suitability of the objectives should also be taken into consideration. The management should consider the impact of changes in the external environment and its own business model, and possible fraud scenarios that may occur. The risk assessment results can assist the insurance enterprise in designing, correcting, and implementing necessary controls in a timely manner.
3. Control operations: Control operations are means the actions of adopting proper policies and procedures by an insurance enterprise based on its risk assessment results to control risks within a tolerable range. Control operations shall be performed at all levels of the insurance enterprise, at various stages of business processes, and over the technology environment, and shall include supervision and management over subsidiaries.
4. Information and communication: Information and communication means relevant and quality information that an insurance enterprise obtains, generates, and uses from both internal and external sources to support the continuous functioning of other components of internal control, and to ensure that information can be effectively communicated within and outside the organization. The internal control system must have mechanisms to generate information necessary for planning, implementation, and monitoring, and to enable timely access to information by those who need it.
5. Monitoring operations: Monitoring operations means ongoing evaluations, individual evaluations, or some combination of the two used by an insurance enterprise to ascertain whether each of the components of internal control is present and continuously functioning. Ongoing evaluations means routine evaluations built into the course of operations at different levels. Individual evaluations are evaluations conducted by different personnel such as internal auditors, supervisors or audit committee, or the board of directors. Findings of deficiencies of the internal control system shall be communicated to the management of appropriate levels, the board of directors, and supervisors or audit committee, and improvements shall be made in a timely manner.

Article 5

An insurance enterprise shall, based on its business nature and scale, establish operating procedures for at least the following control operations according to the principles of internal check, and review and revise such procedures in a timely manner:
1. Insurance product development operation: Including risk assessment of insurance products, evaluation of premium rate adequacy and assessment of reserve adequacy.
2. Product sales operation: Including promotional materials and information to be disclosed in insurance policy, business solicitation, underwriting, contract conversion, reinstatement, conservation, fees and charges.
3. Claim operation: Including investigation of accident, review and payment operation.
4. Fund utilization operation: Including holistic investment policies, acquisition, custody and disposal of various investment assets, and rules for related party transactions.
5. Solvency assessment operation: Including assessment of all kinds of reserves to be set aside, evaluation of asset quality,the match of assets and liabilities, write-off of non-performing loans and non-accrual loans, management of investment and fund liquidity, assessment of financial conditions and capital adequacy.
6. Processing derivatives transactions operation: Including trading principles and guidelines, operating procedures, announcement and reporting procedures, accounting treatment, internal control and audit system.
7. Reinsurance operation: Including methods of reinsurance, assessment of risks and risk tolerance, reinsurance retention ratio and selection of reinsurers and reinsurance brokers.
8. Control operations of accounting, general affairs, resources, personnel management and other businesses.
9. Management of financial examination reports.
10. Management of financial consumers protection.
11. Management of the application of International Financial Reporting Standards.
12. Other matters designated by the competent authority.
Where an insurance enterprise is required to establish a remuneration committee according to law, the insurance enterprise shall design internal controls and operating procedures for the operation and management of the remuneration committee.
Where an insurance enterprise has an audit committee established, its internal control system shall also include the management of the audit committee meeting procedures.
For the stipulation, revision or abolition of all operational and management regulations mentioned in the preceding three paragraphs, it requires the participation of regulatory compliance, internal audit, and risk management agencies.

Article 6

An insurance enterprise that uses a computerized information processing system shall, in addition to clearly division of authority and responsibility of information and user departments, include at least the following control operations in its internal control system:
1. Clear division of authority and responsibility of the information processing department;
2. Control of system development and program modification;
3. System documentation control;
4. Program and data access control;
5. Data input/output control;
6. Data processing control;
7. Security control of the entrance of computer room;
8. System, files, computer and communications equipment security control;
9. Control of purchase, usage, and maintenance of hardware and system software;
10. Prevention and control of spread of computer viruses and hacker invasion;
11. Control of system recovery plan, disaster backup plan and testing procedures;
12. Control of outsourcing of core businesses;
13. Confidentiality and security control of classified data of customers and company; and
14. Prevention and control of computer crimes.

