Cloud Compliance Center

Taiwan

Select a Topic
Quick Links
Start Comparison

Taiwan

This content was last reviewed around November 2023.

Cloud-neutral

Consequences of regulatory breach1. Are financial institutions legally permitted to use cloud services?

Yes, there is no prohibition on using cloud services under applicable regulatory laws.

Rules for cloud outsourcing

2. Are there any rules that apply to cloud use by financial institutions (e.g., rules regarding outsourcing or the use of cloud services)?

Yes. Banks and insurance companies are permitted to outsource their operations to cloud service providers pursuant to the Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation ("Regulations", applicable to outsourcing of banks and credit cooperatives) and the Directions for Operation Outsourcing

by Insurance Enterprises ("Directions", applicable to outsourcing of insurance companies). Notably, the Taiwanese regulators are in the process of revising the Regulations. The amendments to the Regulations ("Draft Amendments") are expected to become effective either in the third or fourth quarter of this year. In contemplation of the Draft Amendments, the insurance industry is likewise advocating for corresponding modifications to the Directions.

The Cloud Compliance Center content for Taiwan is premised on the Draft Amendments. As the Draft Amendments have not yet been formally enacted, the final language and effective date

thereof remains subject to change. 

Contract requirements
3. Are there any specific contractual requirements for cloud outsourcing?

Yes, under the Personal Data Protection Act (PDPA) and the Enforcement Rules of the PDPA, a cloud service agreement should specify the following:

  • The planned scope, category, specific purpose and time period of the processing or use of the data
  • The measures to be taken by the cloud service provider to prevent the data from being stolen, altered, damaged, destroyed or disclosed
  • The third party, if any, further commissioned by the cloud service provider
  • The information that must be notified and the remedial measures that must be taken if the cloud service provider or its employees violate the PDPA or relevant laws and regulations
  • Any reserved matters for which the cloud service provider is required to obtain prior instructions
  • The return of any medium containing the data and the deletion of the same stored and possessed by the cloud service provider upon the termination of the cloud service agreement
  • That the cloud service provider may only collect, process or use the data within their instructions

Pursuant to the draft amendments to the Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation, the agreement between a financial institution and a cloud service provider must contain the following terms:

  • Terms granting the financial institution and the Taiwanese regulators the authority to conduct audits and inspections of the cloud service provider
  • A term obliging the cloud service provider to assist the financial institution in executing any system migration requirements and shall be liable for any interruptions in cloud services during the migration process
4. When does cloud outsourcing fall within the scope of the rules?

Under Taiwan financial laws and regulations, a financial institution's use of cloud services provided by a third party cloud service provider may constitute an outsourcing of business operations. 

Regulatory notifications

5. Does the outsourcing need to be notified to the regulator?

Under the Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation (“Regulations”), any outsourcing arrangements involving offshore service providers are subject to the preapproval requirement of the Financial Supervisory Commission (FSC), regardless of whether the outsourced service would be considered material in nature.

According to the draft amendments to the Regulations ("Draft Amendments"), on one hand, a financial institution must apply to the competent authority (i.e., the FSC) for approval before outsourcing the IT system of its material consumer banking business to a service provider located in a foreign country. On the other hand, if the business is "nonmaterial," "nonconsumer banking business" or "non-overseas," a financial institution is not required to apply for preapproval from the FSC. 

Paragraph 5, Article 4 of the Draft Amendments provides that there will be "material" outsourcing in any one of the following situations:

  • The outsourcing operation is unable to provide services or has information security concerns that have a significant impact on the financial institutions' business operations.
  • The outsourcing operation involves a security incident involving customer information, which has a significant impact on the financial institutions, or customer rights.
  • Other outsourcing operations occur that have a significant impact on financial institutions or the rights and interests of customers.

The Draft Amendments relax the requirement for "systems for corporate banking business" and "nonmaterial systems for consumer banking business" to apply for approval for overseas outsourcing. However, the FSC still appears to have reservations about the outsourcing of "material systems for consumer banking business" to foreign countries. The standard for what constitutes "material" systems for consumer banking business remains ambiguous under current regulatory guidance.

Consequences of regulatory breach
6. What are the potential consequences for breaching financial services rules on cloud outsourcing?

Under the draft amendments to the Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation ("Draft Amendments"), outsourcing and use of cloud services are regulated as part of a financial institution's internal control mechanism, and breach of related rules may lead to the imposition of an administrative fine in an amount between NTD 2 million and NTD 50 million (approximately USD 66,667 and USD 1,666,667). However, under local practice in Taiwan, the authorities would first typically require the bank to remediate any identified noncompliance before imposing an administrative fine.

