[guest-authors: Selin Kaledelen, Atakan Arslan, Elif Engin, Sertac Yuksel]*
The "Regulation on Sharing of Secret Information" (the "Regulation") prepared by the Banking Regulation and Supervision Agency (the "Agency" or "BRSA") was published in the Official Gazette dated June 4, 2021.
In accordance with article 73 of the Banking Law No. 5411 (the "Banking Law"), BRSA has been authorized, as of February 2020, to determine the scope, form, procedures and principles regarding the sharing and transfer of secret information, or to impose restrictions on them. Aiming to provide clarity on issues such as the obligations of banks, the exceptions to those obligations, the concept of customer secret and its transfer, the draft Regulation on Sharing Secret Information (the "Draft") was published on the BRSA website and opened for public consultation. The Regulation, published in the Official Gazette dated June 4, 2021 and numbered 31501, will enter into force on January 1, 2022.
Customer Secret and Bank Secret Concepts
Within the scope of the Regulation, the concept of "customer secret" is handled more broadly than in the Banking Law. Article 73/3 of the Banking Law provides that data belonging to natural and legal persons, formed after a customer relationship is established with a bank and specific to banking activities, is a customer secret; the Regulation additionally provides that any information indicating that a natural or legal person is a customer of the bank is also a customer secret. Moreover, customer secret information held by another bank which a bank obtains or learns of falls within the scope of this confidentiality obligation even if no customer relationship has been established.
In contrast to "customer secret", the concept of "bank secret" is not defined in the Banking Law. Although Article 5 of the Regulation does not define it directly either, it contains a provision that delimits the concept. According to Article 5/5 of the Regulation, sharing information that is not a customer secret but only a bank secret, i.e. information concerning the bank itself, with third parties under the responsibility of the bank and upon a decision of the bank's board of directors does not constitute a violation of the confidentiality obligation. From this exception it is understood that the concept of bank secret covers only information about the bank and its internal functioning that is not a customer secret.
New Regulations Under the Regulation
1. Confidentiality Obligation
1.1 The Confidentiality Term
Pursuant to article 4/3 of the Regulation, information about a natural or legal person that is collected within the scope of banking activities, and that is specific to those activities, after a customer relationship with the bank has been established is confidential. Information that forms the basis of the customer relationship between the natural or legal person and the bank is also within the scope of confidentiality. If a bank that has not established a customer relationship with the natural or legal person in question obtains such confidential information, it must protect it under the same obligations that apply to the customer secrets held within its own system, in accordance with article 4/1 of the Regulation.
1.2 Persons Who Are Under Confidentiality Obligation
Pursuant to article 4 of the Regulation, those who learn secret information of banks or their customers by virtue of their titles and duties are under the confidentiality obligation. The confidentiality obligation and the persons subject to it are regulated in the Regulation in parallel with the Banking Law. Both texts clearly state that these persons cannot disclose the secret information in question to anyone other than the authorities explicitly authorized in the relevant legislation.
1.3 Continuity of the Confidentiality Obligation
According to article 4 of the Regulation, the confidentiality obligation continues even after the person who learned the secret information leaves office. Unlike the Draft, the Regulation as published also specifies when the confidentiality obligation for the data in question begins. According to the last sentence added to article 4/4 of the Regulation, for data obtained by a bank from third parties before a customer relationship is established, the confidentiality obligation begins as soon as that data becomes a customer secret. Data becomes a customer secret when, after the customer relationship has been established, the bank processes the personal data in a way that serves that customer relationship.
2. Exceptions to the Confidentiality Obligation
2.1 Exceptions
(a) General Exception
According to article 5/1 of the Regulation, disclosure of secret information to those authorized by law does not constitute a violation of the confidentiality obligation.
