Sustainability
Structure and Operation of the Board

The Company sets sustainable business operation as its core mission and is devoted to strengthening its corporate governance mechanism, improving its risk management system and fulfilling ethical management policies. To enhance the functionality and efficiency of the Board of Directors as the highest corporate governance unit, the professionalism, diversity and independence of directors are highly valued. The 5th session of the Board of Directors (including independent directors) was elected at the Annual General Meeting held on May 22, 2023. The election of directors adopts the candidate nomination system, under which candidates are nominated by shareholders with more than 1% of shares and by the Board of Directors, in accordance with the Company’s “Memorandum and Articles of Association” and “Rules Governing the Election of Directors”. The 5th session of the Board of Directors is composed of 5 directors and 4 independent directors. The number of independent directors was increased compared with the previous session of the Board of Directors. As the Company is an investment holding company, it does not conduct any business of its own. Although the Company’s Chairman and the CEO are the same person, the Chairman and the CEO or other equivalent highest level manager are not the same person in the Company’s important subsidiaries: Chailease Finance Co., Ltd., FINA Finance & Trading Co., Ltd. and Chailease International Finance Co., Ltd., etc. Hence, the actual business operation is consistent with the spirit of corporate governance.

According to the Taiwan Company Act, if a director violates the law or the Company’s Articles of Incorporation in the execution of business and causes damage to the Company, he/she shall be liable to the Company for damages. This is a mandatory requirement and cannot be limited or exempted through the Company’s internal regulations or articles of incorporation. Furthermore, the Company’s internal regulations and articles of incorporation do not limit or exempt the liability of former directors for damages. In addition, amendments to the Articles of Incorporation must be approved by a "special resolution," which refers to a resolution adopted at a shareholders' meeting attended by shareholders representing at least two-thirds of the total voting rights, with the approval of a majority of the voting rights present, either in person or by proxy (if authorized).

In consideration of assisting the Board of Directors with legal compliance, strengthening corporate governance, and building a culture of compliance, the Company appointed a dedicated Corporate Governance Officer to ensure company strategies conform to all legal and regulatory requirements. Regular Board meetings should be called and chaired by the Chairman at least quarterly in compliance with the “Rules and Procedures of Board of Directors Meetings”. Meeting agenda and materials are circulated to directors 7 days before the meeting to ensure directors have sufficient information to take part in discussions and decision-making, and to help the Board oversee and direct the Company and the management team. The Company specifically stated in the “Regulations Governing Evaluation of the Performance of the Board of Directors” that the average of a director’s attendance rate at Board meetings and attendance rate at meetings of the committees on which the director serves shall reach no less than 85%. 11 Board meetings were held in 2024, and the average attendance rate of all Board members reached 99% (100% if attendance by proxy is included). The actual attendance rate of each director also exceeded 90%.

In order to effectively perform the functions of the Board of Directors and to improve the quality of decision-making by the Board of Directors, functional committees such as the Audit Committee, the Compensation Committee, and the Corporate Governance and Sustainable Development Committee have been established under the Board of Directors by the authority and function thereof. The Board of Directors further made the decision to adjust the structure and elevate the Risk Management Committee to a functional committee under the Board of Directors. The Management Committee has been established under the Chairman of the Company to be responsible for discussions on important issues related to economic, environmental, and social risks. There were no significant events included in the Board’s discussions in 2024.

The functional committees are either composed of independent directors or participated by independent directors, such that the decisions and recommendations of the committees are forward-looking, objective and thorough, and the mechanisms of independent supervision and checks and balances are effectively implemented to ensure that all resolutions and actions taken by the Board of Directors are reported and discussed by the Board of Directors. If a director has a related interest themselves or if the director represents a legal entity that is a stakeholder in a related interest, then the director should recuse themselves from the meeting. Some motions are also reported and discussed at the Shareholders' Meeting to act in the best interest of relevant stakeholders. These committees enhance the function of the Board of Directors, improve the independence of supervision and protect the rights of shareholders. The main responsibilities and status of each functional committee are as follows:

The Company’s internal regulations contain specific rules on handling situations in which a director’s own interests conflict with those of the Company. A director who is an interested party with respect to any agenda item of the Board of Directors cannot participate in discussion and voting nor hold a proxy for any other director on that agenda item and shall enter recusal during discussion and voting. Directors adhere to a high level of self-discipline and strict determination in recusing themselves from participating in discussions and voting on proposals where a conflict of interest exists between the Company’s interests and the interests of a director or the legal entity that the director represents.

The Company fully disclosed the concurrent positions of the directors, the top ten shareholders and related party transactions in the 2024 Annual Report. For details, please refer to P.10~16, P.78~79 and Consolidated Financial Statements 8-(7) Related Party Transactions.

Professional Backgrounds of the Session of the Board of Directors

The composition of the Board of Directors should take into account the Company’s mid- and long-term development strategy, changing trends in the external environment, major issues for sustainable management, and overall configuration and diversification. The selection guidelines include but are not limited to the following:

  1. Basic requirements and value: gender, age, race, nationality, and cultural background;
  2. Professional knowledge and skills: professional background, professional skills and industry experience.

The members of the 5th session of the Board of Directors have professional backgrounds covering finance, IT, Health Care, energy, legal and financial accounting, and have rich practical experience in corporate management, legal compliance, international taxation and corporate governance. They all have the expertise and abilities required to perform their duties. All directors are further provided with annual external training sessions that assist them to improve their professional capabilities and understanding of trending issues. In 2023, in response to promoting the global net-zero emissions target and enhancing the risk awareness, the topics of sessions included “Carbon Management Trends & Responses to Net Zero” and “Global Risk and Corporate Social Responsibility”. Every director acquired at least 6 hours of certified training, which was in line with the suggestions from external regulation. For details regarding the implementation of diversity and independence of the Board of Directors at the Company, please refer to P.21~24 of the 2024 Annual Report of the Company. The Board of Directors includes stakeholder representatives, comprising both shareholders and employees.

