TDCC has established a comprehensive risk management organization structure. In addition to operating its risk management system and mechanisms effectively through the board's governance and supervision, and establishing the risk control committee under the board to supervise risk management matters, the Company has also introduced TPIPAS to control risks relating to personal information.
ISO 27001 Information and Communication Security Management System Verification
We evaluated the maturity of our information security governance. Through training, self-evaluation, review of the self-evaluation results, enhancement proposals and review of reported items, we hope to refine the maturity review mechanism for information security governance and establish an information security protection capability index. The review procedures for information security governance maturity cover a total of 83 examination items. TDCC's overall information security activities are completed through such review procedures. We undergo information security management system verification conducted by an external audit agency, the British Standards Institute (BSI), twice every year and maintain the continuous validity of our ISO 27001 information security certification. Our audit results in 2018 complied with the requirements of BSI standards.
Taiwan Personal Information Protection and Administration System (TPIPAS)
To ensure that the personal information maintained by TDCC is duly protected, the Company introduced TPIPAS in 2012. We successfully passed the verification conducted by a professional institution and obtained the dp.mark from the Ministry of Economic Affairs in 2013. The Company engages a professional institution to conduct verification for TDCC every year to continuously maintain the effectiveness of the dp.mark. In 2018, there were no complaints regarding infringement of customer privacy or loss of customer information.
ISO 9001 Quality Management System
TDCC first passed the ISO 9002:1994 international quality assurance system verification in February 1999. To maintain the operation of the international quality assurance system, TDCC passed ISO 9001:2000 verification in August 2002, then passed ISO 9001:2008 verification in September 2010 and obtained certificates from four countries, including UKAS in England, ANAB in the United States, SAS in Switzerland and JAS-ANZ in New Zealand and Australia. We passed the latest verification in May 2017, in response to the latest announcement of ISO 9001:2015 in May 2017, so as to maintain the effectiveness of the quality system verification. In 2018, we continued to pass ISO information security management system verification, as well as risk identification during ISO 9001 quality management system verification.
Internal Control and Auditing System
TDCC formulated the internal control system in accordance with the "Regulations Governing the Establishment of Internal Control Systems by Service Enterprises in Securities and Futures Markets" promulgated by the competent authority. TDCC established the internal auditing office under the board of directors. The Company conducted an audit on the business operated by each department and office, assisted the board of directors and managers in investigating and assessing the internal control system, and provided suggestions in due course so as to ensure the continuous and effective implementation of the internal control system.
FundRich submits documents related to its annual audit plan and the plan's implementation to TDCC, whereas TDCC carries out an inspection of FundRich at least once every year in accordance with the relevant laws and regulations. FundRich regularly performs internal inspections. Moreover, FundRich regularly submits written reports to various supervisors for review, reports to the board of directors, and completes the self-assessment of various departments and offices.
In August 2018, FundRich prepared the "Anti-Money Laundering and Counter-Terrorism Financing Risk Assessment Report" and submitted the report to the competent authority for reference. In the future, FundRich will examine risk factors and review risk control measures every year before carrying out risk assessment, and will regularly update risk assessment reports to enhance the effectiveness of anti-money laundering and counter-terrorism financing operations.