Principal Laws and Regulations

The principal laws and regulations governing the Taiwan banking sector include:

• the Banking Act;
• the Financial Holding Company Act;
• the Central Bank of the Republic of China (Taiwan) Act;
• the Regulations Governing Foreign Exchange Business of Banking Enterprises and the foreign exchange control-related laws and regulations;
• the Consumer Protection Act; 
• the Financial Consumer Protection Act; and 
• other related laws and regulations. 

Moreover, for banks concurrently conducting other business such as acting as a trust enterprise or electronic payment institutions, the relevant laws and regulations governing such business also apply.

The Banking Act and the Financial Holding Company Act

The Banking Act is the primary law governing the Taiwan banking industry and provides rules for conducting banking business, including: 

• the setting-up and dissolution of banks;
• the scope of banking business;
• compliance requirements for banks’ business, finance, internal control and other matters; and
• administration and supervision by the regulator, etc. 

For banks that are subsidiaries of financial holding companies, another major law is the Financial Holding Company Act, which governs the establishment, business, finance, administration and supervision of financial holding companies. 

The Central Bank of the Republic of China (Taiwan) Act, the Regulations Governing Foreign Exchange Business of Banking Enterprises and the foreign exchange control-related laws and regulations

This legislation governs foreign exchange-related activity, which is regulated by the Central Bank of the Republic of China (Taiwan) (CBC). Such laws and regulations also govern banks’ business operations involving foreign exchange. For example, the Regulations Governing Foreign Exchange Business of Banking Enterprises cover the scope of (among others):

• foreign exchange business;
• requirements for managing foreign exchange business; and
• administration and supervision by the regulator. 

The Consumer Protection Act and the Financial Consumer Protection Act

The Consumer Protection Act provides the general rules and requirements for the protection of the interests of all consumers, and the Financial Consumer Protection Act focuses on the protection of consumers who deal with banks and other financial institutions. Among other matters, the Financial Consumer Protection Act provides requirements regarding:

• the advertising of financial products and services;
• contracts with consumers; and
• the procedures for financial consumer dispute resolution, in order to reasonably and effectively handle financial consumer disputes.

Regulators – Financial Supervisory Commission (FSC) and CBC

The FSC and the CBC are the major regulatory authorities regulating banks in Taiwan.

The FSC is the primary competent authority regulating the financial markets and financial institutions in Taiwan. It determines financial policy, issues regulations and rules, conducts financial examinations and supervises financial institutions. The FSC has four bureaux: 

• the Banking Bureau;
• the Securities and Futures Bureau;
• the Insurance Bureau; and 
• the Financial Examination Bureau. 

While the FSC regulates financial markets and financial institutions generally, the Banking Bureau focuses on the banking sector, and the Financial Examination Bureau is in charge of financial examination of all financial institutions regulated by the FSC.

The CBC sets monetary policy for regulating the availability of money and credit. It also regulates foreign exchange activities and business, and conducts examinations of banks.

Types of Licences

According to the Banking Act, banks in Taiwan are categorised into three different types based on the main operations and purposes of the bank: 

• commercial banks;
• banks for a special business purpose; and
• investment and trust companies. 

Commercial banks are the major and most common type of bank in Taiwan, and their principal function is to accept deposits and extend loans. Banks for a special business purpose are established primarily to facilitate the extension of specialised credit, such as:

• agricultural credits;
• export-import credits;
• credits for medium and small-sized enterprises; and
• real estate credits.

However, as such functions may also be performed by commercial banks, the establishment of banks for special business purposes has been declining gradually, and most such banks have transformed into commercial banks. 

Investment and trust companies act as trustee to accept, operate, manage and employ trust funds and manage trust properties, or act as an investment broker to invest in funds and capital markets for specific purposes. There is currently no investment and trust company, as all such companies have transformed or merged into commercial banks. Therefore, the following discussion will focus on commercial banks.

In addition, in order to support and promote international financial activities, banks may apply to the FSC and CBC for a licence to establish offshore banking units, which can engage in foreign currency-denominated financing business in Taiwan without being subject to foreign exchange-related regulations.

