Under the draft amendments to the Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation, in addition to the above-mentioned approval requirement applicable to material systems for consumer banking business, the following restrictions apply where a cloud service provider hosts financial institutions' data in a data center outside Taiwan:

• Financial institutions should retain the right to designate the location of the processing and storage of customers' data
• The local data protection regulations in the relevant jurisdiction should not be more lenient than those of Taiwan
• Backups of customers' data shall be retained in Taiwan

Moreover, the Financial Supervisory Commission may restrict or prohibit cross-border transmission of personal data under Article 21 of the Personal Data Protection Act.