(b) Exceptions Related to Confidentiality Agreement
According to articles 5/2, 5/3 and 5/4 of the Regulation, provided that a confidentiality agreement is concluded and the secret information belonging to a bank or a customer is used only for the limited purposes that have been determined, the following do not constitute a violation of the confidentiality obligation:
- Exchange of information and documents between banks and financial institutions;
- Exchange of information and documents through the Risk Centre envisaged in Additional Clause 1 of the Banking Law, or through companies established by at least five banks or financial institutions;
- Sharing with the parent company or controlling partner, being a domestic or foreign credit institution or financial institution holding at least 10% of the bank's capital, provided that a copy of the contract, the purposes of sharing, the technical and administrative measures taken, and the title and country of the parties with which the information is shared are reported to the Institution once every six months or whenever there is a change; and, provided that the required administrative and technical measures are taken, sharing with the controlling partner or with the group company designated by that partner from which the bank receives services, for the following activities:
(i) Consolidated financial statements;
(ii) Risk management activities in all risk categories included in the Regulation on the Internal Systems of Banks and Internal Capital Adequacy Assessment Process (the "İSEDES Regulation");
(iii) Compliance risk activities, including the risk of committing the financial crimes defined in the Law on the Prevention of Laundering Proceeds of Crime No. 5549 ("Law No. 5549") and the Law on the Prevention of Terrorism No. 5415, provided that they arise from national or international legislation; and
(iv) Internal audit practices;
- Exchange of information and documents regarding the sale of shares representing, directly or indirectly, at least 10% of the bank's capital, in order to inform prospective buyers and for use in the valuation of the bank's assets, including loans and securities;
- Provision of information and documents, provided that the required administrative and technical measures are taken, to those delivering valuation, rating, support and independent audit services.
(c) Exceptions Related to Corporations
The Regulation accepts that the sharing of customer secrets will not violate the confidentiality obligation in certain cases. Accordingly, the following do not constitute a violation of the confidentiality obligation:
- Sharing information in the nature of a bank secret with third parties, under the responsibility of the bank, upon a decision of the bank's board of directors or of the body to which the board has delegated the authority to decide on sharing, provided that the procedures and principles have been determined;
- Confirmation by banks, the Risk Centre or companies formed by at least five banks or financial institutions, upon the instruction or request of the customer, of the accuracy of secret information given by the customer to public institutions and organizations at their own request;
- Providing information to the authorities authorized to settle a dispute between the bank and the customer, and to their representatives, to the extent that the customer secret and the bank secret are necessary for the bank to exercise its right of claim and defence; and
- Sharing of information among the affiliates of a financial group, within the group, relating to the recognition of customers, accounts and transactions under Article 5 of Law No. 5549.
2.2 Regulatory Differences Between the Regulation and the Draft
Although the Regulation is largely similar to the Draft, some provisions have been changed:
- Compared to the Draft, the other exemptions from the confidentiality obligation are regulated more broadly and more specifically in the Regulation;
- The sharing of information within the scope of compliance risk under article 5 of the Regulation is conditioned on originating from national or international legislation to which the parties are subject;
- The Regulation is structured more clearly by moving the provision on bank secrets that may be shared with third parties upon a decision of the bank's board of directors under the exceptions heading, and it is also stated that such sharing falls under the responsibility of the bank;
- The confirmation of customer secrets under article 5 of the Regulation is limited to confirming whether the information is correct or not, and the institutions and organizations entitled to benefit from this exception have been expanded;
- Among the matters to be reported to the Institution under article 5 of the Regulation, the phrase "bank secret and information that qualifies as customer secret" was added and the phrase "information shared within the scope of confidentiality, including the controlling partner / parent company" was removed;
- With whom, under what conditions and how customer secrets or bank secrets may be shared without violating the confidentiality obligation, both among the affiliates of a financial group under article 5 of Law No. 5549 and in disputes to which the bank is a party, is regulated in the Regulation, although it was not addressed in the Draft.
For more detailed information, please review the table related to the differences between the Regulation and the Draft at the end of our information note.
3. General Principles Regarding Sharing Confidential Information
3.1 Principle of Proportionality
Article 6 of the Regulation sets out five criteria as requirements of the principle of proportionality. Within the scope of confidentiality, it is foreseen that:
- The information shared should contain only data that serves the stated purpose;
- The relationship between the data and the purpose should be demonstrable, so that the sharing serves the stated purpose;
- Where the purpose is not affected, anonymization and aggregation methods should be applied to information revealing the identity of the owner of the information;
- If the owner of the secret information is not a customer of the controlling partner, the parent company or the group company, de-identification, aggregation and anonymization methods should be applied; and
- The parties and methods should be chosen so as to create minimum data duplication.