Evaluation of the Performance of the Board of Directors

To fulfill corporate governance and enhance the effectiveness of the Board of Directors, the Company has established “Regulations Governing Evaluation of the Performance of the Board of Directors” pursuant to “Corporate Governance Best-Practice Principles”. The Company regularly conducts performance evaluations of the Board of Directors and functional committees in November annually for the evaluation period from November 1 of the preceding year to the end of October of the current year. The performance evaluation scope covers the performance of the Board as a whole, functional committees and individual directors. The performance evaluation was assessed based on the questionnaire on a scale of 1 to 5 (5 is the full score) with the assessment items as below:

If 90% of the measurement indexes reach 4 points or more, the internal performance evaluation results in a grade of “Exceed the Standard”; if more than 80% but less than 90% of the measurement indexes reach 4 points or more, the result shall be a grade of “Meet the Standard”; if less than 80% of the measurement indexes reach 4 points or more, the result shall be a grade of “Moderately Unsatisfactory”. Please refer to the Company’s website for the board performance evaluation report of 2024 (https://www.chaileaseholding.com/en/CorporateGovernance/Directors).

Every three years, the Company commissions a third party to perform an external performance evaluation. In 2023, the Taiwan Corporate Governance Association (hereafter “TCGA”) was engaged to conduct the board performance evaluation. The TCGA and execution experts have no business relationship with the Company and are independent. The evaluation procedures included not only the review of written descriptions for assessment indicators and supporting documents, but also face-to-face meetings between the TCGA and directors, each functional committee convener, and top management. The TCGA examined the operation of the Board of Directors and each functional committee from 8 aspects, including the composition, direction, authorization, supervision, and communication of the board, internal control and risk management, self-discipline of the board, board meetings and supporting system, based on its wide experience of corporate governance assessment. The Company obtained objective comments and suggestions from the Board Performance Evaluation Report issued by the TCGA on December 4, 2023. The Company reported the TCGA’s suggestions related to the above matters and the measures to be taken to the Board on March 23, 2023 and amended the “Regulations Governing Evaluation of the Performance of the Board of Directors” at the same meeting to enhance the operational efficiency of the Board.

In order to continuously strengthen corporate governance, the Company complies with external regulations while drawing lessons from indicators of international assessments. The Company revised the “Operational Procedure for Preparation and Validation of the Sustainability Report”, “Regulations Governing Evaluation of the Performance of the Board of Directors”, “Audit Committee Charter”, “Corporate Sustainable Development Best Practice Principles” and “Internal Control Systems and Internal Audit Systems of the Company” in 2024.

The Remuneration policy
(I) Remuneration policies, standards, and packages:
1. Remuneration for directors shall observe Article 94 of Chailease Holding’s Articles of Association. The Board of Directors (BoD) shall consider suggestions from the Compensation Committee and industry standards to determine remuneration. The remuneration of the Company’s directors consists of a fixed monthly payment, transportation and communication allowances, meeting attendance fees, and directors’ compensation. Article 118 of our Articles of Association also rules that the BoD may distribute profit-sharing compensation to current directors in years when the company is profitable. Profit-sharing compensation to directors shall not exceed 0.1% of earnings before taxes for that accounting period (year). In compliance with "Rules for Performance Evaluation of Board of Directors," Chailease Holding conducts at least one internal performance evaluation annually and one external performance evaluation, by external independent agencies or experts/scholar teams, every three years. Chailease Holding provides reasonable remuneration based on the company's performance, industry standards, and the results of the performance evaluation of directors, which include but are not limited to individual contribution to company performance, attendance, and participation. Performance evaluations and remuneration both require approval from the Compensation Committee and BoD.
 
2. Remuneration for managerial officers shall observe Article 94 of our Articles of Association. The BoD shall consider suggestions from the Compensation Committee and industry standards to determine remuneration. Article 118 of our Articles of Association also rules that the BoD may distribute profit-sharing compensation to current employees in years when the company is profitable. Profit-sharing compensation to employees shall account for between 0.01%~1% of earnings before taxes for that accounting period (year). Chailease Holding determines profit-sharing compensation for managerial officers based on performance evaluations in compliance with "Rules for Objective Management" and "Rules for Performance Review." KPIs for managerial officers fall under the two following categories. The company will then determine profit-sharing compensation based on their managerial performance and review the remuneration scheme when necessary to reflect company performance and related regulations:
 
(1) Financial KPIs:
KPIs: Sales fulfillment, earnings before taxes (EBT) fulfillment, return on equity (ROE), delinquent ratio, remaining principal balance, net profit per personnel expense, and net profit ratio per capita. In addition to evaluating KPI fulfillment toward annual targets, the company also considers KPI growth from the same period last year.
(2) Non-financial KPIs:
In addition to financial KPIs, the company also evaluates non-financial areas such as strategic objectives, risks to sustainable operations, corporate governance and material topics. The managerial officers' non-financial indicators also contain 10% of the sustainable development goals, including but not limited to the increase in the scale of solar power plant assets (including the simultaneous increase in the number of solar power plants and total power generation capacity), energy conservation, expansion of carbon inventory, and improvement of occupational safety and health prevention plans, etc. In addition, 10% of the Chailease common goals include but are not limited to energy conservation and departmental public service hours.
 
