Title Guidelines for Work-From-Home Applications by Bond Dealers in Response to Serious Special Infectious Diseases
Date 2023.10.13 ( AMENDMENT )

Article Content

1     Conditions for bond dealers to initiate work-from-home programs
  1. The term "serious special infectious disease" in these Guidelines means a statutory infectious disease as defined by the Centers for Disease Control, Ministry of Health and Welfare (such as COVID-19) or a special infectious disease determined by the Executive Yuan to require urgent activation of epidemic prevention and handling measures.
  2. A bond dealer shall first seek alternative places of business (including off-site backup places of business), unless:
    1. The Executive Yuan (or the Ministry of Health and Welfare) declares a major epidemic (e.g., community-acquired infections).
    2. An employee of the place of business becomes a confirmed case.
    3. Any major business personnel or agent of the place of business must undergo home isolation, home quarantine, self-health monitoring, or other epidemic prevention and handling measures implemented by the competent authority.
2     Bond dealer work-from-home application process and application documents
  1. Bond dealer application process
    1. A bond dealer applying for the first time for working from home for business such as proprietary trading operations and transactions and clearing and reporting procedures shall submit its application to the Taipei Exchange (TPEx) for transfer as a special case to the competent authority for approval. However, to shorten the application procedures, the bond dealer may prepare the relevant documents and apply to the TPEx for preliminary examination. If prevented by an emergency (e.g., lockdown, any confirmed case among employees, etc.) from making a written application according to normal procedure, the bond dealer may make a report to the TPEx by special means (e.g., email), followed by the submission of the relevant documents to the TPEx for the record after the incident.
    2. The work-from-home period applied for may not exceed 3 months, but if there are legitimate reasons, a bond dealer may, before the expiration of that time limit, apply to the TPEx for a 3-month extension. If, upon expiration of the extension period, it is assessed that there is still a need to implement working from home, an application may be submitted to the TPEx in accordance with the process described in "A" above.
  2. Application documents
     A bond dealer applying for working from home shall submit a special application to the TPEx in advance, with a contingency plan and case checklist (as attached). The contingency plan shall include the following:
    1. Availability period: The period available for work-from-home being applied for.
    2. Personnel deployment: Information relating to personnel deployment, and a senior managerial officer must be designated as the contact window.
    3. Business activities: The scope of business items handled during the work-from-home period is limited to those stated in the application (e.g., transactions, clearing). If the work-from-home application is to handle transactions only, clearing business not covered by the application may be handled only at the place of business. If anything is to be newly added to the scope of business, the application process in 2.1 must still be carried out when the business activity is initially added.
    4. Operational methods and procedures: Work-from-home operational methods and procedures must clearly describe the differences and similarities with working at a place of business.
    5. Transaction and employee conduct management measures:
      1. The company shall establish measures to monitor the activities and communications of employees working from home. Work-from-home activities are limited to those approved by the company. Stricter reviews shall be conducted of the personal transactions of work-from-home employees (including that the methods for managing the employees' communications and activities in connection with proprietary trading etc. shall be expressly prescribed). In principle, no personnel responsible for reviewing and monitoring the activities of work-from-home employees may work from home, unless such personnel's review and monitoring will not be hindered by their working from home.
      2. The company shall fully inform work-from-homers of their rights and obligations and fully explain the importance of legal compliance.
      3. The company shall adopt measures to protect client privacy and the safety of client data and records, etc., and expressly prescribe management and control measures for the same.
      4. The company must verify client identity (e.g., when accepting orders) and enhance measures to manage accounts.
      5. The company shall publish an outline of the work-from-home arrangements on the company website (home page) and assist clients in understanding company operations and the risk of possible disruption of transactions, etc.
      6. Control measures for proprietary trading operations, including control procedures for audio and video recording or related alternative measures.
    6. Test reports: The company must test in advance the remote access system for work-from-home purposes and ensure employees can access the company system only through a safe connection.
    7. Information security measures:
      1. The company must establish secure remote connection mechanisms (e.g., virtual private network [VPN]; virtual desktop infrastructure [VDI]), including: adopting security measures including multi-factor authentication mechanisms (employee account number and password, dynamic password, one-time password), encrypting connections, adopting the principle of least privilege, keeping complete audit trails of user operations, monitoring and alerting of anomalous operation behaviors, performing security vulnerability updates, and other security control measures, and educating home workers to stay alert to network risks, etc.
      2. The company must restrict log-in to company employees only, track the operation of equipment and keep complete records, and prescribe regulations governing the hours that connection is available based on the schedule of the employees' performance of duties.
      3. The company must use firewalls to block malicious or unauthorized connections, set rules and disable non-essential ports based on the principle of least privilege, and monitor network traffic with alerts and disconnection mechanisms for anomalous activity.
      4. The company must follow the principle of least privilege to conduct differentiated management of users' access to the system so that those working from home can have only the necessary functional access privileges to perform business, and turn off non-essential system function authorizations.
