AmCham Taiwan Healthy Aging Forum:
2025 Healthy Taiwan Healthy Aging Forum: Public-Private Collaboration to Promote Holistic Health
The Committee thanks the government for paying extra attention to our recommendations in the 2023 White Paper and taking meaningful responsive action. Gratifying progress was made on the suggestions to relax amount caps on foreign bank branch and subsidiary bond repo transactions, risk-manage foreign currency bond reverse repo exposure, and exempt Formosa Bond liquidity providers from two-way quote requirements.
The government is also considering our suggestion to loosen the identity verification requirements under the Regulations Governing the Declaration of Foreign Exchange Receipts and Disbursements or Transactions for current customers. We believe this issue could be resolved shortly.
In this year’s White Paper, we ask the government to 1) allow financial institutions to use electronic storage of accounting-related documents, 2) relax identification and verification requirements for authorized traders from securities-dealing counterparties that are financial institutions, and 3) revise password management regulations to provide greater security and flexibility for the banking industry.
It is possible for all these objectives to be met within the coming year. We look forward to continued liberalization that will attract more foreign institutions to participate in this market and bring further business opportunities to Taiwan from neighboring financial markets such as Hong Kong and Singapore. The result will be enhanced competitiveness for Taiwan’s financial sector and a greater ability to retain talent and develop the industry.
Suggestion 1: Allow financial institutions to support Taiwan’s net-zero transformation goals by using electronic storage of accounting-related documents.
As energy conservation, decarbonization, and net-zero transformation have become major goals of governments worldwide, the National Taxation Bureau has revised Article 27 of the “Regulations Governing the Accounting Books and Vouchers of Profit-seeking Enterprises Managed by the Competent Tax Authorities” to help promote the digitization of tax declarations and permit the use and recordkeeping of electronic invoices.
However, given the breadth of the financial services sector and the various types of authorities involved – including securities exchanges and industry associations, in addition to other relevant government agencies – there is a need for clear guidance regarding the allowable mode of recordkeeping for accounting-related documents (such as invoices or certificates) under existing laws and regulations.
The Committee therefore urges the Financial Supervisory Commission to take steps to expressly permit Taiwan’s financial institutions to use electronic means to keep accounting-related documents in accordance with Article 27, Paragraph 3, as above, instead of using and keeping paper copies. Doing so would support the government’s net-zero carbon emissions goals.
Suggestion 2: Relax identification and verification requirements for authorized traders from securities-dealing counterparties that are financial institutions.
The conflicting definitions of “agents” in banking and securities regulations cause confusion in the implementation of the Anti-Money Laundering and Countering-Terrorism Financing Act (AML/CFT) requirements. In the FAQ of “Model Guidelines Governing Anti-Money Laundering and Combating the Financing of Terrorism by the Banking Sector” (the Model Guidelines), an agent is defined as someone delegated to represent the authorized person of a client. Hence, authorized signers are not considered clients’ agents. However, in the FAQ of the “Template for Guidelines Governing Anti-Money Laundering and Countering Terrorism Financing of Securities Firms” (the Securities Guidelines), an authorized trader from a securities-dealing counterparty is categorized as an agent of the counterparty for purposes of identification and verification (ID&V). This discrepancy between banking and securities regulations creates confusion as to what is required to meet AML/CFT obligations.
Moreover, given the data-protection sensitivity of handling ID documents, collecting each trader’s identity information from securities counterparties can be a challenge. And because financial institutions are highly regulated entities subject to strict internal controls, authorized traders from a financial institution pose less AML/CFT-related risk.
To resolve this inconsistency, the Committee proposes taking a risk-based approach by amending the FAQ of the Securities Guidelines to state that dealing counterparties who are authorized traders of financial institutions are excluded from the ID&V requirements in view of those institutions’ internal controls and strict regulations. Aligning the definition of an agent across the banking and securities sectors would alleviate the difficulties currently encountered for compliance.
Suggestion 3: Revise password management regulations to provide greater security and flexibility for the banking industry.
As information security has become one of the most important issues in financial industry operations and management, the banking industry is committed to improving information security control mechanisms to reduce the risks that may arise from cyberattacks on corporate information systems and databases.
However, current information security regulations in the banking industry predominantly mandate regular password changes (a practice many users forget or neglect) without considering more effective alternative security measures that are readily available.
These more effective security control mechanisms include regular review of the bank’s internal system password management policy to ensure that relevant policies and controls comply with approved technical standards. Beyond the traditional single-factor authentication and the mandate for users to change their eight-character passwords every three months, more advanced control methods are now available. One of these is to increase the length of the password from 8 characters to 12 for greater complexity. This change significantly increases the time it takes for hackers to crack passwords from the current 1-8 hours to an estimated 34,000 years and eliminates the need for users to change their passwords every three months.
Banks could also adopt other strategies to enhance password security. For example, passwords meeting a 12-character requirement could still be required to include at least three of the following four types of characters: lowercase letters, uppercase letters, numbers, and special symbols. The bank could also set up a control system that detects weak constructions that may not be used as passwords, such as those based on common words in the dictionary, birthdays, and names.
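The controls described in the two paragraphs above (a 12-character minimum, three of four character classes, and rejection of passwords built on dictionary words, names, or birthdays) can be combined into one check. The Python below is an added example, not part of the White Paper or any bank's system; the sample word list, the character-substitution table, the birthday formats, and all function names are assumptions made for illustration.

```python
import re
from datetime import date

MIN_LENGTH, MIN_CLASSES = 12, 3   # policy values taken from the text above
# Constructed sample list; a real control would load a full dictionary or breach corpus.
COMMON_WORDS = {"password", "welcome", "dragon", "taiwan", "summer", "monkey"}
# Fold common character substitutions so "P@ssw0rd" is treated as "password".
LEET = str.maketrans("0134578@$!", "oieastbasi")
# Assumed set of numeric layouts in which a birthday is commonly typed.
BIRTHDAY_FORMATS = ("%Y%m%d", "%d%m%Y", "%m%d%Y", "%y%m%d", "%d%m%y", "%m%d%y")


def class_count(pw):
    """Number of the four character classes (lower, upper, digit, symbol) in pw."""
    return sum((
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ))


def check_password(pw, names=(), birthday=None):
    """Return a list of policy violations; an empty list means pw is accepted."""
    violations = []
    if len(pw) < MIN_LENGTH:
        violations.append("length")
    if class_count(pw) < MIN_CLASSES:
        violations.append("classes")
    folded = pw.lower().translate(LEET)
    if any(word in folded for word in COMMON_WORDS):
        violations.append("dictionary")
    # Names shorter than 3 letters are skipped to avoid rejecting nearly everything.
    if any(len(n) >= 3 and n.lower() in folded for n in names):
        violations.append("name")
    if birthday is not None:
        digits = re.sub(r"\D", "", pw)   # ignore separators such as 1990-04-17
        if any(birthday.strftime(f) in digits for f in BIRTHDAY_FORMATS):
            violations.append("birthday")
    return violations
```

A password that satisfies the length and character-class rules can still be rejected here, which is the point of the weak-construction control: `P@ssw0rd2024!!` passes both rules but folds to a dictionary word.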
Another approach would enable access to user workstations only through multi-factor authentication, such as a combination of employee identification chip card and password control, together with regular employee education and training.
Given the need to ensure that information security protection operations keep up with the rapid advances in technology, we urge the government to revise regulations to permit use of alternative security measures that replace the current mandatory password change requirements if the alternative measures are more advanced and secure. Doing so would provide greater security, flexibility, and convenience for the benefit of both consumers and the banking industry while providing effective information security.
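We thank the government for its attention to the recommendations the Banking Committee made last year. Concrete progress has been made on issues such as “relaxing the cap on the outstanding balance of bonds sold under repurchase agreements in bond transactions by foreign banks’ Taiwan branches and subsidiaries” and “relaxing the requirement that international bond liquidity providers provide firm two-way buy and sell quotes.” The competent authority has also begun studying the Committee’s suggestion to “relax the requirement that banks verify the identity of existing customers under the Directions for Banking Enterprises while Assisting Customers to Declare Foreign Exchange Receipts and Disbursements or Transactions,” and the Committee believes this issue can also be resolved in a timely manner.
This year’s White Paper focuses on three issues: (1) allowing Taiwan’s financial industry to keep accounting-related invoices or vouchers electronically in order to realize the government’s net-zero transformation goals; (2) relaxing identity verification requirements for authorized traders when the securities counterparty is a financial institution; and (3) revising the rules on information system password management so that the banking industry can adopt more secure and flexible information security management.
We believe the above objectives can see improvement in the coming year. In view of the Financial Supervisory Commission’s (FSC) goals of expanding the financial market and increasing employment opportunities, the Committee hopes the competent authorities will continue to loosen relevant regulations so as to draw more business to Taiwan from neighboring financial markets such as Hong Kong and Singapore, while enhancing the competitiveness of the financial industry and strengthening its ability to retain talent and develop the industry.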
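Suggestion 1: Allow Taiwan’s financial industry to keep accounting-related invoices or vouchers electronically in order to realize the government’s net-zero transformation goals.
Because energy conservation, carbon reduction, and net-zero transformation have become goals that governments around the world seek to achieve, Taiwan’s National Taxation Bureau has amended Article 27 of the “Regulations Governing the Accounting Books and Vouchers of Profit-seeking Enterprises Managed by the Competent Tax Authorities” and begun promoting electronic tax filing and the use of electronic invoices. Because Taiwan’s financial institutions, depending on their lines of business, answer to many different financial authorities (such as the exchanges, industry associations, and relevant government agencies), clear guidance is still needed on the laws and regulations governing the retention of paper accounting-related documents (such as invoices or vouchers).
The Committee requests that the Financial Supervisory Commission allow Taiwan’s financial institutions likewise to keep invoices or vouchers electronically, without retaining paper copies, in accordance with Article 27, Paragraph 3 of the “Regulations Governing the Accounting Books and Vouchers of Profit-seeking Enterprises Managed by the Competent Tax Authorities,” so as to realize the government’s net-zero transformation goals.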
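Suggestion 2: Relax identity verification requirements for authorized traders when the securities counterparty is a financial institution.
Because the definitions of “agent” in banking and securities regulations are inconsistent, confusion can arise when the relevant rules are implemented. The FAQ on the Model Guidelines Governing Anti-Money Laundering and Combating the Financing of Terrorism by the Banking Sector and related rules (Financial Institutions volume) explains that “an agent is a person who, where the authorizing person is unable to come to the bank in person to establish a business relationship or conduct a transaction, is entrusted by the authorizing person and may fully represent the authorizing person within the period and scope of the authorization.” Accordingly, the authorized trader of an ordinary legal entity is an authorizing person rather than an agent. The FAQ on Anti-Money Laundering and Countering Terrorism Financing Regulations for Securities Firms, however, defines agents as “including agents who open securities accounts on behalf of clients (legal entities or natural persons) and persons authorized to trade; authorized traders of legal-entity clients are therefore also agents.” The scope of “agent” thus differs between the banking and securities regulators, and this difference leaves financial institutions confused about their responsibilities for anti-money laundering and countering the financing of terrorism. In addition, because identity documents are sensitive, collecting and obtaining identity information on authorized traders from securities counterparties is difficult. At the same time, financial institutions are generally highly regulated entities with strict internal controls, so authorized traders designated by a financial institution are less likely to be high-risk persons for purposes of anti-money laundering and countering the financing of terrorism.
To eliminate this regulatory discrepancy, and given the soundness of financial institutions’ internal controls and the strict regulatory regime to which they are subject, the Committee proposes a risk-based approach and requests that the FAQ on Anti-Money Laundering and Countering Terrorism Financing Regulations for Securities Firms be amended to exclude authorized traders of financial-institution counterparties from the relevant identity verification requirements. We hope that the amendment will reconcile the regulatory differences between the two sectors, reduce difficulties in conducting business, and ease the challenges encountered in compliance.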
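Suggestion 3: Revise the rules on information system password management so that the banking industry can adopt more secure and flexible information security management.
As information and communications security has become one of the most important issues in the operation and management of the financial industry, banks are all committed to improving information security control mechanisms in order to reduce the risk of hacker attacks on corporate information systems and databases. However, current information security rules for the banking industry mainly require the relevant personnel to change passwords periodically, without considering other feasible and effective alternatives. Other, more effective security control mechanisms include regularly reviewing the password management policy for the bank’s internal systems to ensure that the policies and controls conform to recognized technical standards.
With regard to information system password management policy, in addition to the traditional single-factor control and the rule that users’ 8-character passwords must be changed once every three months, other newer control methods are now available, including increasing password length from 8 characters to 12 to add complexity. This change greatly increases the time a hacker needs to crack a password, from the original 1 to 8 hours to approximately 34,000 years. Because the time needed to crack the password far exceeds a natural human lifespan, the need to change passwords every three months is greatly reduced, which also lowers the operational risk of users forgetting passwords because of frequent changes.
Beyond the above, banks can consider other ways to strengthen password security, such as strictly requiring that 12-character passwords still include three of the following four types of characters: lowercase English letters, uppercase English letters, numbers, and other special symbols. Banks can also use system settings to detect and control weaker passwords, for example by checking whether a password contains common dictionary words, birthdays, or names. Another control method is to allow users to access computer systems and workstations only through multi-factor authentication, such as a combination of an employee identification chip card and a password, together with regular employee education and training.
Because information technology is advancing and changing rapidly, and in order to keep information security protection up to date, the Committee requests that the relevant competent authorities amend the regulations so that the banking industry can use more advanced and secure information security control technologies in place of the current mandatory periodic password changes. Doing so would not only let consumers and the banking industry benefit from more secure, flexible, and convenient management, but would also effectively meet information security needs.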