Also, apart from traditional banks with physical branches, the FSC has agreed to the establishment of three online-only banks, which commenced business in 2021 and 2022.

Services and Restrictions on Licensed Banks’ Activities

According to Article 71 of the Banking Act, the main business activities of a commercial bank include:

• accepting deposits;
• issuing bank debentures;
• investing in securities;
• handling domestic and foreign remittances;
• offering loans and credit;
• providing guarantees; and
• acting as the agency bank in related banking business.

Besides the normal scope of services set forth in the Banking Act, a bank may also concurrently conduct other business upon the approval of the FSC. For instance, a bank may concurrently operate:

• trust enterprise business;
• insurance agent or insurance broker business;
• financial advisory services; and
• electronic payment business.

Statutory and Other Conditions for Authorisation

The statutory restrictions on and implications of authorisation can be found in three major aspects: 

• the paid-in capital;
• responsible persons of the bank; and 
• the ownership.

The minimum paid-in capital requirement for establishing a commercial bank is NTD10 billion (approximately USD310 million), and the contribution must be made in cash only.

According to the Regulations Governing Qualification Requirements and Concurrent Serving Restrictions and Matters for Compliance by the Responsible Persons of Banks, the general restrictions and requirements for the responsible persons of a bank include that the person must:

• not have been sentenced to imprisonment for certain financial crimes or in violation of financial regulations;
• not concurrently hold positions that may incur a conflict of interest; and
• have adequate knowledge, capability and experience in banking business.

A person must obtain the FSC’s approval before they acquire more than 10%, 25% or 50% of the issued voting shares of a bank. There is no restriction on foreign ownership and the FSC is generally receptive to foreign investors. However, PRC investors are subject to the PRC ownership restriction and a different approval process. 

Applying for Authorisation – Timelines, Costs and Engagement with the Regulators

According to the Standards Governing the Establishment of Commercial Banks, the major steps and regulatory approvals generally required for the establishment of a bank are as follows.

• Firstly, the founders of the bank should subscribe up to 80% of the total paid-in capital of the bank at the time of initiation. 
• Secondly, the founders are required to submit an application for the FSC’s approval. The application documents should include:
1. a business plan;
2. the founder’s qualification declaration;
3. the source of funds;
4. the articles of association; and
5. the paid-in capital and equity instruments of the bank. 
• After the establishment is approved by the FSC and within three months of completing the incorporation registration with the Ministry of Economic Affairs, the bank should apply to the FSC for its business licence. The licence fee is one four-thousandth of the total capital specified in the articles of association of the bank.

During the establishment process of the bank, the FSC or another competent authority may designate its personnel to examine the matters relevant to the bank establishment, and may order the applicant to provide certain supporting documents or make explanations at any time. Also, the FSC may decide not to issue the business licence to the bank if:

• the bank’s shareholders, directors, supervisors or managers do not meet the requirement;
• the bank fails to complete preparation before the start of business; or
• any condition that the FSC deems might lead to unsound and inefficient business operations of the bank occurs.

Common Ancillary Activities of Banks in Taiwan

According to Article 3 of the Banking Act, business activities of a bank also include (among others):

• managing trust funds under entrustment;
• discounting bills and notes;
• investing in securities; and
• trading in foreign currencies.

Each business activity conducted by a bank must be approved by the FSC and specified in the business licence.

The FSC has permitted banks to conduct wealth management businesses for high-asset customers since 2020. For continuing the promotion of the wealth management business towards local high asset customers, the FSC further issued a letter in 2022 allowing qualified banks in Taiwan to carry out trust investment services for high-asset customers through the trust licence, by using the entrusted assets to invest in an offshore fund that does not have the nature of a securities investment trust fund.

European Passport

There is no similar concept under Taiwan law.

Change in Control, Shareholding Thresholds and Other Restrictions

An investor in a bank would be subject to reporting requirements and/or the FSC’s prior approval if its stake reaches a certain level. 

If an investor and their spouse and children under 18 years of age (if any) in aggregate hold 1% or more of the voting shares in a bank, such investor must notify the bank of this. 