3. Remuneration packages at Chailease Holding include monetary compensation, stock options, stock bonus, pension plan, offboarding compensation, other allowances, and other measures providing actual compensation. The packages for directors and managerial officers shall be determined in compliance with the organizational rules of the Compensation Committee and shall remain consistent with the scope published in annual reports.
 
(II) Procedures for determining remuneration:
1. Directors are evaluated based on the "Rules for Performance Evaluation of Board of Directors" and managerial officers and employees are evaluated based on the "Rules for Objective Management" and "Rules for Performance Review." Results from the evaluations serve as the basis for regular evaluations of remuneration to directors and managerial officers.
2. The business strategies, HR policies, and payment capacity determine remuneration policies at Chailease Holding. The Compensation Committee and BoD also annually evaluate and review performance evaluations and remuneration for directors and managerial officers. In addition to individual KPI fulfillment and contribution to company performance, the company also considers overall business performance and future risks and development trends in the industry. In addition, the company monitors actual company operations and related regulations to review the remuneration scheme when necessary to thereby fulfill sustainable operations and risk control. The actual remuneration paid to directors and managerial officers in 2024 was deliberated by the Compensation Committee and then submitted to the BoD for deliberation and approval.
(III) Linkage to operating performance and future risk exposure:
1. To enhance the efficiency of the BoD and units under managerial officers, remuneration standards and schemes are evaluated primarily in consideration of the company's overall operations, while remuneration is determined by KPI fulfillment and contribution. In addition, the company refers to industry standards by regularly commissioning management consulting firms to survey compensation levels in the finance sector and using survey results to evaluate our own compensation standards and provide competitive compensation, ensuring that compensation to managerial officers is competitive to retain outstanding managerial officers.
2. To manage and regulate potential risks within the scope of their job functions and duties, the KPIs for managerial officers are connected to risk control. The results of performance evaluations are then considered in tandem with related HR and compensation policies. Material decisions from managerial officers at Chailease Holding shall be derived from careful consideration of various risk factors. The performance of related decisions will reflect in the company's profits and affect the compensation of managerial officers and their KPIs on risk control.
3. Long-term incentive plans for senior executives: Chailease Holding established the "Officers Stock Ownership Trust Plan", in consideration of the plausibility of association with future risk exposure, to incentivize managerial officers to meet and exceed company targets, generate profits, and enhance business performance. The "Officers Stock Ownership Trust Plan"(note 1) is mapped out with consideration to deferred reward, long-term reward, and Stock Ownership Requirement of Officers.
Bonuses to the CEO and other senior executives are primarily derived from the company's business performance, ESG, total shareholder return (TSR), and future risk factors. Deferred rewards are capped at 20% of the year-end bonus from the previous year, which will be deposited into a dedicated Officers Stock Ownership Trust Plan account for payment deferral of at least 1.5 years. Distribution of deferred bonuses will be based on TSR fulfillment in comparison to the year's Finance and Insurance Sub-index compiled by the Taiwan Stock Exchange (TWSE), connecting bonuses for senior executives with the company’s long-term performance and shareholder interests. In the event of material risk events impacting the company's goodwill or similar situations, the company may deduct or withhold bonuses according to the "Salary Recovery Policy" depending on circumstances (No retroactive period).
The ratio of the annual total compensation of the Company’s highest-paid individual to the median of the annual total compensation of all other employees (excluding the highest-paid individual) ranges from 42.30 to 84.60 (Note 2). The ratio of the percentage increase in the annual total compensation of the Company’s highest-paid individual to the median percentage increase in the annual total compensation of all other employees (excluding the highest-paid individual) showed no difference between the two years (Note 3).
4. Future risks to company operations mainly stem from losses from bad debt, a factor of asset quality. Chailease Holding has established a Risk Management Department to handle and oversee assessments of asset quality for finance-related business units. The company will adjust the percentage of bad debt reserves for regular cases according to asset quality. When losses from bad debt increase, the individual performance and, therefore, bonuses of directors, presidents, and vice presidents will decrease accordingly.
Note:
  1. The "Officers Stock Ownership Trust Plan" is applicable to the same targets as the "Stock Ownership Guidelines".
  2. The annual total compensation of the highest individual of the Company’s employee compensation (President) on the annual report of the shareholders’ meeting of the Company’s honorarium range (NT$50~100 million)/median salary of full-time employees who are not in supervisory positions.
  3. There was no difference in the annual total remuneration of the highest paid individual of the Company’s staff (President) between the two years in terms of the remuneration banding in the annual report of the shareholders’ meeting (NT$50~100 million).
  4. The average shareholding value of senior executives other than the President in 2024 was 21.5 times that of their total annual base salary.
The pension plan offered at Chailease Holding is also better than regulatory requirements (also applicable to regular employees) to encourage managerial officers to contribute and deliver their best efforts to Chailease Holding.
ESG Performance and Reward System of Senior Managers
We promote the linkage of ESG with the work objectives of senior managers in each company, and through the performance management mechanism, we have set up a reward system linking the ESG-related work performance of managers and employees in the Management by Objectives (MBO) program to achieve effective ESG promotion. Of these, objectives related to climate-related risks and opportunities (such as promoting net-zero carbon reduction and sustainable financial services) have accounted for more than 7% of the MBO ratio of the ESG Executive Committee’s senior management every year since 2024 as a means to implement the Company’s strategies and actions in response to climate issues.
In order to truly promote environmental sustainability and implement the development of carbon reduction and energy creation, Chailease Holding has been actively investing in green energy since 2010 and established Chailease Energy Integration Co., Ltd. in 2015 to provide a full range of green energy solutions, including equipment sales and financing, power plant planning and development, new energy investment, operation and maintenance. Our employees have further set performance goals related to climate change, integrating the concept of environmental friendliness into the mission of mutual prosperity and goodwill for individual employees and even management, and providing bonuses to recognize achievements in meeting energy-saving or energy-creation goals. In addition, we select exemplary employees of the year each year, including those who have demonstrated good performance on climate change issues. In order to achieve the solar installation capacity goal, all Chailease Energy Integration Co., Ltd. employees, including supervisors, receive honorary leave (extra days off), public recognition, bonuses for achieving KPIs (Key Performance Indicators), and prizes.

