2025-05-08

Added

Case Involving Deficiencies of Shin Kong Commercial Bank Regarding Abnormal Mailing Addresses for Collection Letters and Misplaced Credit Card Statement Data

The Financial Supervisory Commission of Taiwan imposed a NT$6 million fine on Shin Kong Commercial Bank for systemic failures in its internal controls and outsourcing oversight that resulted in abnormal collection letter addresses and misprinted credit card statements. The penalty addresses violations of the Banking Act and related internal control regulations stemming from untested system parameter changes and inadequate vendor supervision, which exposed 1,447 customers to potential personal data breaches. The decision mandates immediate payment within ten days and outlines the legal procedures for administrative appeal or enforcement action in case of non-compliance.

Financial Supervisory Commission Taiwan logo

Taiwan

Financial Supervisory Commission Taiwan

Click to view thumbnail

::: Regulatory Information ::: Back to Homepage Announcement Information Penalty Cases Penalty Cases _ FACEBOOK Line Twitter Printer-Friendly Version Back to Previous Page Shin Kong Commercial Bank's case regarding deficiencies involving abnormal mailing addresses for collection letters and misplaced credit card statement data has been found to violate Article 45-1, Paragraphs 1 and 3 of the Banking Act. Pursuant to Article 129, Item 7 of the Banking Act, a fine of New Taiwan Dollars (hereinafter the same) 6,000,000 is imposed.

2025-05-08

Financial Supervisory Commission Penalty Decision Addressee: As per original and copy copies Date of Issue: May 8, 2025 (Republic of China Year 114) Document No.: Jin-Guan-Yin-Kong Zi No. 11402712992 Penalized Party: Shin Kong Commercial Bank Co., Ltd. Unified Business Number: 86519539 Address: 1F and B1, No. 44, Sec. 2, Zhongshan N. Rd., Zhongshan Dist., Taipei City Representative/Manager: Wu OO Address: Same as above Subject: Regarding the case of deficiencies involving abnormal mailing addresses for collection letters and misplaced credit card statement data at your bank, it has been found to violate Article 45-1, Paragraphs 1 and 3 of the Banking Act. Pursuant to Article 129, Item 7 of the Banking Act, a fine of New Taiwan Dollars (hereinafter the same) 6,000,000 is imposed. Facts: When your bank adjusted the address field in the credit card system on May 1, 2020 (ROC Year 109) and May 9, 2024 (ROC Year 113), it failed to synchronously adjust the reading function of the collection system. Additionally, when your bank adjusted the mobile banking address change function in August 2022 (ROC Year 111), an erroneous rule design was written into the TWD core system. These respectively caused abnormal mailing addresses for collection letters generated by the collection system for charge card financial cards, credit cards, and consumer finance products, potentially leading to misdelivery and personal data breaches, affecting a total of 1,089 customers. Furthermore, your bank entrusted OO Information Co., Ltd. (hereinafter "the Outsourced Vendor") to handle credit card statement printing and packaging. Due to a sensor and alignment code reading anomaly in the vendor's printer at dawn on November 22, 2024 (ROC Year 113), the customer name on the front of the printed statement and the transaction details/payment slip on the back belonged to different customers, affecting a total of 358 customers. Reasons and Legal Basis: I. Upon review, your bank has the following deficiencies in failing to properly establish and strictly implement internal control and operational systems, violating Article 45-1, Paragraphs 1 and 3 of the Banking Act, and the "Implementation Measures for Internal Control and Audit Systems of Financial Holding Companies and Banks" (hereinafter "Internal Control Measures") Articles 3(1) and 8(1), as well as the "Measures for Internal Operational Systems and Procedures for Financial Institutions Entrusting Others to Process Operations" (hereinafter "Outsourcing Measures") Article 6(1): (1) Failure to properly establish internal control systems:

