The Financial Supervisory Commission (FSC) is the competent authority responsible for development, supervision, regulation and examination of financial markets and financial service enterprises in Taiwan. There are four bureaus under the FSC:

• Banking Bureau
• Securities and Futures Bureau
• Insurance Bureau
• Financial Examination Bureau

To develop fintech/insurtech in Taiwan, in September 2015, the FSC established the Financial Technology Office (as the coordinator among
various bureaus) and the Financial Technology Advisory Committee (as consulting committee).

Activities involving insurance companies, insurance agents or brokers and insurance businesses may be regulated under the Insurance Act, the Regulations Governing Insurance Agents, the Regulations Governing Insurance Brokers, relevant rulings and rules and guidelines promulgated by the Non-Life Insurance Association, the Life Insurance Association, the Insurance Agents Association and the Insurance Brokers Association.

Payment and settlement systems may be regulated under the Banking Act, the Act Governing Issuance of Electronic Stored Value Cards, the Act Governing Electronic Payment Institutions and relevant regulations and rulings.

Fund remittance businesses will be subject to the Banking Act, the Act Governing Electronic Payment Institutions and the Foreign Exchange Regulation Act.

Virtual currencies (for example, Bitcoin) are not recognized by Taiwan governments. On 30 December 2013, the Central Bank of Taiwan issued a press release warning against the risks of using Bitcoin.

Activities involving investments of securities, the dealing of securities, fund management, trading in futures contracts, among others, will be regulated under the Securities Exchange Act, the Futures Trading Act and the Securities Investment Trust and Consulting Act.

On 12 January 2017, the FSC published the Draft Bill of the Act of Financial Technology Innovation Experiment (the Draft Fintech Act), which sets out the guidelines to launch and implement a regulatory sandbox in Taiwan. The Draft Fintech Act was approved by the Executive Yuan on May 4, 2017, and it will be submitted to the Legislative Yuan for its first reading in Autumn 2017. The purpose of the Draft Fintech Act is to encourage financial institutions and fintech service providers to improve the efficiency and quality of financial services by developing innovative technologies. The Draft Fintech Act offers a financial institution or a fintech service provider, which is approved by the FSC under the Draft Fintech Act (the Applicant), regulatory flexibilities and a safe environment to conduct innovative fintech experiment (the Innovative Experiment) within a maximum period of 12 months. During such period, the applicant will be exempted from certain administrative and criminal liabilities under current financial regulations.

To engage fintech/insurtech innovation by the financial institutions, the FSC adopted the following policies:

• Allowing financial industry to invest in fintech/insurtech enterprises – The FSC has announced the relevant regulation, allowing banks and financial holding companies to invest in financial technology companies, including companies specializing in big data, cloud computing, biometrics, robo-adviser, among others, and to hold up to 100% of the equity shares of the companies. The FSC has allowed insurance companies, securities firms, securities investment trust enterprises (SITEs), securities investment consulting enterprises (SICEs) and domestic futures commission merchants, within certain limits, to invest in business-related or auxiliary to fintech/insurtech-related business.
• Promoting fintech/insurtech development
  • Publishing of the Financial Technology Development Policy White Paper –To master the development of network and international trend of financial technology application, the FSC published the Financial Technology Development Policy White Paper in January 2015 as Taiwan's fintech blueprint revealing the international trend, the current domestic situation, policy goals and strategies.
  • Promoting the e-payment ratio multiplication five-year plan – In order to enhance the efficiency of payment, save the cost of cash payment processing, stimulate economic growth through consumer spending, reduce the scale of the underground economy, increase financial transparency, reduce the circulation of false money, and lower the crime rate, the FSC is promoting the domestic e-payment. Through both government and private sector, and the combination of finance and technology, the ratio of e-payment will be doubled in the next five years, compared to recent 26% ratio.
  • Encouraging insurance companies to design innovation products by using big data, such as usage-based insurance

The licenses required will depend on the specific activities contemplated. We recommend seeking the advice of local counsel. In brief overview:

• Payment Services. An entity must obtain an Electronic Payment Institution license (EPS License) if it would like to offer electronic payment services, including (i) collection and paying agent for actual transactions; (ii) stored-value services for online/and online to offline transaction; and (iii) fund transfer among electronic payment accounts, by providing an electronic payment platform through the Internet.
• Store-Value Facilities. Issuer must obtain an Electronic Stored-Value Card License (E-SVC License) if it would like to issue open-loop stored-value cards that can be used for multiple purposes (to purchase products and services provided not only by the issuer but also by any third party).
• Remittance Business. If anyone wishes to conduct remittance service, it must have a banking license or an EPS License.
• Equity Crowdfunding. A securities brokerage license is required for an equity crowdfunding platform.
• Moneylending. If the lender is an individual (P2P lending), a license is not required. However, such P2P lending shall not include any activities in relation to issue of securities/instruments (which requires approval by the FSC) or deposit taking (which requires a banking license).

Except for the Personal Data Protection Act, there are no specific regulations for the use of telematics or biometrics on its own. Insurance companies should ensure that such use is compliant with any existing regulations or conduct of business requirements.