In response to revisions to the scope of Taiwan’s Money Laundering Control Act, which added financial leasing activities, the company will undertake to implement all legal requirements and procedures required of financial leasing companies. Chailease will do its utmost to coordinate with competent authorities. While fulfilling our corporate social responsibility and combating money laundering and terrorist financing, we adopt a "risk-based" approach to remain compliant with financial regulations while continuing to grow our business. To achieve this, we regularly update and refine our risk assessment methodologies, leveraging technology and data analytics tools to enhance the effectiveness of our AML/CFT management actions. The abstract of combating money laundering and terrorist financing in 2024 for the overseas subsidiaries of the Company is as follows:

Internal Policies and Reporting Framework

In order to comply with the Anti-Money Laundering Law, the Anti-Terrorism Law and the Anti-Money Laundering Measures for Financial Institutions, the Company has formulated the "Anti-Money Laundering and Anti-Terrorism Policy" and the “Procedures for Group Anti-Money Laundering and Countering Terrorist Financing Information-Sharing" and the. In addition to complying with the Company's holding rules and regulations, its major subsidiaries have also formulated their own internal regulations in accordance with the norms and references from the competent authorities and the Association, which are reported to the Board of Directors on a regular basis on a half-yearly basis by the special unit to track the effectiveness of their implementation, and the Board of Directors will also put forward suggestions or provide support in light of the concrete facts, so as to build up a culture of the Board of Directors that focuses on the prevention of money laundering and combating of information terrorism.

Customer Risk Management
●Customer Due Diligence
Measures are taken to identify customers, including collecting, updating, and storing information. These procedures include identifying the actual beneficiaries of business households and those with family members and close relationships with people with important political positions. We have adopted the principles of risk-based approach (RBA), review on a risk-based basis, focus on major money laundering high-risk customers and transactions with risk grading, and implement different intensity review mechanisms (CDD, EDD) to effectively allocate resources, such as identifying high risks customers’ needs to take enhanced due diligence to confirm their funding needs and main sources of repayment, and the establishment of business relationships with high-risk customers requires review and approval by senior management.

Non-face-to-face CDD (e.g., consumer installment, online car finance platform) is conducted based on product/service characteristics. Risk models are developed using customer profile data (e.g., occupation, marital status, housing, education), external credit information (e.g., CRIF, collateral registry, court judgments, motor vehicle records), and internal transaction history. The risk model provides a comprehensive score and assigns a risk rating by evaluating the customer’s income capacity and debt level, serving as the basis for implementing a differentiated pre-approval review mechanism. Further verification may be conducted if income concerns arise, ensuring alignment between the customer's repayment ability and the associated credit risk. Final approval decisions consider both the model assessment and verification results.

●Establishing Group-Level Information Sharing Platform
Important subsidiaries of the Company have also established the Group's own list sharing mechanism, whereby the Company will ask each examination unit at the beginning of each month whether there is a list of customers that meets the criteria of the Group's attention, and if so, it should provide the information of the company, list format, name, gender, nationality/country of incorporation, date of birth/establishment, and information of the beneficiary in essence to report back to the specialized unit, and then each specialized unit of the subsidiaries will consolidate the information and then reply to the Holding Company's Legal Affairs Group. To establish a mechanism for information sharing within the Group for the prevention of money laundering and combating of terrorism in order to strengthen the monitoring and control of customer status and unusual transactions across subsidiaries, and in order to effectively reduce manpower working hours and strengthen data maintenance and management so as to enhance the effectiveness of the Group's integrated money laundering and terrorism risk management.

Education and Training

To further implement effective AML/CFT measures, all directors, senior managers, and the supervisors and personnel of compliance and AML/CFT units met their internal and external training requirements in 2024. Training on anti-money laundering and combating terrorism is provided in accordance with the nature of their business, with appropriate contents and hours, including the sharing of laws, regulations, and case studies; the identification and reporting process of suspicious transactions; and the compliance duties of relevant personnel.

During the more severe period of COVID-19, the course was changed to a recorded online course; the topics of the course were mostly on issues and current events that were highly connected with the business unit's practical operation, such as the war in Ukraine and international sanctions that customer acceptance policy, virtual assets, online gambling and so on.

In 2024, the Company's major subsidiaries, Chailease and Fina Finance, collectively offered 41 education and training sessions. All AML/CFT supervisory officers have obtained the internationally recognized anti-money laundering specialist (CAMS) license and regularly receive relevant training in the courses (including online training) held by internationally recognized anti-money laundering specialists. In response to international trends and changes in laws and regulations, they keep up with the latest money laundering prevention and anti-terrorism operations and make adjustments accordingly.

"Trust" and "discipline" are major cornerstones of our corporate culture, and employees are strictly held to high moral standards in undertaking work for the company. They are charged with embodying the corporate philosophy in their daily work, and every employee has the responsibility of maintaining the company's good reputation and honoring laws and regulations, avoiding conflicts of personal interest with company interest, guarding the confidentiality of company and client information, and acting according to the letter and spirit of all relevant laws and regulations. Major operational and managerial actions of the company are grounded in disclosure of information, adherence to law, risk management and honest operations.