A report to the FSC will be required if an investor (together with their related parties provided under the Banking Act) acquires or holds more than 5% of the voting shares of a bank. Any subsequent change in the shareholding by more than 1% is also required to be reported to the FSC. 

A person (together with their related parties) must obtain the FSC’s approval before their acquisition of 10%, 25% or 50% of the issued voting shares of a bank. 

In addition, the shares held by a third party for or on behalf of the investor or their related parties in trust, by mandate or through other types of contract, agreement or authorisation should be aggregated with the shareholdings held by such investor or the related parties. 

Regulatory Filings and Related Obligations

The application documents sent to the FSC for the acquisition of 10% or more of the issued voting shares of a bank should include documents and information regarding: 

• the investor’s existing shareholding;
• the proposed acquisition;
• the source of funds; and 
• other documents and information that may be required by the FSC on a case-by-case basis. 

Additional documents and information would be required in an application for the acquisition of 25% or 50% of the issued voting shares of a bank, including documents and information regarding the following. 

• In an application for a 25% acquisition:
1. the investor’s business and finance conditions by which the investor may improve the soundness of the operation of the bank and its management strategy;
2. the investment structure;
3. an evaluation of the effect on the bank’s business and finance condition within three fiscal years after the acquisition; and
4. the CPA-audited financial statements of the investor (including their related parties) or alternative financial information for the last three fiscal years.
• In an application for a 50% acquisition, in addition to the aforementioned application documents required for a 25% acquisition:
1. a business plan;
2. the proposed management team; and 
3. protection of the bank’s employees’ interests.

Ongoing Requirements Regarding Supervision

Once an investor (together with their related parties provided under the Banking Act) acquiring or holding more than 5% of the voting shares of a bank has reported to the FSC, any subsequent change in the shareholding by more than 1% is also required to be reported to the FSC.

Relevant Statutory and Regulatory Requirements

In addition to the board of directors, a bank must set up an audit committee comprised of its independent directors to review important matters and transactions (including related parties’ transactions). Also, according to the Banking Act and the Implementation Rules of Internal Audit and Internal Control System of Financial Holding Companies and Banking Industries, a bank should establish an internal audit system and internal control system comprising three main elements: 

• a self-inspection system; 
• a legal compliance system; and 
• a risk management mechanism to ensure effective corporate governance. 

The internal control system of a bank should be approved by its board of directors. It should cover all banking business activities and incorporate five major components.

The first element and the basis for the implementation of an internal control system is the “control environment”, which encompasses: 

• the integrity and ethical values of the bank;
• the supervision responsibilities of the directors and supervisors;
• the organisational structure;
• the assignment of authority and responsibility;
• human resources policies;
• performance measurements;
• awards and discipline; and 
• the code of conduct for all directors and employees. 

Secondly, the internal control system should adopt a “risk assessment” procedure, the results of which can assist the bank in designing, correcting and implementing the necessary controls in a timely manner.

Thirdly, the internal control system should include various “control operations”, namely to implement proper policies and procedures at all levels, business processes and subsidiaries of the bank based on the risk assessment results to control risks.

Fourthly, the internal control system should ensure an effective internal and external “information sharing and communication” mechanism.

Last but not least, the bank should constantly “monitor” all operations. Any findings of deficiencies by the internal control system should be reported to the appropriate management levels.

To implement the internal control system, a bank should establish an internal audit unit and have sufficient and competent personnel as full-time internal auditors performing internal control duties independently and impartially. The internal audit unit is directly under the board of directors, and is required to report its audit matters to the board of directors and audit committee at least every six months.

In addition, a bank should appoint a chief auditor to manage all audit matters. The chief auditor is not allowed to take a job that will cause conflicts or limitations to the audit work. The employment, dismissal or transfer of the chief auditor should be approved by the consent of the majority of audit committee members as well as by the consent of more than two thirds of the board of directors, and should be reported to the FSC for ratification.

According to the Banking Act, a bank that fails to establish or diligently implement the internal control and audit systems should be subject to an administrative fine of between NTD2 million and NTD50 million.

