Sustainability
Structure and Operation of the Board

The Company sets sustainable business operation as its core mission and is devoted to strengthening its corporate governance mechanism, improving its risk management system and fulfilling its ethical management policies. To enhance the functionality and efficiency of the Board of Directors as the highest corporate governance unit, the professionalism, diversity and independence of directors are highly valued. The 5th session of the Board of Directors (including independent directors) was elected at the Annual General Meeting held on May 22, 2023. The election of directors adopts the candidate nomination system, under which candidates are nominated by shareholders with more than 1% of shares and by the Board of Directors, in accordance with the Company’s “Memorandum and Articles of Association” and “Rules Governing the Election of Directors”. The 5th session of the Board of Directors is composed of 5 directors and 4 independent directors. The number of independent directors was increased compared with the previous session of the Board of Directors. As the Company is an investment holding company, it does not conduct any business of its own. Although the Company’s Chairman and the CEO are the same person, the Chairman and the CEO or other equivalent highest-level manager are not the same person in the Company’s important subsidiaries: Chailease Finance Co., Ltd., FINA Finance & Trading Co., Ltd. and Chailease International Finance Co., Ltd., etc. Hence, the actual business operation is consistent with the spirit of corporate governance.

In consideration of assisting the Board of Directors with legal compliance, strengthening corporate governance, and building a culture of compliance, the Company appointed a dedicated Corporate Governance Officer to ensure company strategies conform to all legal and regulatory requirements. Regular Board meetings should be called and chaired by the Chairman at least quarterly in compliance with the “Rules and Procedures of Board of Directors Meetings”. Meeting agenda and materials are circulated to directors 7 days before the meeting to ensure directors have sufficient information to take part in discussions and decision-making, and to help the Board oversee and direct the Company and the management team. The Company specifically stated in the “Regulations Governing Evaluation of the Performance of the Board of Directors” that the average of directors’ attendance rate at Board meetings and attendance rate at meetings of the committees on which the director serves shall reach no less than 80%. 11 Board meetings were held in 2023, and the average attendance rate of all Board members reached 98% (100% if attendance by proxy is included). The actual attendance rate of each director also exceeded 90%.

In order to effectively perform the functions of the Board of Directors and to improve the quality of decision-making by the Board of Directors, functional committees such as the Audit Committee, the Compensation Committee, and the Corporate Governance and Sustainable Development Committee have been established under the Board of Directors by the authority and function thereof. The Board of Directors further made the decision to adjust the structure and elevate the Risk Management Committee to a functional committee under the Board of Directors on April 10, 2023. The Management Committee has been established under the Chairman of the Company to be responsible for discussions on important issues related to economic, environmental, and social risks.

The functional committees are either composed of independent directors or include independent directors, such that the decisions and recommendations of the committees are forward-looking, objective and thorough, and the mechanisms of independent supervision and checks and balances are effectively implemented to ensure that all resolutions and actions taken by the Board of Directors are reported and discussed by the Board of Directors. If a director has a related interest themselves or if the director represents a legal entity that is a stakeholder in a related interest, then the director should recuse themselves from the meeting. Some motions are also reported and discussed at the Shareholders' Meeting to act in the best interest of relevant stakeholders.

The Company has established the “Audit Committee”, “Compensation Committee”, “Corporate Governance and Sustainable Development Committee” and “Risk Management Committee” under the Board of Directors. These committees enhance the function of the Board of Directors, improve the independence of supervision and protect the rights of shareholders. The main responsibilities and status of each functional committee are as follows:

There are specific rules in internal regulations on handling situations in which a director’s own interests conflict with those of the Company. A director who is an interested party with respect to any agenda item of the Board of Directors cannot participate in discussion and voting nor hold a proxy for any other director on that agenda item and shall recuse themselves during discussion and voting. Directors adhere to a high level of self-discipline and strict determination in recusing themselves from participating in discussions and voting on proposals where a conflict of interest exists between the Company’s interests and the interests of a director or the legal entity that the director represents.

The Company fully disclosed the concurrent positions of the directors, the top ten shareholders and related party transactions in the 2023 Annual Report. For details, please refer to P.15~17, P.96 and P.260~265 of the 2023 Annual Report. 

Professional Backgrounds of the 4th Session of the Board of Directors

The composition of the Board of Directors should take into account the Company’s mid- and long-term development strategy, changing trends in the external environment, major issues for sustainable management, and overall configuration and diversification. The selection guidelines include but are not limited to the following:

(1) Basic requirements and value: gender, age, race, nationality, and cultural background;
(2) Professional knowledge and skills: professional background, professional skills and industry experience.

The members of the 5th session of the Board of Directors have professional backgrounds covering finance, IT, health care, energy, legal and financial accounting, and have rich practical experience in corporate management, legal compliance, international taxation and corporate governance. They all have the expertise and abilities required to perform their duties. All directors are further provided with annual external training sessions that help them improve their professional capabilities and understanding of trending issues. In 2023, in response to promoting the global net-zero emissions target and enhancing risk awareness, the topics of sessions included “Carbon Management Trends & Responses to Net Zero” and “Global Risk and Corporate Social Responsibility”. Every director acquired at least 6 hours of certified training, which was in line with the suggestions from external regulation. For details regarding the implementation of diversity and independence of the Board of Directors at the Company, please refer to P.18~22 of the 2023 Annual Report of the Company.

