Regulations for Telecommunications Enterprises Using Designated Databases to verify User Identity
2024-11-19
手機睡眠
語音選擇
Article 1
These Regulations are formulated pursuant to Paragraph 3, Article 19 of the Fraud Crime Hazard Prevention Act (hereinafter referred to as "the Act").
Article 2
The terms used in these Regulations are defined as follows:
1. Telecommunications services: refers to the telecommunications services defined in Subparagraph 2, Paragraph 1, Article 3 of the Telecommunications Management Act.
2. Subscriber: refers to the subscriber defined in Subparagraph 9, Paragraph 1, Article 3 of the Telecommunications Management Act.
1. Telecommunications services: refers to the telecommunications services defined in Subparagraph 2, Paragraph 1, Article 3 of the Telecommunications Management Act.
2. Subscriber: refers to the subscriber defined in Subparagraph 9, Paragraph 1, Article 3 of the Telecommunications Management Act.
Article 3
The designated databases (hereinafter referred to as "designated databases") specified by the competent telecommunications authority pursuant to Paragraph 2, Article 19 of the Act include the following:
1. The Household Registration and Conscription Information System of the Ministry of Interior: The National ID Card Issuance, Replacement, and Update Record Inquiry System established within the Household Registration and Conscription Information System.
2. Integrated Anti-Fraud Risk Database: The Integrated Anti-Fraud Risk Database established by the National Police Agency, Ministry of the Interior.
3. Immigration Database: The database established within the cloud query services of the National Immigration Agency, Ministry of the Interior.
Telecommunications enterprises that have been assigned subscriber numbers shall establish connections to the designated databases specified in Subparagraphs 2 and 3 of the preceding paragraph.
Telecommunications enterprises that have been assigned subscriber numbers shall assist its affiliated telecommunications enterprises or telecommunications enterprises providing wholesale resale services of subscriber numbers in conducting inquiry operations with the designated databases specified in these Regulations.
1. The Household Registration and Conscription Information System of the Ministry of Interior: The National ID Card Issuance, Replacement, and Update Record Inquiry System established within the Household Registration and Conscription Information System.
2. Integrated Anti-Fraud Risk Database: The Integrated Anti-Fraud Risk Database established by the National Police Agency, Ministry of the Interior.
3. Immigration Database: The database established within the cloud query services of the National Immigration Agency, Ministry of the Interior.
Telecommunications enterprises that have been assigned subscriber numbers shall establish connections to the designated databases specified in Subparagraphs 2 and 3 of the preceding paragraph.
Telecommunications enterprises that have been assigned subscriber numbers shall assist its affiliated telecommunications enterprises or telecommunications enterprises providing wholesale resale services of subscriber numbers in conducting inquiry operations with the designated databases specified in these Regulations.
Article 4
Telecommunications enterprises shall process applications for telecommunications services as follows:
1. For ROC nationals: Verify the authenticity of the National ID Card using the designated database specified in Subparagraph 1, Paragraph 1 of the preceding article, based on the National ID Card number, issuance date, issuance location, and the category of issuance, replacement, or update.
2. For individuals from Mainland China, Hong Kong, or Macau: Verify the entry and exit status and the validity of the Exit and Entry Permit using the designated database specified in Subparagraph 3, Paragraph 1 of the preceding article, based on the Exit and Entry Permit number.
3. For non-ROC nationals: Verify the entry and exit status and the validity of the document using the designated database specified in Subparagraph 3, Paragraph 1 of the preceding article, based on the passport number and nationality code, or the Residence Permit number.
4. For juristic persons, unincorporated bodies, or business entities: Conduct inquiries in accordance with the relevant category of the representative specified in Subparagraphs 1, 2, or 3 above.
If telecommunications enterprises discover discrepancies within the documents of identification, discover that the individual has exited the country, or discover that the stay or residence period has expired during the verification process in the preceding paragraph, the application shall be rejected.
1. For ROC nationals: Verify the authenticity of the National ID Card using the designated database specified in Subparagraph 1, Paragraph 1 of the preceding article, based on the National ID Card number, issuance date, issuance location, and the category of issuance, replacement, or update.
2. For individuals from Mainland China, Hong Kong, or Macau: Verify the entry and exit status and the validity of the Exit and Entry Permit using the designated database specified in Subparagraph 3, Paragraph 1 of the preceding article, based on the Exit and Entry Permit number.
3. For non-ROC nationals: Verify the entry and exit status and the validity of the document using the designated database specified in Subparagraph 3, Paragraph 1 of the preceding article, based on the passport number and nationality code, or the Residence Permit number.
4. For juristic persons, unincorporated bodies, or business entities: Conduct inquiries in accordance with the relevant category of the representative specified in Subparagraphs 1, 2, or 3 above.