  1. Failure to properly establish testing and verification mechanisms for information system changes: Your bank did not establish complete business control procedures, including testing, verification by development and user units, and impact analysis of peripheral and upstream/downstream systems, for system parameter adjustments and program changes related to customer personal data. Consequently, when your bank adjusted the mobile banking communication data change function in August 2022 and the credit card system address field length in May 2023, it failed to detect abnormal data transmission between systems.
  2. Failure to properly establish control mechanisms for mailing and handling returned collection letter files: Your bank originally only established a pre-mailing sampling inspection mechanism for outsourced collection letters, and for self-collected letter files, only verified the total number transmitted to the vendor. After July 2023, the sampling scope was expanded to include all collection letters. Additionally, returned mail cases (except those returned due to unknown relocation) were only destroyed after system registration, without establishing proper tracking and control measures to check for address anomalies. Consequently, from May 2020 to August 2023 (a period of 4 years and 3 months), system-generated address anomalies were not detected. (2) Failure to strictly implement internal control and operational systems:
  3. Failure to strictly implement testing and acceptance operational standards internally: Although your bank's internal regulations stipulate that system testing prior to launch should verify the correctness of output data, your bank's IT unit failed to strictly review output results during the integration testing before the May 2020 credit card system launch, resulting in the failure to detect address output anomalies.
  4. Failure to effectively supervise entrusted institutions to establish sound internal control systems: Although your bank's internal regulations stipulate that a dedicated unit should supervise entrusted institutions to establish internal control and audit systems, in this case, the entrusted institution OO Information Co., Ltd. failed to strictly verify the correctness of printed data according to operational procedures, and its procedures lacked an effective pre-mailing error verification mechanism, causing incorrectly printed statements to be mailed. This clearly shows your bank failed to effectively supervise the entrusted institution to establish a sound internal control system. II. The aforementioned deficiencies indicate your bank's failure to properly establish and strictly implement internal control systems, violating Article 45-1, Paragraphs 1 and 3 of the Banking Act, and the Internal Control Measures Articles 3(1) and 8(1), and the Outsourcing Measures Article 6(1). Pursuant to Article 129, Item 7 of the Banking Act, a fine of 6,000,000 is imposed. Payment Method:
  5. Payment Deadline: Within 10 days from the day following the service of this decision.
  6. Please follow the payment instructions attached by the Banking Bureau of this Commission. Important Notes:
  7. If the penalized party disagrees with this decision, it must, within 30 days from the day following the service of this decision, prepare an appeal petition pursuant to Article 58, Paragraph 1 of the Administrative Appeal Act, and submit it through this Commission (18F, No. 2, Sec. 2, Xianmin Ave., Banqiao Dist., New Taipei City) to the Executive Yuan for administrative appeal. However, pursuant to Article 93, Paragraph 1 of the Administrative Appeal Act, unless otherwise provided by law, filing an appeal does not suspend the execution of this decision, and the penalized party must still pay the fine.
  8. If the penalized party fails to pay the fine within the payment deadline stipulated in this decision, it will be transferred to the various sub-bureaus of the Ministry of Justice's Administrative Execution Agency for administrative execution pursuant to the proviso of Article 4, Paragraph 1 of the Administrative Execution Act. Original: Shin Kong Commercial Bank Co., Ltd. (Representative: Mr. Wu OO) Copy: Shin Kong Financial Holding Co., Ltd. (Representative: Mr. Wu OO), Central Bank, Central Deposit Insurance Co., Ltd. (Representative: Mr. Huang OO), Inspection Bureau of this Commission, Banking Bureau

Page Views: 29,124 Last Updated: 2025-05-09 ::: Privacy Policy Declaration │ Information Security Policy Declaration │ Website Data Openness Declaration │ Subscribe to Newsletter │ Latest Newsletter Financial Supervisory Commission Copyright 220232 18F, No. 2, Sec. 2, Xianmin Ave., Banqiao Dist., New Taipei City FSC Electronic Map Phone: (02)8968-0899 Fax: (02)8969-1215 FSC New York Representative Office: 1 E.42 Street, 13F, New York, NY 10017, U.S.A. Contact Phone: (1-212) 317-7326 FSC London Representative Office: 46-48 Grosvenor Gardens London SW1W 0EB, UK Contact Phone: (44-20)7628-1501 If you have specific suggestions for improving our global website, please email us. Thank you. Last Updated: 2026-07-09 Visitor Count: 61,478,092 Back to Top