According to Article 6/7 of the Regulation, compliance with the criteria of the principle of proportionality will be assessed in light of the customer's requests and the limits of their instructions. For sharings made within the framework of Article 5/2 (b) and 5/3 of the Regulation:
- Provided that the positive opinion of the BRSA is obtained for comprehensive data sharing, and for sharing for the purpose of the compliance risk of the counterparty, even if the controlling partner, parent company or group company is not a customer, and
- Provided that the data to be shared for the purpose of consolidated risk management belongs to a natural person, legal person or risk group that has borrowed 10% or more of the bank's main capital,
the anonymization provision in article 6/1 (ç) of the Regulation will not apply. The Institution reserves the right to change these limitations.
Pursuant to article 6/10 of the Regulation, the fact that the identity of the customer is determinable in the sharing related to internal audit within the scope of article 5/2 (b) and article 5/3 of the Regulation will violate the principle of proportionality in any case.
3.2 Other General Principles
Pursuant to article 6 of the Regulation, the general principles within the scope of article 4 of Law on the Protection of Personal Data No. 6698 ("KVKK") should be considered during the storage of natural person customer secrets.
The explicit consent of the customer does not abolish the confidentiality obligation. Except for the cases shown among exceptions, even with the explicit consent of the customer, information that qualifies as customer secret cannot be shared with parties resident in the country or abroad without the request or instruction of the customer. Defining the request or the instruction that will abolish the aforementioned obligation as a pre-requisite for the services that will be provided by the bank under normal conditions will be considered to be unlawful as well. Provided that the same customer reserves the right to change this request or instruction subsequently, the request or instruction may be given in writing or via permanent data storage, temporarily or indefinitely, valid for one or more transactions. In cases other than those listed in article 6/6 of the Regulation, it is essential that requests and instructions are visible via electronic banking.
In cases where it is obligatory to share information that qualifies as customer secret pursuant to article 6/6 of the Regulation, if the process is initiated by the customer or an order is given through electronic banking, this will count as a request or instruction.
In accordance with article 3 of the İSEDES Regulation, sharings made pursuant to article 5/2 (ç) of the Regulation for support services, valuation, rating and service procurement other than primary systems require the customer's request or instruction. No request or instruction is required for sharings relating to the bank's right of claim and defence.
The Banking Regulation and Supervision Board (the "Board") has determined reciprocity as an essential principle for sharing all kinds of confidential information within the scope of Article 5; if it identifies information sharing with third parties resident abroad that is not compatible with the principle of reciprocity, it is authorized to restrict, stop or prohibit such sharings.
The Regulation clearly states that Article 98 of the Banking Law is reserved for requests for information and audit made by a foreign authority equivalent to the Board, under the foreign law to which that authority is subject, concerning the branches and partnerships in Turkey of institutions operating in that authority's own financial markets, and for information requests within the scope of consolidation concerning the branches and partnerships of banks operating abroad. Where the information can be provided by the Institution, the request is satisfied directly by the Institution; where it cannot, the relevant bank satisfies the request after obtaining the permission of the Board. In addition, provided that the Board is notified in writing, banks may share information that qualifies as a bank secret with a requesting foreign authority equivalent to the Institution on their own initiative.
3.3 Differences Between Regulation and Draft Regulation In Terms of General Principles
Unlike the Draft, the Regulation clearly states that, apart from the exceptions in article 5 of the Regulation, customer secrets cannot be shared with third parties in Turkey or abroad without a request or instruction of the customer, even if the customer's explicit consent has been obtained. Building on this, article 6 of the Regulation emphasizes the will of the customer by stating that the customer can cancel or change the request by the same means, and that a request may cover multiple transactions or be indefinite for continuous transactions.
In contrast to the Draft, a proportionality assessment is provided for sharings made in accordance with the customer's request or instruction under article 6 of the Regulation; this assessment is limited to whether the customer's instruction is complied with within its limits (where no information about other customers or customers of other banks is involved). The condition of obtaining the approval of the BRSA before sharings within the scope of Article 5/2(b) of the Regulation that involve extensive data concerning a large number of customers, and before sharings made for the purpose of the counterparty's compliance risk, is included in the Regulation as it was in the Draft. Unlike the Draft, the possibility of sharing bank secrets with foreign authorities upon request, and the conditions for doing so, are regulated in article 6 of the Regulation.
