On 8 March 2023, the Financial Supervisory Commission announced the draft amendment to the Regulations Governing Internal Operating Systems and Procedures for Outsourcing of Financial Institution Operation (the “Regulation”) for public consultation. Comments may be provided within 60 days after the announcement. We summarize the draft amendment below:
(1) Establishing a risk-based outsourcing management structure (Article 4):
a. The financial institutions shall stipulate proper policies and principles to evaluate the risk, materiality and the effect on the operation and clients’ rights of the outsourcing matters, and adopt corresponding control measures in accordance with the Risk-Based Approach principle.
b. The scope of outsourcing matters and division of responsibilities with the service providers shall be specified in the outsourcing agreement, provided that the financial institutions shall bear the final responsibility of the outsourcing operation and protection of clients’ rights.
c. To specify five core regulations, including the duty of the board meeting, requirement of sufficient resources and expertise for outsourcing operation control, materiality identification operation, due diligence on service providers and inspection right of the competent authority.
(2) Enhancing the emergency response capability of financial institutions (Article 8):
For the circumstances which will cause a material effect on the financial institution’s normal operation and clients’ rights, financial institutions shall specify the relevant responsibility of the service providers and the obligation of the service providers to jointly handle the accidents, and the enhanced control and emergency response measures, which are subject to a periodical drill.
(3) Simplifying the application procedure and documents for the outsourcing operation (Articles 5, 11 and 12):
a. To remove the current requirement that the marketing of credit card issuance, marketing of consumer loans and collection of debts are subject to the approval from the competent authority.
b. For the new-type outsourcing item applied for by the financial institutions, after being approved and announced to the public by the competent authority, other financial institutions need not apply to the competent authority for approval again.
(4) Adopting the risk-based supervision and adjusting the application scope of offshore outsourcing and cloud outsourcing (Articles 17 to 19):
a. To amend so that only outsourcing of material consumer banking information system offshore is subject to the approval from the competent authority.
b. To enhance the regulation for improvement of client data protection and ensuring a safe and sound cloud technology application, and to consolidate the current application documents.
(5) Establishing a complete outsourcing operation report mechanism (Paragraph 3, Article 3):
To enhance the detail of the outsourcing operation report form and the updating obligations so as to obtain the specific information of the content, service providers and control status of financial institutions’ outsourcing operation, for the purpose of facilitating the competent authority’s review of the enforcement effectiveness of financial institutions’ outsourcing operation.
(6) Enhancing the supervisory measures of the competent authority (Article 22):
If the service provider breaches the Regulation or other laws and regulations, the competent authority may request the financial institution to adopt necessary measures.
Stacy Lo