Independent directors are non-executive directors who are independent by meeting at least 4 of the 9 criteria (including at least 2 of the first 3 criteria) listed below:
1. The director must not have been employed by the company in an executive capacity within the last year.
2. The director must not accept or have a “Family Member who accepts any payments from the company or any parent or subsidiary of the company in excess of $60,000 during the current fiscal year”, other than those permitted by SEC Rule 4200 Definitions, including i) payments arising solely from investments in the company's securities; or ii) payments under non-discretionary charitable contribution matching programs. Payments that do not meet these two criteria are disallowed.
3. The director must not be a “Family Member of an individual who is [...] employed by the company or by any parent or subsidiary of the company as an executive officer.”
4. The director must not be (and must not be affiliated with a company that is) an adviser or consultant to the company or a member of the company’s senior management.
5. The director must not be affiliated with a significant customer or supplier of the company.
6. The director must have no personal services contract(s) with the company or be a member of the company’s senior management.
7. The director must not be affiliated with a not-for-profit entity that receives significant contributions from the company.
8. The director must not have been a partner or employee of the company’s outside auditor during the past year.
9. The director must not have any other conflict of interest that the board itself determines to mean they cannot be considered independent.

Evaluation of the Performance of the Board of Directors

To fulfill corporate governance and enhance the effectiveness of the Board of Directors, the Company has established “Regulations Governing Evaluation of the Performance of the Board of Directors” pursuant to “Corporate Governance Best-Practice Principles”. The Company regularly conducts performance evaluations of the Board of Directors and functional committees in November annually for the evaluation period from November 1 of the preceding year to the end of October of the current year. The performance evaluation scope covers the performance of the Board as a whole, functional committees and individual directors. The performance evaluation was assessed based on the questionnaire on a scale of 1 to 5 (5 is the full score) with the assessment items as below:

 

If 90% of the measurement indexes reach 4 points or more, the internal performance evaluation results in a grade of “Exceed the Standard”; if more than 80% but less than 90% of the measurement indexes reach 4 points or more, the result shall be a grade of “Meet the Standard”; if less than 80% of the measurement indexes reach 4 points or more, the result shall be a grade of “Moderately Unsatisfactory”.

Please refer to the Company’s website for the board performance evaluation report of 2023 (https://www.chaileaseholding.com/en/CorporateGovernance/Directors).

Every three years, the Company commissions a third party to perform an external performance evaluation. In 2023, the Taiwan Corporate Governance Association (hereafter “TCGA”) was engaged to conduct the board performance evaluation. The TCGA and execution experts have no business relationship with the Company and are independent. The evaluation procedures included not only the review of written descriptions for assessment indicators and supporting documents, but also face-to-face meetings between the TCGA and directors, each functional committee convener, and top management. The TCGA examined the operation of the Board of Directors and each functional committee from 8 aspects, including the composition, direction, authorization, supervision, and communication of the board, internal control and risk management, self-discipline of the board, board meetings and supporting system, based on its wide experience of corporate governance assessment. The Company obtained objective comments and suggestions from the Board Performance Evaluation Report issued by the TCGA on December 4, 2023. The Company reported TCGA’s suggestions related to the above matters and the measures to be taken to the Board on March 23, 2023 and amended the “Regulations Governing Evaluation of the Performance of the Board of Directors” at the same meeting to enhance the operational efficiency of the Board.

In order to continuously strengthen corporate governance, the Company complies with external regulations while drawing lessons from indicators of international assessments. The Company revised the “Corporate Governance Best-Practice Principles”, “Corporate Sustainable Development Best Practice Principles”, “Risk Management Policy” and “Human Rights Policy” in 2023.

The Remuneration policy
(I) Remuneration policies, standards, and packages:
1. Remuneration for directors shall observe Article 94 of Chailease Holding’s Articles of Association. The Board of Directors (BoD) shall consider suggestions from the Compensation Committee and industry standards to determine remuneration. Article 118 of our Articles of Association also rules that the BoD may distribute profit-sharing compensation to current directors in years when the company is profitable. Profit-sharing compensation to directors shall not exceed 0.1% of earnings before taxes for that accounting period (year). In compliance with "Rules for Performance Evaluation of Board of Directors," Chailease Holding conducts at least one internal performance evaluation annually and one external performance evaluation, by external independent agencies or expert/scholar teams, every three years. Chailease Holding provides reasonable remuneration based on the company's performance, industry standards, and the result of the performance evaluation of directors, which includes but is not limited to individual contribution to company performance, attendance, and participation. Performance evaluations and remuneration both require approval from the Compensation Committee and BoD.
 
2. Remuneration for managerial officers shall observe Article 94 of our Articles of Association. The BoD shall consider suggestions from the Compensation Committee and industry standards to determine remuneration. Article 118 of our Articles of Association also rules that the BoD may distribute profit-sharing compensation to current employees in years when the company is profitable. Profit-sharing compensation to employees shall account for between 0.01%~1% of earnings before taxes for that accounting period (year).
 
