The Financial Supervisory Commission (“FSC”) recently amended the Regulations Governing Internal Control and Audit Systems of Financial Holding Companies and Banking Industries. The key amendments are summarized as follows: 

  1. Strengthening the mandatory appointment of key functional officers: Financial holding companies and banking institutions are now required to appoint a Chief Compliance Officer (“CCO”), Chief Risk Officer (“CRO”), and Chief Information Security Officer (“CISO”), and to establish dedicated units reporting directly to the President/General Manager. Such officers may not concurrently perform duties that give rise to conflicts of interest, in order to ensure organizational independence and mitigate conflict-of-interest risks.  
  2. Enhancing the level of assurance in audit reports: The internal control audit report requirement has been revised from an “agreed-upon procedures report” to a “reasonable assurance report,” effectively increasing the scope and responsibility of accountants in conducting audits.  
  3. Implementing risk-based self-assessment mechanisms: Oversight of self-assessment procedures will now be undertaken by the second line of defense, in order to reinforce the role allocation under the three-lines-of-defense model and preserve the independence of the third line of defense. In addition, financial institutions may determine the frequency, focus, and scope of self-assessments based on risk evaluation results, thereby strengthening the functional allocation among the three lines of defense within the internal control framework.  

Pursuant to the amended regulations, financial institutions are required to file the establishment of their dedicated compliance units with the FSC within two years from the date of establishment. Financial institutions are therefore advised to promptly review whether their existing internal policies and governance structures comply with the latest regulatory requirements, and to reassess whether the scope of engagement under their audit service agreements with external accountants should be correspondingly adjusted, so as to reduce compliance and internal control risks. 
