The management of financial information system shall not be outsourced to overseas service providers in the future

For the purpose of protecting the personal information of Taiwan citizens and enhancing the regulation on outsourcing the establishment or operation of financial information systems by financial institutions,

Financial Supervisory Commission of Executive Yuan, R.O.C. (hereinafter “FSC”) has passed the newly amended Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation (hereinafter the “Regulations”) on January 19, 2012.  Once the Regulations has been in force, domestic banks shall not outsource data processing items including the data entry, processing, and output of information system, the development, monitoring, control, and maintenance of information system, and logistical support for data processing in connection with the financial institution’s business, and so on.  In other words, after the amendment of the Regulations is in force, domestic banks shall not outsource the establishment and operation of financial information system to overseas service providers.  The domestic banks which are in violation of such regulations shall adjust their operation for compliance within 4 years after the enforcement of the Regulations.

FSC indicates, this amendment is to monitor the management of financial information system of banks for preventing the related information from being disclosed, while this amendment will make an impact on those subsidiaries of foreign banks which are incorporated in Taiwan, because such bank may not outsource the operation of financial information system to overseas service providers and can only outsource the same to domestic service providers or manage such system by themselves.

The English translation of the content of the amended Article 18 of the Regulations is as below.  The amended texts are underlined. 

(Please noticed that this translation is not an official translation from FSC and is provided by PRIMORDIAL LAW FIRM. Please refer to the original Chinese version for the accuracy.  )

Article 18 of the Regulations:

After the submission of the application with the following documents and receipt of the approval from the competent authority, a financial institution may outsource its operations to overseas service providers :

1.The financial institution shall obtain a letter of consent on supervisory cooperation from the foreign competent authority.  The letter of consent shall contain the following:

A.The foreign competent authority is aware of the matter and agrees the service provider to perform the outsourced services.

B.The foreign competent authority agrees the competent authority in Taiwan may request the service provider to provide documents and information related to the outsourced items.

C.The foreign competent authority allows the competent authority in Taiwan and the outsourcing financial institution to conduct the necessary examination of the outsourced items.

D.The foreign competent authority shall inform the competent authority in Taiwan in advance if it plans to examine the outsourced items.

E.The foreign competent authority commits not to acquire the customer data of Taiwan without consent of the competent authority in Taiwan.

2.The internal outsourcing rules drafted according to Section 2, Article 4 of the Regulations.

3.A record on the resolution made by its board of directors, or a letter of consent signed by an officer authorized by the head office in the case of the branch of a foreign bank in Taiwan.

4.Necessity and compliance analysis of outsourcing on business operations, which shall include the evaluation on whether the service provider complies the relevant regulations governing the protection of customer data.

5.Describing measures for the protection of customer data and whether customers have given their consent to the outsourcing to ensure the quality of outsourcing service and the interests of customers.

6.The branch of a foreign bank in Taiwan shall acquire a letter of consent on usage of information, safety control, and supervisory cooperation of Taiwan, issued by the head office.

Where the financial institution is unable to acquire the letter of consent as described in the preceding paragraph from the foreign competent authority, such financial institution shall submit the following documents:

1.A letter of consent from the service provider, agreeing that where necessary, a person designated by the financial institution may examine the outsourced items. The aforesaid designated person may also be assigned by the competent authority at the expense of the financial institution.

2.A review of the service provider’s internal control system and relevant operating procedures.

3.A legal opinion issued by attorney indicating that the protection of customer data in the foreign country is the same as that in Taiwan.

4.The latest financial report of the service provider, audited and certified by the CPA.

5.A statement issued by the service provider stating that no event of maladministration and privacy infringement within the past three years happened.

Where the branch of a foreign bank in Taiwan assigns the operation to its head office or their overseas branches due to internal division of work, such branch shall apply for approval according to the preceding two paragraphs.

A domestic bank shall not outsource the input, process and output of consumer financial information system to the overseas service providers.

The domestic banks which are in violation of such regulations (before or) on the time of the enforcement of the Regulations shall adjust their operation for compliance within four years after the enforcement of the Regulations.

SHARE