Article 7

For the purpose of maintaining effective operation of its internal control system to achieve the objectives of internal control set out in Article 2 herein, an insurance enterprise shall adopt the following measures:
1. Internal audit system: Set up an audit unit to take charge of auditing each unit and periodically evaluating the performance of self-inspection conducted by each business unit.
2. Regulatory compliance system: The chief compliance officer examines duly whether business personnel comply with relevant laws and regulations in conducting business in accordance with the compliance plan developed by the head office.
3. Self-inspection system: Members of business, financial and information units check on each other the actual implementation of internal controls under the supervision of managerial personnel or personnel at comparable position or higher as assigned by each unit to discover deficiencies early and take corrective actions in a timely manner.
4. CPA auditor system: When a certified public accountant (CPA) engaged by an insurance enterprise conducts annual audit of the enterprise, the CPA should also examine the effectiveness of its internal control system and express opinions on the accuracy of financial information the enterprise files with the competent authority and the status of implementation of internal control system and regulatory compliance system.
5. Risk management mechanism: Establish independent and effective risk management mechanism to assess and monitor the overall risk bearing capacity and current status of risks already incurred, and to determine their compliance with the risk response strategies and risk management procedures.

Article 8

An insurance enterprise shall formulate adequate risk management policies and procedures. Those policies and procedures shall be passed by the board of directors and regularly reviewed and revised.
An insurance enterprise shall establish an independent risk management task force and regularly furnish risk management reports to the board of directors;
The risk management mechanisms of an insurance enterprise shall include the following:
1. Identifying and assessing acceptable risk range based on its business scale, product features and overall economic situation.
2. Risks to be taken into consideration include underwriting risk, risks associated with reserve assessment, market risk (including interest rate risk), operational risk, compliance risk and other relevant risks.
3. The management should regularly review the risk control mechanism and adopt suitable strategies based on the actual economic circumstances.
4. Establishing a management mechanism for identifying, measuring and monitoring risks associated with money laundering and financing of terrorism, and drafting standard operating procedures for complying with anti-money laundering related regulations to reduce the risk of money laundering and financing of terrorism.

Chapter 3 The Inspection of Internal Control System

Section 1 Internal Audit

Article 9

The purpose of internal audit is to assist the board of directors and the managerial level to verify and evaluate whether the operation of internal control system works effectively and provide appropriate suggestions for revision, which can ensure the on-going performance of effective internal control and serve as the basis of internal control system revisions.

Article 10

An insurance enterprise shall plan the organization, size and responsibilities of its internal audit unit and produce internal audit working manuals, which shall include at least the following particulars:
1. Operational process of annual audit plan;
2. Inspection and assessment of internal control system to measure the effectiveness and compliance status of existing policies and procedures and their effect on various business activities;
3. Audit items, time, procedures and methods; and
4. The contents of the formats, processing and retention of internal audit reports.
An insurance enterprise should see to it that all of its units carry out self-inspection, and have its internal audit unit review the self-inspection reports of each unit, which, together with internal audit unit's report on the deficiencies and irregularities in internal controls found and improvement actions taken will serve as a basis for the board of directors,general manager, chief auditor, and chief compliance officer to evaluate the overall effectiveness of the internal control system and to issue an internal control system statement.

Article 11

An insurance enterprise should set up an internal audit unit that is directly subsidiary to the board of directors which should perform audit business honestly and independently. The chief auditor is required to report its audit business to the board of directors and supervisors or audit committee at least semiannually.
The internal audit unit shall establish a chief auditor system to manage all audit business. The qualifications of chief auditor shall comply with the Regulations Governing Required Qualifications for Responsible Persons of Insurance Enterprises, and has the power as an vic general manager. The auditor is not allowed to take a job that will cause conflicts or limitations to the audit work.
The employment, dismissal or transfer of chief auditor shall have the consent of more than two-thirds of the board of directors and report to the competent authority for ratification.
If an insurance enterprise has an audit committee, the appointment, dismissal or transfer of chief auditor mentioned in the preceding paragraph shall first have the consent of at least the majority of all audit committee members. In the absence of the consent of the majority of all audit committee members, the decision of the audit committee shall be recorded in the meeting minutes of the board of directors. Where an insurance enterprise does not have an audit committee but independent directors, any dissenting opinion or reservation expressed by the independent directors regarding the chief auditor shall also be recorded in the meeting minutes of the board of directors.