Chailease Holding determines profit-sharing compensation for managerial officers based on performance evaluations in compliance with "Rules for Objective Management" and "Rules for Performance Review." KPIs for managerial officers fall under the two following categories. The company will then determine profit-sharing compensation based on their managerial performance and review the remuneration scheme when necessary to reflect company performance and related regulations:
(1) Financial KPIs:
KPIs: Sales fulfillment, earnings before taxes (EBT) fulfillment, return on equity (ROE), delinquent ratio, remaining principal balance, net profit per personnel expense, and net profit ratio per capita.
In addition to evaluating KPI fulfillment toward annual targets, the company also considers KPI growth from the same period last year.
(2) Non-financial KPIs:
In addition to financial KPIs, the company also evaluates non-financial areas such as strategic objectives, risks to sustainable operations, corporate governance and material topics. The managerial officers' non-financial indicators also contain 10% of the sustainable development goals, including but not limited to the increase in the scale of solar power plant assets (including the simultaneous increase in the number of solar power plants and total power generation capacity), energy conservation, expansion of carbon inventory, and improvement of occupational safety and health prevention plans, etc. In addition, 10% of the Chailease common goals include but are not limited to energy conservation and departmental public service hours.
 
3. Remuneration packages at Chailease Holding include monetary compensation, stock options, stock bonus, pension plan, offboarding compensation, other allowances, and other measures providing actual compensation. The packages for directors and managerial officers shall be determined in compliance with the organizational rules of the Compensation Committee and shall remain consistent with the scope published in annual reports.
 
(II) Procedures for determining remuneration:
1. Directors are evaluated based on the "Rules for Performance Evaluation of Board of Directors" and managerial officers and employees are evaluated based on the "Rules for Objective Management" and "Rules for Performance Review." Results from the evaluations serve as the basis for regular evaluations of remuneration to directors and managerial officers.
2. The business strategies, HR policies, and payment capacity determine remuneration policies at Chailease Holding. The Compensation Committee and BoD also annually evaluate and review performance evaluations and remuneration for directors and managerial officers. In addition to individual KPI fulfillment and contribution to company performance, the company also considers overall business performance and future risks and development trends in the industry. In addition, the company monitors actual company operations and related regulations to review the remuneration scheme when necessary to thereby fulfill sustainable operations and risk control. The actual remuneration paid to directors and managerial officers in 2022 was deliberated by the Compensation Committee and then submitted to the BoD for deliberation and approval.
 
(III) Linkage to operating performance and future risk exposure:
1. To enhance the efficiency of the BoD and units under managerial officers, remuneration standards and schemes are evaluated primarily in consideration of the company's overall operations, while remuneration is determined by KPI fulfillment and contribution. In addition, the company refers to industry standards by regularly commissioning management consulting firms to survey compensation levels in the finance sector and using survey results to evaluate our own compensation standards and provide competitive compensation, ensuring that compensation to managerial officers is competitive to retain outstanding managerial officers.
 
2. To manage and regulate potential risks within the scope of their job functions and duties, the KPIs for managerial officers are connected to risk control. The results of performance evaluations are then considered in tandem with related HR and compensation policies. Material decisions from managerial officers at Chailease Holding shall be derived from careful consideration of various risk factors. The performance of related decisions will be reflected in the company's profits and affect the compensation of managerial officers and their KPIs on risk control.
 
3. Long-term incentive plans for senior executives:
Chailease Holding established the "Officers Stock Ownership Trust Plan", in consideration of the plausibility of association with future risk exposure, to incentivize managerial officers to meet and exceed company targets, generate profits, and enhance business performance. The "Officers Stock Ownership Trust Plan" is mapped out with consideration to deferred reward, long-term reward, and Stock Ownership Requirement of Officers.
 
Bonuses to the CEO and other senior executives are primarily derived from the company's business performance, ESG, total shareholder return (TSR), and future risk factors. Deferred rewards are capped at 20% of the year-end bonus from the previous year, which will be deposited into a dedicated Officers Stock Ownership Trust Plan account for payment deferral of at least 1 year. Distribution of deferred bonuses will be based on TSR fulfillment in comparison to the year's Finance and Insurance Sub-index compiled by the Taiwan Stock Exchange (TWSE), connecting bonuses for senior executives with the company’s long-term performance and shareholder interests. In the event of material risk events impacting the company's goodwill or similar situations, the company may deduct or withhold bonuses according to the "Clawback Policy" depending on circumstances.
 
4. Future risks to company operations mainly stem from losses from bad debt, a factor of asset quality. Chailease Holding has established a Risk Management Department to handle and oversee assessments of asset quality for finance-related business units. The company will adjust the percentage of bad debt reserves for regular cases according to asset quality. When losses from bad debt increase, the individual performance and, therefore, bonuses of directors, presidents, and vice presidents will decrease accordingly.
Note 1: The "Officers Stock Ownership Trust Plan" is applicable to the same targets as the "Stock Ownership Guidelines".
Note 2: The average shareholding value of senior executives other than the President in 2022 was 37.5 times that of their total annual base salary.
 
ESG Performance and Reward System of Senior Managers
The work objectives of senior managers in each group company must be linked to ESG. Through the performance management mechanism, the ESG performance of managers and employees is linked to the reward system to make ESG promotion effective.
 
