KYC.IO

Global Regulations and Requirements for KYC Onboarding
(powered by KYC-Chain)

KYC to onboard domestic persons

nameidentity documents

KYC to onboard international persons

nameidentity documents

corporate requirements

account informationinvestments infrmationfinancial entities

National ID card name

National Identification Card 國民身份證

National ID Photo

back of national id photo back

Does the country have Esignature Laws?

Electronic Signatures Act 2001-11-14

E-sig law files

What year did the relevant AML laws and regulations become effective?

1996

Further details on AML regime

Taiwan's anti-money laundering legislation is embodied in The Money Laundering Control Act, 1996 (amended in 2003, 2006, 2007, 2008, and 2009, hereinafter the “Act”).

Who is the regulator for AML controls for Banking

Under Article 5 of the Act, banks, trust and investment corporations, credit cooperative associations, credit department of farmers’ associations, credit department of fishermen’s associations, Agricultural Bank of Taiwan, postal service institutions which also handle the money transactions of deposit, transfer and withdrawal, negotiable instrument finance corporations, credit card companies, insurance companies, securities brokers, securities investment and trust enterprises, securities finance enterprises, securities investment consulting enterprises, securities central depository enterprises, futures brokers, trust enterprises, and other financial institutions designated by the Financial Supervisory Commission (hereinafter the “FSC”) fall within the definition of “financial institutions” and are thus subject to the Act.

Link to site

http://www.fsc.gov.tw/en/index.jsp

Other financial Services

jewellery, retail businesses and other institutions having the risk of being used for money laundering and having been designated by the Ministry of Justices in consultation with such institutions’

Website of Regulator

http://www.moj.gov.tw/mp095.html

Financial Sector regulator

N/A

Practical Guidance for AML

As of Nov 2014, each type of “financial institution” under Article 5 of the Act, except Agricultural Bank and securities central depository enterprises, has respective, standalone AML practical guidance. While

Is there a requirement to verify the identity of customers retroactively?

Retroactive details

There is no requirement to retrospectively verify the identity of customers before the Act was adopted and became effective. However, in any of following events, financial institutions are required to verify a customer’s identity even after the customer has a pre-existing relationship with the financial institution: a) any domestic transfer or remittance that exceeds TWD30,000 (approx. USD900); b) discovery of a transaction suspicious of money laundering or financing of terrorism, or remittance from countries or regions with high risk of money laundering or financing of terrorism; or c) suspicion of authenticity or sufficiency of customer identity information having previously acquired.

Has the country been the subject of FATF mutal evaluation in the last 3 years?

Taiwan has not been the subject of a FATF Mutual Evaluation since 2008.

PDF of FATF review

Are there minimum transaction thresholds (Y/N)

Yes

More details on minimum transaction thresholds.

Under applicable practical guidance, customer due diligence is required upon: a) the establishment of business relationship; b) discovery of a transaction which raises suspicion of money laundering or financing of terrorism, or remittance from countries or regions with a high risk of money laundering or financing of terrorism; or c) suspicion of authenticity or sufficiency of customer identity information having previously acquired, regardless of any transaction threshold. In the case of one-off transactions, customer due diligence is required where: a) single receipt or payment of cash or exchange of new bills exceeds TWD500,000 (approx. USD15,000); or b) domestic cash remittance exceeds TWD30,000 (approx. USD900) but lower than TWD500,000 (approx. USD15,000). In addition, customer due diligence is also required for any domestic transfer or remittance that exceeds TWD30,000 (approx. USD900).

Details to be Collected on Corporates

Individuals: a) identification of customer and verification of identity must be based on reliable, independent original copy, information or data, the photocopies of which must be kept in custody or on record; b) in cases where an agent carries out an account-opening or a transaction, the authority must be verified and the identity of the agent must be confirmed by way of a) above; c) reasonable measures to identify and verify the beneficiary of a customer must be adopted; and d) verification of customer identity should include inquiries on the purpose and nature of business.

