Press Release

FSC announces the amendment of Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation

      In recent years, financial institutions have actively adopted emerging technologies, such as cloud computing and cloud storage, to advance digital transformation and increase the agility and flexibility of financial services. The scope of use cases has gradually diversified. To assist financial institutions in establishing a comprehensive risk management framework for outsourced operations (outsourcing), and to review application procedures and reporting content, the Financial Supervisory Commission (“FSC”), with reference to international practices and the opinions of financial institutions, proposed the amendment of the "Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation" (hereinafter referred to as the "Regulations"), which is oriented towards risk-based approach (RBA) supervision.
      The public comment period for the draft has been completed and the amendment will soon be promulgated. This amendment entails the revision of 19 articles and the deletion of 2 articles. The key points of the amendment are as follows:
1.    Specify a risk-based outsourcing management framework: 
(1)    Financial institutions should take the ultimate responsibility for outsourcing and manage outsourcing risk based on materiality and the risk-based approach (RBA), formulate appropriate policies and principles for outsourcing, and strengthen the risk control mechanisms for the stages before, during and after outsourcing as the control basis for all outsourcing matters. (Amendment of Article 4 and Article 8)
(2)    The amended Paragraph 3 of Article 4 specifies: “Financial institutions take the ultimate responsibility for their outsourcing. They should evaluate the risk level and materiality of outsourced operations and the impact of outsourcing on customer interests, and adopt appropriate management measures based on the risk-based approach.” In this case, small and medium-sized financial institutions with simple business may adopt control measures commensurate with their outsourcing risk level based on the risk-based approach. This amendment offers compliance flexibility in consideration of the business size and attributes of financial institutions.
2.    Simplify the outsourcing application process and documentation requirements:
(1)    Paragraph 1 of Article 3 specifies the scope of business operations that financial institutions may outsource. For those that do not fall within the scope of outsourcing (new types of outsourcing), if a financial institution has applied to the competent authority for outsourcing and obtained approval, other financial institutions could conduct the approved outsourcing operation in accordance with their internal outsourcing rules. (Amendment of Article 5)
(2)    The amendment deletes the existing requirements that credit card issuance marketing, consumer loan marketing, and debt collection operations shall obtain regulatory approval in advance. (Amendment of Article 11 and Article 12)
3.    Adjust the scope of cross-border outsourcing and cloud outsourcing that require application to the competent authority and require enhanced rules:
(1)    In consideration of the impact on financial institutions’ operations and customer interests, the FSC revised the scope of outsourcing that requires approval of the competent authority to “outsourcing of retail financial business information systems that are deemed material and are outsourced to overseas” and simplified the existing application documents for cross-border outsourcing and cloud outsourcing. (Amendment of Article 18)
(2)    The FSC added provisions enhancing the rules for cross-border outsourcing and outsourcing involving cloud-based services. (Amendment of Article 17 and Article 19)
      The FSC reminds financial institutions that their business operations are approved by the competent authority. Financial institutions may outsource some of their business operations, but still take the ultimate responsibility for those operations. Thus, financial institutions must follow relevant regulations about information security and maintenance of customer data. For example, if any outsourced operation involves customer information, the financial institution must include a provision in contracts to inform customers of the outsourcing activity. If the contracts have no such provision, the financial institution shall notify its customers in writing of the outsourcing activity, and implement control procedures in accordance with the Personal Data Protection Act and other relevant regulations.
      To implement good regulatory practices that ensure transparency, consistency, and predictability in the regulatory amendment process, the FSC has taken into consideration international regulatory standards and the Taiwanese situation to align with international standards. During the public comment period, the FSC held a public hearing to fully discuss the amendment and collect opinions from all sides. As third-party risk management is a critical supervisory issue for many countries, the FSC will continue to monitor management practices and international developments to conduct a rolling review of relevant regulations.
  • Update: 2023-08-21