2025-08-11

Added

Cathay United Bank Fined 12 Million TWD for Internal Control Failures Related to Customer Credit Card Fraud by Customer Service Staff

The Financial Supervisory Commission imposed a 12 million New Taiwan dollar fine on Cathay United Bank for failing to maintain adequate internal controls that allowed a customer service representative to fraudulently steal approximately 6.88 million TWD from 18 clients. The regulator identified critical deficiencies in the bank's mechanisms for verifying customer identity during card replacement, adjusting payment amounts, and accessing credit card image systems. These control failures enabled the employee to bypass security checks, alter client contact information, and conceal fraudulent transactions.

Financial Supervisory Commission Taiwan logo

Taiwan

Financial Supervisory Commission Taiwan

Click to view thumbnail

Regulatory Information

Return to Homepage

Announcement Information

Penalty Cases

Penalty Cases

FACEBOOK Line Twitter Print-friendly Back to Previous Page

The deficiencies involving Cathay United Bank's customer service representative in the unauthorized use of customers' credit cards constitute violations of Article 45-1, Paragraph 1 of the Banking Act and Articles 3, Paragraph 1 and 8, Paragraph 1 of the "Implementation Measures for Internal Control and Audit Systems of Financial Holding Companies and Banks." Pursuant to Article 129, Paragraph 7 of the Banking Act, a fine of New Taiwan Dollars (hereinafter the same) 12,000,000 is imposed.

2025-08-11

Financial Supervisory Commission Penalty Decision

Addressee: As listed in the original and copies Date of Issue: August 8, 2025 (Republic of China Year 114) Document Number: Jin Guan Yin Kong Zi No. 11402725142 Respondent: Cathay United Bank Co., Ltd. Unified Business Number: 04231910 Address: 1st Floor, No. 7, Songren Road, Xinyi District, Taipei City Legal Representative or Manager: Guo [Redacted] Address: Same as above

Subject: The deficiencies involving your bank's customer service representative in the unauthorized use of customers' credit cards constitute violations of Article 45-1, Paragraph 1 of the Banking Act and Articles 3, Paragraph 1 and 8, Paragraph 1 of the "Implementation Measures for Internal Control and Audit Systems of Financial Holding Companies and Banks." Pursuant to Article 129, Paragraph 7 of the Banking Act, a fine of New Taiwan Dollars (hereinafter the same) 12,000,000 is imposed.

Facts: Your bank's customer service representative, Huang [Redacted] (hereinafter referred to as "Huang"), between March 2024 and October 2024, took advantage of his position to unauthorizedly apply for credit card replacements for customers. After applying but before the cards were issued, he changed the customers' contact information to his own. He then used the customers' credit cards to make purchases on foreign websites to recharge his own and his relatives' accounts on those websites, and subsequently transferred the funds back to his own accounts. This method was used to steal customer funds. A total of 18 customers were affected, with a total stolen amount of approximately 6,880,000 TWD.

Reasons and Legal Basis:

  1. Article 45-1, Paragraph 1 of the Banking Act and Articles 3, Paragraph 1 and 8, Paragraph 1 of the "Implementation Measures for Internal Control and Audit Systems of Financial Holding Companies and Banks" stipulate that banks must establish an internal control system. Furthermore, pursuant to Article 129, Paragraph 7 of the same Act, if a bank fails to establish an internal control system in accordance with Article 45-1 or fails to implement it effectively, it shall be fined between 2,000,000 and 50,000,000 TWD.

  2. Upon review, your bank has the following deficiencies in the control mechanisms for customer service personnel handling credit card customer data changes, reporting loss and applying for replacements, adjusting credit card payment amounts, and accessing the credit card image retrieval system:

(1) Failure to adequately establish control mechanisms for credit card customer data changes and loss reporting/replacement applications:

  1. According to the "Customer Service Center Knowledge Base System (hereinafter referred to as KMS)/Credit Card Customer Data Change Operation" stipulated in your bank's "Financial Services Department Operation Guidelines," for changes to basic credit card customer data, customer service personnel may directly change the data after verifying the cardholder's identity, provided there are no special circumstances. When data is changed, the system immediately checks if two or more people share the same mobile phone number or email address; if a shared situation is detected, the system blocks the data change login. Additionally, according to your bank's "KMS/Loss Reporting and Credit Card Replacement" regulations, for cardholders reporting lost cards, customer service personnel may execute loss reporting and replacement operations in the customer service system after confirming relevant data.
  2. However, the aforementioned two regulations lacked mechanisms to confirm that the cardholder had actually contacted the center to request the relevant operations before customer service personnel changed data or executed replacement operations. This allowed Huang to directly use multiple mobile phone numbers and email addresses, or invalid mobile phone numbers, to change data, thereby evading system checks and preventing your bank from effectively notifying customers. He also exploited his authority to change applications for card suspension to loss reporting and replacement, or locked customers who had not used their cards for a long time, and unauthorizedly applied for loss reporting and replacement of credit cards. The replaced cards were mailed to the contact address previously changed by Huang.