What are the high level requirements around beneficial ownership (identification and verification)?

When a customer is trustee of a trust, the identities of settlor, trustee, guardian, beneficiary and any other individual that has the power to effectively control the trust account must be acquired to verify the

What circumstances are enhanced customer due diligence measures required?

While practical guidance allows the adoption of simplified due diligence arrangements in low risk circumstances, there is no definition of what constitute low risk circumstances in practical guidance. On the other hand, simplified customer due diligence is prohibited in high risk circumstances, which are defined as: a) where customers are from a high risk country or region where no effective anti-money laundering or counter-financing terrorism measures are available; or b) where there is reasonable suspicion that the customer or transaction is implicated with money laundering or financing of terrorism.

How should FI's deal with Politically exposed persons

In the case of an over-the-counter request for account-opening, a financial institution must conduct due diligence on whether a customer is a foreign PEP with a database established and maintained by the financial institution, or outside information sources. Secondly, practical guidance requires that heightened risk control measures and regular review thereof must apply to such foreign PEPs.

What enhanced due diligence must be performed for correspondent banking relationships?

Banks are required to: a) gather sufficient information about a respondent institution to fully understand the nature of the respondent’s business and to determine, from publicly available information, the reputation of the institution and the quality of supervision, including whether it complies with AML and counter financing of terrorism regulations; b) assess the respondent institution’s AML and counter financing of terrorism controls and effectiveness thereof; c) obtain approval from senior management before establishing new correspondent relationships; d) document the respective AML and counter financing of terrorism responsibilities of each institution; e) where a correspondent relationship involves “payable–through accounts”, it is necessary to ensure that the correspondent bank has strictly identified the customer’s identity and is able to provide the relevant identity information if necessary; and f) not to establish correspondent relationships with any shall banks or any foreign financial institution which allows a shell bank to open an account with it.

Are relationships with banks who might be considered a 'shell' and without substance permitted?

Banks are prohibited from establishing a correspondent relationship with any shell banks or any foreign financial organisation which allows a shell bank to open an account with it.

In what circumstances is additional due diligence required for non face-to-face transactions and/or relationships?

Banks are required to implement procedures that allow them to verify a customer’s identity for the purpose of non face-to-face transactions and/or relationships effectively conducted on a face-to-face basis.

To whom are SAR's made? (suspicious activity reports)

Anti-Money Laundering Division, Investigation Bureau, Ministry of Justice

Link to website of SAR reporting

http://www.mjib.gov.tw/mlpc/download-1.htm

Other Suspicious or unusual transactions obligations.

Yes. In addition to suspicious transactions, the following information must be reported: a) any currency transaction exceeding TWD500,000 (approx. USD15,000) (or the equivalent in foreign currency); and b) passengers or service crew on board who cross the border with the carrier and carry the following items shall make declarations to customs: a. cash of foreign currency with total amount exceeding a certain amount (approx. USD10,000); and b. securities with a face value exceeding a certain amount (approx. USD10,000). Customs shall report subsequently to the Investigation Bureau, Ministry of Justice.

Are there any de-minimis thresholds below which transactions do not need to be reported?

USD10,000

Are there any penalties for non compliance with reporting requirements e.g. tipping off?

Yes: a) any financial institution which violates its reporting obligation for failure to report any currency transaction exceeding TWD500,000 (approx. USD15,000), as required by relevant laws and regulations, shall be punished by a fine between TWD200,000 (approx. USD6000) and TWD1 million (approx. USD30,000); b) any financial institution which violates its reporting obligation for failure to report any suspicious transaction as required by relevant laws and regulation, shall be punished by a fine between TWD200,000 (approx. USD6,000) and TWD1 million (approx. USD30,000). However, if the violating financial institution is able to prove that the cause of this violation is not attributable to the intentional or negligent act of its employee(s), no fine shall be imposed.