Since 2011, when Chailease Holding was publicly listed on the Taiwan Stock Exchange, it has participated in the Company Information Disclosure Evaluation. After three years of continuous efforts, the rank of the Company improved to the best A++ rating. In the process, the Company implemented relevant laws and regulations, improved the establishment of policies and guidelines, and voluntarily disclosed information in order to enhance the transparency of information. The Company also participated in the Corporate Governance Evaluation, which was conducted by the Taiwan Stock Exchange and the Taipei Exchange. Of the 1,617 listed companies that participated, Chailease Holding ranked in the top 5% up to 8 times.

In addition to publicly disclosing revenue on a monthly basis as stipulated by law, before the 25th day of every month, Chailease Holding voluntarily announces its profit situation in order to give the investing public a more immediate grasp of its revenue and profits. The company website completely discloses all significant information, including complete financial operations, important resolutions from the board of directors and important regulations, all of which provides complete information disclosure services. To ensure a complete public disclosure mechanism, a clear internal implementation process has been established and responsibility has been divided up. The information is classified according to type and attribute and the relevant business units are responsible for it. An internal division of labor, reviews, and a confirmation mechanism all ensure the accuracy of the information. In 2018, the company also amended the Chailease Holdings Information Announcement and Application Procedures. The Regulatory Compliance Unit also publicly provides information relevant to external laws and regulations and accordingly modifies the information for the other business units’ reference.

When Chailease Holding went public in 2011, it voluntarily raised its regulatory compliance standards. Just like financial institutions, it established special business units to develop regulatory compliance management practices. Other major subsidiaries, including Chailease Finance Co., Ltd. and Chailease International Finance Corporation, also developed regulatory compliance management practices. They regularly hold regulatory compliance training and awareness programs to ensure their operations and products comply with internal and external regulations. In addition, they conduct annual internal regulatory compliance inspections and report the results to the board of directors.

Chailease Holding has a dedicated head of corporate governance. In addition to statutory corporate governance matters, the head of corporate governance coordinates the Company’s legal affairs and is responsible for system planning, implementation, management, and evaluation. Main objectives include collecting external laws and regulations; establishing a clear and appropriate system for the transmission, consultation, coordination, and communication of laws and regulations; and confirming that operational and management rules and regulations are updated in a timely manner to ensure that operational activities are in compliance with laws and regulations. The formulation and implementation of laws and regulations follow the contents and procedures of self-checking and evaluation; the head of corporate governance also supervises the implementation of such laws and regulations by each unit and provides appropriate training to each unit on laws and regulations.

In 2024, the self-inspection results of Chailease Holding and its significant subsidiaries in Taiwan were all in compliance with laws and regulations, and there were no major violations of laws and regulations (a major violation of laws and regulations refers to a violation of laws and regulations that has resulted in a fine of up to NT$3,000,000 or a fine from the competent authority that affects the day-to-day operations of the business, e.g., termination of the listing of the company or revocation of the business license).

Number and amount of fines imposed on Chailease Holding for violating regulations in the past two years. Chailease Holding:

Internal Control System

The internal control systems of the company are management processes designed by its managers, passed by its board of directors, and implemented by the board of directors, managers, and the rest of the employees for the purpose of promoting sound operations of the company, so as to reasonably ensure that the following objectives are achieved:

  1. Effectiveness and efficiency of operations.
  2. Reliability, timeliness, transparency, and regulatory compliance of reporting.
  3. Compliance with applicable laws, regulations, and bylaws.

In response to international trends in taxation and governance, and to fulfill its corporate social responsibility, Chailease has set a "Tax Governance Policy" to manage tax strategies and affairs. Related policies, regulatory and management guidelines can be found in the official corporate governance rules for the company. The policy will be reviewed every year. If modifications are needed due to regulations or external environment, the policy will be submitted to the board of directors for approval.

In 2024, risks arose from monetary policy, geopolitics, and innovations in artificial intelligence and robotics technology, and the global economy continued to fluctuate. These risks included wider restrictions on the movement of people, goods and services, reduced business and consumer confidence, and slowed production. In facing the overall economic environment, we always uphold the concept of risk management in order to take advantage of industry developments and future prospects. By adopting a decentralized customer base, decentralized industry exposures, and geographic dispersion, we effectively lower the risk from any market changes that might happen.

Key subsidiaries have established Risk Management Committees that meet quarterly, to maintain a robust and effective risk management mechanism and formulate risk management policy. The Committees also manage and supervise financial assets, effectively manage potential risks arising from all company business, and make adjustments to the normal ratio of allowance for bad debts based on the asset quality. In addition, there is a model to assess client credit risk, while there are two methods for evaluating credit risks for corporate financing and micro-enterprises; both were awarded a patent by the Taiwan Intellectual Property Office.

Organization of Chailease Holding Risk Management Structure

Three Lines of Defense for Risk Management

Risk management and internal control are implemented through three lines of risk management. The authority of each line of defense supervises the subsidiaries and continues to optimize the adjustment according to the target.

Risk Management Policies and Procedures

The company has developed and promoted a risk management culture within the organization. New product development is included in the risk assessment, and each subsidiary has formulated guidelines for the management of new products or new businesses. Risk assessment, risk management procedures and control mechanisms are subject to the opinions of the relevant authorities and approved by the general manager or chairman of the board of directors. In addition, relevant risk management indicators, such as the amount of delays and the default rate, are included in the assessment of senior executives and business unit personnel performance, so that the risk management indicators are linked to their performance and the payment of bonuses.

