To ensure healthy development and capital adequacy, and to achieve reasonable risk and benefit targets, the Company followed the “Implementation Rules of Internal Audit and Internal Control System of Financial Holding Companies and Banking Industries” to formulate the “Risk Management Policy and Guidelines” as a basis for risk management.

TCFHC and its major subsidiaries are equipped with “Risk Management Committees” that are responsible for designing risk management systems, policies, and monitoring indicators, and for carrying out risk management activities. The purpose is to ensure the healthy development of the Group, ensure capital adequacy, and achieve reasonable risk and return targets.

Risk Management Structure

The Company’s Board of Directors serves as the highest risk management decision-making body and the ultimate undertaker throughout the Group. The “Risk Management Committee”, consisting of the chair of the Board of Directors, the CEO, executive vice presidents, chief compliance officer, unit supervisors, and presidents of respective subsidiaries, acts as the highest management unit for risk management. It connects the risk management units (2^nd line of defense) and business units (1^st line of defense) of the Company and its subsidiaries. The internal audit unit (3^rd line of defense) performs audits independently, impartially, and periodically to cover the Company’s risk management procedures in order to reasonably ensure the effective operation of the risk management system.

The chair concurrently serves as the chair of the “Risk Management Committee”, and the E.V.P. & Chief Audit Executive is the highest management level for risk monitoring and auditing. Both report directly to the Board of Directors. The “Risk Management Committee” meets on a quarterly basis. TCFHC and its subsidiaries present reports for the current period on the overview of risk management, changes in capital adequacy, responses to major irregularities, exposure analysis of key monitored subjects and industries, and progress follow-up on actions to be taken as decided in meetings.

Risk Appetite

Risk appetite is the overall risk that is willingly undertaken within the overall scope of risk-undertaking capability, is mainly based on the operational strategy and financial goals, and takes into consideration factors such as growth, risk, and rewards. TCB has its risk appetite mechanism adopting a "bottom-up" approach. Every year, the supervisory vice president of Risk Management Department and the business units responsible for each indicator have meetings to discuss. The risk management department is responsible for summarizing and submitting results of meetings to the Risk Management Committee and the Board of Directors for review. After approval, those will be reported to the Risk Management Committee and the Board of Directors on a quarterly basis. In 2024, a total of 25 indicators were defined and the responsible unit for each indicator reported its implementation status on a quarterly basis. In case of non-compliance, related countermeasures shall be clarified at the same time in order to define the risk culture and to reinforce the risk management mechanism.

Sensitivity Analysis and Stress Test

We regularly conduct sensitivity analysis and stress testing on financial and non-financial risks to review the risk management mechanism and risk tolerance. In terms of financial risk, based on the content set in the stress test scenario meeting, TCB conducts market risk factors (including interest rates and equity securities prices) inspection. In terms of non-financial risks, TCB conducted an analysis to assess the potential impact of an operational risk event involving embezzlement of customer deposits. The stress test results indicated that the Bank’s capital adequacy ratio, Tier 1 capital ratio, Common Equity Tier 1 ratio, and leverage ratio all remained in compliance with regulatory requirements.

Risk Identification and Mitigation Strategies

Primary Risk Management

The Group conducts annual assessments of internal and external operational risks that may arise from its financial activities. Risk management is implemented proactively through authorization mechanisms, limit controls, and monitoring indicators. Risk-bearing capacity and corresponding response measures are regularly reported to the Board of Directors and senior management. Each subsidiary is also required to establish risk indicators and control procedures based on the nature of its products, business scale, and risk characteristics. To oversee the execution of risk management, the Company regularly monitors the Group’s credit risk exposures and compliance with relevant limit controls, including but not limited to industry concentration limits, watch-list industries, high-risk industries in Mainland China, country risk, exposure limits for Mainland China, and large corporate group limits. In addition, statutory reports are submitted to the Financial Supervisory Commission within the prescribed deadlines for regular monitoring of exposure fluctuations and risk management performance.

