TAIWAN Law and Practice Contributed by: Robin Chang, Sarah Wu and Eddie Hsiung, Lee & Li
It is important to highlight, as mentioned in 6.1 Permissible Trading Platforms and 6.7 Rules of Payment for Order Flow, that as to security tokens/security token offerings (STOs), the platform operator is required to obtain a securities dealer licence rather than a securities underwriter licence. According to the STO regulations, after receipt of the application for issuance of an STO, a platform operator (ie, securities dealer) will need to conduct a due diligence investigation and confirm that the issuer meets certain conditions, which include, among others, the following: (a) the issuer has established an internal control system and implements it effectively; (b) the accounting treatment complies with the Business Entity Accounting Act; (c) the fundraising items and the business items operated by the issuer comply with the law; (d) the fundraising plan and its effects/benefits are necessary, reasonable and feasible; and (e) any programmed auto-execution that is done with respect to the security tokens offered is consistent with the description in the prospectus.

2.10 Significant Enforcement Actions

Enforcement actions often occur during criminal investigation procedures. News reports indicate that certain peer-to-peer lending platforms and cryptocurrency operators have been involved in illegal deposit-taking. Additionally, offences such as fraud and money laundering may be associated with e-payment and crypto-related activities.

2.11 Implications of Additional, Non-Financial Services Regulations

In Taiwan, the Personal Data Protection Act (PDPA) governs the collection, use and processing of personal data. According to the PDPA, unless specified otherwise by law, a business entity must notify and obtain consent from an individual before collecting, processing or using his or her personal data, subject to certain exemptions. Therefore, if a fintech company will collect, process or use personal data, it must comply with the obligations specified in the PDPA.

Different financial service entities or their products and services may be subject to various cybersecurity regulations or standards. For example, if a fintech business operates in the e-payment sector, it must meet the relevant licensing requirements and adhere to security control rules specific to this type of business.

Also, according to the Cyber Security Management Act (CSMA), financial services firms classified as “critical infrastructure providers” (CIPs) by the Taiwanese government have certain obligations to fulfil. These include maintaining specific security levels, establishing internal information security rules, and reporting cybersecurity incidents to the government. While it is less likely for a fintech business to be designated as a CIP, the CSMA still applies if the financial service entities conducting these activities are regulated by the FSC and designated as CIPs by the Taiwanese government.

2.12 Review of Industry Participants by Parties Other Than Regulators

The requirements regarding the involvement of accounting/auditing firms or other vendors would depend on the individual fintech applications. For example, e-payment operators are required to place funds from their users in a bank’s trust account in full or obtain a full performance guarantee from a bank for the stored-value funds, and an accountant must be appointed to conduct quarterly audits of the state of compliance. As regards cryptocurrency, any VASP would be required to register with the FSC for AML purposes before such VASP may officially carry out its virtual asset-related business in Taiwan, and an accountant’s report on the VASP’s internal control should be attached to the filing for the registration.

In Taiwan, various self-regulatory organisations (SROs) exist for different sectors, and the relevant SRO for a fintech company depends on the specific activities it engages in. For instance: (1) e-payment institutions fall under the Electronic Payment Association of R.O.C., and FSC-licensed e-payment firms must adhere to its self-regulations; (2) for VASPs, the appropriate SRO is the VASP Association.

2.13 Conjunction of Unregulated and Regulated Products and Services

In general, financial services companies are prohibited from providing unregulated (non-financial) products or services, making it generally impractical to engage in such practices.