The Regulation on the Disclosure of Confidential Information ("Regulation") issued by the Banking Regulatory and Supervisory Authority ("BRSA") published in the Official Gazette No. 31501 dated 4 June 2021 will enter into force on 1 January 2022.
The Regulation aims to clarify the additional provisions introduced in 2020 to Article 73 of Banking Law No. 5411 ("Law No. 5411") and the relationship between this law and the Personal Data Protection Law No. 6698.
The Regulation determines the scope, form, procedures and principles regarding the sharing and transfer of bank and client secrets.
REGULATIONS RELATING CONFIDENTIALITY OBLIGATION
Article 73 of Law No. 5411 stipulates that those who learn bank or client secrets due to their titles and duties cannot disclose said secrets to anyone except those legally authorised. Any information evidencing that a person is a bank client will be deemed client secret.
According to the Regulation, the confidentiality obligation will also apply to:
- Client secrets obtained and learned through non-automated methods or methods that are not used for any data recording
- Client secrets obtained and learned from another bank, regardless of whether it has established a client relationship.
EXCEPTIONS TO CONFIDENTIALITY OBLIGATIONS
The Regulation states when the disclosure of confidential information will not constitute a violation of the confidentiality obligation, if the requirement to execute a confidentiality agreement and the requirement to limit the disclosure to the stated purposes are met:
- Confidential information that is not a client secret, but only a bank secret, and that relates only to the bank may be shared with third parties pursuant to a bank board of directors’ resolution .
- In cases where it is mandatory to prove facts related to disputes in which the banks are a party, bank or client secrets of one of the parties to the dispute may be shared with authorised institutions and representatives if sharing of this information is deemed necessary to prove the facts related to the dispute.
- Disclosure of information by institutions affiliated with a financial group for the purpose of client identification or information regarding accounts and transactions within a same financial group is authorised under Law No. 5549 on the Prevention of Laundering the Proceeds of Crime.
- Verification of client information provided to public institutions on the client’s request by banks, the Risk Centre, or companies established by at least five banks or financial institutions will not be deemed a violation of the confidentiality obligation, provided that the client has requested the verification of such information.
REGULATIONS RELATING TO PRINCIPLES OF INFORMATION SHARING
The Regulation sets forth the ground rules for sharing client and bank secrets with third parties as follows:
- Disclosure of client secrets and bank secrets must be compliant with the principle of proportionality and accordingly, if the purpose of the disclosure can be achieved without sharing such secret data, the disclosure will be deemed not proportionate. Furthermore, disclosures must contain the minimal amount of secret data to achieve the purpose of disclosure.
- The regulation defines "de-identification", "data processing", "anonymisation" and "aggregation". In sharing confidential information, aggregation, de-identification or anonymisation methods must be used as a matter of course.
- Client secret data shall not be shared with third parties resident in Turkey or abroad without the client's request or instruction, even with the explicit consent of the client except in cases that are exempt from the confidentiality obligation.
- If the bank client whose information will be disclosed is not a client of the parent company, the controlling shareholder or the group company, the confidential information to be shared with such entities must not reveal the identity of the said client or render such client identifiable and aggregation, de-identification and anonymisation methods should be applied.
- Exceptions have been determined for transactions where data sharing is necessary due to the nature of such transaction.
- When it is necessary to interact with the bank, payment service provider, payment securities settlement or messaging systems located in Turkey or abroad, and the sharing of a client secret is deemed necessary for transactions such as fund transfer, letter of credit, letter of guarantee, or reference letter, the following two situations will replace "customer request or instruction":
- Initiation of transaction by the client
- Order entries through distribution channels of electronic banking services by the client.
BANKS' OBLIGATION TO REPORT TO BRSA FOR INFORMATION DISCLOSURE WITH THE PARENT COMPANY
While sharing information for the preparation of consolidated financial statements, risk management and internal audit practices, banks are obliged to report to BRSA every semester or immediately in case of any material change. This report must contain information transferee third parties, reasons for information disclosure, measures taken to ensure the confidentiality of the shared information and a copy of the confidentiality agreement.
BANKS' OBLIGATION TO ESTABLISH AN INFORMATION SHARING COMMITTEE
Banks must establish an Information Sharing Committee, whose functions and working principles will be approved by the bank's Board of Directors. The Committee is responsible of coordinating the disclosure of client and bank secrets, assessing the compatibility of the disclosure requests with the principle of proportionality, and keeping records of these decisions.
In compliance with Turkish bar regulations, opinions relating to Turkish law matters that are included in this client alert have been issued by Özdirekcan Dündar Şenocak Avukatlık Ortaklığı, a Turkish law firm acting as correspondent firm of Gide Loyrette Nouel in Turkey.