Article 12

When any of the following circumstances applies to a chief auditor in overseeing internal audit work, the competent authority may, having regard to the seriousness of the event, issue an official reprimand, order the chief auditor to make improvements within a specified time limit, or otherwise order the insurance enterprise to release the chief auditor from duty:
1. Abusing power of office to engage in improper activities, or acting contrary to his or her duties in an attempt to seek illicit profits for him/herself or for others, or taking advantage of the job to damage the interests of the employer or others.
2. Disclosing, delivering, or publicizing all or part of insurance examination reports on the employer to a person unrelated to such job without the consent of the competent authority.
3. Failing to disclose in the internal audit report any material deficiency found in the financial or business operations of the employer.
4. Failing to notify the competent authority any material malpractice or fraud at the employer due to internal mismanagement.
5. Issuing a fraudulent internal audit report after performing the internal audit work.
6. Failing to follow the instructions of the competent authority in conducting audit work or providing relevant information.
7. Having improper financial dealings with customer or counterparty of transaction involving employer's funds as evidenced by facts.
8. Failing to identify a material deficiency in the financial or business operations of the employer as a result of obviously insufficient or incompetent staffing of internal auditor.
9. Having committed other acts that impair the reputation or interests of the employer.

Article 13

An insurance enterprise shall be staffed with an appropriate number of competent full-time internal auditors based on its scale of investment, business condition (the number of branches and business volume), management needs and applicable laws and regulations. Personnel of the internal audit unit shall be deputy to each other to cover each other's absence.
The appointment, dismissal, promotion, reward/discipline, rotation and performance review of any personnel in the internal audit unit shall become effective after being reported by the chief auditor to the chairman for approval. However, if the matter involves personnel of other management and business units, the chief auditor should first consult with the personnel office and obtain the consent of the general manager before reporting the matter to the chairman for approval.
When the competent authority conducts examination of the insurance enterprise, the internal audit unit shall assign an internal auditor as the contact person and to provide relevant information and assist in the examination.

Article 14

The internal auditors of an insurance enterprise shall meet the following qualification requirements:
1. Having not less than 2 years of experience in insurance examination; or having graduated from a junior college, college or university, or passed a senior civil service examination or an equivalent examination, or the examination of certified internal auditor and having not less than 2 years of experience in insurance business; or having not less than 5 years of experience in insurance business; or having not less than 5 years of experience in insurance business. A person is deemed to meet such requirements if he or she has worked as a professional, such as an auditor in an accounting firm or a system analyst in a computer company for not less than 2 years, and has received not less than 3 months of training in insurance business and administration. However, the number of auditor with such qualification shall not exceed one third of total number of auditors;
2. Free of any record of demerit or more serious disposition from employer in the last three years, unless the demerit record was a result of joint and several disciplinary action on account of the violation or offense of a co-worker, and the demerit has been offset by other merits; and
3. An internal auditor who acts as a lead auditor shall have not less than 3 years of experience in auditing or insurance examination, or have not less than 1 year of experience in auditing and not less than 5 years of experience in insurance business.

Article 15

The internal auditors of an insurance enterprise shall perform their duties in good faith, and shall not have any of the following situations:
1. Acting beyond the scope of audit functions or engaging in other improper activities, or disclosing any acquired information without authorization or in the attempt to profit therefrom, or otherwise using the information against the interest of the insurance enterprises.
2. Conducting audit on operations where he/she worked on within one year or failing to disqualify him/herself from auditing cases or operations in which he/she has a stake or conflict of interest.
3. Accepting improper entertainment or gift or other improper benefits provided by people in insurance business or customers.
4. Failing to follow the instructions of the competent authority in conducting audit work or providing relevant information.
5. Concealing or making false or inappropriate disclosures while well aware that the business activity, reporting, or regulatory compliance condition of the employer may cause direct damage to the interests of beneficiaries, policyholders or any stakeholder.
6. Causing harm to the interests of the company, beneficiaries, policyholders or any stakeholder due to dereliction of duty.
7. Any other violation of rules or regulations, or practices prohibited by the competent authority.