The company has also established a comprehensive risk management education and training system, which includes courses on risk management concepts, knowledge of the risks of various products, the case review process, and analysis of financial statements.

Emerging Risks

Based on the emerging risks mentioned in the World Economic Forum Global Risk Report, the categories of emerging risks are increasing year by year and the probability of occurrence is increasing. In order to strengthen the management of emerging risks, the company has established an emerging risk identification and management procedure, under which it assesses the impact and likelihood of risks and formulates mitigation measures for important emerging risks. Implementation results are regularly followed up on and reviewed.

1. Emerging risk identification process

2. Emerging risk matrix

We have analyzed the emerging risks identified in the World Economic Forum’s (WEF) Global Risk Report. The internal risk management unit reviewed each risk by discussing its degree of impact, its level of probability, and the company’s preparedness and adaptability (vulnerability) to it, in order to draw a matrix of emerging risks. Compared with the emerging risks in recent years, we identified the emerging risks with high impact and occurrence to the Company, including geo-economic conflict risk, generative AI risk, and decarbonization risk, and proposed mitigation measures for the emerging risks with significant impact.

Emerging Risk Identification Procedures and Response Measures

Ongoing Operations Management

In order to deal with crises or emergencies of the Company and its subsidiaries in a timely and effective manner, the Company has established crisis management guidelines for the purpose of preventing crises from occurring in the first place, shortening the timeframe for dealing with crises, and minimizing the extent of damage caused by crises. Crisis items include disasters, such as fires and floods, which threaten the safety of employees or cause damage to or loss of Company assets; litigation crises, such as major lawsuits that jeopardize Company interests; information crises, such as information system problems that result in the failure of business operations; documentation crises, such as loss of important information due to disaster or human error; financial crises, such as shortage of operating capital and other financial risks affecting normal operations; reputation crises, such as unfavorable and untrue reported information, which could damage the Company’s reputation and image; personnel crises, such as crises caused by employees in the performance of their duties; large-scale talent loss crises; and other major events or disasters. If necessary, we set up a crisis management team to quickly resolve incidents or resume operations.

The crisis management command center is headed by the Chairman of the Board of Directors, who also supervises the crisis teams and related executive units, each of which is headed by a vice president or above, according to the classification of the crisis or emergency. Based on crisis classifications, we simulate possible crisis situations, rehearse the procedures of crisis management, keep track of the progress of crisis management and report the results, and review and modify the crisis management mechanism regularly.

Organization of Chailease Holding's Crisis Management Structure

The “Corporate Governance and Sustainable Development Committee” is responsible for promoting business ethics. The Company has business ethics related regulations such as “Ethical Corporate Management Best Practice Principles”, “Procedures for Ethical Management and Guidelines for Conduct”, “Corporate Governance Best-Practice Principles”, “Corporate Sustainable Development Best Practice Principles”, and “Ethical Conduct Best Practice Principles”; 

The company provides customer satisfaction in accordance with our Ethical Conduct Best Practice Principles and strives to compete in the marketplace in an honest manner and does not use illegal or unethical means to gain results. Chailease Holding and its significant subsidiaries in Taiwan were not involved in any corruption and bribery, fraud, insider trading, anticompetitive, antitrust and monopolistic practices, and there were no lawsuits and penalties related to market manipulation in 2024.

All directors and senior executives of the Company have signed the "Integrity Statement" which has been disclosed on the Company's website. The Integrity Statement declared that the Company and all of its employees shall not directly or indirectly offer, promise to offer, request or accept any improper benefits, nor commit unethical acts for purposes of acquiring or maintaining benefits while engaging in commercial activities, in order to implement the integrity management policy, actively prevent dishonesty, and declare the determination and commitment of the board of directors and senior management to operate in good faith. All new recruits must attend the course on the Ethical Corporate Management Best-Practice Procedure and Code of Conduct, and regular training was also provided for existing employees.

In order to further enhance ethical management, the Company has implemented the ISO 37001 Anti-Bribery Management System and formulated the “Anti-Corruption and Anti-Bribery Policy”. The prevention of corruption and bribery, the guidance for stakeholders on preventing corruption and bribery, the establishment of the ethical management policy, and the implementation of corporate social responsibility and sustainability are set forth in the Policy.

Chailease’s ISO 37001 Anti-Bribery Management System received certification from BSI in May 2023, and passed the validity audit in January 2025. Currently, the scope of the ISO 37001 Anti-Bribery Management System is Chailease Holding Company Limited.

Liability Insurance for Our Directors

The company’s policy regarding director insurance goes beyond current legal requirements. Since going public in 2012, the company has purchased liability insurance for our directors. In August 2017, during a special shareholder meeting, the Articles of Association were revised to add retired directors to the scope of compensation, while indemnity agreements shall also be signed by each director. At the same time, the company purchases Directors and Officers Liability Insurance to guard against erroneous actions taken by directors, supervisors and company officers in the course of their executive duties causing damage to third parties, and to provide those parties with a means to pursue a claim. The insurance also helps to mitigate financial risks to the company caused by litigation and ensure healthy company operations.

Employee Integrity Risk

Insurance for "Employee Integrity Risk", with the company listed as the insured, protects against dishonest actions by employees (such as legal or financial accounting personnel) which might cause grave damage to the company and the loss of company assets or assets the company is charged to steward. This shifts operational risk onto an insurance liability, reducing losses to the company and thereby protecting shareholder interests.