    8. Issue a statement on the Establishment of Information Security Inspection Mechanisms by Securities Firm (or Financial Institution).
    9. Measures for the prevention of conflicts of interest and violations of rules and regulations: Prescribe comprehensive and express measures to prevent conflicts of interest and violations of rules and regulations by work-from-homers.
    10. Minutes of the board of directors' meeting where the board of directors agrees to the work-from-home arrangements, or in lieu thereof, the consent of the head office or regional center of the group. In the event of an emergency in which prior approval of the board of directors is not possible, the subsequent ratification method may be adopted.
    11. Perform risk assessment: If the work-from-home period applied for consecutively reaches 1 year or more, the company shall review whether the content of the contingency plan is in line with the current situation and regularly (at least once a year) assess new risks that may arise from the implementation of long-term working from home (the risk assessment shall include information security risks, legal risks, operational risks, personal information risks, and financial crime risks, etc.).
    12. Record of work-from-home related education, training, and awareness activities (at least once every half-year).
3     Complementary measures for work-from-home management of bond dealers
  1. Proprietary trading and transactions
    1. Associated persons handling proprietary trading business shall conduct business honestly and in good faith and avoid misusing non-public information and conflicts of interest.
    2. Personal computers for use at home by associated persons handling proprietary trading business shall all be allocated by the company, and appropriate hardware and software shall be installed and controlled according to the personnel's business activities.
    3. Work-from-homers may not proceed with transactions until after logging in according to their access privileges through a secure remote connection. All user log-ins and transactions shall be fully tracked and kept on record.
    4. The company shall install video equipment in the work-from-home spaces of trading personnel, keep it unobstructed during trading hours, and make and preserve a video recording of the entire process. If there are difficulties in actually implementing video recording, the company may take other appropriate measures after assessing the risks (such as arranging specific times, several times a day, etc., to turn on the camera or conduct online meetings), and strengthen review and assurance that trading personnel working from home strictly abide by confidentiality obligations in the trading decision-making process and do not engage in trading activities involving trading of listed (or over-the-counter) securities based on information known to them through their duties or otherwise violate securities laws or regulations.
    5. Such personnel shall be prohibited from logging into the system during non-trading hours or non-duty hours.
    6. Personnel responsible for reviewing and monitoring the activities of work-from-home employees must verify the trading-related audio recordings of work-from-homers periodically to ensure both conformance to those kept at the place of business and that the audio recordings of work-from-homers are distinguishable as such.
    7. With respect to the risk exposure of executed open positions, the company shall be able to control trading limits and position risks in the work-from-home operations as well as the operations at the place of business.
    8. Control of personal transactions of work-from-homers: The company may at its discretion allow or prohibit personal transactions of work-from-homers upon careful assessment in accordance with company management policies. If it allows such transactions, the means of controlling such transactions shall include prescribing express modes of operation and management methods for communications and activities pertaining to proprietary trading (e.g., stipulating that full audio recordings be made of orders placed by telephone, that full recordings be made of orders placed electronically on computers allocated by the company, etc.).
  2. Clearing and various reporting procedures
    1. A bond dealer shall complete clearing and settlement within the time limits in accordance with the TPEx Trading Rules and relevant regulations. In principle, clearing and settlement shall be handled at the place of business (including an outside backup place of business); when necessary, work-from-homers may assist in the handling of such operations.
    2. A bond dealer shall complete all reporting procedures within the time limits in accordance with the TPEx Trading Rules and relevant regulations. Reporting procedures may be handled at the place of business (including an outside backup place of business) or by work-from-homers.
  3. Information security
    1. The company shall provide online work access for those working from home in accordance with the information security control measures in place at the time of application.
    2. Computer equipment (including notebooks and tablets) used by work-from-homers shall be installed with specific information security software to control application access privileges, non-essential services and operating system privileges on the computers shall be closed, and technical means shall be adopted to implement data non-leakage mechanisms for remote work (by adopting technical means to prohibit the transmission and storage of files to the computer equipment of work-at-homers), so as to reduce the risk of information leakage.
    3. Log-ins to major systems and transactions by all work-from-homers shall be fully tracked and documented.
    4. If work-from-homers need to conduct video conferencing, the remote connection security controls shall be strengthened.
  4. Prevention of conflicts of interest and violations of rules and regulations
    1. To ensure confidentiality of trading information, a work-from-homer must conduct business in an independent space and may not do so in a public space.
    2. A work-from-homer must properly retain all transaction related records as required by the competent authority, the TPEx, and the company.
    3. The company shall appoint a senior managerial officer as the chief officer responsible for implementing relevant monitoring measures during trading hours.
    4. The company shall inspect home office workers for violations of conflict-of-interest and non-compliance prevention measures.
  5. A bond dealer shall establish appropriate control mechanisms and audit procedures in the company's internal control system for all work-from-home operations and properly retain work-from-home related information to facilitate audit operations.