Are there any requirements (legal or regulatory) to use automated Suspicious Transaction monitoring technology?

No.

Is there a requirement to obtain authority to proceed with a current/ongoing transaction that is identified as suspicious?

Although there are no requirements to obtain authority in order to proceed with a current/ongoing transaction that is identified as suspicious, practical guidance requires that in case of abnormal transactions, the person designated as the AML responsible person (must be vice President or equivalent level of personnel) must submit such transactions as the report of the financial institution to the Investigation Bureau.

Does the local legislation allow transactions to be monitored outside the jurisdiction?

Under Taiwan’s Personal Data Protection Act, in order for transactions to be monitored outside Taiwan’s jurisdiction, either the prior written consent of the data subject must be obtained, or such monitoring outside the jurisdiction must be specifically required by law or to advance public interests. As of Nov 2014, there is no express law or regulation in Taiwan that authorises or requires the monitoring of transactions outside Taiwan’s jurisdiction. However, since Taiwan is a member of the Egmont Group and the Asia/Pacific Group on Money Laundering, and has executed cooperative memorandum of understanding with a number of countries for information exchange purpose, Taiwan’s Investigation Bureau, after receiving reports from financial institutions, has the discretion to share such information and transactions outside Taiwan’s jurisdiction. Therefore, while there is not yet express law or regulation in Taiwan that allows the monitoring of transactions outside Taiwan, such information is monitored outside Taiwan in practice by operation of law.

Is there a legal requirement for a bank’s external auditor/other external organisation to report on the bank’s AML systems and controls?

No.

If an external report on the bank’s AML systems and controls is required: a) how frequently must the report be provided?

N/A

To whom should the report on AML systems be submitted?

N/A

Is an AML system part of the financial statement audit?

N/A

What are the requirements for the content of this external report on a bank’s AML systems and controls? Does it require: a) sample testing of KYC files? b) sample testing of SAR reports? c) examination of risk assessments?

N/A

Data Protection Laws And Personal Data

yes, for example, name, birthdate, ID card number, passport number, contact information, criminal records, and financial condition

Data Protection for Corporate Data

Taiwan’s Personal Data Protection Act only applies to personal data. However, corporate data may be covered by a financial institution’s duty of confidentiality such as under the Banking Act

Data protection for "sensitive Data" and additional protections.

although there is no specific definition of “sensitive data” under Taiwan’s Personal Data Protection Act, the Personal Data Protection Act categorises medical data, genetic data, sex life, health examination or criminal records as having heightened sensitivity, which may not be collected, processed, or used unless with one of the four conditions below: a. express written legal requirement; b. necessary for the performance of duties by data controller which has adopted appropriate safety maintenance measures; c. personal data having been published by data subject or by way of other legal manner; or d. necessary to statistics and academic research within the purpose of medical, health or criminal prevention by public authority or academic research institutions, which has been collected, processed or used by way of standardised procedure.

Do any restrictions on the transfer of credit reports exist?

Criminal records and medical data shall not be used with the exceptions of the following: a) when in accordance with law; b) when it is necessary for the government agency to perform its duties or for the non-government agency to fulfil the legal obligation, and when there are proper security measures; c) when the individual has disclosed such information by himself, or when the information concerned has been publicised legally; and d) when the personal information is collected, processed or used under certain methods by a government agency or an academic research institution based on the purpose of medical treatment, personal hygiene or crime prevention statistics and/or study. For a government agency, credit reports shall be used in accordance with the scope of its job functions provided by laws and regulations, and in compliance with the specific purpose of collection. However, the information may be used outside the scope upon the occurrence of one of the following conditions: a) where in accordance with law; b) where it is for national security or to promote public interests; c) where it is to prevent harm on the life, body, freedom or property of the individual; d) where it is to prevent harm on the rights and interests of other people; e) where it is necessary for public interests on statistics or the purpose of academic research conducted by a government agency or an academic research institution, respectively. The information may not lead to the identification of a certain person after the treatment of the provider or the disclosure of the collector; f) where such use may benefit the individual; or g) a written consent of the individual has been obtained. For a non-government agency, credit reports shall be used in accordance with the scope of the specific purpose of collection provided. However, the information may be used outside the scope upon the occurrence of one of the following conditions: a) where in accordance with law; b) where it is to promote public interests; c) where it is to prevent harm on the life, body, freedom or property of the individual; d) where it is to prevent harm on the rights and interests of other people; e) where it is necessary for public interests on statistics or the purpose of academic research conducted by a government agency or an academic research institution, respectively. The information may not lead to the identification of a certain person after the treatment of the provider or the disclosure of the collector; or f) where a written consent of the individual has been obtained.