4. Information Sharing Committee
In accordance with Article 7 of the Regulation, banks are obliged to establish an information sharing committee (the "Committee") whose working principles are to be determined by the bank's board of directors, with tasks such as coordinating the sharing of bank secrets and customer secrets in consideration of the principle of proportionality, reviewing information sharing requests and keeping records of them. At a minimum, the Committee must consist of representatives of the business line, the internal control unit, the compliance unit and the legal unit, as well as the related asset owners (1) who request information sharing or from whom information is requested.
5. Conclusion
It is observed that the legislator's efforts to align with European Union legislation are not limited to personal data legislation. The Regulation aims to close the legal gap in the banking sector, particularly regarding data transfers to European Union countries. As existing confidentiality agreements and the documents and processes prepared under the KVKK are amended to comply with the Regulation, an obligation has arisen to include the Information Sharing Committee, and the sub-processes attached to it, in data security and data transfer plans.
By regulating the confidentiality obligation of banks, which hold personal information of great importance to both natural and legal persons since they keep a significant portion of their assets and carry out major transactions through them, and by regulating the exceptional circumstances in which banks may share this information, the Regulation has clarified the distribution and control of information, an issue of growing importance today. The increase in such regulation in recent years, both in Turkey and in other modern legal systems, is of great importance in enabling individuals to foresee the fate of their personal information and, as a result, to share it more consciously or to take actions that would reveal it.
6. Comparative Table for the Regulation and Draft
| Regulation | Draft |
| --- | --- |
| Tier capital definition has been added: "Tier capital: Tier capital to be calculated within the framework of the procedures and principles determined in the Regulation on the Equity of Banks published in the Official Gazette dated 5/9/2013 and numbered 28756," (Article 3) | The relevant definition is not available. |
| Personal data definition has been added: "Personal data: Personal data defined in Article 3 of the KVKK," (Article 3) | The relevant definition is not available. |
| Risk Centre definition has been added: "Risk Centre: The Risk Centre regulated in Annex 1 of the Article," (Article 3) | The relevant definition is not available. |
| Aggregation definition has been added: "ö) Aggregation: Processing of customer-related data in such a way that it cannot be associated with an identified or identifiable natural/legal person customer by combining it with data on other customers for statistical purposes such as grouping, summarizing and collective display," (Article 3) | The relevant definition is not available. |
| The time at which the confidentiality obligation begins has been regulated: "The liability within the scope of the first paragraph regarding the said data begins as soon as these data become customer secrets." (Article 4) | There is no such regulation regarding the confidentiality obligation. |
| The concept of compliance risk has been expanded: "Financial crime risk regarding the commission of the crimes defined in the Law on the Prevention of Laundering Proceeds of Crime dated 11/10/2006 and numbered 5549 and the Law on the Prevention of the Financing of Terrorism No. 6415 dated 7/2/2013 is also considered within the scope of compliance risk. It is essential that the sharings to be made for compliance risk originate from national or international legislation to which the sharing party or the counterparty to which the sharing is made is subject." (Article 5) | The concept of compliance risk is explained more narrowly. |
| A regulation has been introduced regarding the sharing of bank secret information under the responsibility of the bank: "The Bank's Board of Directors may delegate this authority to the General Directorate by determining the procedures and principles." (Article 5) | There is no such regulation regarding bank secrets. |
| New exceptions to the obligation of secrecy have been introduced: "In cases where it is necessary for the proof of the claim or defence of the bank in disputes to which the bank is a party, in arbitration, mediation and other proceedings before domestic or foreign judicial authorities, sharing customer secret information or information in the nature of a bank secret belonging to the natural or legal persons who are party to the dispute in question with the authorities authorized to settle the dispute, including alternative dispute resolution bodies such as an arbitral tribunal, or with the parties representing the bank in the dispute in question in order for them to share it with those authorities, does not constitute a violation of the confidentiality obligation." (Article 5) | Exceptions to the obligation of secrecy are narrower. |