Voluntary Codes and Industry Initiatives

The Bankers Association of Taiwan (BA) may issue various disciplinary rules based on the authorisation of the applicable laws and regulations. Such rules should be submitted to the FSC for ratification. A bank that fails to meet the requirements under the disciplinary rules would be deemed by the FSC as failing to establish or diligently implement the internal control and audit systems, and should be subject to the administrative fine as mentioned above.

Diversity Requirements

According to the Corporate Governance Best Practice Principles for TWSE/TPEx Listed Companies, the composition of the board of directors of a listed company is recommended to take diversity and basic values such as gender, age, nationality and culture into consideration; it is also advisable that the number of female directors account for at least one third of all the directors. The FSC also encourages banks to have an appropriate number of female directors.

Bankers’ Oath or Equivalent Binding Rules of Conduct for Bank Employees

Under the Implementation Rules of Internal Audit and Internal Control System of Financial Holding Companies and Banking Industries, the board of directors of a bank should adopt its code of conduct for employees. Further, according to the Internal Control Operation Principle Related to Preventing Financial Consultants from Misappropriating Customers’ Funds issued by the BA, a bank should conduct due diligence when hiring new financial consultants and establish appropriate mechanisms to understand the employee’s character, expertise, credit score and financial position. Additionally, the code of conduct for financial advisors adopted by the bank should stipulate that employees are not allowed to keep customers’ seals, stamps or passbooks, nor should they engage in unauthorised transactions or improper solicitation.

Directors’ and Senior Managers’ Designation, and the Regulatory Approval of Appointments

The Banking Act and the Regulations Governing Qualification Requirements and Concurrent Serving Restrictions govern the designation of the responsible persons of a bank (including board members and senior managers). Generally, the responsible persons of a bank should have good moral character and full competence for serving in their positions, and must not have been sentenced to imprisonment for certain crimes. 

Chairperson of Board of Directors, and Directors

Directors of the bank are elected by shareholders. Although it is not required to obtain prior approval from the FSC to be nominated or elected as the director of the bank, the FSC has stipulated relevant requirements to ensure that the chairperson of the board and the directors are capable of managing and operating a bank. 

In the supervision of chairpersons and directors, one of the FSC’s main focuses is the restriction on holding concurrent positions. The chairperson may not concurrently act as the general manager of the same bank nor act as the chairperson of another financial institution (bank, financial holding company, insurance company, securities firm, etc), nor may they act as the chairperson, general manager or equivalent role of a non-financial institution, unless otherwise approved by the FSC. If the chairperson is allowed to hold concurrent positions in other companies, they must ensure that all positions are managed effectively, without any conflict of interest. 

In addition – except for banks that are 100% owned by the government or a single corporate shareholder – at least two of the directors of the bank must meet any of the following qualifications: 

• having at least five years’ banking experience and having served as a vice-manager or higher or equivalent position of the bank’s head office;
• having three years’ banking experience and having served as a manager or higher or equivalent position of the bank’s head office; or 
• having five years’ experience of working in financial administration or management, and having held the position of civil service-recommended appointment grade eight or higher, or equivalent, with a good performance record. 

The minimum number of directors required to meet said qualifications would increase according to the total number of directors and the total assets held by the bank.

Senior Managers

The general manager of the bank must meet any of the following qualifications: 

• having a bachelor’s degree or an equivalent degree with at least nine years’ banking experience, and having served at least three years in a management position; or 
• having at least five years’ banking experience and having served as a vice-general manager or higher or equivalent position for at least three years, with a good performance record. 

The relevant qualification documents should be submitted to the FSC for approval before the appointment of the general manager of a bank. 

Other senior managers, such as a vice-general manager, assistant vice-general manager or manager, are subject to other applicable qualification requirements regarding experience and expertise.

Directors’ and Senior Managers’ Roles and Accountability Requirements

The board of directors shall be responsible for the bank’s overall business strategies and major policies, supervising the senior managers, and shall be accountable to all shareholders. The board of directors is also responsible for the implementation and supervision of the bank’s internal control system. 

Senior managers are appointed by and under the supervision of the board of directors. The general manager is responsible for handling the general operation of a bank. Other senior managers are delegated certain authority to assist the general manager in managing and operating the bank. 