Article 16

Auditors of the internal audit unit of an insurance enterprise shall, before starting the job or within half a year after starting the job, enroll in the following trainings held by institutions recognized by the competent authority:
1. When acting as an internal auditor for the first time, the auditor should participate in the audit training course or computer audit training course for more than sixty hours. The auditor should also pass the exam and obtain the completion certificate.
2. An internal auditor with leadership duty should participate in the internal auditor leader train course for more than nineteen hours.
3. The auditor manager should participate in audit manager training course for more than twelve hours.
Internal auditors, internal auditor with leadership and auditor manager in charge of audit operations shall attend more than 30 hours of insurance-related professional training offered by the aforementioned training institutions or financial holding companies or the employing insurance enterprise every year. If an auditor has obtained a certified internal auditor certificate in a year, the certificate may be used to offset the training hours for the year.
Insurance-related professional training courses offered by competent authority-recognized institutions shall comprise not less than one half of the required hours of training under the preceding paragraph.
For auditors stationed overseas, the training hours they have received from insurance-related training institutions established in accordance with the local laws and regulations are also recognized.
An insurance enterprise shall verify that its internal auditors meet the qualification requirements set forth herein, and retain the verification documentation and records for future reference.

Article 17

The department heads/office chiefs of an insurance enterprise or the head of its branch office or persons with comparable decision-making authority shall, before taking office or within half a year after taking office shall meet one of the following requirements:
1. Having worked as an auditor of the internal audit unit and conducted internal audit work for more than one year; or
2. Having attended an auditor, computer audit or supervisor audit training course offered by a competent authority recognized institution, and passed the exam conducted by the aforementioned training institution and obtained a completion certificate therefor. In case of a foreigner, he or she may choose to attend the internal audit training course held by the employing insurance enterprise.

Article 18

The internal audit unit of an insurance enterprise shall conduct at least a routine audit every year on its business, finance, information and other management units, and conduct special audits as needed. The audit of its overseas branches (including liaison office) may be replaced with a reporting audit or have site audit frequency adjusted flexibly.
The internal audit unit shall include the implementation status of regulatory compliance system into the routine audit or special audit of the business and management units.

Article 19

When an insurance enterprise carries out routine audit, its internal audit report shall disclose the following information based on the business nature of the audited unit:
1. Scope of audit, summary commentary, financial status, capital adequacy, business performance, asset quality, management of shares, management of the board of directors and audit committee meeting procedures, regulatory compliance, related-party transactions, control and internal management of various businesses, management of customer data confidentiality, information management, employee confidentiality education, and implementation of self-inspection, and an evaluation of the above matters.
2. Examination opinions on material violations, deficiencies or frauds occurred at various units, and suggestions for disciplinary actions against negligent employees.
3. The examination opinions or deficiencies identified by the competent authority, accountants, internal audit unit (including the internal audit unit of the financial holding company), and self-inspection personnel, and the improvement status of items that are listed as needing further improvement in the statement on internal control.
The internal audit reports, working papers and relevant information under the preceding paragraph shall be retained for at least 5 years.
An insurance enterprise shall, in a prescribed format and via a Web-based information system, file with the competent authority for record next year's audit plan before the end of December each year and a report on the execution of its previous year's annual audit plan before the end of February each year.
An insurance enterprise shall, by the end of each fiscal year, deliver its next year's audit plan in writing to its supervisors or audit committee for review and record the comments of supervisors or audit committee. If the insurance enterprise does not have an audit committee but independent directors, it shall deliver the audit plan to the independent directors for comments.
The audit plan under the preceding paragraph shall contain at least: a description of the audit plan, key annual audit items, units to be audited, nature of audit (routine audit or special audit), and frequency of audit and whether the audit plan is in compliance with the requirements of the competent authority. If the audit is a special audit, the scope of audit should also be noted.
The annual audit plan and changes thereof shall be approved by the board of directors.

Article 20

The internal audit unit shall follow up on the status of improvements made by respective units regarding the examination opinions of or deficiencies found by competent authority, accountants, internal audit units (including the internal audit unit of the parent financial holding company) and self-check personnel, and recommendations enumerated in the statement on internal control, and produce a written follow-up report to be provided to the board of directors and the supervisors or the audit committee for review and to be used as important reference in reward/discipline decisions and performance review.
The internal audit report shall be provided to the supervisors or the audit committee for review, and unless it is otherwise stipulated by the competent authority, submitted to the competent authority within two (2) months from the date the audit is completed.
Where an insurance enterprise has independent director(s), the reports shall be simultaneously provided to the independent director(s) when an action is taken under the two preceding paragraphs.

Article 21

An insurance enterprise shall, in a prescribed format and via a Web-based information system, file with the competent authority for record information on its internal auditors, including name, age, education background, work experience, years of service, and training received by the end of January each year.

