The Financial Supervisory Commission (FSC) imposed a penalty on Hua Nan Commercial Bank (Hua Nan Bank) for violation of regulations. Hua Nan Bank was found to have deficiencies when assisting Financial Information Service Co., Ltd. (FISC) to process the transfer of uniform invoice lottery prize money to the accounts of prize winners on June 6, 2023. The deficiencies indicated that the bank had failed to establish adequate measures to protect customer interests, enforce regulations regarding information system conversion, implement reporting procedures for material contingencies, and provide a comprehensive audit report to thoroughly outline the incident’s progression. The bank was identified that it had failed to properly establish and rigorously implement internal controls, in violation of regulations in Article 45-1, Paragraph 1 of the Banking Act, and regulations in Article 3, Paragraph 1 as well as Article 8, Paragraph 1 of the "Implementation Rules of Internal Audit and Internal Control System of Financial Holding Companies and Banking Industries" established based on the authorization therein. The FSC therefore imposed a penalty of NT$4 million on Hua Nan Bank in accordance with Article 129, Subparagraph 7 of the Banking Act.
I.    Penalized entity: Hua Nan Bank
II.    Legal basis for the penalty: Article 129, Subparagraph 7 of the Banking Act
III.    Facts of violations:
(I)    The information system used by Hua Nan Bank to carry out payment collection operations was replaced with the newly built "NTD and foreign currency payment collection system" on June 1, 2023. When Hua Nan Bank assisted FISC to process the transfer of uniform invoice lottery prize money to the accounts of prize winners at 1:39 a.m. on June 6, 2023, the system encountered an issue during data conversion where the amount column shifted, resulting in an extra 2 zeros being added to the payment amounts. This led to 35,952 irregular payments totaling NT$2.025 billion (the correct payment amount should have been  NT$20.2589 million). Although the bank performed a correction operation on the accounts at 4:28 a.m. on the same day, some customers had already transferred funds out of their accounts or had used them to pay utility bills, resulting in failure of withdrawal. Ultimately, a total of 142 customer accounts were affected and NT$9.18 million could not be recovered promptly.
(II)    The deficiencies in this case indicated that the bank had failed to properly establish and rigorously implement internal controls.
1.    Failure to establish adequate measures for protecting customer rights and interests before information system conversion operations: The bank's "NTD and foreign currency payment collection system" is utilized for various automatic bill payment and collection transactions, and due to its importance it was classified as Type 1 computer systems specified in the "Information Security Standards for Financial Institutions". However, the customer service department was not included in the task force of the emergency contingency plan and training program for the bank's information system conversion. Consequently, when system anomalies occurred, the bank's customer service department failed to promptly address customer complaints and only sent SMS notifications to customers over 13 hours after the incident, which did not help customers realize the impact on their rights and interests.
2.    Failure to enforce regulations relating to the information system conversion operations:
(1)    Failure to conduct testing procedures prior to system conversion: During the preparation work prior to the system conversion, the bank failed to follow the internal regulations to implement parallel testing or comprehensive exercises again after identifying misuse of source file format from FISC, and launched the system directly.
(2)    Failure to monitor the new system status after conversion: Following the launch of the new system, the bank failed to allocate appropriate personnel to continuously monitor system launch operations and did not ensure data accuracy in accordance with internal regulations in the first batch operations of the uniform invoice lottery prize money payments. Until the bank's customer service department received customer calls, the anomalies were discovered then prompting them to contact IT unit personnel to address the issues.
3.    Failure to rigorously implement material contingency reporting procedures: The bank is required to immediately report material  contingencies when they occur. In this case, abnormalities in the information system occurred at approximately 1 a.m. on June 6, 2023, involving a total of 35,952 irregular payments. Even receiving the notice from the Banking Bureau of the FSC, the bank still reported the material  contingency at approximately 9 p.m. on the following day, June 7, failing to carry out the material contingency reporting procedures based on the severity of the system abnormality.
4.    Failure to provide a comprehensive audit report to thoroughly outline the incident’s progression: The audit unit serves as the third line of defense in the internal control system and is responsible for providing a detailed report of the incident 's progression and reviewing the root cause of the problem to facilitate improvements. However, the audit report filed by the bank for the material contingency did not include all the important information related to the incident, thereby compromising the accuracy and integrity of the bank's audit report. As a result, the internal control system did not operate effectively.
IV.    Results of the penalty: The bank violated Article 45-1, Paragraph 1 of the Banking Act, and regulations in Article 3, Paragraph 1 as well as Article 8, Paragraph 1 of the “Implementation Rules of Internal Audit and Internal Control System of Financial Holding Companies and Banking Industries” established based on the authorization therein. The FSC therefore imposed a fine of NT$4 million in accordance with Article 129, Subparagraph 7 of the Banking Act.