Chapter 1 General Provisions
These Rules are adopted pursuant to Article 33 and Article 39 of the Act Governing Electronic Payment Institutions (referred to as the "Act" hereunder) and Article 40 of the Act to which Article 33 of the Act applies mutatis mutandis.
The terms as used in these Rules are defined as follows:
1."Collecting and making payments for real transactions as an agent" shall mean the business of an electronic payment institution independent of the users of real transactions accepting under the mandate of both parties to a real transaction the amount of the transaction transferred from the payor, and after certain conditions are fulfilled, or a certain period of time has arrived or receiving an instruction from the payor, transferring the amount of the real transaction to the recipient.
2."Accepting deposits of funds as stored value funds" shall mean the business of an electronic payment institution receiving funds from a user in advance and storing the funds in the user's electronic payment account (referred to as "e-payment" account hereunder) for future transfer of funds between said user and other users other than the electronic payment institution itself.
3."Transferring funds between e-payment accounts" shall mean the business of an electronic payment institution transferring funds in the e-payment account of an user according to said user's payment instruction for purposes other than any real transaction into the e-payment accounts of other users of the same electronic payment institution.
4."Electronic payment business" shall mean businesses under the subparagraphs of Paragraph 1, Article 3 of the Act.
5."E-payment account" shall mean an online account opened by a user with an electronic payment institution to keep track of his/her funds transfer and funds deposit records.
6."Users" shall mean persons who register and open an e-payment account with an electronic payment institution and use the services provided by the electronic payment institution to make funds transfer or deposit stored value funds.
7."Recipient users" shall mean users who use the service of collecting and making payments for real transactions as an agent offered by an electronic payment institution to collect payments.
8."Payment via agreed linked deposit account" shall mean the service where in conducting its electronic payment business, an electronic payment institution gives a financial institution at where an user opens his/her account (referred to as "the financial institution holding the account" hereunder) an account payment deduction instruction according to the agreement between the user and the financial institution to transfer funds from the user's deposit account with the financial institution for the electronic payment institution to collect payment from the user and record the payment amount and the fund transfer activity under the user's electronic payment account ("e-payment account"). The mechanisms of the operation are as follows:
(1)"Direct link mechanism" means the mechanism where an electronic payment institution gives a financial institution holding the account a payment deduction instruction directly to transfer funds from the user's deposit account.
(2)"Indirect link mechanism" means the mechanism where an electronic payment institution gives a dedicated deposit account bank a payment deduction instruction indirectly through the financial information service enterprise or clearing house to which the bank is connected to transfer funds from the user's deposit account with the bank.
Chapter 2 User Management
An electronic payment institution shall accept user registration in the following manners:
1.Know the identity of the user in accordance with the regulations stipulated pursuant to Paragraph 3, Article 24 of the Act, retain user identity data and verify the authenticity of user identity information; the preceding provision applies when a user changes his/her identity information;
2.Establish management mechanism for irregular applications to prevent the registration of dummy accounts; and
3.Remind users that they will be held legally responsible if they use their e-payment accounts illegally.
When an electronic payment institution accepts user's registration, the contract entered between the parties shall comply with the provisions of Article 27 of the Act, and the electronic payment institution shall enable users to inquire the contents of the contract in a manner agreed by the parties.
An electronic payment institution shall announce the followings on its website:
1.Its name and contact information;
2.Clauses of the standard form contract for its electronic payment business;
3.The manners by which the e-payment account is used, causes for termination of e-payment account, and withdrawal and refund of funds received from user;
4.Fees and charges, all possible expenses that the user may incur and calculation methods therefor explained in plain language, supplemented with specific examples;
5.Possible risks associated with using e-payment account;
6.Actions to take when the user's ID or the password of user's e-payment account is lost or stolen, and reminder for user to safekeep his/her ID, password and other related information of user identity;
7.Rights and obligations of the parties when user's e-payment account is used without user's authorization;
8.Mechanism for Customer complaint handling and dispute settlement;
9.Warning of legal consequences of illegal use of e-payment account.;
10.Other matters relating to user's rights and obligations; and
11.Other matters required of public announcement on website by the competent authority.
The announcements under the preceding paragraph should use plain and concise language, and important matters relating to user interests should be posted in a conspicuous manner.
Fees and expenses charged by an electronic payment institution to its users should reasonably reflect its costs.
