Financial Crime World

Electronic Payment Institutions Regulations in Taiwan

Overview

The regulations governing electronic payment institutions in Taiwan require specific measures for payment via linked deposit accounts. This article outlines these requirements, including direct and indirect link mechanisms, application processes, and security controls.


Requirements

Electronic payment institutions must use either direct or indirect link mechanisms to provide the service of payment via agreed linked deposit accounts.

Certificate Requirements

  • Electronic payment institutions must apply for financial certificates from banks.
  • These certificates serve as proof of authentication and are used exclusively for payment via linked deposit account operations.

Application Process


  • The electronic payment institution must apply to the financial institution holding the account.
  • The electronic payment institution must apply to the dedicated deposit account bank.

Agreed Linkage Procedure


  • User Application
    • Users should apply for account linkage and agree to have the electronic payment institution carry out transfers of funds on their behalf through a financial institution holding the account.
    • The user provides the financial institution with the bank deposit account number, the e-payment account number, and other agreed information.
  • Verification Process
    • The agreed linkage is effective after the user’s bank has verified the user’s identity.

Transaction Procedure


  • The electronic payment institution gives the financial institution holding the account a payment deduction instruction according to the user’s payment instruction.
  • The electronic payment institution gives the financial institution holding the account a payment deduction instruction through a connected financial information service enterprise or clearing house.

Security Measures


Private Key Protection

  • Private keys for certificates should be stored in a hardware security module that complies with Common Criteria EAL 4+ or FIPS 140-2 Level 3 or above.
  • Private keys are subject to express key export restrictions.

Access Control

  • Electronic payment institutions must establish control mechanisms to restrict access to private keys and programs related to agreed linked deposit account operations by unauthorized personnel or programs.

Notification Mechanism


The electronic payment institution should ask the financial institution holding the account to establish a notification mechanism, by which the institution will notify the user instantly after making fund transfers.

Risk Control


Electronic payment institutions must ask the dedicated deposit account bank or the financial institution holding the account to establish reasonable transaction flow control mechanisms.

Termination of Agreed Linkage


Users should apply for termination of agreed linkage in the manner provided in Item 3 (1) hereof or in another manner agreed with the electronic payment institution or the financial institution holding the account.