Transparent Governance

The Bank has in place appropriate risk management procedures, with a three-tier risk defense mechanism based on cross-departmental coordination.

The Bank has established the Corporate Information Security Committee to oversee the promotion of information security, emerging information security issues, and the corresponding response plans. In 2022, the completion rate for our information security and personal information protection training was 100%, and there were no major information leaks.

CTBC Bank has established AML/CFT committees that hold regular meetings to discuss important AML/CFT-related issues. In 2022, 27,772 CTBC Bank employees completed the related training.

Corporate governance

To strengthen its corporate governance, CTBC Bank has stipulated internal regulations including the Corporate Governance Best Practice Principles, Policy for the Prevention of Insider Trading, Code of Ethical Conduct, Code of Business Integrity, Business Integrity Operational Procedures and Behavior Guidelines, Board Performance Evaluation Measures, and Employee Code of Conduct. These rules are revised from time to time as necessary in accordance with external regulation revisions and actual operational circumstances.

Implementation of ESG management

Sustainable business is one of our core values. In response to global carbon reduction and sustainable transformation trends, as well as its own growth objectives, the rights and interests of stakeholders, and the need for socially and environmentally sustainable solutions, we properly manage the company’s economic, environmental, and social risks and impacts.

Risk management
Three lines of defense

We are acutely aware of the importance of risk management. Echoing the PRI, PRB, TCFD, and other initiatives, we have established a robust risk management organizational structure and comprehensive management strategies. In addition to scrupulously complying with the rules of the relevant authorities, we apply appropriate risk management procedures in our daily operations, supplemented by qualitative and quantitative evaluation and monitoring, integration, and coordination across units. This three-lines-of-defense mechanism optimizes implementation and control to achieve sustainable and stable operations.

Shaping employees' risk management awareness

We attach great importance to the risk awareness of our employees and encourage them to actively discover potential risks. Indeed, employees' risk management and control results are a core component of their performance appraisals. By providing risk education training, we equip our employees with the knowledge and skills to practically incorporate risk management and control into everyday risk decisions. Once a risk is discovered, it is reported and escalated to the head of operations following the risk identification, assessment, measurement, and monitoring process, supported by management tools such as risk and control assessments (RCA) and key risk indicators (KRI). Such risks are also reported to senior managers and the Board regularly. The risk units consolidate all related events and summarize them into instructional materials to be shared with various units via internal meetings. This keeps all relevant employees informed and on alert regarding the recurrence of such events.

We have also designed risk courses to further increase our employees' risk awareness. Specifically, to give new employees a grounding in risk, we provide general online courses, including an introduction to bank risk management and operational risk management. For junior and mid-level managers, we provide risk management programs that reinforce their understanding of risk. The training results for 2022 were as follows:

Category | Trainees | Trainees who completed training | Completion rate (%) (Note) | Total training hours | Description
New employees | 2,699 | 2,654 | 98 | 2,677.5 | 33 people resigned before completing the training
Newly appointed managers | 194 | 194 | 100 | 108.5 |
Note: Completion rate = number of trainees who completed training / total number of trainees

Regulatory compliance

CTBC Bank has long taken a proactive stance toward maintaining compliance with the latest local and global financial and legal requirements. The Bank requires a self-assessment of legal compliance every six months to ensure that all of its business operations satisfy legal requirements, and it further optimizes its Legal Compliance System Policy and related measures every year. The legal compliance management, legal compliance department personnel, and legal compliance executives at each business unit must satisfy all relevant legal requirements, including completing a 30-hour training course and passing the requisite examination before taking up their positions. Subsequently, they are required to complete at least 15 hours of on-the-job training per year and to submit an annual legal compliance risk assessment report to the competent authorities in accordance with regulations. Each department must ensure compliance with external laws and regulations in the course of doing business and formulate internal operational regulations when necessary.

In the event of a regulatory violation, the legal compliance unit addresses the deficiency by supervising the unit concerned as it analyzes the reasons behind the non-compliance or fraudulent activity, evaluates the possible areas of impact, and proposes improvements. If the non-compliance or deficiencies are severe, the Board of Directors must be notified immediately so that Board members obtain the relevant information in a timely manner and can guide their decision making accordingly.


Money laundering and terrorist financing

To better comply with the provisions of the Taiwan government’s Money Laundering Control Act, Terrorism Financing Prevention Act, and Regulations Governing Anti-Money Laundering of Financial Institutions, CTBC Bank formulated a Policy Statement of Global AML/CFT; Global Sanctions Policy; Global Customer Screening Regulations for Preventing Money Laundering And Terrorism Financing; Education and Training Measures for Anti-Money Laundering and Combating Terrorist Financing; and other policies, and has established an AML/CFT Committee.