Individuals Subject to Remuneration Requirements

According to the Corporate Governance Best-Practice Principles for Banks issued by the BA and ratified by the FSC, banks in Taiwan are advised to establish a remuneration committee led by and consisting of independent directors. In practice, all banks in Taiwan have independent directors serving on the board of directors, and most banks have set up a remuneration committee, whose primary responsibility is to establish performance appraisal standards and remuneration standards for managers and salespersons, as well as the remuneration structure and system for directors.

Relevant Remuneration Principles

The remuneration standard and payment should be based on performance, and adjusted considering future risks and the long-term profitability challenges facing the banking industry and shareholders’ interests to avoid inappropriate loss to the bank. Moreover, a significant proportion of a remuneration reward should be paid in deferred or equity-related payment. Also, when assessing the contribution of individual directors, managers and employees, an overall assessment of the banking industry should be carried out to clarify that such profits are not due to advantages such as the lower capital cost of the banking industry. 

The remuneration system should not incentivise directors, managers and employees to engage in acts that exceed the risk appetite of the banking industry in order to pursue remuneration. Last but not least, the remuneration system and performance should be reviewed regularly.

Regulators’ Supervisory Approach

A bank is required to disclose the remuneration of directors, supervisors, general managers, vice-general managers, chairpersons of the board and general managers rehired as consultants by disclosing the aggregate remuneration information (with the name(s) indicated for each remuneration bracket), or to disclose the name of each individual and the corresponding remuneration amount (as applicable) in its annual report.

Consequences of Breaching the Requirements

A bank that fails to comply with the disclosure requirement for the annual report should be subject to an administrative fine of between NTD500,000 and NTD10 million.

Principal Laws and Regulations

In Taiwan, the primary regulators for anti-money laundering (AML) and countering terrorism financing (CTF) are the Investigation Bureau under the Ministry of Justice (IBMOJ) and the FSC. The FSC has promulgated specific regulations governing AML and CFT in the banking sector, including:

• the Regulations Governing Anti-Money Laundering of Financial Institutions; and
• the Regulations Governing Internal Audit and Internal Control System of Anti-Money Laundering and Countering Terrorism Financing of Banking Business and Other Financial Institutions.

Know-Your-Customer (KYC) Requirements

Firstly, a bank should conduct due diligence on both new and existing customers, taking a risk-based approach. The bank should properly identify and verify the identity of the customer as well as its beneficial owner, and should keep records on all relevant information. In particular, when the customer is a juristic person, the bank should understand the business nature, equity structure and controlling person of the customer. 

Under a higher-risk circumstance, the bank should conduct enhanced customer due diligence. For ongoing customer due diligence, the bank should regularly update all information at least once a year to ensure that the business relationship with the customer is consistent with the bank’s risk profile. The bank should also understand the customer’s source of funds when necessary. 

In addition, the bank should verify the identity of the customer and keep relevant records of large cash transactions, as well as report such transactions to the IBMOJ, with certain exceptions for government departments and fund arrangements between financial institutions. 

Suspicious Activity and Transaction Reporting

The bank should report all suspicious transactions to the IBMOJ, including attempted transactions. When reporting to the IBMOJ, the bank should use the Suspicious Activity Report (SAR) form prescribed by the IBMOJ, covering the following information: 

• the transaction details (eg, the type, currency and amount of the transaction); 
• a statement of the reason for suspicion, including who, what, when and where; and 
• the warning signs of money-laundering activities. 

If a transaction triggers the red flags (see below), it should be reviewed under the risk-based assessment to decide whether it is a SAR transaction. If the financial institution holds the view that such red-flagged transaction has nothing to do with any AML and CTF activity based on the relevant facts and its assessment, it is not required to report the transaction to the IBMOJ. However, it must retain records of the determination and assessment of such transaction.

The BA has implemented the red flags list for suspicious money-laundering and terrorism-financing transactions, though such items are not exhaustive in their coverage. To identify a red flag transaction concerning potential money laundering/terrorism financing, a bank should select or create suitable red flags based on its:

• assets scale;
• geographic areas;
• business profile;
• customer-base profile;
• characteristics of transactions;
• internal money-laundering/terrorism-financing risk assessment; or
• information on daily transactions.