Article 22

An insurance enterprise shall, before the end of May each year, file with the competent authority for record the improvement actions taken for deficiencies and irregularities in its internal control system identified during the previous year's internal audit via a Web-based information system and in a format prescribed by the competent authority.

Article 23

An insurance enterprise should examine at all time whether its internal auditors have violated the provisions of Article 15 herein. If an auditor is found to violate the provisions, the insurance enterprise shall reassign the auditor within one month from the date of discovery.
When filing the basic data of internal auditors according to Article 21 herein, an insurance enterprise should verify whether its auditors meet the requirements stipulated in Article 14 and Article 16 herein. If an internal auditor fails to meet the requirements, the auditor shall take remedial actions within 2 months, or else be reassigned to another job.

Section 2 Self-inspection and Internal Control System Statement

Article 24

An insurance enterprise should establish a self-inspection system to strengthen internal check so as to prevent the occurrence of fraud. Its finance, business and information units shall conduct routine self-inspection at least once every year and conduct special self-inspection as needed.
For the self-inspection mentioned in the preceding paragraph, the head of the unit should assign a person other than the original handling staff to conduct the inspection and keep the inspection activity confidential beforehand.
The self-inspection report and its working papers shall be retained for at least 5 years for future reference.
An insurance enterprise should establish self-inspection training programs and continue proper training to self-inspection personnel in accordance with the business nature of each unit.

Article 25

The general manager of an insurance enterprise shall supervise all units to carefully assess and review the implementation status of its internal control system. The chairman, general manager, chief auditor and head office chief compliance officer shall jointly issue an internal control system statement (see attached), which shall be submitted to the board of directors for approval, and submitted together with the annual report set forth in Article 148-1 of the Act to the competent authority before the end of March each year.
An insurance enterprise shall disclose its internal control system statement on its website.

Section 3 Audit by an Accountant

Article 26

If the annual financial report of an insurance enterprise is audited and certified by an accountant, the enterprise should also appoint the accountant to conduct an audit of on its internal control system. The accountant should also comment on the correctness of the report submitted by the insurance enterprise to the competent authority and the implementation status of internal control system and regulatory compliance system.

Article 27

Where necessary, the competent authority may invite an insurance enterprise and its appointed accountant to discuss audit related matters under the preceding article. If the competent authority finds the accountant appointed by the insurance enterprise not sufficiently competent for the audit work, the competent authority may demand the insurance enterprise to replace its accountant and appoint another accountant to re-conduct the audit work.

Article 28

When an accountant conducts audit provided in Article 26 herein, the accountant should inform the competent authority immediately when the following conditions are found:
1. During the course of audit, the insurance enterprise fails to provide the accountant with requested reports, certificates, account books and meeting minutes, or refuses to make further explanation on the inquiries made by the accountant, or the accountant is unable to continue the audit work as constrained by other objective circumstances.
2. There are false, forged or missing data of serious nature in its accounting or other records.
3. Its assets are insufficient to pay its debts or its financial condition deteriorates significantly.
4. There is evidence indicating that certain transactions may cause material impairment of its net assets.
If an audited insurance enterprise has a situation provided in Subparagraphs 2 ~ 4 of the preceding paragraph, the accountant should submit in advance a summary report based on the audit results to the competent authority.

Article 29

When an insurance enterprise appoints an accountant to conduct audit under Article 26 herein, the enterprise shall, before the end of March each year, submit an independent auditor's report of the previous year to the competent authority for record.
When the competent authority inquires the contents of the independent auditor's report, the accountant should provide detailed and relevant information and explanations.

