The Electronic Signatures Act Is Revised for the First Time in over 20 Years to Align with International Standards
On April 30, 2024, the Legislative Yuan of Taiwan passed the third reading of the draft amendment to the Electronic Signatures Act, which clearly establishes the legal status of electronic signatures and lays a solid foundation for future integration with foreign authentication technology and international trends. One of the most closely watched parts of the amendment is the stipulation that a digital signature is a type of electronic signature, and that a document signed with a digital certificate issued by a government-recognized certificate institution is presumed to have been signed or stamped in person, which gives it even stronger effect. Electronic signatures and digital signature technologies are expected to become increasingly popular, which will contribute to Taiwan’s digital and sustainable transformation.
Taiwan’s Securities Market Adopted the Electronic Certificate Signature Authentication Mechanism for Electronic Order Placement Since August 2000
In fact, Taiwan’s securities market has required securities firms that use electronic order placement to use an authentication mechanism since August 2000. In addition to the account password used for login, each order must be authenticated with an electronic certificate. Following the stock hacking incident in 2020 and 2021, the TWSE revised the relevant regulations to require investors to adopt a two-factor authentication method for placing electronic orders and logging in; in addition, when an investor applies for or updates the certification mechanism, a further factor, different from the two used for login, must be added and used, to strengthen information security. The history of the relevant regulations is detailed in the appendix.
It is worth noting that two-factor authentication applies to the “login” and “application or update of electronic certificate” stages, while each investor order still undergoes single-factor authentication with the electronic certificate. In the past, industry players have asked whether the TWSE might replace the electronic certificate authentication mechanism with another mechanism such as OTP or biometric authentication. However, considering the non-repudiation provided by the certificate authentication mechanism, the credibility of certificate institutions, the extremely fast speed of electronic certificate authentication, and the smoothness of investor order placement, electronic certificate authentication cannot be completely replaced by other identity authentication mechanisms for entrusted order placement.
Appendix: History of Relevant Norms for Securities Firms to Process Electronic Transactions and Electronic Certificates
Date | Main revised content | Legal basis |
August 11, 2000 | The TWSE announced the amendment to its Operating Rules to require securities brokers to use an authentication mechanism for electronic file transmission including order transmission, receipt of orders, and transaction returns through the Internet. | Article 75 of the Operating Rules of the Taiwan Stock Exchange Corporation (current) |
January 31, 2001 | The TWSE stated by letter that, for securities firms that had not completed the establishment of an authentication mechanism as scheduled, the disposal period was deferred until May 1, 2001. | Letter referenced Tai-Cheng (90) Chiao No. 001881 |
October 23, 2001 | The Securities and Futures Commission (now the Securities and Futures Bureau) amended the “Regulations Governing Securities Firms Accepting Orders to Trade Foreign Securities,” and specified that securities firms may accept entrusted trading of foreign securities from customers through electronic trading methods such as the Internet. | Article 13 of the Regulations Governing Securities Firms Accepting Orders to Trade Foreign Securities (current) |
February 21, 2002 | The TWSE issued the “Establishing Information Security Inspection Mechanisms for Securities Firms,” which stipulates that securities firms should fully use authentication mechanisms for order placement online. | Article 7 of the Establishing Information Security Inspection Mechanisms for Securities Firms (current) |
November 19, 2004 | The Taiwan Securities Association released the “Consent Form for Electronic Trading Account Entrustment of Securities Trading by Securities Firms (Template),” which requires the customer to obtain a password and download and install the electronic certificate issued by the certificate institution for the account designated for electronic trading entrustment. | Article 3 of the Consent Form for Electronic Trading Account Entrustment of Securities Trading by Securities Firms (Template) (current) |
January 8, 2021 | In order to strengthen the cybersecurity protection mechanism of securities firms’ communication, the TWSE requested that securities firms adopt a two-factor authentication method when logging in for order placement online. | Letter referenced Tai-Cheng-Fu No. 1100500068 |
July 20, 2021 | The TWSE amended the “Establishing Information Security Inspection Mechanisms for Securities Firms,” which stipulates that securities firms providing online order services should adopt a multi-factor authentication method (such as order certificates, binding devices, OTP, and biometric identification) when logging in for order placement online to ensure that customers log in personally. | Article 7 of the Establishing Information Security Inspection Mechanisms for Securities Firms (current) |
November 30, 2021 | The TWSE requested securities firms by letter to strengthen their cybersecurity control measures, including that, when a customer applies for or updates the certification mechanism, there should be an authentication mechanism under which the investor adds and logs in with a different factor (such as OTP and SIM authentication) besides the original two factors used for login. | Letter referenced Tai-Cheng-Fu No. 1100503618 |
Note: compiled by the TWSE |
The Electronic Certificate Signature Authentication Mechanism Has High Security and Low Latency, and the Risk of Transaction Disputes Is Low
In practice, the securities market generally adopts the software C3 certificate authentication mechanism [see Footnote 1], which fully complies with the technical security controls and non-technical (procedural) security controls of the current “Electronic Signatures Act” and “Regulations on Required Information for Certification Practice Statements.” This effectively prevents hackers from intercepting transaction information and altering its content, and ensures that investor trading activities operate safely on public networks.