DGS Requirements, and Administrator of the DGS

The Deposit Insurance Act mainly governs the depositor protection regime in Taiwan. The Central Deposit Insurance Corporation (CDIC) was established on 27 September 1985 and is responsible for the management of the deposit insurance system. The CDIC implements a deposit insurance mechanism pursuant to which the CDIC provides compensation to depositors within the maximum insured amount of NTD3 million, in order to protect the rights and interests of depositors and to maintain financial stability in the event of a financial institution being ordered to cease operations by the FSC. 

Classes of Deposits Covered by the Depositor Protection Scheme

Currently, the following deposits are covered by deposit insurance:

• checking accounts; 
• demand deposits; 
• time deposits; 
• deposits required by law to be deposited in certain financial institutions; and
• any other deposits approved by the FSC.

Limits on the Amount of the Depositor Protection Scheme

If an insured institution is ordered to cease its business operations or is unable to pay off its deposits, the CDIC compensates each depositor for up to NTD3 million, including principal and interest. 

Funding of the Depositor Protection Scheme

The share capital of the CDIC is provided by the Ministry of Finance, the CBC and the insured financial institutions. The total capital provided by the Ministry of Finance and the CBC exceeds 50%. Financial institutions duly authorised to take deposits must take part in deposit insurance provided by the CDIC, and must pay premiums for deposit insurance. 

Adherence to Basel III Standards

The principal rule regarding the capital adequacy of a bank is contained in the Regulations Governing the Capital Adequacy and Capital Category of Banks, which adopted a number of elements of the Basel III framework. 

Risk Management Rules

A bank is required to self-assess its capital adequacy and to establish its strategy for maintaining its capital adequacy. Based on a bank’s self-assessment, the FSC may request that a bank improve its risk management. If the bank fails to comply with such request, the FSC may order the bank to adjust its regulatory capital and risk-weighted assets, or to submit a capital restructuring plan within a certain period.

Capital Requirements

The minimum paid-in capital for establishing a commercial bank in Taiwan is NTD10 billion. The promoters of the bank should subscribe up to 80% of the total paid-in capital of the bank, and the remaining shares should be publicly offered; the capital contribution should be made in cash. 

Subject to certain exceptions, a branch of a foreign bank in Taiwan must allocate a minimum operating capital of NTD250 million if the Taiwan branch plans to conduct retail deposit business.

Capital Adequacy Requirements

The current capital adequacy requirements are generally in line with the standards under the Basel III framework, including:

• Common Equity Tier 1 Ratio (ie, net Common Equity Tier 1 divided by total risk-weighted assets) of 7%;
• Tier 1 Capital Ratio (ie, net Tier 1 Capital divided by total risk-weighted assets) of 8.5%; and
• Total Capital Adequacy Ratio (ie, aggregate amount of net Tier 1 Capital and net Tier 2 Capital divided by total risk-weighted assets) of 10.5%.

Countercyclical Capital Buffers

To enhance the risk-bearing capacity and international competitiveness of domestic banks, the FSC has authorised the implementation of countercyclical capital buffers. The FSC will consult with the CBC and other relevant authorities, when necessary, to impose on banks an additional provision of a countercyclical capital buffer of up to 2.5%.

Liquidity Requirements

To enhance banks’ short-term liquidity recovery ability, the FSC implemented the liquidity coverage ratio (LCR) framework in 2015. The LCR is calculated by dividing a bank’s high-quality liquid assets by its total net cash flows over a 30-day period. Since 1 January 2019, banks incorporated under the laws of Taiwan must maintain an LCR of at least 100%. 

The LCR requirement is not applicable to a branch office of a foreign bank in Taiwan. However, a foreign bank applying to establish a branch office in Taiwan must specify the liquidity risk management framework adopted by the head office and the liquidity risk management measures applicable to the Taiwan branch.