An electronic payment institution shall establish mechanisms for recipient user management with respect to credit checking, contract signing and periodic review, and observe the following rules:
1.The contract should contain an agreement that the business of the recipient user shall not be involved in financial products or services to which the competent authority has not approved receipts and payments processed by an agent and in other transactions prohibited by law or according to the notices of central government authorities in charge of certain industry.
2.The contract should contain an agreement that if the recipient user sells or provides deferred products or services, the user shall obtain performance guarantee or declare trust and disclose such performance guarantee or trust information to the buyer users.
3.The contract should contain an agreement that the recipient user will observe the following provisions on safekeeping and inquiries of transaction records:
(1)The recipient user shall properly retain relevant transaction data, documents and forms for at least 5 years; and
(2)The recipient user shall provide transaction related information as requested by the electronic payment institution, including but not limited to the terms of transaction, method of performance, transaction results, as well as business items operated by the recipient user and its qualifications. With regard to information requested by the electronic payment institution, the recipient user should provide detailed descriptions and necessary documentation.
An electronic payment institution should adopt the following measures for risk management of recipient users:
1.Establishing credit checking mechanism and process for recipient users and assigning staff to take charge of recipient user review, approval and management operations;
2.Establishing risk rating mechanism for recipient users and adopting measures such as limiting transaction amounts, strengthening transaction monitoring, conducting field visits, charging deposits, requiring the provision of other guarantees or delayed settlement for recipient users at higher risk level to reduce transaction risk;
3.Establishing the recipient user investigation, evaluation or field visit mechanisms, and based on the risk level of recipient user, conducting investigation, evaluation or field visit at proper frequency and in a proper manner, and retaining relevant records; and
4.Other risk management measures required by the competent authority.
Chapter 3 User's Payment Instructions
Unless it is otherwise provided by other laws or these Rules or it is otherwise agreed between the user and the electronic payment institution, an electronic payment institution shall carry out funds transfer operation according to the instructions of users, and may not freeze the funds of users in their e-payment accounts at will.
A user payment instruction shall include the following information:
1.Payor's name and his/her e-payment account number;
2.Recipient's name and his/her e-payment account number;
3.The exact dollar amount and currency of payment;
4.Time for transfer of funds; if the transfer is not effected immediately, the conditions and time period for the transfer to take place or manner of payment instructed by payor; and
5.Other information required by the competent authority.
Upon receiving a payment instruction from a user, an electronic payment institution shall notify the user in a manner agreed by the user for reconfirmation and notify the user of the result after executing user's payment instruction.
The payment services provided by an electronic payment institution at physical channels are not subject to the provisions of Subparagraphs 1 and 2 of Paragraph 2 and the preceding paragraph regarding reconfirmation.
An electronic payment institution should, in a manner agreed with the user, provide free services, allowing the user to inquire his/her transaction records within the past year at any time, and at user's request, providing transaction records that are more than one year old but less than five years.
An electronic payment institution shall promptly notify its users when it becomes unable to execute users' payment instructions due to the breakdown of its information system or other reasons.
Chapter 4 Business Management and Operations of Electronic Payment Institutions
Funds may not be transferred between the e-payment accounts of different electronic payment institutions, regardless whether the accounts are opened by the same user or not.
The transfer of funds between electronic payment institutions and between an electronic payment institution and an entity that engages in the business of collecting and making payments for real transactions as an agent must be effected through a financial institution that they may not open an e-payment account with each other or go through other electronic payment institutions or entities engaging in the business of collecting and making payments for real transactions as an agent.
Electronic payment institutions shall not use bonus, gift or other offers to absorb stored value funds.
An electronic payment institution may not accept deposit of funds or funds transfer between e-payment accounts by a user via a credit card.
If an electronic payment institution provides the service of payment via agreed linked deposit account, the operations of both the electronic payment institution and the financial institution at where the user opens his/her account (referred to as "the financial institution holding the account" hereunder) shall comply with the regulations stipulated pursuant to Paragraph 2, Article 29 of the Act and relevant provisions of the Standards for the Security Management Operation of Electronic Banking Business of Financial Institutions.