 

Whistleblowing System and Protection of Whistleblower

The Company and its subsidiaries have established the Whistle-Blower Policy and the Procedures for Protecting Whistle-Blower. The Regulations of Prevention, Correction, Complaint and Punishment of Sexual Harassment and the Regulations of Prevention, Correction, Complaint and Punishment of Unlawful Violations in Workplace have also been established. Personnel within and people outside of the company can report improper actions, corruption, or actions in violation of the Code of Conduct through the established public hotlines, the e-mail mailboxes on the official website, and the traditional mailbox. The Whistle-Blower Policy specifies the dedicated receiving units, the independent investigation units, and the acceptance and investigation schedule for misconduct and malpractice. If an unlawful infringement (including discrimination and sexual and non-sexual harassment) has been verified, Chailease may transfer, demote, cut the pay of, or impose other punishments on the employees concerned based on relevant regulations such as working rules, depending on the severity of the unlawful infringement. If the investigation result shows a criminal case, Chailease will help complainants take legal action and transfer the case to judicial authorities.

After being verified as free of false allegations or incomplete information, the report or complaint will be investigated by the independent investigation unit, depending on the nature of the report or complaint. When the allegations of the report or complaint are substantiated, appropriate disciplinary action will be taken in accordance with the Company’s Personnel Reward and Punishment Regulations, and internal publicity on complying with the Company’s discipline and regulations will be enhanced. The “Procedures for Protecting Whistle-Blower” require that the whistleblower should be kept strictly confidential. All information disclosed during the course of investigation should remain confidential.

To comply with the ISO 37001 Anti-Bribery Management System, the Company has established the “Whistle-Blower Policy” and “Procedures for Protecting Whistle-Blower”. These policies include dedicated reporting channels for fraud, corruption, bribery, and violation of code of conduct. Among these channels, fraud and corruption/bribery reports can be submitted anonymously. Additionally, the reporting and investigation procedures for different management levels are clearly defined, ensuring that cases are escalated according to designated authorities. Furthermore, enhanced measures have been implemented to strengthen the protection of whistleblowers.

● Process for investigating the reported breaches:

Statistical Diagram of Events in violation of the Company's Discipline or Regulations

We investigated 52 cases reported by the Company or its subsidiaries during the year. Among the concerns or complaints raised to the Company and its subsidiaries in the year of 2023, 34 reported cases have been investigated and substantiated. The employees who violated the Company’s discipline or regulations have been punished in accordance with the Company’s Personnel Reward and Punishment Regulations and internal publicity has been carried out. (Note: 145 employees involved in the above 52 cases represent approximately 1.4% of the total population of the Company’s 10,295 employees by the end of 2024.)

Note:

  1. There were no cases of corruption or bribery, violations of customer privacy, conflicts of interest, money laundering or insider trading in 2024.
  2. There has not been any legal penalty against the company or its internal personnel, or any disciplinary penalty by the company against its internal personnel for violation of the internal control system during the past 2 years, where the result of such legal penalty or disciplinary penalty could have a material effect on the shareholder rights and interests or securities prices.
  3. In fiscal year 2024, 86 more people were penalized than in fiscal year 2023, mainly due to minor violations of Company regulations for which warnings were issued.

In order to effectively promote information security operations, the "Information Security Committee" is established in accordance with the company's "Information Security Policy". The chairman is a chairman with financial IT management experience. He is responsible for the company's information security promotion and governance, information security risk supervision and management, information security division of responsibilities and coordination, etc., and serves as the basis for the information security regulations and measures of each subsidiary. The Committee shall hold a meeting at least once a year and may hold a meeting to report major decisions to the Board of Directors, if necessary.

According to the “Regulations Governing Establishment of Internal Control Systems by Public Companies”, the Company has set up a Chief Information Security Officer, an information security supervisor, and a dedicated information security department. Professional information security personnel coordinate the information security management system and compliance, information security analysis and monitoring, threat and vulnerability management, incident response, etc. In alignment with the continuous development of the information system scale, and in conjunction with the information security blueprint, the Company annually reviews and assesses the resource allocation, professional capabilities, and expansion requirements of the information security department.

Information Security Policy

Considering relevant business development and demands, the Company established the “Information Security Policy” to strengthen the management of information security, build a safe and reliable information operating environment, and ensure information, system, equipment and network security. Moreover, the Company also stipulated “Guidelines for the Management of Information Security” and other management regulations and established control systems, in accordance with relevant matters stated in the policy. For the content of relevant policies, please refer to the Important Articles of Incorporation for Company Governance on the company website.

Organizational Structure

Information Security Management Plan

Information Security Status of Implementation
In accordance with the provisions of Article 8 and 9 of the "Regulations Governing Establishment of Internal Control Systems by Public Companies", Chailease has established internal control systems and related operational specifications for information circulation and other management environment, including personal information, and computerized information system. Simultaneously, to comply with the provisions of Article 13 of the Regulations, our company information and communication security inspection is included in the annual audit plan.
 
Self-Risk Evaluation and Check of Internal Control Systems by Operation Units
The self-supervision mechanism for information communication safety is implemented to ensure that the internal control systems related to the information cycle and personal information processing can be adjusted in time in response to changes in the environment, so as to reduce the risk of negligence in information communication safety operations. In accordance with relevant internal and external laws, regulations, and risk assessment results, each unit decides on its own assessment procedures and methods. The frequency of execution depends on the nature of the work of each unit, but the assessment must be carried out at least once a year, and the defects and abnormalities found in the assessment will be proposed for improvement. The results of the self-assessment are sent to the internal audit unit, which reviews them together with the implementation of the self-assessment.
 
Control of Information Flow Security Audit and Inspection
The independent internal audit department shall draft an annual information security audit and inspection plan according to the results of self-risk evaluation and the risks of each operation unit. This audit and inspection plan shall be submitted to the management, and the internal audit department shall conduct due diligence based on the plan. Reports of due diligence will be submitted to the management. Defects and the related recommendations will be tracked and improved by a due date.
 