In order to truly promote environmental sustainability and implement the development of carbon reduction and energy creation, Chailease Holding has been actively investing in green energy since 2010 and established Chailease Energy Integration Co., Ltd. in 2015 to provide a full range of green energy solutions, including equipment sales and financing, power plant planning and development, new energy investment, operation and maintenance. Our employees have further set performance goals related to climate change, integrating the concept of environmental friendliness into the mission of mutual prosperity and goodwill for individual employees and even management, and providing bonuses to recognize achievements in meeting energy-saving or energy-creation goals. In addition, we select exemplary employees of the year each year, including those who have demonstrated good performance on climate change issues. In order to achieve the solar installation capacity goal, all Chailease Energy Integration Co., Ltd. employees, including supervisors, receive honorary leave (extra days off), public recognition, bonuses for achieving KPIs (Key Performance Indicators), and prizes.

In response to revisions to the scope of Taiwan’s Money Laundering Control Act, which added financial leasing activities, the company will undertake to implement all legal requirements and procedures required of financial leasing companies. Chailease will do our utmost to coordinate with competent authorities. While fulfilling our corporate social responsibility and combating money laundering and terrorist financing, we adopt a "risk-based" approach to remain compliant with financial regulations while continuing to grow our business. To achieve this, we regularly update and refine our risk assessment methodologies, leveraging technology and data analytic tools to enhance the effectiveness of our AML/CFT management action. A summary of the 2023 work on combating money laundering and terrorist financing for the overseas subsidiaries of the Company is as follows:

Internal Policies and Reporting Framework

In order to comply with the Anti-Money Laundering Law, the Anti-Terrorism Law and the Anti-Money Laundering Measures for Financial Institutions, the Company has formulated the "Anti-Money Laundering and Anti-Terrorism Policy" and the "Procedures for Group Anti-Money Laundering and Countering Terrorist Financing Information-Sharing" and the. In addition to complying with the holding company's rules and regulations, its major subsidiaries have also formulated their own internal regulations in accordance with the norms and references from the competent authorities and the Association. These are reported to the Board of Directors on a half-yearly basis by the special unit to track the effectiveness of their implementation, and the Board of Directors will also put forward suggestions or provide support in light of the concrete facts, so as to build up a culture of the Board of Directors that focuses on the prevention of money laundering and combating of information terrorism.

Customer Risk Management
●Customer Due Diligence
Measures are taken to identify customers, including collecting, updating, and storing information. These procedures include identifying the actual beneficiaries of business households and those who are family members of, or have close relationships with, people with important political positions. We have adopted the principles of the risk-based approach (RBA): we review on a risk basis, focus on customers and transactions with a high money laundering risk using risk grading, and implement review mechanisms of different intensity (CDD, EDD) to allocate resources effectively. For example, customers identified as high risk undergo enhanced due diligence to confirm their funding needs and main sources of repayment, and the establishment of business relationships with high-risk customers requires review and approval by senior management. In the first half of 2023, we expect to establish business relationships through non-face-to-face source business (such as the Invoice-Bizloan service, etc.). Taking into account the special characteristics of the products and the distribution of customers, in addition to the general CDD procedures, if there is a high-risk situation, we will ascertain the purpose of the demand and establish a business relationship only after approval by the senior executive.

●Establishing Group-Level Information Sharing Platform
Important subsidiaries of the Company have also established the Group's own list-sharing mechanism. At the beginning of each month, the Company asks each examination unit whether it has a list of customers that meets the Group's criteria for attention. If so, the unit reports the company, list format, name, gender, nationality/country of incorporation, date of birth/establishment, and information on the actual beneficiary back to the specialized unit, and each subsidiary's specialized unit then consolidates the information and replies to the Holding Company's Legal Affairs Group. This mechanism for information sharing within the Group on the prevention of money laundering and combating of terrorism is intended to strengthen the monitoring and control of customer status and unusual transactions across subsidiaries, to reduce manpower working hours, and to strengthen data maintenance and management, so as to enhance the effectiveness of the Group's integrated money laundering and terrorism risk management. The systemization of the Group's information sharing operations is expected to be completed by the end of 2024.

Education and Training
To further implement effective AML/CFT measures, all directors, senior managers, and the supervisors and personnel of compliance and AML/CFT units met their internal and external training requirements in 2023. Training on anti-money laundering and combating terrorism is provided in accordance with the nature of their business, with appropriate content and hours, including the sharing of laws, regulations, and case studies; the identification and reporting process of suspicious transactions; and the compliance duties of relevant personnel.

During the more severe period of COVID-19, the course was changed to a recorded online course. The topics of the course were mostly issues and current events closely connected with the business units' practical operation, such as the war in Ukraine and international sanctions, customer acceptance policy, virtual assets, online gambling and so on.

In 2023, the Company's major subsidiaries, Chailease and Fina Finance, collectively offered 46 education and training sessions. All AML/CFT supervisory officers have obtained the internationally recognized anti-money laundering specialist (CAMS) license and regularly receive relevant training in the courses (including online training) held by internationally recognized anti-money laundering specialists. In response to international trends and changes in laws and regulations, they keep up with the latest money laundering prevention and anti-terrorism operations and make adjustments accordingly.

"Trust" and "discipline" are major cornerstones of our corporate culture, and employees are strictly held to high moral standards in undertaking work for the company. They are charged with embodying the corporate philosophy in their daily work, and every employee has the responsibility of maintaining the company's good reputation and honoring laws and regulations, avoiding conflicts of personal interest with company interest, guarding the confidentiality of company and client information, and acting according to the letter and spirit of all relevant laws and regulations. Major operational and managerial actions of the company are grounded in disclosure of information, adherence to law, risk management and honest operations.