After assessing internal and external risks and considering the potential impacts on the Company’s business, the 2 major risks in 2024 are credit risk and operating risk.

Emerging Risk Management

Shaping Risk Culture

Risk Management Training

To enhance the Group’s risk management, establish a climate governance culture, and improve the awareness of risks as well as the latest international developments and conceptual shifts among the Group’s directors, supervisors, and senior executives, annual risk management courses are arranged. In 2024, the Group held an educational training session titled “The Net-Zero Challenge and Investment & Financing Strategies for Financial Institutions” for directors, supervisors, and senior executives, with 87 participants. Additionally, to raise employees’ risk awareness, build an overall risk management culture, and effectively implement the Group’s risk management policies, the Group encourages employees to participate in various internal and external risk management training programs. Besides in-person courses, digital technologies are also utilized to provide online training. The latest risk management regulations, trends, and practices are regularly communicated to facilitate internal training within each unit.

To strengthen crisis management mechanism, resolve and alleviate emergency events quickly or resume operations in time and minimize losses, TCFHC has the "Regulations Governing Emergency and Crisis Management" to activate the group-wide emergency reporting and communication system in the event of a manmade or natural disaster, faulty internal control, employee fraud, security maintenance, significant financial loss in business, or negative media coverage that can affect the Company’s reputation and normal operation. The Crisis Management Task Force is also in charge of handling emergencies, giving instructions and speaking on behalf of the Company to outsiders according to the guidelines for spokespersons as needed.

Refining Risk Culture

The Group encourages employees to provide optimization suggestions for the operation process. If the suggestions are adopted, bonuses will be given. In 2024, a total of NT$21,000 are awarded. 268 proposals were filed by employees throughout 2024, over the optimization of branch-end transaction systems, credit and loan systems, foreign exchange IFX system, online credit, mobile banking, and intelligent wealth management to enhance operational efficiency and strengthen risk management.

The Group has formulated the "Operational Risk and Control Assessment Management Directions", and colleagues who are familiar with the business process are responsible for the operation process analysis and risk identification. The operation risk self-assessment process completed in 2024 includes 118 from head office management units and 59 from business units. Through the self-assessments results of risk control, the operational risks that should be paid attention to are summarized, and for projects with high risks, action plans are developed to respond in advance to reduce possible future operational losses, improve colleagues’ awareness and attention to risks, and integrate risk management awareness into in daily business processes.

TCB has formulated "Measures for Handling Financial Product Evaluations". Before developing financial products, it identifies and evaluates potential risks in advance and formulates relevant response plans to strengthen risk control.

Internal Audits

Organization and Functioning of Internal Audits

To establish an effective internal audit system and enforce risk management, the Company has established its “Audit Guidelines” and also follows the “Implementation Rules of Internal Audit and Internal Control System of Financial Holding Companies and Banking Industries” promulgated by the Financial Supervisory Commission, creating a general audit system for overseeing audit operations. The Auditing Department, established under the Board of Directors, performs internal audits on the Company and each subsidiary every 6 months. It assists the Board of Directors and management in inspecting and evaluating whether the internal control system operates effectively and provides timely improvement advice, so as to both ensure that the internal control system can operate effectively and serve as a reference for further review and revision.

Furthermore, the Financial Supervisory Commission conducts general audits once every 2 years, as well as irregular special audits of the Company (1 special audit in 2024). The Company is also committed to making improvements based on audit feedback and creating an appropriate risk management mechanism. Regarding this, the internal audit unit continues to follow up on and review the improvement status of audit opinions or deficiencies identified by the Financial Supervisory Commission, accountants, the internal audit unit, and internal units through their self-audits, as well as on enhancement items listed in internal control statements. Improvements are submitted in writing to the Board of Directors and the Audit Committee and are used as an important item for penalties, rewards, and performance evaluations of related units. This further promotes the effectiveness of the Group’s overall operations and risk management.

In 2024, the Auditing Department under the Board of Directors completed all annual audit tasks and monitored the improvement status of audit findings for the Company’s various departments and subsidiaries.