Additional Requirements for Systemically Important Banks

In 2019, the FSC announced the supervisory measures for systemically important banks in Taiwan, which are required to meet 4% additional capital buffer requirements with their Common Equity Tier 1 capital in the four years after designation. The 4% additional capital buffer includes a 2% additional regulatory capital buffer and a 2% bank’s internal capital buffer.

Systemically important banks in Taiwan are required every year to submit their contingency action plans for dealing with situations where the capital is not sufficient. They are also required to conduct and report two-year stress test results to the FSC.

Six banks are currently designated as systemically important banks: 

• CTBC Bank;
• Cathay United Bank;
• Taipei Fubon Commercial Bank;
• Mega International Commercial Bank;
• Taiwan Cooperative Bank; and 
• First Commercial Bank.

Principal Means of Resolving a Failing Bank

The FSC may take over a bank if:

• there is a concern that a bank might not be able to pay its debts when due or there might be a detriment to the depositors’ interests because of obvious deterioration in the bank’s business or financial condition; 
• a bank’s capital is graded as being seriously inadequate and 90 days have lapsed since the date the bank was so graded (however, if a bank is ordered by the FSC to undertake capital restructuring or a merger within a prescribed period and fails to do so, the 90 days should be calculated from the day subsequent to the prescribed period); or
• the losses of a bank exceed one third of the bank’s capital and the bank fails to make up such deficit within three months. 

If the FSC places a bank in receivership, the duties and powers of the bank’s shareholders’ meeting, board of directors, directors, supervisors and audit committee shall be suspended. The receiver appointed by the FSC has the power to manage the bank’s business and to dispose of the bank’s properties. 

The FSC has the power to resolve failing banks in an orderly manner. In local practice, seven banks were placed under receivership from 2006 to 2008. The FSC divided their assets into non-performing assets and other assets, and sold them separately. The non-performing assets were sold to asset management companies while the other assets were sold to other banks, with a certain amount of compensation agreed to be paid by the FSC. The depositors, employees and non-deposit creditors suffered little harm.

FSB Key Attributes of Effective Resolution Regimes

Following the crisis management guidance under the FSB Key Attributes of Effective Resolution Regimes, systemically important banks in Taiwan are required to annually submit their contingency action plans for dealing with situations where the capital is not sufficient. They are also required to conduct two-year stress tests and report the results to the FSC. However, there is no special resolution regime for systemically important banks in Taiwan. 

Insolvency Preference Rules Applicable to Deposits

If the failing bank is ordered by the FSC to cease its business operations, deposit debts shall precede non-deposit debts.

To enhance environmental, social and governance (ESG) information disclosure, the annual report of a bank should specify how it supports sustainable development. If the bank is listed on the Taiwan Stock Exchange or the Taipei Exchange, the annual report should also disclose any deviation from compliance with the Sustainable Development Best Practice Principles for TWSE/TPEx Listed Companies. Under those Principles, listed companies are encouraged to report their carbon footprint, waste management practices, gender diversity, etc, to improve the availability of domestic ESG data for investors. 

The FSC has also promulgated:

• the Guideline on Financial Disclosure of Climate Risks for Local Banks, under which banks should disclose financial information on climate-related risks from 2023; and
• the Guideline for Preventing Greenwashing by Financial Institutions (the Greenwashing Prevention Guidelines) in May 2024.

The Greenwashing Prevention Guidelines stipulate five principles for financial institutions to implement for prevention of greenwashing. In particular, the statement issued by the financial institutions on sustainability should be:

• true and correct;
• supported by evidence that is sufficient, relevant and publicly verifiable when it is made; and
• reviewed and updated regularly.

In 2022, the FSC released the Financial Cybersecurity Action Plan 2.0, providing guidance on ensuring uninterrupted operation of the financial system and focusing on:

• strengthening information security supervision by competent authorities;
• strengthening information security governance of financial institutions; and
• improving the resilience of financial institutions’ information security operations.

Strengthening Information Security Supervision by Competent Authorities

According to the Implementation Rules of Internal Audit and Internal Control System of Financial Holding Companies and Banking Industries, banks should assign a manager, ranked vice-president or above, or an individual with equivalent powers to serve concurrently as the chief information security officer, who shall oversee the implementation and co-ordination of the information security policy as well as resource allocation.

