June 2026

Organizational Structure and Functional Changes Under the Three Lines Model of Internal Control for Financial Holding Companies and the Banking Industry (Taiwan)

Drawing on supervisory guidelines issued by international organizations, the Financial Supervisory Commission updated the three lines of defense for financial holding companies and the banking industry into the "Three Lines Model," and amended the Implementation Rules of Internal Audit and Internal Control System of Financial Holding Companies and the Banking Industry (hereinafter referred to as the "Rules") on May 6, 2026. Among these amendments, the specific requirements governing the organizational structure of the second line under the model for financial holding companies and the banking industry are as follows:

1. Regulatory Compliance: A dedicated regulatory compliance unit shall be established, and a person at the level of vice president or higher, or an individual with equivalent responsibilities, shall be appointed to serve as the "Chief Compliance Officer." To make the anti-fraud function an ongoing, institutionalized one, the Chief Compliance Officer may concurrently serve as the head of the "dedicated anti-fraud unit" (Article 16).
2. Risk Management: A dedicated risk management unit subordinate to the president shall be established and shall not concurrently engage in other business operations that present a conflict of interest with its duties; furthermore, a person at the level of vice president or higher, or an individual with equivalent responsibilities, shall be appointed to serve as the "Chief Risk Officer" (Article 21).
3. Information Security: A dedicated information security unit subordinate to the president shall be established, and a person at the level of vice president or higher, or an individual with equivalent responsibilities, shall be appointed to serve as the "Chief Information Security Officer" (Article 24).
 
In response to these functional differences, the scope of duties of the second-line units has been adjusted following the amendment of the Rules, with the key points outlined as follows:

1. Regulatory Compliance: Responsible for establishing mechanisms to identify, assess, monitor, and independently report regulatory compliance risks, as well as supervising the institutional design and execution effectiveness of regulatory compliance self-audits across all units. Following this amendment, the requirement for the banking industry to establish a dedicated unit is universally mandated, no longer limited to banks with total assets reaching NT$1 trillion; additionally, banks are required to submit the bank-wide regulatory compliance risk management and supervisory framework to the competent authority for recordation within two years from the establishment of said dedicated unit (Articles 17 and 18).
2. Risk Management: In response to potential emerging risks, the unit shall identify, measure, and assess such risks, and adopt corresponding response strategies (Articles 22 and 23).
3. Information Security: Responsible for the planning, management, and execution of the information security system, supervising the implementation of information security across all units, and establishing reporting and related mechanisms for information security incidents (Article 25).
 
It should be noted that management must designate a unit possessing second-line functions to supervise the first-line units in formulating the contents and procedures for self-audits, and to review the execution status of self-audits across all units (Article 14).
 
Furthermore, Article 27 of the Rules has been newly added to stipulate that when a Chief Auditor changes, financial holding companies and the banking industry must report the reasons for the change to the competent authority within five days to ensure the independence of the audit function.
 
With respect to the aforementioned requirements to appoint dedicated personnel and establish dedicated units, although the Rules provide a transitional grace period until December 31, 2027, our Firm nonetheless recommends that financial institutions promptly initiate an inventory of their organizational structures and re-examine internal processes such as self-audits to ensure that the powers and responsibilities of the dedicated units comply with regulatory standards.

The contents of all materials (Content) available on the website belong to and remain with Lee, Tsai & Partners. All rights are reserved by Lee, Tsai & Partners, and the Content may not be reproduced, downloaded, disseminated, published, or transferred in any form or by any means, except with the prior permission of Lee, Tsai & Partners. The Content is for informational purposes only and is not offered as legal or professional advice on any particular issue or case. The Content may not reflect the most current legal and regulatory developments.

Lee, Tsai & Partners and the editors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The contributing authors’ opinions do not represent the position of Lee, Tsai & Partners. If the reader has any suggestions or questions, please do not hesitate to contact Lee, Tsai & Partners.