Information Security Training
Each unit's new recruits are required to attend education and training classes encompassing courses of specific information security, the company's internal rules, related laws, cybercrime, and general knowledge of information security. Each year, information technology-related departments shall establish an annual education and training program and arrange personnel to participate in external workshops accordingly. Those participating in training courses will also need to pass relevant professional examinations. We also arrange companies with expertise to introduce (or educate about) important information security projects and conduct related case studies.
 
Information Processing Flow Chart
Regarding the management of the information service processing procedure, Chailease takes information management as its basis and builds demand management, incident management, problem management, change management, requisition form management, online management, knowledge management, and usability management, supplemented by risk management orientation, from the demands of information services at the user end to the final completion online or solutions to problems or demands, to keep close tabs on information security.
 
Information Security Resources Devoted for Newcomers
With the rapid advancement of technology and the increasingly complex challenges in information security, the protection of sensitive data within enterprises cannot be overlooked and a robust information security culture is crucial for the stability of business operations. The promotion and training of information security awareness among employees are key success factors in implementing information security policies. Information security training not only enhances employees' awareness but also effectively reduces the information security risks associated with internal errors or malicious actions. Recognizing this, the company actively invests in information security education resources and consistently takes note of effectiveness.
 
Measures for Managing Information Security Incidents
The Information Technology Department provided gateway and terminal protection functions. Moreover, the department can further detect suspicious external intrusion behavior through network flow.

Enterprise Mobility Management (EMM) was introduced. When employees use mobile devices to send and receive emails or perform remote connection operations, the authority is minimized and controlled and no data is stored on endpoints, so as to truly protect the company's operational information and customers' personal information.

Set up a dedicated department for information security and formulated daily information security inspection operations to ensure that all information security equipment can perform detection and defense capabilities as expected. Potential external and internal information security threats and risks are discovered and eradicated by analyzing the warning signs and records generated by the equipment. Information security equipment is integrated with operating processes to prevent threats before they happen.

In response to the company's heightened concern for sensitive data security, real-time monitoring, detection and prevention of potential information leakage are conducted to prevent data leakage risks.

Strengthening the identity verification mechanism ensures that only authorized personnel can access company resources, thereby reducing the risks of improper system usage and identity theft.

Completed the vulnerability scanning of the servers and the penetration test of the main website regularly every year. This involves scrutinizing potential vulnerabilities in servers and websites to ensure their resilience against various potential threats. Following the completion of the assessment, we integrate the assessment report with current security control measures to evaluate the vulnerability risk levels under the information environment control. Subsequently, we formulate and implement a vulnerability remediation plan.

In response to potential risks such as information security, human rights, privacy, ethics, and legal implications arising from the global wave of generative AI, referencing "Reference Guide for the Use of Generative AI by the Executive Yuan and Affiliated Agencies," the company has formulated internal "Guidelines for the Use of Generative AI". This aims to provide employees with consistent usage principles and awareness, ensuring safe, reasonable, and effective utilization to mitigate potential information security risks.
 
Completed the phishing e-mail drill regularly every year. Phishing emails designed to be close to hacker attack methods were sent to all employees to test their information security vigilance and awareness. Information security training materials were designed, and information security awareness announcements were established and published regularly to help employees understand the latest social engineering techniques and continuously improve the overall level of information security awareness.
 
Disaster recovery environment drills were conducted each year in accordance with the regulations. This exercise is to provide the best protection measures for the enterprise's internal systems and data, minimize the recovery time from system interruptions and reduce the data loss caused by operational interruptions through reasonable means and methods.
 
Continuously optimize procedures for reporting and handling information security incidents. In the event of an information security incident, actions will be taken within specified timeframes based on the severity level to complete damage control or recovery operations. After the incident is resolved, root cause analysis will be conducted, and corrective measures will be implemented to prevent recurrence. It is also combined with information security incident simulation drills to improve personnel's response capabilities and strengthen crisis awareness. Emergency response and notification management comply with the requirements of internal and external laws and regulations, and the legal department conducts "The self-inspection of legal compliance" every year, and the inspection results in 2024 are qualified.
 
The service APP passed information security testing and verification and obtained the MAS certification mark (Mobile Application Basic Security), enhancing customer confidence and ensuring security, and protecting personal data and privacy.
 
Join the information sharing organization, regularly compile external threat information to improve the defense capabilities of internal protection equipment, and ensure that malicious attacks can be blocked immediately and effectively.
 
While pursuing continuous operation, the enterprise complies with international standard management systems to achieve the goal of organizational operation safety, thereby enhancing customer trust and becoming the most reliable partner:
 
Completed the ISO 27001:2022 Information Security Management System (ISMS) transition verification in 2024, following the latest international standards for the information security management system and maintaining the effectiveness of international certification with an attitude of continuous optimization.
 
Implemented information security insurance in 2023 and completed renewal in 2024. The goal is to establish a risk transfer mechanism. While pursuing sustained operations, the company aims to meet the expectations of stakeholders by demonstrating a high commitment to information security through tangible actions.
 
There were no major information security incidents in 2023. The major information security incidents, possible impacts and response measures in 2024 were as follows:
The company suffered a DDoS attack on September 13, 2024, which affected the official website service. This DDoS attack had no major impact on the company's operations, and no information leakage occurred. At the time of the incident, the information security-related defense mechanism and recovery operations were immediately activated. Subsequently, the network and information control will continue to be strengthened to ensure data security, and the material information will be completed in accordance with regulations.
 
Corporate Social Responsibility Report