The agreement entered between an electronic payment institution and the financial institution holding the account on the service of payment via agreed linked deposit account shall contain the following particulars. However, the preceding provision does not apply when the financial institution holding the account is an institution engaging concurrently in electronic payment business or Chunghwa Post Co, Ltd.:
1.The scope, manner and procedure of agreed linked deposit account operation;
2.The content of payment deduction instruction and the manner of giving such an instruction;
3.Method for handling dispute;
4.Method for handling irregular transaction flow;
5.Distinction of sources of payment deduction instructions;
6.Other important rights and obligations of the parties and method of cost sharing;
7.Method for handling user denial of agreed linkage;
8.Obligations of the user's bank to check the agreed data and notify the user after completing fund transfer; and
9.Other items prescribed by the competent authority.
The agreement entered between an electronic payment institution and a dedicated deposit account bank on the service of payment via agreed linked deposit account shall contain items provided in Subparagraphs 1 ~ 6 and 9 of the preceding paragraph. However, the preceding provision does not apply when the dedicated deposit account bank is an institution engaging concurrently in electronic payment business or Chunghwa Post Co, Ltd.
When an electronic payment institution adopts indirect link mechanism to provide the service of payment via agreed linked deposit account, the institution may agree to observe the rules or operating requirements of the financial information service enterprise or clearing house that contain items provided under Paragraph 3 hereof in lieu of entering an agreement with the financial institution holding the account.
When an electronic payment institution provides automatic deposit of stored value funds service through the agreed linked deposit account, the institution shall agree with the user on the limits of automatically deposited funds per deposit and per day, and provide a mechanism for the user to adjust such limits and stop the automatic deposit.
When an electronic payment institution refunds funds received from a user, it shall, depending on the payment method originally used by the user, return the funds into the user's original e-payment account, original deposit account or original credit card account.
Except where the funds were originally paid by the user via a credit card, an electronic payment institution that is approved to engage in the business accepting deposits of funds as stored value funds may convert the refunds under the preceding paragraph into stored value funds as agreed with the user, where the balance of stored value funds is still subject to the provisions of Paragraph 1, Article 15 of the Act.
Where an electronic payment institution is unable to carry out refunds according to the preceding two paragraphs, the institution should agree with the user on a deposit account of the user that may be used for the refund operation and transfer the relevant funds into said deposit account without making the refund in cash.
Electronic payment institutions may not set a time limit for the users to use their funds.
Electronic payment institutions may not offer users overdraft service or loans or other credit lines for their e-payment accounts. Nor shall an electronic payment institution make advances for a user when the amount of payment instructed by the user exceeds the balance in his/her e-payment account.
Electronic payment institutions shall bear the burden of proof in dispute over fraudulent transaction involving e-payment account, and shall bear the loss arising from the transaction if the user is not found at fault.
When the contractual relationship between a user and an electronic payment institution is terminated or ceases to exist, the electronic payment institution should return the balance of withdrawable funds of the user within a reasonable period of time.
When the electronic payment institution returns funds according to the preceding paragraph, it may not pay in cash, but shall transfer the returned funds into a deposit account of the user.
When a specialized electronic payment institution or an electronic stored value card issuer that engages concurrently in electronic payment business obtains full guarantee from a bank for the stored value funds deposited by users less the required reserve and for the amount of funds collected/paid as an agent in accordance with Article 20 of the Act, the bank that signs the performance guarantee agreement shall meet the following requirements:
1.The bank's ratio of regulatory capital to risk-weighted assets in the most recent quarter as reported to the competent authority complies with Article 5 of the Regulations Governing the Capital Adequacy Ratio of Banks;
2.The bank's average non-performing loan ratio in the past three months is below 2%; and
3.The bank does not have consecutive accumulated deficit in the past two years as audited and certified by an accountant.
If an electronic payment institution finds that a user's ID or e-payment account password is missing or stolen or there are other substantial evidences suggesting that a user's e-payment account may be or has been used without authorization, the electronic payment institution should suspend further processing of said user's e-payment account and notify said user the same.
In case a user has any of the following circumstances, an electronic payment institution may suspend all or part of its business services available to the user; if the circumstance is of serious nature, the electronic payment institution should immediately terminate the contract entered with the user:
1.The user refuses to cooperate in verifying or re-verifying his/her identity.
2.There is concern that the user may have provided false identity information.
3.Substantial evidence shows that the user uses his/her e-payment account to engage in fraudulent activities, money laundering or other illegal activities, or the user is suspected of engaging in such illegal activities.