Article 22 of the Draft Amendments provides that if a cloud service provider contravenes the Draft Amendments or other laws, the competent authority may, depending on the severity of the case, notify the financial institution to terminate the engagement in accordance with the contract, require it to make improvements within a certain period of time or suspend the engagement until the cloud service provider confirms that it has made improvements. Article 22 of the Draft Amendments also provides that if a cloud service provider violates the provisions of the outsourcing regulations or other laws, the Financial Supervisory Commission may, depending on the severity of the case, request that the financial institution take necessary measures. That said, under the Draft Amendments, there is no provision to impose penalties directly on cloud service providers, and the regulators are only allowed to indirectly oversee cloud service providers by exercising their regulatory authority over the financial institutions.

Data privacy and security
7. Are there any data privacy and/or data security laws that would apply?

Yes, the Personal Data Protection Act (PDPA) applies. Pursuant to Article 8 of the Enforcement Rules of the PDPA, a financial institution is obligated to supervise its cloud service provider
(s). Among other things, the PDPA specifies certain requirements that would need to be met in a cloud services agreement (see the response to the question on specific contractual requirements for cloud outsourcing).

Additionally, Article 19 of the draft amendments to the Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation ("Draft Amendments") provides that financial institutions will ensure that they and the regulator have the power to audit the cloud service providers, with one of the drivers for this being the need to ensure data security. The Draft Amendments further require financial institutions to conduct regular inspections to verify the cloud service provider's performance and to document the findings of such inspections.

The European Union's General Data Protection Regulation (GDPR) imposes a more rigorous standard for data protection compliance compared to Taiwan's PDPA. As such, contractual terms, obligations and commitments reflecting GDPR compliance would necessarily satisfy or exceed Taiwan's PDPA standards. Given the stricter scope and mandates of the GDPR, agreements structured to meet GDPR standards would effectively satisfy the requirements under Taiwan's PDPA.

Overseas hosting

8. Are there any restrictions under local data protection laws that would impact the overseas hosting of data?

Under the draft amendments to the Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation, in addition to the above-mentioned approval requirement applicable to material systems for consumer banking business, the following restrictions apply where a cloud service provider hosts financial institutions' data in a data center outside Taiwan:

  • Financial institutions should retain the right to designate the location of the processing and storage of customers' data.
  • The local data protection regulations in the relevant jurisdiction should not be more lenient than those of Taiwan.
  • Backups of customers' data shall be retained in Taiwan.

Moreover, the Financial Supervisory Commission may restrict or prohibit cross-border transmission of personal data under Article 21 of the Personal Data Protection Act. 

Financial services authorizations licenses

9. Does a cloud service provider need a financial services authorization or license to provide cloud services?

No, a cloud service provider does not a need a financial services authorization or license from the financial regulators in Taiwan. However, when engaged by a financial institution, a cloud service provider has to comply with related regulations and the requirements of the financial institution. Such an obligation to ensure compliance is typically mandated by financial regulators upon the financial institution itself. For example, paragraph 2, Article 7 of the draft amendments to the Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation ("Draft Amendments") provides that a financial institution should remain liable to its customers under the law for any intentional actions or negligent omissions caused by the cloud service provider or its employees. Subparagraph 2, paragraph 1, Article 19 of the Draft Amendments stipulates that a financial institution has an ultimate accountability to supervise its cloud service providers.

Customer data subject consent

10. Is express consent from customers or other data subjects required before moving data to the cloud?

Yes, consent is required, but the Personal Data Protection Act (PDPA) does not restrict the form of such consent. 

The PDPA also recognizes "presumed consent," according to paragraph 3, Article 7 of the PDPA, where a data subject does not object and provides their personal data after they have been informed of the relevant information specified in paragraph 1, Article 8 of the PDPA. Nonetheless, financial institutions are still expected to inform their clients and obtain express consent before transferring clients' data to their cloud service providers.

According to a ruling issued by the Taiwan Ministry of Justice, if a data subject revokes consent to transfer their data to a cloud service provider, the transfer of such data must cease.

Data access requirements

11. Are there any local laws that require a cloud service provider to be able to access the data it hosts?

No.

Data disclosure requirements

12. Are there any local laws that would require a cloud service provider to disclose the data it hosts to any third parties in any circumstances (including regulatory or law enforcement authorities)?

Yes. 

Criminal law enforcement: According to the Code of Criminal Procedure, public prosecutors, judicial police officers or police may request that the cloud service provider disclose data required for criminal investigations under a search warrant or a letter/notice. However, this only applies to cloud service providers within the territory of Taiwan.

Data protection law enforcement: Under Article 22 of the Personal Data Protection Act, for the purposes of conducting an audit, the Financial Supervisory Commission (FSC) or the municipality/city/county governments are entitled to request the disclosure of the data. 

According to subparagraph 5, paragraph 1, Article 18 of the draft amendments to the Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation, financial institutions are required to submit a letter of consent or outsourcing contract issued by the cloud service provider when applying for the FSC's preapproval for outsourcing. The cloud service provider must agree that the financial institutions or the person designated by the competent authority may conduct an audit of the outsourced matters if necessary. This includes the fact that the competent authority can inspect the cloud service provider's database and server room if necessary.

Quick Links
{{ $store.state.loadingScreen.message }} ...