Financial Crime World

Design Principles for Payment via Linked Deposit Accounts in Taiwan
===========================================================

Article 10-1: Design Principle for Payment via Agreed Linked Deposit Account

Requirements for Electronic Payment Institutions

Electronic payment institutions in Taiwan must adhere to the following requirements when providing payment services through linked deposit accounts.

  • Direct or Indirect Link Mechanism: The institution must use either a direct or indirect link to provide the service.
  • Financial Certificate and Agreement: The institution must apply for a financial certificate from a financial institution and enter into an exclusive agreement with it, under which that certificate serves as the certificate for payment via linked deposit account operations.
  • Authentication Mechanism: Both parties must agree that the certificate authentication mechanism establishes the non-repudiation (undeniability) of the transaction.
  • Agreed Linkage Procedure: The user must apply for account linkage in a specific manner, and both the user’s bank and the electronic payment institution must verify the user’s identity before effecting the linkage.

Transaction Procedure

There are two possible scenarios for the transaction procedure:

  • The electronic payment institution gives the financial institution holding the account a payment deduction instruction. This instruction is authenticated by the financial certificate and relevant data of the agreed linked deposit account.
  • The electronic payment institution gives the financial institution holding the account a payment deduction instruction through a financial information service enterprise or clearing house connected to the dedicated deposited account bank.

Security Measures

To ensure secure transactions, electronic payment institutions must implement the following security measures:

Private Key Protection

  • Private keys for the certificate must be stored in a hardware security module that complies with specific security standards.

Access Control

  • The institution must establish a mechanism to restrict access to private keys and programs related to linked deposit account operations.

Notification Mechanism

  • The financial institution holding the account must notify the user instantly after making a fund transfer.

Risk Control

  • The dedicated deposited account bank or financial institution holding the account must establish reasonable transaction flow control mechanisms.

Termination of Agreed Linkage

The procedure for terminating the agreed linkage involves notification from both the user and the financial institution holding the account.