Taiwan FSC Proposes to Update Internal Control Rules for Banks, FHCs

The amendments aim to strengthen risk management, audit independence, cybersecurity, and sustainability practices across banks and financial holding companies.

Taiwan’s Financial Supervisory Commission (FSC) has released draft amendments to strengthen internal control and audit system rules for banks and financial holding companies.

In a statement, the FSC said the aim is to align Taiwan’s regulatory standards with international best practices while strengthening risk management, cybersecurity, and sustainability governance in the financial sector.

The proposed revisions are the most comprehensive update to the Regulations Governing Internal Control and Audit Systems of Financial Holding Companies and the Banking Industry since their introduction in 2010. 

The updated regulations incorporate the “Three Lines of Defence” model, a global standard for internal control, and reflect supervisory trends from jurisdictions including the US, UK and Singapore.

The revisions also respond to evolving challenges such as cyber threats, pandemics, and climate change, which have significantly reshaped the risk landscape for financial institutions, the FSC said.

Stronger internal controls

One of the most notable changes is the requirement for banks with assets over TWD 1 trillion (USD 30.8 billion) to appoint a Chief Risk Officer (CRO), tasked with overseeing the institution’s entire risk management function. 

The draft also mandates that internal control manuals incorporate business continuity planning (BCP) and protocols to manage emerging risks, in line with updated guidance from the Basel Committee on Banking Supervision (BCBS).

On cybersecurity, financial holding companies are required to establish dedicated cybersecurity units and appoint Chief Information Security Officers (CISOs) with clearly defined responsibilities.

Internal audit functions

On internal audit functions, the regulations provide improved guidelines, including on the qualifications and training requirements for internal auditors.

To maintain the independence of internal audit units, the FSC proposes shifting responsibility for overseeing self-audit planning from internal auditors (third line) to risk and compliance teams (second line). Banks using risk-based internal audits may define the frequency and scope of self-audits based on their own risk assessments.

Additionally, overlapping requirements for compliance self-checks and self-assessments may now be consolidated to reduce operational burden.

Under the draft, any changes to the head of internal audit must be reported to the FSC within five days, with affected individuals also being notified. The regulations also call for stronger communication channels between independent directors and internal auditors.

Embedding FSC priorities

The proposed revisions also emphasise sustainability disclosures, requiring banks and financial holding companies to integrate sustainability information into internal control processes and audit reports. 

The amendments further embed existing FSC priorities, such as ethical conduct, fair customer treatment, and accountability mapping, into the internal control environment and operational manuals of banks and financial institutions.

The new regulations also enhance reporting requirements, including the disclosure of internal control weaknesses and the implementation of corrective actions, and require stronger protections for whistleblowers, ensuring their identities and concerns are kept confidential and addressed appropriately.

Acknowledging the significant operational adjustments required, the FSC is providing a six-month transition period for institutions to reorganise their structures, allocate resources, and revise internal rules to align with the updated regulations. 

Specific provisions, including those on sustainability reporting and CPA assurance, will take effect on 1 January 2026. The draft revisions are open for consultation for 60 days.