For many years, there have been no major trading disputes in Taiwan’s securities market caused by a failure of the electronic certificate encryption authentication mechanism. Now that the Electronic Signatures Act has been amended, an investor’s use of an electronic certificate for entrusted order placement can be presumed to reflect the investor’s own intention. If a dispute arises between a securities firm and an investor in electronic trading, a third-party certificate institution can issue relevant records that have evidential power in judicial proceedings.
In addition, electronic certificates support multiple operating systems, meet the needs of multiple order placement channels such as mobile devices, tablets, and personal computers, and offer fast signature authentication. Even after the securities market fully implemented the transaction-by-transaction system on March 23, 2020, trading speed has not been delayed as a result. Furthermore, the electronic certificate authentication process is carried out through the securities firm’s order placement and certificate authentication system, which automatically verifies the validity and validity period of the investor’s electronic certificate, so the investor does not need to enter any password at the time of order placement. If, in addition to logging in with two factors, an investor had to enter a one-time authentication code (OTP) or perform biometric authentication for each order, it could cause great inconvenience to the investor’s order placement process.
Although Foreign Exchanges Have Not Widely Implemented the Electronic Certificate Signature Authentication Mechanism, Their Emphasis on Identifying Investor Identity Has Increased Rather Than Decreased
Some have pointed out that, unlike Taiwan, markets such as Hong Kong, the United States and Singapore do not require electronic certificate authentication when placing orders online. However, the TWSE believes that each country has its own unique environment and historical background in the development of its securities trading market, and the situations cannot be generalized. For example, the US securities trading market does not have a single trading platform: after investors place orders, securities firms can match them through the centralized exchange platform, the over-the-counter platform, or dark pools. If every trading platform introduced its own exclusive electronic certificate, customers might need to keep a large number of different certificates on their own devices, which does not seem feasible.
On the other hand, although markets such as Hong Kong, the United States and Singapore have not explicitly required electronic certificate authentication for placing orders, information security is becoming increasingly important, and regulators in various countries continue to strengthen their efforts to identify customers effectively. For example, in order to regulate the market more effectively, the Hong Kong Securities and Futures Commission officially implemented the “Real Name Registration System for Hong Kong Stocks” in March 2023 to clearly identify the customer behind each transaction. In 2001, the United States required financial institutions such as securities brokers and settlement agencies to adopt a complete money laundering prevention plan and establish a Customer Identification Program (CIP), and in 2023, the US Securities and Exchange Commission (SEC) continuously reminded securities firms to implement identity recognition operations and, beyond account opening operations, to confirm the identity of customers who execute transactions and keep relevant records within a reasonable and feasible scope. In Singapore, the Singapore Exchange (SGX) stipulates that exchange members should ensure that the customer behind each order in the trading system can be identified and tracked. In addition, the practical points of the SGX rules recommend that exchange members use digital signatures to verify customer identity online.
It can therefore be seen that the aforementioned countries’ emphasis on effective identification of investor identity has increased rather than decreased. As electronic certificate operations have been in place for many years in Taiwan, the regulatory authorities can fully grasp the identity of the customer behind each transaction. This is in line with the international trend, and there is no special reason to relax the existing identity recognition mechanism, which is mature and effective.
Epilogue
The legal benefits of electronic signatures and digital signatures have been further confirmed by the amendment to the Electronic Signatures Act. Taiwan’s securities market introduced the electronic certificate authentication mechanism 20 years ago. The mechanism not only provides security, efficiency and compliance, but also confirms that investors’ trading behavior reflects their own will. In addition to protecting investors’ rights and interests, it enables law enforcement agencies to fully grasp investors’ identities. Looking ahead, as the amendment provides that the provisions under which administrative agencies originally excluded matters from the application of the Electronic Signatures Act will gradually sunset, it is expected that the original over-the-counter operations in the securities market will be gradually simplified, and that the digital transformation of the securities market will take a further big step forward.
[Footnote 1] Software C3 certificate: refers to the third-level business EC+ certificate, third-level business XML certificate (including business XML Plus), or third-level public CA certificate issued by Chunghwa Telecom that complies with Taiwan’s Electronic Signatures Act and is recognized by the Financial Supervisory Commission, with the registration center being a securities firm.