Since Chailease Holding was publicly listed on the Taiwan Stock Exchange in 2011, it has participated in the Company Information Disclosure Evaluation. After three years of continuous efforts, the rank of the Company has improved to the best A++ rating. In the process, the Company implemented relevant laws and regulations, improved the establishment of policies and guidelines, and voluntarily disclosed information in order to enhance the transparency of information. The Company also participated in the Corporate Governance Evaluation, which was conducted by the Taiwan Stock Exchange and the Taipei Exchange. Of the 1,617 listed companies that participated, Chailease Holding ranked in the top 5% up to 7 times.

In addition to publicly disclosing revenue on a monthly basis as stipulated by law, before the 25th day of every month, Chailease Holding voluntarily announces its profit situation in order to give the investing public a more immediate grasp of its revenue and profits. The company website discloses all significant information, including complete financial operations, important resolutions from the board of directors and important regulations, providing complete information disclosure services. To ensure a complete public disclosure mechanism, a clear internal implementation process has been established and responsibility has been divided up. The information is classified according to type and attribute and the relevant business units are responsible for it. An internal division of labor, reviews, and a confirmation mechanism all ensure the accuracy of the information. In 2018, the company also amended the Chailease Holdings Information Announcement and Application Procedures. The Regulatory Compliance Unit also publicly provides information relevant to external laws and regulations and accordingly modifies the information for the other business units’ reference.

When Chailease Holding went public in 2011, it voluntarily raised its regulatory compliance standards. Just like financial institutions, it established special business units to develop regulatory compliance management practices. Other major subsidiaries, including Chailease Finance Co., Ltd. and Chailease International Finance Corporation, also developed regulatory compliance management practices. They regularly hold regulatory compliance training and awareness programs to ensure their operations and products comply with internal and external regulations. In addition, they conduct annual internal regulatory compliance inspections and report the results to the board of directors.

Chailease has a Corporate Governance Officer. Besides statutory compliance matters, the Corporate Governance Officer is in charge of corporate governance affairs, including but not limited to ensuring the Company’s operation and internal policies comply with the most recent requirements of relevant regulations or laws, conducting regular legal compliance internal training for targeted departments, and conducting the legal compliance self-examination of this year. The results of the legal compliance self-examination in 2022 are in compliance with the laws and regulations, and there were no significant instances of non-compliance with laws and regulations in 2023 (No violation of the laws will impact the daily operation of the Company.)

In 2023, the self-inspection results of Chailease Holding and its significant subsidiaries in Taiwan were all in compliance with laws and regulations, and there were no major violations of laws and regulations (a major violation of laws and regulations refers to a violation of laws and regulations that has resulted in a fine of up to NT$3,000,000 or a fine from the competent authority that affects the day-to-day operations of the business, e.g., termination of the listing of the company or revocation of the business license).

Internal Control System

The internal control systems of the company are management processes designed by its managers, passed by its board of directors, and implemented by the board of directors, managers, and the rest of the employees for the purpose of promoting sound operations of the company, so as to reasonably ensure that the following objectives are achieved:

1. Effectiveness and efficiency of operations.

2. Reliability, timeliness, transparency, and regulatory compliance of reporting.

3. Compliance with applicable laws, regulations, and bylaws.

In response to international trends in taxation and governance, and to fulfill its corporate social responsibility, Chailease has set a "Tax Governance Policy" to manage tax strategies and affairs. Related policies, regulatory and management guidelines can be found in the official corporate governance rules for the company. The policy will be reviewed every year. If modifications are needed due to regulations or external environment, the policy will be submitted to the board of directors for approval.

In 2023, central bank interest rate increases, the crisis and collapse in foreign banking, and geopolitical risks caused a steady decline in world growth, along with the risk of wider restrictions on the movement of people, goods and services, reduced business and consumer confidence, and slowed production. In facing the overall economic environment, we always uphold the concept of risk management in order to take advantage of industry developments and future prospects. By adopting a decentralized customer base, decentralized industry exposures, and geographic dispersion, we effectively lower the risk from any market changes that might happen.

Key subsidiaries have established Risk Management Committees that meet quarterly to maintain a robust and effective risk management mechanism and formulate risk management policy. The Committees also manage and supervise financial assets, effectively manage potential risks arising from all company business, and make adjustments to the normal ratio of allowance for bad debts based on the asset quality. In addition, there is a model to assess client credit risk, and there are two methods for evaluating credit risks for corporate financing and micro-enterprises; both were awarded a patent by the Taiwan Intellectual Property Office.

Organization of Chailease Holding Risk Management Structure

Risk management and internal control are implemented through three lines of risk management. The authority of each line of defense supervises the subsidiaries and continues to optimize the adjustment according to the target.

The company has developed and promoted a risk management culture within the organization and established a comprehensive risk management education and training system, which includes courses on risk management concepts, knowledge of the risks of various products, the case review process, and analysis of financial statements. New product development is included in the risk assessment, and each subsidiary has formulated guidelines for the management of new products or new businesses. Risk assessment, risk management procedures and control mechanisms are subject to the opinions of the relevant authorities and approved by the general manager or chairman of the board of directors. In addition, relevant risk management indicators, such as the amount of delays and the default rate, are included in the assessment of senior executives and business unit personnel performance, so that the risk management indicators are linked to their performance and the payment of bonuses.