An electronic payment institution that terminates the contract entered with a user pursuant to Subparagraph 2 or 3 of the preceding paragraph shall report the matter to the Joint Credit Information Center ("JCIC")
In conducting electronic payment business, an electronic payment institution shall comply with the Money Laundering Control Act and relevant regulations, establish the following measures, draw up money laundering prevention guidelines and procedures in accordance with Article 6 of the Money Laundering Control Act and file same with the central competent authority in charge of the industry for record:
1.Establishing electronic surveillance mechanism to automatically monitoring and analyzing suspicious money laundering transactions.
2.Establishing mechanism for handling transactions that show signs of money laundering activities.
3.Dutifully retaining necessary transaction records.
4.Designating a specific unit to take charge of drafting money laundering prevention policies and internal control procedures.
5.Periodically conducting anti-money laundering audit.
Chapter 5 Supervision and Administration of Electronic Payment Institutions
Specialized electronic payment institutions that set up a new business location shall, within 5 business days from the date of setup, report the date of setup, address, and scope of business of the new outlet to the competent authority for record. The preceding provision applies to the relocation or closing of business locations.
The information system and security management operation of an electronic payment institution for its electronic payment business shall comply with the regulations prescribed by the competent authority pursuant to Paragraph 2, Article 29 of the Act, and shall be examined by an accountant with an evaluation report on the information system and security management operation produced at the time the electronic payment institution submits its application for approval and before the end of April each year thereafter.
The information system and its backup system for the electronic payment business of specialized electronic payment institutions shall be set up within the territory of the Republic of China.
Where a specialized electronic payment institution plans to outsource part of its electronic payment business to a third party, it shall obtain the prior approval of the competent authority.
When a specialized electronic payment institution outsources its business items stated in its business license or operations relating to users' information, the outsourcing shall be limited to the following:
1.Collection of funds paid by users in cash; notwithstanding the foregoing, the outsourced service provider must be an entity already approved by the competent authority to provide such service.
2.Safekeeping and transport of cash payments received from users.
3.Data processing: Including the data entry, processing, and output of information system, the development, monitoring, control, and maintenance of information system, and logistical support for data processing in connection with the business of the electronic payment institution.
4.Safekeeping of documents such as forms, statements and certificates.
5.User services, including automated voice systems, reply to and handling of user's e-mails, inquiries of and assistance in matters related to the electronic payment business.
6.Engaging an offshore outsourced service provider to perform the identity verification operation of offshore users.
7.Other operations approved by the competent authority for outsourcing.
Electronic payment institutions shall comply with the following rules when outsourcing their operations:
1.An electronic payment institution shall adopt internal operating systems and procedures covering the scope of matters that can be outsourced, protection of user rights and interests, risk management, and internal control principles, and those operating systems and procedures and any subsequent revisions thereto shall be approved by the board of directors
2.An electronic payment institution shall make sure the outsourced service providers meet its requirements for operational security and risk management.
3.An electronic payment institution shall demand that its outsourced service providers comply with the mandatory or prohibitory provisions of laws.
4.An electronic payment institution shall demand that its outsourced service providers agree to give the competent authority and the Central Bank access to data or reports relating to the outsourced operations and allow them to conduct financial examination.
5.An electronic payment institution shall be held jointly liable as provided by law for users whose interests are damaged by the intentional act or negligence of an outsourced service provider or its employees.
A dual-status electronic payment institution that outsources its business items involving electronic payment business or operations relating to user s' information shall comply with the provisions in Paragraph 2 hereof with respect to the scope of outsourcing, and in addition, comply with the regulations governing the outsourcing of its core business operations.
Specialized electronic payment institutions shall not invest in other enterprises, unless it is a subsidiary that the investment in which has been approved by the competent authority, the business of the subsidiary is closely related to that of the issuer, and in which the issuer holds more than fifty percent (50%) of the issued shares of the subsidiary.
The total investment made by a specialized electronic payment institution shall not exceed 10 percent of the balance of its paid-in capital at the time of investment less the minimum paid-in capital as stipulated under the Act and accumulated loss.
Specialized electronic payment institutions shall establish internal guidelines for the utilization of own funds and submit the guidelines and subsequent revisions thereto to the board of directors for approval.
Specialized electronic payment institutions may not provide guarantees for others.
If deemed necessary, the competent authority may set limits to the debt ratios of a specialized electronic payment institution.
Electronic payment institutions shall file periodic reports on their electronic payment business with JCIC.
JCIC will determine the scope of information to be reported and inquired by electronic payment institutions and rules for the filing and inquiry operations, fee schedule, operations management, data disclosure deadline, information security management, and audit procedures, and submit same to the competent authority for approval.
