Banking Regulation 2025

TAIWAN Law and Practice Contributed by: James Huang, Eddie Hsiung and Maggie Huang, Lee and Li, Attorneys-at-Law

a person at a level higher than associate general manager (or equivalent function) as chief officer of such dedicated information security office.

• establish plans to respond to termination of an outsourcing agreement with cloud service providers; and • basically store customer data of material, retail finance business information systems within the territory of Taiwan – if stored off - shore, backups of important customer data should be retained in Taiwan unless otherwise approved by the FSC.

Strengthening Information Security Governance of Financial Institutions

In 2019 and 2023, in response to the trend of applying technologies to financial operations, the FSC amended the Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Opera - tion by establishing a risk-based cloud outsourc - ing management framework. Banks are required to assess the risk level, significance, and impact on operations and customer rights of outsourced matters, and to implement appropriate controls and risk-based measures. According to the amendments, financial institu - tions should: • adopt appropriate risk control measures, such as ensuring the diversity of cloud ser - vice providers; • be ultimately responsible for the supervision of cloud service providers, and may engage professional third parties to assist in supervis - ing the operations of the cloud service provid - ers; • adopt customer data encryption, tokenisation or other effective protection measures, and establish appropriate encryption key man - agement mechanisms when transmitting and storing customer data with a cloud service provider; • retain complete ownership of the data out - sourced to cloud service providers for pro - cessing, and prevent the data from being used for purposes other than the outsourced operations; • retain the right to designate the location for the processing and storage of the data;

11. Horizon Scanning 11.1 Regulatory Developments Artificial Intelligence (AI) Application

Following the release of the Core Principles and Related Promotion Policies for the Use of Arti - ficial Intelligence (AI) by the Financial Industry in 2023, the FSC issued the Guidelines for the Use of Artificial Intelligence (AI) in the Financial Industry (the “AI Guidelines”) on 20 June 2024. The AI Guidelines stipulate that, while using AI systems, financial institutions should implement the core principles based on risk and should assess the risk levels of using AI systems after considering various risk assessment factors. Financial institutions should also have supervi - sory measures when engaging third parties for introduction of AI systems, such as establishing appropriate data or system migration mecha - nisms in the event of termination. The core prin - ciples of the AI Guidelines are detailed in the corresponding six chapters. Chapter I: Establish Governance and Accountability Mechanisms Financial institutions should have a clear struc - ture and risk management policies for manag - ing AI systems. Internally, financial institutions should be able to clearly explain the operational logic of the system; externally, they should be

603 CHAMBERS.COM

Powered by