Fintech 2025

TAIWAN Law and Practice Contributed by: Robin Chang, Sarah Wu and Eddie Hsiung, Lee & Li

sonable and feasible; and (e) any programmed auto-execution that is done with respect to the security tokens offered is consistent with the description in the prospectus.

2.10 Significant Enforcement Actions

Enforcement actions often occur during criminal investigation procedures. News reports indicate that certain peer-to-peer lending platforms and cryptocurrency operators have been involved in illegal deposit-taking. Additionally, offences such as fraud and money laundering may be associated with e-payment and crypto-related activities.

2.11 Implications of Additional, Non-Financial Services Regulations

In Taiwan, the Personal Data Protection Act (PDPA) governs the collection, use and processing of personal data. According to the PDPA, unless specified otherwise by law, a business entity must notify and obtain consent from an individual before collecting, processing or using his or her personal data, subject to certain exemptions. Therefore, if a fintech company will collect, process or use personal data, it must comply with the obligations specified in the PDPA.

Different financial service entities or their products and services may be subject to various cybersecurity regulations or standards. For example, if a fintech business operates in the e-payment sector, it must meet the relevant licensing requirements and adhere to security control rules specific to this type of business.

Also, according to the Cyber Security Management Act (CSMA), financial services firms classified as “critical infrastructure providers” (CIPs) by the Taiwanese government have certain obligations to fulfil. These include maintaining specific security levels, establishing internal information security rules, and reporting cybersecurity incidents to the government. While it is less likely for a fintech business to be designated as a CIP, the CSMA still applies if the financial service entities conducting these activities are regulated by the FSC and designated as CIPs by the Taiwanese government.

2.12 Review of Industry Participants by Parties Other than Regulators

The requirements regarding the involvement of accounting/auditing firms or other vendors would depend on the individual fintech applications. For example, e-payment operators are required to place funds from their users in a bank’s trust account in full or obtain a full performance guarantee from a bank for the stored-value funds, and an accountant must be appointed to conduct quarterly audits of the state of compliance. As regards cryptocurrency, any VASP would be required to register with the FSC for AML purposes before such VASP may officially carry out its virtual asset-related business in Taiwan, and an accountant’s report on the VASP’s internal control should be attached to the filing for the registration.

In Taiwan, various self-regulatory organisations (SROs) exist for different sectors, and the relevant SRO for a fintech company depends on the specific activities it engages in. For instance: (1) e-payment institutions fall under the Bankers Association of the Republic of China, and FSC-licensed e-payment firms must adhere to its self-regulations; (2) for VASPs, the appropriate SRO is the VASP Association.

2.13 Conjunction of Unregulated and Regulated Products and Services

In general, financial services companies are prohibited from providing unregulated (non-finan -