A bank whose total assets of the previous year exceed NTD1 trillion should set up a dedicated information security office, and should appoint a person at a level higher than associate general manager (or equivalent function) as chief officer of such dedicated information security office.

Strengthening Information Security Governance of Financial Institutions

In 2019 and 2023, in response to the trend of applying technologies to financial operations, the FSC amended the Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation by establishing a risk-based cloud outsourcing management framework. Banks are required to assess the risk level, significance, and impact on operations and customer rights of outsourced matters, and to implement appropriate controls and risk-based measures.

According to the amendments, financial institutions should:

• adopt appropriate risk control measures, such as ensuring the diversity of cloud service providers;
• be ultimately responsible for the supervision of cloud service providers, and may engage professional third parties to assist in supervising the operations of the cloud service providers;
• adopt customer data encryption, tokenisation or other effective protection measures, and establish appropriate encryption key management mechanisms when transmitting and storing customer data with a cloud service provider;
• retain complete ownership of the data outsourced to cloud service providers for processing, and prevent the data from being used for purposes other than the outsourced operations;
• retain the right to designate the location for the processing and storage of the data;
• establish plans to respond to termination of an outsourcing agreement with cloud service providers; and
• basically store customer data of material, retail finance business information systems within the territory of Taiwan – if stored offshore, backups of important customer data should be retained in Taiwan unless otherwise approved by the FSC.

Artificial Intelligence (AI) Application

Following the release of the Core Principles and Related Promotion Policies for the Use of Artificial Intelligence (AI) by the Financial Industry in 2023, the FSC issued the Guidelines for the Use of Artificial Intelligence (AI) in the Financial Industry (the “AI Guidelines”) on 20 June 2024.

The AI Guidelines stipulate that, while using AI systems, financial institutions should implement the core principles based on risk and should assess the risk levels of using AI systems after considering various risk assessment factors. Financial institutions should also have supervisory measures when engaging third parties for introduction of AI systems, such as establishing appropriate data or system migration mechanisms in the event of termination. The core principles of the AI Guidelines are detailed in the corresponding six chapters.

Chapter I: Establish Governance and Accountability Mechanisms

Financial institutions should have a clear structure and risk management policies for managing AI systems. Internally, financial institutions should be able to clearly explain the operational logic of the system; externally, they should be able to communicate the overall policy and the individual/specific AI system-related information that the consumers may need to know.

Chapter II: Emphasise Fairness and Human-Centric Values

When using AI systems, financial institutions should assess fairness, avoid bias and prevent discrimination. For instance, if a financial institution uses generative AI developed by a third party while not being able to control the training process or to ensure fairness in data or results, the financial institution should still have its personnel manage and control the risks associated with the output information objectively and professionally.

Chapter III: Protect Privacy and Customer Rights

Financial institutions should protect customer privacy, avoid risk of data leakage and follow the principle of data minimisation to avoid collecting excessive or unnecessary sensitive information. Further, they should ensure that customers are able to choose whether to use AI services.

Chapter IV: Ensure System Robustness and Security

Financial institutions should ensure system robustness and security, establishing and implementing cybersecurity measures. When using AI systems developed or operated by third parties for financial services, appropriate risk management and supervision of such third-party vendors are necessary.

Chapter V: Implement Transparency and Explainability

Financial institutions should ensure the “transparency” of AI system operations. For example, financial institutions may proactively disclose information through reports, technical documents or website postings to inform stakeholders about their AI system practices. As to “explainability”, financial institutions should be able to clearly explain the logic of the AI systems operation.

Chapter VI: Promote Sustainable Development

Financial institutions should align their development strategies and implementation with sustainable development principles, such as reducing redundant hardware set-ups and saving energy when using AI systems. Appropriate education and training for employees should also be provided to help them adapt to new work environments.

The AI Guidelines should serve as a reference for financial institutions in the introduction, use and management of AI. According to the FSC, the AI Guidelines are administrative guidance in nature. If no such self-regulations are established by relevant industry associations in the financial industry, financial institutions are advised to follow the AI Guidelines for AI-related matters.