Emerging Risks

Based on the emerging risks mentioned in the World Economic Forum Global Risk Report, the categories of emerging risks are increasing year by year and the probability of occurrence is increasing. In order to strengthen the management of emerging risks, the company has established an emerging risk identification and management procedure, under which it assesses the impact and likelihood of risks, formulates mitigation measures for important emerging risks, and regularly follows up on and reviews implementation results.

1. Emerging risk identification process

2. Emerging risk matrix

We have analyzed the emerging risks identified in the World Economic Forum’s (WEF) Global Risk Report, and the internal risk management unit has reviewed and discussed each risk in terms of its degree of impact, its level of probability, and the company’s preparedness and adaptability (vulnerability) to the risk, in order to draw a matrix of emerging risks. Compared with the emerging risks in recent years, we identified the emerging risks with high impact and occurrence to the Company, including geo-economic conflict risk, generative AI risk, and decarbonization risk, and proposed mitigation measures for the emerging risks with significant impact.

Emerging Risk Identification Procedures and Response Measures

The “Corporate Governance and Sustainable Development Committee” is responsible for promoting business ethics. The Company has business ethics related regulations such as “Ethical Corporate Management Best Practice Principles”, “Procedures for Ethical Management and Guidelines for Conduct”, “Corporate Governance Best-Practice Principles”, “Corporate Sustainable Development Best Practice Principles”, and “Ethical Conduct Best Practice Principles”;

The company provides customer satisfaction in accordance with our Ethical Conduct Best Practice Principles and strives to compete in the marketplace in an honest manner and does not use illegal or unethical means to gain results. Chailease Holding and its significant subsidiaries in Taiwan were not involved in any corruption and bribery, fraud, insider trading, anticompetitive, antitrust and monopolistic practices, and there were no lawsuits and penalties related to market manipulation in 2023.

All directors and senior executives of the Company have signed the "Integrity Statement" which has been disclosed on the Company's website. The Integrity Statement declared that the Company and all of its employees shall not directly or indirectly offer, promise to offer, request or accept any improper benefits, nor commit unethical acts for purposes of acquiring or maintaining benefits while engaging in commercial activities, in order to implement the integrity management policy, actively prevent dishonesty, and declare the determination and commitment of the board of directors and senior management to operate in good faith. All new recruits must attend the course on the Ethical Corporate Management Best-Practice Procedure and Code of Conduct, and regular training was also provided for existing employees.

In order to further enhance ethical management, the Company has implemented the ISO 37001 Anti-Bribery Management System and formulated the “Anti-Corruption and Anti-Bribery Policy”. The prevention of corruption and bribery, guidance for stakeholders on preventing corruption and bribery, the establishment of the ethical management policy, and the implementation of corporate social responsibility and sustainability are set forth in the Policy.

Chailease’s ISO 37001 Anti-Bribery Management System received its certificate from BSI in May 2023 and passed the validity audit in January 2024. Currently, the scope of the ISO 37001 Anti-Bribery Management System is Chailease Holding Company Limited; the Company will evaluate the possibility of extending the scope of the system to subsidiaries.

Liability Insurance for Our Directors

The company’s policy regarding director insurance goes beyond current legal requirements. Since going public in 2012, the company has purchased liability insurance for our directors. In August 2017, during a special shareholder meeting, the Articles of Association were revised to add retired directors to the scope of compensation, and indemnity agreements are also to be signed by each director. At the same time, the company purchases Directors and Officers Liability Insurance to guard against erroneous actions by directors, supervisors and company officers in the course of their executive duties that cause damage to third parties, and to provide them with a means to pursue a claim. The insurance also helps to mitigate financial risks to the company caused by litigation and ensure healthy company operations.

Employee Integrity Risk

Insurance for "Employee Integrity Risk", with the company listed as the insured, protects against dishonest actions by employees (such as legal or financial accounting personnel) which might cause grave damage to the company and cause the loss of company assets or assets the company is charged to steward. This transfers operational risk to an insurance liability, reducing losses to the company and thereby protecting shareholder interests.

Whistleblowing System and Protection of Whistleblower

The Company and its subsidiaries have established the Whistle-Blower Policy, the Procedures for Protecting Whistle-Blower, the Regulations of Prevention, Correction, Complaint and Punishment of Sexual Harassment, and the Regulations of Prevention, Correction, Complaint and Punishment of Unlawful Violations in Workplace. Personnel within the company and people outside it can report improper actions, corruption, or actions in violation of the Code of Conduct through the established public hotlines, the e-mail mailboxes on the official website, and the traditional mailbox. The Whistle-Blower Policy specifies the dedicated receiving units, the independent investigation units, and the acceptance and investigation schedule for misconduct and malpractice. If an unlawful infringement (including discrimination and sexual and non-sexual harassment) has been verified, Chailease may transfer, demote, cut the pay of, or punish the employees, or impose other punishments on them, based on relevant regulations such as the working rules, depending on the severity of the unlawful infringement. If the investigation result shows a criminal case, Chailease will help complainants take legal action and transfer the case to judicial authorities.