All directors, senior managers, and the supervisors and personnel of compliance and AML/CFT units met their internal and external training requirements in 2022. In addition, newly hired employees were required to complete relevant training within three months of starting at the Company. We also require all employees to attend AML/CFT seminars every year, covering topics such as relevant laws and regulations, legal cases, how to identify and report suspicious transactions, and staff compliance with relevant duties. Employees must also receive AML/CFT training tailored to their specific roles and are encouraged to participate in related training and certification programs. In 2022, 27,772 CTBC Bank employees completed related training.

AML/CFT prevention and control training | 2022 | 2021 | 2020
Employees who completed training | 27,772 | 26,998 | 27,376
Training hours | 77,620 | 75,634 | 63,638

CTBC Holding's Procedures for Money Laundering and Terrorist Financing Risk Management stipulate that a customer's background, the characteristics of their occupational and socio-economic activities, their geographical location, and, for non-natural person customers, their organizational structure be comprehensively considered in order to identify each customer's ML and FT risks. The procedures also stipulate that customers, or their ultimate beneficial owners, who are current politically exposed persons of foreign governments be treated as high-risk customers, and that enhanced measures be taken during customer identification and ongoing monitoring. Such measures include obtaining the approval of senior managers before establishing a new business relationship, and not establishing business relationships with individuals, legal persons, or entities sanctioned under the Counter-Terrorism Financing Act.

CTBC Bank's Policy Statement of Global AML/CFT stipulates the customer due diligence procedures used to ensure effective risk control.


Strict information security protection and management
Information security management system and personal information protection security

To ensure continual information security management at the Bank, and to protect its trade secrets and confidential client information against damage arising from internal or external willful or negligent conduct that compromises their confidentiality, integrity, accuracy, or availability, CTBC Bank established the Enterprise Information Security Committee in 2013 as its highest information security management authority. The committee oversees two subgroups, the Information Security Promotion Group and the Information Security Working Group, and is charged with communicating and coordinating in a timely manner to ensure cross-organizational information security management and personal information protection.

The Enterprise Information Security Committee meets quarterly, with the Bank's President acting as the convener and its chief information security officer as the executive secretary. The meetings are attended by the chief officers of business units, including the compliance, legal, financial, risk management, institutional banking, capital market, retail banking, and information management units, as well as the Chief Auditor. Committee meetings review the Bank's information security policy and relevant information security management and personal information protection measures.

Information security risk identification and management

In accordance with the relevant measures for operational risk and control evaluation management, CTBC Bank every year collects and analyzes major domestic and foreign information security events and evaluates their potential impact on the Company. We establish management, control, and monitoring mechanisms for major risks, and the relevant evaluation results are approved by the Chief Information Security Officer. We have set up a Security Operations Center (SOC) that monitors changes in the Company's internal information security environment 24 hours a day in order to identify and address potential threats in real time. Under the information security incident response procedure, the SOC periodically runs drills simulating information security events to strengthen its ability to detect and respond to attacks. In addition, we are cultivating our workforce of information security professionals through regular training courses.

In order to proactively monitor the execution status of information security protection operations, the information security department has defined information security risk indicators and established a Security Operation Center Dashboard. The dashboard monitors over 29 indicators in four key areas (anti-virus, anti-hacking, data loss prevention, and regulatory compliance), with reference to domestic and foreign information security risk indicators and the Company's own operating status. Alerts are sent daily to unit heads for items where targets are not met, so that potential issues can be resolved as early as possible. Furthermore, a Personal Security Operation Center Dashboard has been established to let employees assess their own cybersecurity risk exposure and security practices. Unit supervisors can also use the dashboard to identify individuals with higher cybersecurity risk exposure or weaker security habits and provide them with targeted education.

Information gathering and joint defense

To prevent and manage personal data breaches and security-related events, CTBC Bank established Personal Information Protection Instructions as well as Personal Information Protection and Information Security Management - The Guidance. Every year, the Company carries out the relevant personal data security maintenance operations and regularly assesses the effectiveness of its control mechanisms in order to ensure the lawful collection and use of customer and employee personal data.

In order to comply with the relevant IP rights regulations, the Company also requires all units to inspect the software in use on all computers every six months, to confirm that the software is legally licensed and to prevent IP right infringements.

Taiwan Life established the Emergency Response Plan for Personal Data Breaches. If an employee discovers or receives a report of a suspected information security incident, including one involving personal data, the employee is required to immediately notify the relevant units and assess the severity of the reported incident. If necessary, the incident response officer will establish an Emergency Response Center within 60 minutes, notify a senior manager, and record the details of the incident. The Emergency Response Center officer position is assumed by a department head or above from the responsible unit, and task force members of the Corporate Information Security Committee are responsible for event management, communication and coordination, investigation and evaluation, and public relations and media management. The responsible unit submits a detailed event report one week after the event is resolved and conducts a root-cause analysis to reduce the likelihood of such an event recurring.