Regulator Acronym

FSC

Year of last FATF mutual evaluation

2011

National ID card details

It is compulsory at 14.

Compulsory?

National ID source

https://en.wikipedia.org/wiki/National_Identification_Card_(Republic_of_China)

Passport Photo

practical Guidance yes / no

Is there a risk based approach

Legal Requirement

Regulator allows for monitoring transactions outside jurisdiction

Requirement to proceed

requirement to use automated suspicious transaction tools

Who are SARS made to?

IBMJ

shell banks

Yes

EDD for correspondent banking

Yes

Minimum transactions

TWD 500,000

Min transaction USD

15000

Personal Data protection

Data Protection for Corporates

key restrictions

Getting express consent to do business electronically is particularly important in Taiwan. Taiwanese law does not view a party’s name on an email as an adequate electronic signature. A number of government agencies have issued bulletins excepting themselves from the law.

Summary

Article 9 states that electronic signatures may replace handwritten signatures. Article 4 provides that if a law or regulation requires information be provided in writing, the requirement may be satisfied with an electronic record. Summary of law Taiwan follows the UNCITRAL model law and is similar to the laws of many European Union member states. It is considered a two-tier jurisdiction because it gives digital signatures the same status as handwritten signatures but also recognizes simple electronic signatures as legal and enforceable. Countries that follow this model give companies the opportunity to select different forms of signatures and customize their business processes based on the form that is most convenient and appropriate for each use case.

If the AML laws and/or regulations became effective in the last 2 years, what were the requirements of the previous AML regime?

N/A

Non financial sector (e.g. casinos, high value goods etc.)

N/A

Does the country have a risk based approach?

Yes. The measures to verify customer identity and continuous monitoring are implemented in accordance with risk-based approach, under which verification of customer identity or continuous monitoring are strengthened for high risk circumstances and simplified measures are taken for low risk circumstances.

Where copies of identification documentation are provided, what are the requirements around independent verification or authentication?

Legal entities: In case where a customer is a corporation, the following information must be acquired to identify the beneficiary of the customer: a) the identity of ultimate individual beneficiary in control (such as name, birth date, nationality, and ID number). Control means any person holding 25% or more of the shares or capital of a corporation; b) in case where there is no individual beneficiary in control or suspicion whether the individual beneficiary in control is the ultimate beneficiary, inquiries should be made as to whether there is any individual who exercise control over the customer in any other manner. When necessary, the customer must be required to issue declaration to verify the identity of ultimate beneficiary; and c) in case where no individual beneficiary in control is found in accordance with a) and b) above, a financial institution must adopt reasonable measures to verify the identity of individual holding highlevel executive positions (such as director, president, or other equivalent or similar positions).

Is there case law, other constitutional law or any other laws or regulations that may impact upon the transfer of information to this jurisdiction?

No.

List of case law, constitutional law or any other laws or regulations that may impact upon the transfer of information.

Article 48 of Taiwan’s Banking Act requires that a bank keep confidential record of a customer’s deposit, loan, or remittance information, unless with exceptions specified under the same article