Section 4 Regulatory Compliance System

Article 30

An insurance enterprise shall, based on its size, business nature and organizational characteristics, establish a compliance unit directly under the general manager to take charge of the planning, management and implementation of regulatory compliance system.
The compliance unit shall establish the position of head office chief compliance officer who oversees the compliance matters and reports to the board of directors and supervisors or audit committee at least semiannually. The head office chief compliance officer whose position is equivalent to a vice general manager may not hold internal positions other than the chief legal officer and should possess leadership and ability to effectively supervise the compliance works. The qualifications of head office chief compliance officer shall comply with the Regulations Governing Required Qualifications for Responsible Persons of Insurance Enterprises.
The branches of foreign insurance enterprises in Taiwan, reinsurance enterprises and insurance cooperatives may appoint a high level manager to act as the head office chief compliance officer under the preceding paragraph, and insurance cooperatives are not subject to the restriction on head office chief compliance officer holding concurrently other internal positions under the preceding paragraph.
Chief auditor, head of audit unit and internal auditors may not serve as the head office chief compliance officer under Paragraph 2 hereof.
The appointment and dismissal of head office chief compliance officer shall have the consent of at least the majority of all directors and be reported to competent authority for record.
The head office chief compliance officer and personnel of the compliance unit of an insurance enterprise shall attend at least 20 hours of training a year offered by institutes recognized by the competent authority or financial holding companies or the employing insurance enterprise. The training courses shall cover at least the latest regulatory amendments and new insurance products launched.
An insurance enterprise shall file the list of head office chief compliance officer and personnel of compliance unit and their reward/disciplinary records, qualifications and training records in the past three years with the competent authority via a Web-based information system.

Article 30-1

An insurance enterprise should establish counseling and communication channels for regulatory compliance matters to keep employees informed of rules and regulations, swiftly clarify any questions of the employees on rules and regulations, and ensure regulatory compliance.
The compliance unit of an insurance enterprise should analyze the causes of significant deficiency or malpractice in compliance matters within respective unit and propose recommendations for improvement. The report produced thereof shall be signed off by the general manager and then submitted to the board of directors for approval.

Article 31

The regulatory compliance unit of an insurance enterprise shall establish a regulatory compliance system which will be implemented after being passed by the board of directors. The regulatory compliance unit shall also review from time to time the regulatory compliance system in line with the amendment of insurance rules and regulations, and implement the revised system after it is passed by the board of directors.
The regulatory compliance system shall include at least the following particulars:
1. Decision making process of board of directors and control functions of directors;
2. Preservation of board meeting minutes;
3. Operation monitoring functions of supervisors;
4. Code of regulatory compliance for directors’ conduct;
5. Establishment of regulatory compliance evaluation standards;
6. Formulation of annual regulatory compliance plan;
7. Creation of a regulatory compliance environment;
8. The audit of regulatory compliance operations and handling of regulatory violation;
9. Regulatory compliance organization and duties; and
10. Drafting of regulatory compliance manual.

Article 32

The regulatory compliance unit should draw up an annual regulatory compliance plan, which will be implemented after being passed by the board of directors.
The annual regulatory compliance plan shall contain at least the following particulars:
1. Evaluation plan for regulatory compliance by respective unit;
2. Review of handling results for regulatory violation cases in the previous year;
3. Management of changes in insurance related laws and regulations;
4. Training and promotion of regulatory compliance matters; and
5. Review and improvement of regulatory compliance system.
The regulatory compliance unit of an insurance enterprise should conduct the following tasks:
1. Establishing a system for clear and adequate conveyance, consultation, coordination and communication of rules and regulations.
2. Keeping operating and management rules and procedures updated in line with relevant regulations to make sure all business activities comply with regulatory requirements.
3. Before an insurance enterprise introduces a service, a new insurance product or an insurance product which is deemed to constitute material change by the competent authority and requires approval by the competent authority before marketing, or undertakes specific or major use of funds, the head office chief compliance officer shall issue and sign an opinion statement undertaking that the service, product or use of funds complies with applicable regulations and internal rules.
4. Drafting the details of evaluation and procedures for evaluating regulatory compliance, overseeing the periodic self-evaluation conducted by respective units, and assessing the compliance self-evaluation conducted by respective units and producing a report thereon, which, after being signed off by the general manager, will be used as reference in the performance evaluation of respective units.
5. Providing pertinent regulatory training to personnel of various units.
The internal audit unit may draft the details of evaluation and procedures for evaluating compliance by its subordinate units and perform self-evaluation of the compliance status of its subordinate units, to which the provisions in Subparagraph 4 of the preceding paragraph do not apply.

Article 33

The business unit, the funds utilized unit, information unit, asset management unit and other management units of an insurance enterprise should assign personnel to act as the compliance officer of the unit to take charge of compliance matters.
Respective unit should draw up a compliance manual, which will be implemented after being approved by the head office chief compliance officer and the general manager.
The regulatory compliance manual shall contain at least the following particulars:
1. Regulatory compliance procedures to be adopted by each business;
2. Rules and regulations to be complied with by each business;
3. Procedures for handling violation of rules and regulations;
4. Self-evaluation procedure for regulatory compliance operation; and
5. Namelist of regulatory compliance officers.
If an insurance enterprise has a foreign branch, the compliance unit should monitor the compliance with local rules and regulations by the foreign branch.