| Among the matters to be reported to the Institution, the "bank secret and customer secret information" item was added and the "information transferred within the scope of confidentiality, including the controlling partner/parent company" item was removed. | Among the matters to be reported to the Agency are the information transferred within the scope of confidentiality, including the controlling partner/parent partnership: "The title and country information of all third parties, including the controlling partner/parent, to whom confidential information is transferred, shall be immediately reported to the Institution in six-month periods." (Article 5) |
| It is stated that the unlawfulness of this situation is not eliminated where the customer gives consent not merely in response to a question asked but as an active instruction: "…or request or instruct…" (Article 6) | |
| The following text has been added: "The customer's request or instruction can cover more than one transaction, provided that it can be cancelled or changed at any time by the customer through the same methods by which the request or instruction was received, and the request or instruction for continuous transactions may be indefinite. Except for the cases specified in the sixth paragraph, it is essential for the customer to be able to inquire about and view the requests or instructions he has given through the distribution channels for electronic banking services." (Article 6) | |
| The following text has been removed: "Transferring confidential information to the other party is also considered as sharing, regardless of whether one knows the content of the information or not." (Article 6) | |
| The scope of the services subject to sharing pursuant to Article 5 has been narrowed: "related to support services or service procurement other than valuation, rating and independent audit" (Article 6) | |
| A proportionality assessment is envisaged, focusing on the limits of the customer's instruction, for sharings that may be made in line with the customer's request or instruction under Article 6 of the Regulation: "Whether or not the principle of proportionality specified in the first paragraph is complied with in the sharings to be made upon the request or instruction of the customer is limited to whether the customer's request or instruction is complied with. In the event that the data set requested by the customer to be shared includes confidential information regarding other customers or customers of other banks, the obligation in the first paragraph must be complied with without any limitation." | There is no reference to the principle of proportionality. |
| The following paragraph has been added to Article 6: "If the data to be shared for the purpose of consolidated risk management within the scope of subparagraph (b) of the second paragraph and the third paragraph of Article 5 belongs to a natural or legal person or a risk group that has been extended loans at the rate of ten percent or more of the bank's main capital, it is not required to obtain the approval of the Institution before sharing or to comply with subparagraph (ç) of the first paragraph in relation to the said data. The Board is authorized to change the restrictions in this paragraph or to impose new restrictions on the issues in this paragraph." (Article 6) | |
| Sharing information in the nature of bank secrets with foreign authorities in accordance with Article 5/5 is conditional upon a request: "According to the fifth paragraph of Article 5, sharing information in the nature of bank secrets with foreign authorities equivalent to the Institution upon the request of those authorities, provided that a written notification is made to the Institution before sharing, shall not constitute a violation of this clause." (Article 6) | There is no such opportunity or condition. |
| Which information will violate Article 6/1 if included in a sharing has been restricted and expressed more generally: "… within the scope of subparagraph (b) of the second paragraph and the third paragraph of Article 5, sharings made for the purpose of internal audit practices, including the audit working papers, which contain data that will make the identity of the customer specific or identifiable, are considered a violation of the first paragraph." (Article 6) | Which information will violate Article 6/1 if included in a sharing is regulated more comprehensively: "… if the sharings to be made for the purpose of preparing consolidated financial statements, risk management and internal audit practices are repetitive of those practices already carried out in banks by the parent, the controlling partner or the group company, or the data that will make the identity of the customer specific or identifiable for the sharings made for the purpose of internal audit practices, shall be deemed to be contrary to the first paragraph." |
| While the Draft envisaged entry into force upon publication, a specific date has been set by the Regulation: "The provisions of this Regulation shall enter into force on 1/1/2022." (Article 8) | |
(1) The Regulation refers to the Regulation on Information Systems of Banks and Electronic Banking Services for the concept of asset owner. Accordingly, the asset owner is defined as the person responsible for the maintenance and accessibility of information assets by determining the security requirements for those assets, communicating them to the asset custodians, and ensuring that security controls appropriate to these requirements are implemented by the asset custodians.
*GKC Partners authors