After it has been verified as containing no false allegation or incomplete information, the report or complaint raised will be investigated by the independent investigation unit, depending on the nature of the report or complaint. When the allegations of the report or complaint are substantiated, the appropriate disciplinary action will be taken in accordance with the Company’s Personnel Reward and Punishment Regulations. Internal publicity on complying with the Company’s discipline and regulations will be enhanced.

The “Procedures for Protecting Whistle-Blower” require that the whistleblower should be kept strictly confidential. All information disclosed during the course of investigation should remain confidential.

In order to implement the ISO 37001 Anti-Bribery Management System, the Company has amended the “Whistle-Blower Policy” and “Procedures for Protecting Whistle-Blower”. The amendments mainly include adding and channeling reporting methods for different events, regulating different investigation items for different levels of management, and strengthening whistle-blower protection.

Statistical Diagram of Events in violation of the Company's Discipline or Regulations

Among the concerns or complaints raised to the Company and its subsidiaries in 2023, 34 reported cases have been investigated and substantiated. The employees who violated the Company’s discipline or regulations have been punished in accordance with the Company’s Personnel Reward and Punishment Regulations, and internal publicity has been carried out. (Note: 59 employees involved in the above 34 cases represent approximately 0.6% of the total population of the Company’s 9,887 employees by the end of 2023.)

In order to effectively promote information security work, the Company established the “Information Security Committee” in accordance with the “Regulations for Information Security Policy,” to take charge of promoting and governing information security, monitoring and managing information security risks, and reporting major information security incidents. The Committee shall hold a meeting at least once a year and may hold a meeting to report major decisions to the Board of Directors, if necessary.

In 2022, in accordance with the “Regulations Governing Establishment of Internal Control Systems by Public Companies”, the Company set up a Chief Information Security Officer, an information security supervisor, and a dedicated information security department. Professional information security personnel will coordinate the information security management system and compliance, information security analysis and monitoring, threat and vulnerability management, incident response, etc.

Information Security Policy

Considering relevant business development and demands, the Company established the “Information Security Policy” to strengthen the management of information security, build a safe and reliable information operating environment, and ensure information, system, equipment and network security. Moreover, the Company also stipulated “Guidelines for the Management of Information Security” and other management regulations and established control systems, in accordance with relevant matters stated in the policy. For the content of relevant policies, please refer to the Important Articles of Incorporation for Company Governance on the company website.

Information Security Status of Implementation

In accordance with the provisions of Articles 8 and 9 of the "Regulations Governing Establishment of Internal Control Systems by Public Companies", Chailease has established internal control systems and related operational specifications for information circulation and other management environments, including personal information and computerized information systems. At the same time, to comply with the provisions of Article 13 of the Regulations, the company's information and communication security inspection is included in the annual audit plan.

Self-Risk Evaluation and Check of Internal Control Systems by Operation Units

In order to implement the self-supervision mechanism of information communication safety and ensure that the internal control systems related to the information cycle and personal information processing can be adjusted in time in response to changes in the environment, so as to reduce the risk of negligence in information communication safety operations, each unit decides on its own assessment procedures and methods in accordance with relevant internal and external laws, regulations, and risk assessment results. The frequency of execution depends on the nature of the work of each unit, but the assessment must be carried out at least once a year, and improvements will be proposed for the defects and abnormalities found in the assessment. The results of the self-assessment are sent to the internal audit unit, which reviews them and the implementation of the self-assessment.

Control of Information Flow Security Audit and Inspection

The independent internal audit department shall draft an annual information security audit and inspection plan according to the results of self-risk evaluation and risks of each operation unit. This audit and inspection plan shall be submitted to the management and the internal audit department shall conduct due diligence based on the plan. Reports of due diligence will be submitted to the management. Defects and recommendations thereof will be tracked and improved within a due date.

Information Security Training

Each unit's new recruits are required to attend education and training classes encompassing courses of specific information security, the company's internal rules, related laws, cybercrime, and general knowledge of information security. Each year, information technology-related departments shall establish an annual education and training program and arrange personnel to participate in external workshops accordingly. Those participating in training courses will also need to pass relevant professional examinations. We also arrange companies with expertise to introduce (or educate about) important information security projects and conduct related case studies.

Information Processing Flow Chart

Regarding the management of the information service processing procedure, Chailease takes information management as its basis and builds demand management, incident management, problem management, change management, requisition form management, online management, knowledge management, and usability management, supplemented by risk management orientation, from the demands of information services at the user end to the final completion online or solutions to problems or demands, to keep close tabs on information security.

Information Security Resources Devoted for Newcomers

With the rapid advancement of technology and the increasingly complex challenges in information security, the protection of sensitive data within enterprises cannot be overlooked and a robust information security culture is crucial for the stability of business operations. The promotion and training of information security awareness among employees are key success factors in implementing information security policies. Information security training not only enhances employees' awareness but also effectively reduces the information security risks associated with internal errors or malicious actions. Recognizing this, the company actively invests in information security education resources and consistently takes note of effectiveness.

  1. Newly onboarded personnel are required not only to receive relevant internal professional knowledge but also to complete information security training and become familiar with internal information security policy requirements. This is to proactively prevent potential risks. As of 2023, all new employees have successfully completed the training.
  2. The company has also planned various information security courses on different topics for all employees, providing an efficient way to learn information security knowledge while meeting the training requirements. All current employees have undergone training in 2023.
  3. Regularly conducting social engineering simulation drills to enhance employees' awareness and preparedness against actual threats. Additionally, these drills serve to verify the effectiveness of training efforts.
  4. Establishing an 'Information Security Awareness Announcement' to regularly disseminate information on information security topics, techniques for recognizing fraudulent methods, etc. This aims to remind employees to be vigilant, understand the importance of information security, and stay informed.
  5. To cope with the rapid changes in information technology, the Information Technology Department annually sends employees to participate in external professional training courses related to information security.