If telecommunications enterprises discover discrepancies within the documents of identification, discover that the individual has exited the country, or discover that the stay or residence period has expired during the verification process in the preceding paragraph, the application shall be rejected.
Article 5
When processing applications for telecommunications services, telecommunications enterprises shall, in addition to verifying the subscriber information pursuant to the preceding article, further assess the subscriber’s risk level using the Integrated Anti-Fraud Risk Database with the following identification information:
1. For ROC nationals: National ID Card number or passport number.
2. For individuals from Mainland, Hong Kong, or Macau: Exit and Entry Permit number.
3. For non-ROC nationals: Passport number or Residence Permit number.
For subscribers who are juristic person, unincorporated body, or business entities, the verification under the preceding paragraph shall include the following information:
1. For juristic persons, unincorporated bodies, and business entities: Unified Business Number or registration certificate number, and the National ID Card number, Exit and Entry Permit number, passport number, or Residence Permit number of their representative.
2. For foreign juristic persons: The Unified Business Number of the branch office approved for establishment, and the National ID Card number, Exit and Entry Permit number, passport number, or Residence Permit number of their representative registered with the competent authority.
If the telecommunications enterprise discovers, during the verification under the preceding two paragraphs, that a telecommunications service subscriber is listed in the Integrated Anti-Fraud Risk Database, it shall implement corresponding risk control measures and, pursuant to Paragraph 3, Article 23 of the Act, restrict the number of services the subscriber may apply for.
1. For ROC nationals: National ID Card number or passport number.
2. For individuals from Mainland, Hong Kong, or Macau: Exit and Entry Permit number.
3. For non-ROC nationals: Passport number or Residence Permit number.
For subscribers who are juristic person, unincorporated body, or business entities, the verification under the preceding paragraph shall include the following information:
1. For juristic persons, unincorporated bodies, and business entities: Unified Business Number or registration certificate number, and the National ID Card number, Exit and Entry Permit number, passport number, or Residence Permit number of their representative.
2. For foreign juristic persons: The Unified Business Number of the branch office approved for establishment, and the National ID Card number, Exit and Entry Permit number, passport number, or Residence Permit number of their representative registered with the competent authority.
If the telecommunications enterprise discovers, during the verification under the preceding two paragraphs, that a telecommunications service subscriber is listed in the Integrated Anti-Fraud Risk Database, it shall implement corresponding risk control measures and, pursuant to Paragraph 3, Article 23 of the Act, restrict the number of services the subscriber may apply for.
Article 6
If telecommunications enterprises are notified by the competent telecommunications authority or judicial police agencies that the telecommunications services used by a subscriber are suspected of being involved in fraudulent activities, they shall reverify the subscriber's identity in accordance with the provisions of Articles 4 and 5.
Article 7
Before providing the entire or partial international roaming services to offshore high-risk telecom businesses, telecom businesses, if technically feasible, shall verify the following identification information of the user via the Immigration Database to confirm entry records. International roaming services may only be provided if entry data are confirmed. However, services may be offered if users present identification documents at the telecom counter for verification and registration:
1. For ROC nationals: Passport number.
2. For individuals from Mainland China, Hong Kong, or Macau: Exit and Entry Permit number.
3. For non-ROC nationals: Passport number or Residence Permit number.
If the verification specified in Subparagraph 1 of the preceding paragraph cannot be conducted, international roaming services may only be offered if users present identification documents at the telecom counter for verification and registration.
Telecommunications enterprises providing international roaming services in accordance with Paragraph 1 shall, where technically feasible, conduct monthly inquiries via the Immigration Database. If the user is found to have exited the country, overstayed, or exceeded the permitted residence period, the telecommunications enterprises shall suspend the international roaming services.
1. For ROC nationals: Passport number.
2. For individuals from Mainland China, Hong Kong, or Macau: Exit and Entry Permit number.
3. For non-ROC nationals: Passport number or Residence Permit number.
If the verification specified in Subparagraph 1 of the preceding paragraph cannot be conducted, international roaming services may only be offered if users present identification documents at the telecom counter for verification and registration.
Telecommunications enterprises providing international roaming services in accordance with Paragraph 1 shall, where technically feasible, conduct monthly inquiries via the Immigration Database. If the user is found to have exited the country, overstayed, or exceeded the permitted residence period, the telecommunications enterprises shall suspend the international roaming services.
Article 8
After the implementation of the Act, telecommunications enterprises that provide prepaid card services to non-ROC nationals in accordance with Article 22 of the Act shall conduct monthly batch inquiries via the Immigration Database to confirm the subscriber’s entry and exit status and whether the subscriber has overstayed or exceeded the permitted residence period.