JCIC's activities of collecting, processing or using information reported by electronic payment institutions according to Paragraph 1 hereof are considered necessary for fulfillment of the legal obligation provided under Subparagraph 2, Paragraph 2, Article 8 of the Personal Information Protection Act and hence are exempted from giving notice provided under Paragraph 1, Article 9 of the Personal Information Protection Act.
Electronic payment institutions shall ensure the information reported and disclosed according to Paragraph 1 hereof is accurate and free of false statement or representation.
Electronic payment institutions that apply for approval to conduct other businesses pursuant to Paragraph 1, Article 3 of the Act shall submit a business plan to the competent authority for approval.
The business plan in the preceding paragraph shall contain the following particulars:
1.Purpose for conducting such business;
2.Agreements or templates therefor among relevant parties regarding their respective rights and obligations;
3.Business rules, business processes and risk management; and
4.Market prospects, and risk/benefit evaluation.
Where an electronic payment institution plans to terminate part of its business, it shall apply to the competent authority for approval by submitting a plan.
Where an electronic payment institution plans to suspend part of its business operations, it shall submit a plan which describes the duration of suspension and other necessary information to the competent authority for approval. The electronic payment institution shall also report to the competent authority for record when it plans to resume the business operation at a later date.
The plans in the preceding two paragraphs shall contain thefollowing particulars:
1.The reason for the planned termination or business suspension; and
2.A concrete description of how the rights and obligations of existing users will be handled or alternative methods for providing services.
A specialized electronic payment institution having any of the situations below shall report to the competent authority for prior approval:
1.Change of articles of incorporation.
2.Undergoing merger or acquisition.
3.Transferring all or major part of operations or assets to others.
4.Receiving the transfer of all or major part of operations or assets from others.
5.Change of capital.
6.Change of business place.
7.Other matters that require prior approval as prescribed by the competent authority.
A specialized electronic payment institution having any of the following situations shall report to the competent authority within one day after becoming aware of the event by stating the particulars of the event and providing related information, and send a copy of the same to the Central Bank of the ROC:
1.Filing a petition with a court for reorganization or filing for or being filed for declaration of bankruptcy by itself or by a stakeholder.
2.Engaging in business equivalent to businesses under the subparagraphs of Paragraph 1, Article 3 of the Act by itself or in cooperation with a foreign institution outside the ROC, whereas the local government takes any of the following actions:
(1)Revoking, suspending or terminating the business permit of the electronic payment institution or the foreign institution.
(2)Disallowing the electronic payment institution or the foreign institution to continue its business operations or halting its business operations.
3.The securities or other financial products invested by the specialized electronic payment institution using the stored funds pursuant to Paragraph 3, Article 21 of the Act are cancelled or seriously impaired in value.
4.Transfer of equity or change of equity structure involving more than ten percent (10%) of its ownership.
5.Having the incidence of bounced check due to insufficient funds, being denied services by banks, or having other events that cause loss of good credit standing.
6.Having a litigious or non-litigious event, or an administrative disposition or administrative lawsuit that has material impact on the finance or business of the institution.
7.Having a situation provided in Subparagraph 1, Paragraph 1, Article 185 of the Company Act.
8.Having a fraud or material deficiency in internal controls.
9.Having an information security breach that results in damage to the interests of users or affects the sound operation of the institution.
10.An director, supervisor or managerial officer has any of the following situations:
(1)Being sentenced to imprisonment for the offense of forging instruments or seals, counterfeiting currency or valuable securities, misappropriation, fraud or breach of trust.
(2)Being sentenced to imprisonment for violating the Banking Act, Financial Holding Company Act, Trust Enterprise Act, Act Governing Bills Finance Business, Financial Assets Securitization Act, Real Estate Securitization Act, Insurance Act, Securities and Exchange Act, Futures Trading Act, Securities Investment Trust and Consulting Act, Foreign Exchange Control Act, Credit Cooperatives Act, Agricultural Finance Act, Farmers' Association Act, Fishermen's Association Act, Money Laundering Control Act or other laws regulating financial activity.
11.Other significant events that are sufficient to affect the operations of the electronic payment institution or the interests of its shareholders or users.
Chapter 6 Supplemental Provisions
These Rules shall be in force on May 3, 2015.
The amended provisions of these Regulations shall be in force on the date of implementation.