Measures for Managing Information Security Incidents

The Information Technology Department provided gateway and terminal protection functions, as well as quarantine alerts for virus programs. Moreover, the department can further detect suspicious external intrusion behavior through network flow control and analysis. In addition, to improve threat detection speed and response time, XDR (Extended Detection and Response) was introduced comprehensively to collect and automatically cross-correlate data from multiple protection layers, providing faster threat detection through more rapid information security analysis and improving investigation and response time.

Enterprise Mobility Management (EMM) was gradually introduced. When employees use mobile devices to send and receive emails or perform remote connection operations, authority is minimized and controlled according to the principle of “Need to know”, and no data is stored on endpoints. In other words, to truly protect the company's operational information and customers' personal information, it will not be possible to store company data externally from mobile devices.

A dedicated department for information security was set up and daily information security inspection operations were formulated to ensure that all information security equipment performs its detection and defense capabilities as expected. Potential external and internal information security threats and risks are discovered and eradicated by analyzing the warning signs and records generated by the equipment. Information security equipment is integrated with operating processes to prevent threats before they happen.

In response to the company's heightened concern for sensitive data security in 2023, the implementation of Data Loss Prevention (DLP) technology has been successfully completed in Taiwan. The DLP system enables real-time monitoring, detection, and prevention of potential information leaks, ensuring the continuous surveillance of sensitive data usage. Monitoring reports are also regularly provided to mitigate the risk of data breaches proactively.

To establish a zero-trust foundation, the company implemented a multi-factor authentication system in 2023. By combining different authentication factors, this move aims to strengthen the identity verification mechanism, providing higher security than authentication with a single account password. This ensures that only authorized personnel can access company resources, thereby reducing the risks of improper system usage and identity theft.

The vulnerability scanning of the servers and the penetration test of the main website were completed in 2023. This involves scrutinizing potential vulnerabilities in servers and websites to ensure their resilience against various potential threats. Following the completion of the assessment, we integrate the assessment report with current security control measures to evaluate the vulnerability risk levels under the information environment controls. Subsequently, we formulate and implement a vulnerability remediation plan. The security assessments are conducted twice a year to ensure real-time control of new vulnerabilities and threats.

The vulnerability scanning platform was established in 2023. In addition to conducting vulnerability scans through external vendors regularly, this platform also enables real-time responses to emerging information security threats. It integrates with internal operational processes to proactively detect potential security vulnerabilities and validate the effectiveness of remediation for vulnerabilities. This aims to establish a more comprehensive vulnerability management system.

The phishing e-mail drill was completed in 2023. Phishing emails designed to be close to hacker attack methods were sent to all employees in Taiwan to test their information security vigilance and awareness. After statistical analysis of the drill results, information security training materials were designed, and an information security awareness announcement was established and is published regularly to help employees understand the latest social engineering techniques and to continuously improve the overall level of information security awareness.

Information security insurance was implemented in 2023. It transfers the financial risk of information security impacts and mitigates the damage and impact of information security incidents, enhancing the company's risk tolerance and resilience.

In response to potential risks such as information security, human rights, privacy, ethics, and legal implications arising from the global wave of generative AI, referencing "Reference Guide for the Use of Generative AI by the Executive Yuan and Affiliated Agencies," the company has formulated internal "Guidelines for the Use of Generative AI" in 2023. This aims to provide employees with consistent usage principles and awareness, ensuring safe, reasonable, and effective utilization to mitigate potential information security risks.

In 2023, two disaster recovery environment drills were conducted in accordance with the regulations: one recovery drill for the information department, and one remote recovery drill involving the information department and the front end and back end. These exercises are intended to provide the best protection measures for the enterprise's internal systems and data, minimize the recovery time from system interruptions, and reduce the data loss caused by operational interruptions through reasonable means and methods. In 2023, there were no fines or operational losses due to information equipment problems.

To standardize procedures for reporting and handling information security incidents, "Regulations on Incident Response and Notification Management for Information Security Events" was optimized in 2023. Processes for incident classification, severity levels, and response handling were established. In the event of an information security incident, actions will be taken within specified timeframes based on the severity level to complete damage control or recovery operations. After the incident is resolved, root cause analysis will be conducted, and corrective measures will be implemented to prevent recurrence.

In pursuing continuous operation, the enterprise complies with international standard management systems to achieve the goal of organizational operation safety, thereby enhancing customer trust and becoming the most reliable partner:

  1. The ISO 27001 information security management system (ISMS) was introduced in 2021, and renewal was passed in 2022 and 2023, maintaining the validity of the international certification with an attitude of continuous optimization. In 2024, "SEM financing platforms" will be included in the scope of verification, with the scope to be expanded year by year.
  2. Information security insurance was implemented in 2023. The goal is to establish a risk transfer mechanism. While pursuing sustained operations, the company aims to meet the expectations of stakeholders by demonstrating a high commitment to information security through tangible actions.