Article 34

An insurance enterprise should, based on its regulatory compliance plan, design the working papers for self-evaluation of regulatory compliance and perform self-evaluation at least semiannually. The self-evaluation results should be sent to the regulatory compliance unit for future reference. The head of a unit should designate a specific staff to carry out the unit's self-evaluation.
The working papers and information on the self-evaluation work under the preceding paragraph shall be retained for at least 5 years.

Chapter 4 Supplementary Principles

Article 35

An insurance enterprise shall set out in its internal control system penalties for violations of these Regulations or its internal control rules by management and relevant personnel.
Where an insurance enterprise has a significant fraudulent event occurred as a result of poor internal management, unsatisfactory internal controls, inadequate implementation of the internal audit system and regulatory compliance system, or concealment of the results of improvement actions taken for any deficiency specified by a financial examination agency in an examination opinion requiring review and follow-up, or the audit findings of the internal audit unit (including the internal audit unit of parent financial holding company), the personnel involved shall be held responsible for dereliction of duties.
An insurance enterprise should commend its internal auditors who identify any significant malpractice or negligence and thereby avert material loss to the enterprise.
When a significant deficiency or malpractice event arises within the management or business unit of an insurance enterprise, the internal audit unit shall have the power to suggest penalties and shall make a full disclosure of the responsible negligent personnel in an internal audit report.

Article 36

The internal auditors and chief compliance officer of an insurance enterprise shall immediately produce a report for submission to the competent authority, with a notice to the supervisors or audit committee and independent directors (if applicable), when their recommendations for improvements regarding significant deficiencies or noncompliance in internal controls are not accepted by management, as a result the insurance enterprise might incur a material losses.

Article 37

The branch of a foreign insurance enterprise in Taiwan shall carry out internal control and audit in compliance with these Regulations. However, if the internal control and audit systems of a branch in Taiwan are prescribed by the head office based on regulations with higher or equivalent standards, the branch is allowed to implement such systems by submitting a comparison report which compares the standards that head office adopts and the system requirements in Taiwan and is signed by the branch's responsible person to the competent authority for record.
An insurance cooperatives may, in view of its business scope and size and within six months from the date of promulgation of these Regulations amended on March 17, 2010, carry out internal control and audit in accordance with these Regulations, or report to the competent authority for record as provided in the preceding paragraph by describing the facts, reasons and the content of internal control and audit system to be adopted.

Article 38

An insurance enterprise should establish necessary controls for its subsidiaries in its internal control system and urge its subsidiaries to establish internal control system in consideration of local rules and regulations at where each subsidiary is located and the actual nature of the subsidiary's operations.
An insurance enterprise shall establish audit plans targeted at each subsidiary in its annual audit plans based on the business risk profile and implementation of internal audits by each subsidiary.
All subsidiaries of an insurance enterprise shall submit to the parent company their board meeting minutes, CPA audit reports, examination reports issued by the financial examination agency, and other relevant materials. For subsidiaries having established an internal audit unit, audit plans and reports on significant deficiencies identified in internal audit and the status of improvements thereof shall also be submitted. The parent company shall review such documents and monitor the improvement actions taken by each subsidiary.
The chief auditor of an insurance enterprise shall periodically evaluate the effectiveness of the internal control activities of a subsidiary, and after having reported to the board of directors, send the evaluation results to the subsidiary's board of directors for their reference in personnel evaluations.

Article 39

An insurance enterprise shall ensure the confidentiality of its financial examination reports. Unless otherwise provided by law or consented by the competent authority, its responsible persons or employees are not allowed to read or disclose, deliver, make public all or part of the financial examination report to persons unrelated to the performance of duties.

Article 40

Insurance enterprises that do not meet the provisions in Article 30, or Subparagraph 3 or 4, Paragraph 3 of Article 32 herein shall make adjustment to become compliant within six months after the promulgation of these Regulations amended on August 8, 2014.

Article 41

These Regulations shall be in force on the date of promulgation.
Except for the part on management of financial consumers protection which has been in force since December 30, 2011, the provisions of Article 5 amended on February 4, 2012 shall enter into force three months after the date of promulgation.