(2) Failure to adequately establish control mechanisms for adjusting credit card payment amounts: Your bank's "KMS/Adjustment of Minimum Payment Amount" regulations state that after the credit card bill closing date, if a cardholder applies to deduct store refunds, fee waivers, disputed bill payments, or apply for manual installment payments, customer service personnel may adjust the minimum payment amount on the bill. However, if the cardholder is "not overdue," customer service personnel do not need to open an electronic form for countersignature by the responsible department, nor is there a post-event review mechanism, allowing them to directly adjust the minimum payment amount for the month. This enabled Huang to cover up his fraudulent behavior by adjusting the payment amount to 0 TWD.

(3) Failure to adequately establish control mechanisms for the credit card image retrieval system: Your bank's "KMS/Querying Credit Card Image Retrieval System" regulations state that if confirmation of credit card application form data is required, customer service personnel may retrieve credit card application form content through the credit card image retrieval system using "any one of the following query conditions": application number, ID number of primary/additional cardholder, Chinese name of primary/additional cardholder, or unified business number. However, this system did not establish appropriate query control conditions, allowing Huang to easily randomly query a customer's ID number from their credit card application form data by name. He used this to log into the customer service system to view the customer's credit card usage, thereby facilitating the locking of specific characteristic customers as targets for fraud.

  1. The aforementioned deficiencies indicate that your bank failed to adequately establish an internal control system, constituting violations of Article 45-1, Paragraph 1 of the Banking Act and Articles 3, Paragraph 1 and 8, Paragraph 1 of the "Implementation Measures for Internal Control and Audit Systems of Financial Holding Companies and Banks." Therefore, pursuant to Article 129, Paragraph 7 of the Banking Act, a fine of 12,000,000 TWD is imposed.

Payment Method:

  1. Payment Deadline: Payment must be made within 10 days from the day following the service of this decision.
  2. Please follow the payment instructions attached by the Banking Bureau of this Commission.

Notes:

  1. If the respondent disagrees with this decision, they must, within 30 days from the day following the service of this decision, prepare an appeal petition in accordance with Article 58, Paragraph 1 of the Administrative Appeal Act and submit it to the Executive Yuan via this Commission (18th Floor, No. 7, Section 2, Xianmin Avenue, Banqiao District, New Taipei City). However, pursuant to Article 93, Paragraph 1 of the Administrative Appeal Act, unless otherwise provided by law, filing an appeal does not suspend the execution of this decision. The respondent must still pay the fine.
  2. If the respondent fails to pay the fine within the payment period specified in this decision, the case will be transferred to the various branches of the Administrative Enforcement Agency of the Ministry of Justice for administrative enforcement, pursuant to the proviso of Article 4, Paragraph 1 of the Administrative Enforcement Act.

Original: Cathay United Bank Co., Ltd. (Representative: Mr. Guo [Redacted]) Copy: Cathay Financial Holding Co., Ltd. (Representative: Cai [Redacted]), Central Deposit Insurance Corporation (Representative: Huang [Redacted]), this Commission's Inspection Bureau, Banking Bureau

Page Views: 25,553 Update Date: 2025-08-12

:::

Privacy Policy Declaration | Information Security Policy Declaration | This Commission's Website Data Open Declaration | Subscribe to Newsletter | Latest Newsletter

Financial Supervisory Commission Copyright 220232 18th Floor, No. 7, Section 2, Xianmin Avenue, Banqiao District, New Taipei City

FSC Electronic Map

Telephone: (02) 8968-0899 Fax: (02) 8969-1215

This Commission's New York Representative Office: 1 E. 42 Street, 13F, New York, NY 10017, U.S.A. Contact Telephone: (1-212) 317-7326

This Commission's London Representative Office: 46-48 Grosvenor Gardens, London SW1W 0EB, UK Contact Telephone: (44-20) 7628-1501

If you have specific suggestions for improving this Commission's global information network, please email us. Thank you.

Update Date: 2026-07-09

Visitor Count: 61,478,092 Back to Top