Yes, there can be different standards of regulation. For example, under the Electronic Payment Institutions Act, if the daily balance of the funds in the third-party payment service provider's account during the past one-year period does not exceed NTD 1 billion (approximately
USD 303 million), such service provider is not required to obtain an electronic payment institution license from the FSC.

According to the Guidelines for Insurance Enterprise to Conduct Electronic Commerce promulgated by FSC, an insurer licensed to conduct e-commerce shall obtain the international standard verification of information security management system (ISO27001) by 1 July 2017. If
the insurer fails to obtain and maintain the ISO27001 verification before the deadline, it will be prohibited from operating the e-commerce business.

In addition, the licensed insurer shall also comply with the Guideline for Life Insurance Enterprises to Conduct Security Assessments on Computer System/Information Security and the Guideline for Non-Life Insurance Enterprises to Conduct Security Assessments on Computer System/Information Security to conduct the technology risk assessment and management.

Taiwan's Personal Data Protection Act (amended on 30 December 2014)(TPDPA) and relevant regulations and rulings apply to government authorities, all organizations in the private sector and individuals. The TPDPA regulates the collection, use, process and cross-border transfer of personal data in Taiwan.

The TPDPA provides the definition for "use," "process" and "cross-border transfer." "Process" means in order to establish or use the personal data, to record, input, storage, edit, correct, duplicate, index, delete, output, link or transfer for internal use the personal data. "Use" means to use the collected personal data in ways other than the "use." "Cross-border transfer" means to process or use the data subject across border.

The Insurance Act of Taiwan regulates the collection and use of sensitive personal data. Under the Insurance Act, the following person/entity may collect, process or use sensitive personal data (medical records, medical treatment or health examination of individuals), with
the written consent of the data subject:

• insurance enterprises, insurance agents, brokers and surveyors that operate or conduct business in accordance with the Insurance Act
• juristic persons commissioned by insurance enterprises to provide assistance in confirming or performing their obligations under an insurance contract
• insurance-related foundations established with the permission of the competent authority to handle disputes and matters relating to compensation for victims of motor vehicle accidents

Yes. According to the TPDPA, the Taiwan government may prohibit an individual/entity from conducting cross-border transfer of the personal data under one of the following circumstances:

• where substantial national interests are involved
• where international treaties or agreements specify otherwise
• where the rights and interests of the data subject are likely to be damaged as a result that the data recipient country does not have appropriate laws and regulations to protect personal data
• where the TPDPA may be avoided because the personal data is transmitted or used by way of indirect transmissions to a third country or area

In addition, according to the Directions for Operation Outsourcing by Insurance Enterprises, an insurance enterprise shall obtain the FSC's prior approval for outsourcing to an offshore service provider (such as a data center outside Taiwan).

Taiwan does not have specific or special law governing cybersecurity. However, under the Criminal Code of Taiwan:

• Article 318-1 provides that "a person without reason discloses the secrets of another which he knows or possesses through the use of a computer or other relating equipment shall be sentenced to imprisonment of not more than two years, short-term imprisonment, or a fine not more than five thousand yuan."
• Article 339-3 provides that "a person who for purpose to exercise unlawful control over other's property for himself or for a third person takes property of another by entering false data or wrongful directives into a computer or relating equipment to create the
  records of acquisition, loss or alteration of property ownership shall be sentenced to imprisonment for not more than seven years; in addition thereto, a fine of not more than seven hundred thousand yuan may be imposed."
• Articles 358 to 363 are offenses against the computer security.

In addition, regulated financial institutions (including insurance companies) are required to have risk management systems and policies and disaster recovery plans in relation to cybersecurity risk.

In October 2015, the FSC allowed insurance companies, within certain limits, to invest in business-related or auxiliary to financial technology-related business (such as big data analysis, software design and Internet of Things).

With regard to P2P lending, the FSC issued a news release on 28 April 2016 questioning the following:

• guarantee of fixed return and taking funds from the lender before a loan agreement is signed may constitute deposit taking regulated under the Banking Act
• investment return shall not exceed 20% per annum (the maximum annual interest rate permitted under the Civil Code)
• high return with low cost and low risk could constitute fraudulent advertisement regulated by the Fair Trade Act
• membership with high return may constitute multilevel marketing regulated by the Fair Trade Act

• Heavy regulations and high capital requirements for start-ups to obtain the relevant licenses impose a high cost on development and innovation
• No special cybersecurity laws or regulations (only general criminal liabilities under the Criminal Code)
• Lack of patent and know-how to develop fintech

Traditional financial products or services may be replaced by new products or services provided by start-ups or multinational high-tech or companies.

Taiwan insurance companies are discussing how to use big data to conduct risk analysis and offer new products to customers. They are also considering downsizing their sales force and selling products through banks and digital channels.

The existing sales channels of insurance (such as insurance solicitors, brokers and agents) may be reduced. From KYC (Know Your Customer) to KYDC (Know Your Digital Customer), Taiwan insurers need to develop new technology to know digital customers.