【Expert’s Commentary of the Commercial Times】The Newly Amended Act Governing Electronic Payment Institutions and Its Subordinate Laws Seem to Neglect Protection for Personal Information and Privacy

September 6, 2021

Along with the spread of COVID-19 and the growth of contactless payment, the number of people using electronic payment has continued to grow. Lately, the issuing of electronic stimulus vouchers is also a trending topic. According to the statistics of the Financial Supervisory Commission, up to the e

Author

Author

By Lipu Lee & Yi-Hua Lu, Managing Partner & Intern Attorney of Formosan Brothers, Attorneys-at-Law

Along with the spread of COVID-19 and the growth of contactless payment, the number of people using electronic payment has continued to grow. Lately, the issuing of electronic stimulus vouchers is also a trending topic. According to the statistics of the Financial Supervisory Commission, up to the end of June, 2021, there are 5 specialized electronic payment institutions and 23 financial institutions concurrently engaged in the electronic payment business in Taiwan (including banks, Chunghwa Post Co. Ltd., and electronic stored value card issuers), with 13,890,000 users in total, which is a 53.82% growth over the same period last year.

In December 2020, the amendment of the “Act Governing Electronic Payment Institutions” (hereinafter the “Act”) was passed by the Legislative Yuan with its third reading, which became effective on July 1, 2021, aims to consolidate the laws and regulations for stored value cards, create a payment ecology using electronic payment as the core, and build a regulation environment that is friendly to industry development. This amendment integrates the administration of “electronic payment” and “electronic stored value card,” opening up   the three main businesses, “collecting and making payments for real transactions as an agent,” “transfer between electronic payment accounts,” and “accepting deposits of funds as stored value funds.” In addition, this amendment also adds “transfer between different electronic payment institutions,” “domestic and foreign small-amount remittances,” “buying and selling of foreign currencies,” “providing electronic invoice systems and related value-added services” to enhance the convenience of payment for the general public and to speed up the push for inclusive financing.

However, electronic payments have the characteristics of promptness, covertness and the fact that no human third party is present as a monitor at the time of the transaction. These all make it a likely tool to commit money laundering or tax evasion. Hence, based on the directives issued by the Financial Action Task Force (“FATF”), the Act provides that specialized electronic payment institutions shall build mechanisms to identify users and contracted institutions, and shall retain necessary transaction records, including the user's stored value card numbers, electronic payment account numbers, transaction items, dates, amounts and currencies, as well as records on any uncompleted transactions, for at least five years. And for the purpose of preventing tax evasion, tax authorities may require specialized electronic payment institutions to provide a user’s necessary transaction records and the data obtained in the user and contracted institution identification process.

In May 2021, the Ministry of Finance announced the draft of the “Regulations Governing the Provision of Identification Information and Necessary Transaction Records to Tax Collection Authorities and Customs by Electronic Payment Institutions” (hereinafter the “Regulations”). The Regulations provide that, with respect to collecting and making payments for real transactions as an agent, electronic payment institutions shall regularly provide the aforementioned information to tax collection authorities, except where the amount collected is less than NT$480,000. Such a provision stoke some criticisms. Critics of this provision believe that if electronic payment institutions need to provide the aforementioned information to tax collection agencies regularly every year, the tax collection agencies would have a hold of the user’s identity, account or card numbers, payment methods and amount, currencies, etc., making the consumer susceptible to the risk of transaction record and/or personal information leaks.

In regard to the criticisms, the Ministry of Finance promised to take the criticisms into consideration and modify the provision accordingly. However, in the Regulations announced by the Ministry of Finance on August 17, 2021, although the criticized provision related to “payer” has been deleted, the important transaction information such as the user’s electronic payment account number, payment method, amount, currency and time have been included in the scope of information to be provided by the electronic payment institution.

Since electronic payments are mostly done using real names, and the related cash flow, property movement and personal information can all be found, “consumers can still be identified indirectly using the transaction records. Thus, the public’s concern over personal information leakage remains unaddressed. In fact, the Ministry of Justice once issued an administrative interpretation ruling to indicate that government agencies, when collecting or handling personal information, shall be bound by the scope allowed by law and shall not violate the principle of proportionality. The investigation on “specific tax collection cases” shall be done to the extent as necessary. If a tax collection agency asks a medical institution to provide broad and non-specific patient information, the agency might be overstepping the boundary. Moreover, when transactions are done in person, the consumer does not need to provide personal information. The only information left from the transaction are transaction time, amount, and transaction item, which are used by the business to file business tax and business income tax, and the filing of such taxes only requires the business to provide the items purchased and sold and accounting books and records. The Regulations’ broad requirement of electronic payment institution to provide non-specific transaction information is like an attempt through big data to monitor abnormalities in transaction records and cash flow to find businesses that evade business tax by underreporting their revenues. This seems to have crossed the line of necessity.  

In regard to this, the Ministry of Finance may refer to the existing filing system for cross-border e-commerce business entities and have the businesses file on their own, and, on a case-by-case basis, investigate the businesses that seem to show abnormality in their filing. It is the obligation of a business owner to file honestly the business tax and the business income tax. This obligation should not be shifted to the consumers. Moreover, the government should not use the tax evasion audit as the pretext to monitor consumers’ electronic payment transaction records while  neglecting the protection of personal information and privacy.

(This article was published in the Expert’s Commentary Column of the Commercial Times:https://view.ctee.com.tw/legal/32237.html