For prepaid card services provided to non-ROC nationals prior to the implementation of Article 22 of the Act, telecommunications enterprises shall notify subscribers to provide the identification information required for verification via the Immigration Database within two weeks. Once the subscriber provides the required information, telecommunications enterprises shall verify and register the information, and thereafter conduct regular inquiries in accordance with the preceding paragraph.
The notification procedure specified in the preceding paragraph shall be outlined in a notification plan, which telecommunications enterprises shall submit to the competent telecommunications authority for recordation within two months of the implementation of these Regulations. Any changes to the plan shall also be submitted for recordation. Telecommunications enterprises shall complete the notification process in accordance with the plan.
If, during the verification specified in Paragraphs 1 and 2, telecommunications enterprises discover that the subscriber has exited the country, overstayed, or exceeded the permitted residence period, they shall notify the subscriber to reverify and register their identification information in person at a store of the telecommunications enterprise within two weeks. Before the specified period expires, telecommunications enterprises may restrict certain functions of the telecommunications service. If the subscriber fails to complete the reverification and registration process within the specified period, telecommunications enterprises shall restrict or terminate the provision of telecommunications services in accordance with Article 22 of the Act.
For prepaid card services provided to non-ROC nationals prior to the implementation of Article 22 of the Act, telecommunications enterprises shall notify subscribers to provide the identification information required for verification via the Immigration Database within two weeks. Once the subscriber provides the required information, telecommunications enterprises shall verify and register the information, and thereafter conduct regular inquiries in accordance with the preceding paragraph.
The notification procedure specified in the preceding paragraph shall be outlined in a notification plan, which telecommunications enterprises shall submit to the competent telecommunications authority for recordation within two months of the implementation of these Regulations. Any changes to the plan shall also be submitted for recordation. Telecommunications enterprises shall complete the notification process in accordance with the plan.
If, during the verification specified in Paragraphs 1 and 2, telecommunications enterprises discover that the subscriber has exited the country, overstayed, or exceeded the permitted residence period, they shall notify the subscriber to reverify and register their identification information in person at a store of the telecommunications enterprise within two weeks. Before the specified period expires, telecommunications enterprises may restrict certain functions of the telecommunications service. If the subscriber fails to complete the reverification and registration process within the specified period, telecommunications enterprises shall restrict or terminate the provision of telecommunications services in accordance with Article 22 of the Act.
Article 9
When using designated databases for verification, telecommunications enterprises shall comply with the following information security regulations:
1. Cooperate fully with the information security management requirements stipulated by the competent telecommunications authority and the authorities responsible for the designated databases.
2. Incorporate information security management measures related to the connection with designated databases into their overall information security protocols.
3. Ensure that programs used for connecting to the designated databases have undergone security testing and provide proof of security. The programs must not originate from Mainland China, Hong Kong or Macau and must not contain backdoors or Trojan horse programs.
4. Assign sufficient personnel with appropriate qualifications, such as information security certifications or relevant experience, to perform verification operations involving designated databases.
5. Telecommunications enterprises shall not refuse regular or ad-hoc audits conducted by the competent telecommunications authority, the authorities responsible for the designated databases, or designated project teams.
6. In the event of an information security incident related to the connection with the databases, promptly report the incident in accordance with the Cyber Security Management Act. Collaborate with internal information security teams to investigate and document the incident, and submit the records to the competent telecommunications authority and the authorities responsible for the designated databases.
7. For other information security management operations, telecommunications enterprises shall comply with the relevant regulations stipulated in the Cyber Security Management Act and by the Administration for Cyber Security, Ministry of Digital Affairs.
1. Cooperate fully with the information security management requirements stipulated by the competent telecommunications authority and the authorities responsible for the designated databases.
2. Incorporate information security management measures related to the connection with designated databases into their overall information security protocols.
3. Ensure that programs used for connecting to the designated databases have undergone security testing and provide proof of security. The programs must not originate from Mainland China, Hong Kong or Macau and must not contain backdoors or Trojan horse programs.
4. Assign sufficient personnel with appropriate qualifications, such as information security certifications or relevant experience, to perform verification operations involving designated databases.
5. Telecommunications enterprises shall not refuse regular or ad-hoc audits conducted by the competent telecommunications authority, the authorities responsible for the designated databases, or designated project teams.
6. In the event of an information security incident related to the connection with the databases, promptly report the incident in accordance with the Cyber Security Management Act. Collaborate with internal information security teams to investigate and document the incident, and submit the records to the competent telecommunications authority and the authorities responsible for the designated databases.
7. For other information security management operations, telecommunications enterprises shall comply with the relevant regulations stipulated in the Cyber Security Management Act and by the Administration for Cyber Security, Ministry of Digital Affairs.
Article 10
These Regulations shall come into force on the date of implementation of Article 19 of the Act.