Important Measures

Amendments to the Implementation Rules of Internal Audit and Internal Control System of Financial Holding Companies and Banking Industries

2018-05-11
The FSC introduced amendments to 6 articles and 3 new articles to the Regulations on March 31, 2018, in order to increase the completeness of targets of financial groups' anti-money laundering and combating the financing of terrorism (AML/CFT) activities, improve the assessment effectiveness of risk-oriented internal audit systems adopted by banks, impose different requirements for the legal compliance risk management mechanisms of banks with asset sizes above a certain level, establish financial institutions' internal reporting systems and require the banking industry to attach more importance to information security. The key points are as follows:
1. Banks with domestic subsidiaries are required to prepare AML/CFT plans at group level.
2. Regarding the regulatory requirements that the risk-oriented internal audit system of a domestic bank shall meet, the text "the bank has not had gross negligence in implementation of internal control measures in the recent year or the situation has been substantially improved" is removed, in order to evaluate the effectiveness of the overall internal control system of banks in a more comprehensive manner.
3. In order to improve the legal compliance effectiveness of domestic big banks, headquarters of banks with total assets over NTD one trillion as audited by a CPA are required to set up legal compliance units, which may also engage in AML/CFT activities but are not allowed to carry out legal activities that are not related to planning, management, and implementation of a legal compliance system or other activities in conflict with their responsibilities. Legal compliance officers at bank headquarters may concurrently assume the position of the leader of the AML/CFT unit, but shall not concurrently assume the position of legal affairs officer or other internal positions. In order to increase flexibility of the system, the requirements for qualifications and on-the-job training of regulatory compliance officers of foreign business units have been changed.
4. Considering that foreign business units have different sizes and activities, the requirement of setting up a local regulation database for these business units is removed for practical considerations.
5. Big banks are required to establish an overall regulatory compliance risk management and supervision structure, lay down specific principles for such a structure and introduce rules about related authority/responsibilities, including establishment of an overall regulatory compliance risk management and supervision structure and an independent regulatory compliance unit and its authority/responsibilities, preparation of informative regulatory compliance effectiveness reports and implementation of supervision.
6. Financial holding companies and banks are required to establish an internal reporting system and designate a unit that can exercise authority independently in the headquarters to take charge of review and investigation of reported cases in order to foster a business culture of transparency and integrity and promote sound operating practices. Considering that these companies need some time to make adjustments for establishment of the reporting mechanism, a specific timeline is set up for such compliance.
7. In order to make banks attach more importance to information security, banks are required to establish an information security unit, appoint a delegate to take charge of information security activities and introduce differential management practices based on their size.
 
  • Update: 2018-05-11