In recent years, the transformation towards digitalization has emerged as a strong trend in financial institutions. This has increased demand for third-party services, including cloud technologies and services provided by overseas entrusted entities. For instance, cloud service providers or overseas information technology operators are often involved in data processing or storage. Although financial institutions have outsourced operations for years and have accumulated significant management experience in doing so, these new forms of outsourcing have brought forth various challenges and risks from both practical and regulatory perspectives. This has required regulatory authorities to revise and reconsider existing regulations, primarily in two aspects. Firstly, to enhance the service efficiency and quality of financial institutions, simplified and flexible administrative control measures are needed. Secondly, the unique characteristics of cloud technologies require different considerations compared to traditional outsourcing, particularly in terms of consumer protection, information security, the privacy of customer personal data, and even geopolitical risks, as well as variations in information security and personal data protection regulations across different regions.
Recognizing these challenges, the Financial Supervisory Commission (hereinafter, the “FSC”) announced the Amendments to the Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation (hereinafter, the “Regulations”) on August 25, 2023. The Amendments encompass various changes concerning internal outsourcing requirements and operating requirements for cross-border and cloud outsourcing. Apart from narrowing the scope of operations requiring FSC approval and simplifying the application procedures, the most significant change in the Amendments is the adjustment of the existing outsourcing regulation framework to a “Risk-based Approach (RBA)” to enhance the risk governance of financial institutions.
As financial institution operations are highly specialized, not all outsourced business operations carry the same level of risk. To efficiently allocate resources and bolster risk management, the Amendments to the Regulations specifically require financial institutions to establish appropriate policies and principles for managing outsourcing risks. These cover assessments of outsourcing decisions, risk management mechanisms, decision-making levels, governance structures, etc., and introduce the concept of “materiality.” Financial institutions are required to create procedures and management measures sufficient for identifying, assessing, monitoring, and controlling outsourcing-related risks. In addition, financial institutions bear ultimate responsibility for outsourcing and for safeguarding customer rights and interests, so as to ensure that the risk governance mechanisms are effectively enforced. Furthermore, to enforce personal data protection in cases involving the use of cloud services, the Amendments incorporate international information security and privacy protection standards into the relevant regulations. They also require that material consumer financial business information systems that store customer data should, in principle, be located in Taiwan.
The adjustment period is one year from the date of enforcement of the Amendments. This means that the overall review, adjustment, and reporting of the outsourcing framework must be completed before August 25, 2024. As the Amendments strengthen the overall outsourcing risk management framework for financial institutions, encompass a wide range of areas, and require the relevant responsibilities to be incorporated in contracts with outsourcing entities, financial institutions that have already implemented outsourcing operations should take note of this adjustment period. For those planning to engage in outsourcing operations or implement cloud technology projects in the future, it is essential to construct a comprehensive risk management framework in compliance with the Regulations.
The contents of all materials (Content) available on the website belong to and remain with Lee, Tsai & Partners. All rights are reserved by Lee, Tsai & Partners, and the Content may not be reproduced, downloaded, disseminated, published, or transferred in any form or by any means, except with the prior permission of Lee, Tsai & Partners.