The Banking Regulatory and Supervisory Authority ("BRSA") has prepared the Regulation on Banks' Information Systems and Electronic Banking Services ("Regulation"). The Regulation was published in the Official Gazette No. 31069 dated March 15, 2020 and will enter into force on July 1, 2020. The Communiqué on the Principles to be Considered in Bank Information Systems Management ("Communiqué") will be repealed when the Regulation enters into force.
1. RISK MANAGEMENT AND CONTROL MECHANISMS REGARDING INFORMATION SYSTEMS
Under the Regulation, a bank's board of directors is responsible for exercising effective oversight of the risks arising from the use of information systems. Accordingly, the board of directors must approve a strategic plan for information systems and establish an information systems strategy committee and a guidance committee.
The Regulation also sets forth the standards regarding the following points to control the information systems:
- Establishment of authentication mechanisms
- Establishment of an audit trail mechanism for transactions carried out through information systems
- Establishment of network security control systems
- Security configuration management
- Security vulnerability management
- Cyber-attack management and cyber information sharing
- Creation of an information security awareness training program.
Information Assets Inventory
Under the Regulation, banks must prepare a detailed inventory of their information assets so that control mechanisms proportionate to the security requirements of each asset can be established. The inventory must also record whether the data concerned contains personal data.
Information Security Management
Ultimate responsibility for information security within a bank rests with the board of directors. Within the scope of this responsibility, the board of directors must establish and supervise an information security management system. The Regulation restates and elaborates the information security provisions previously set out in the Communiqué.
Sharing and Transfer of Client Information
The Regulation also addresses the sharing and cross-border transfer of client information. Save for the exceptions under the Banking Law, banks may not transfer or disclose to any third party in Turkey or abroad information qualifying as a client secret that they acquired, stored or processed through information systems in the course of their activities or the procurement of outsourced services, unless the client has requested it in writing or through a method verifiable via a permanent data storage medium. A client's explicit consent to the disclosure of personal data may not be made a precondition for the provision of services.
Our recent legal alert on amendments made to the Banking Law concerning data protection practices in banking activities is available here.
Banks must take the necessary measures to ensure the security of the bank's and its clients' confidential information during the procurement of outsourced services. Accordingly, outsourcing service providers' access to bank systems and bank data, and their authority to review such data, must be limited to what the service requires. Responsibility for protecting this confidential data remains with the bank.
Cyber Attack Management
Pursuant to the Regulation, banks must establish cyber-attack management and cyber-attack response processes. Banks are also required to (i) form an Institutional Cyber Attack Response Team ("ICART") composed of members with sufficient technical and operational skills; (ii) notify the BRSA of the ICART's current contact details; and (iii) ensure that cyber-attacks are reported to the relevant management units.
In the event of a cyber-attack resulting in the breach or disclosure of sensitive data or personal data, banks must notify the affected customers following an internal assessment. Note that the definition of "sensitive data" under the Regulation does not correspond to the definition of "special categories of personal data" under the Law on the Protection of Personal Data. Under the Regulation, sensitive data means "any data, authentication data in particular, that banks store for various reasons, the disclosure of which to third parties may result in damage to the identity verification mechanisms in place, allowing fraud or fraudulent transactions to be carried out on behalf of customers". In practice this covers passwords, one-time codes, security questions and similar credentials, whether or not they also qualify as special categories of personal data.
2. CONTINUITY OF MANAGEMENT SYSTEMS AND ACCESSIBILITY MANAGEMENT
Keeping Primary and Secondary Systems in Turkey
The Regulation clarifies the scope of primary and secondary systems and requires banks to keep these systems in Turkey. Except for transactions that by their nature require interaction abroad, such as payments and messaging systems, banks must be able to carry out banking transactions without any approval step routed through a system abroad, and must be able to continue providing banking services in Turkey through their primary and secondary systems even if connectivity to networks abroad is lost.
Cloud Computing System
The Regulation allows banks to use cloud-computing systems as an outsourced service. Banks may procure cloud services for primary or secondary systems under a private cloud service model, in which the hardware and software resources are allocated to a single bank. Outsourcing under a community cloud service model, in which hardware and software resources are physically shared among organizations under the BRSA's supervision but dedicated to each bank, is subject to the BRSA's approval. The BRSA may change the organizations included in a community cloud service if it deems this necessary.
In addition, where a bank outsources or procures cloud-computing services for an activity falling within the scope of its primary or secondary systems, the information systems that the outsourcing service provider uses to perform the service, and their backups, are themselves regarded as primary and secondary systems and must be kept in Turkey.
Procurement of Outsourced Services
The senior management of a bank must establish an oversight mechanism that allows the risks arising from outsourced services to be assessed and managed and the relationships with service providers to be maintained.
The Regulation specifies the minimum terms of the contracts to be signed with service providers for outsourced services. Where it is not possible to enforce the obligations that the Regulation requires the contract to contain, banks may not outsource critical services under any outsourcing model.
Banks must also verify whether the providers from which they wish to procure advertising services relating to banking activities, such as search engine and social media platform operators, take measures to prevent false advertising published in the bank's name. Banks may not procure services from providers that do not take adequate measures. Contracts must also include provisions entitling the bank to obtain from the provider all relevant and necessary information about any false advertisement that is published, so that clients can be protected. Contracts with intermediary firms for the procurement of advertising services fall within the scope of the same rules.
Our recent legal alert on amendments to the Banking Law regarding online advertisement in the scope of banking activities is available here.
Continuity of Information Systems
Banks are required to set up back-up or standby arrangements for critical hardware and systems.
In addition, banks must provide appropriate alternative communication channels for use if the network or communication infrastructure is interrupted.
Banks must keep records of the frequency, method and location of their back-ups.
Further, banks must provide data requested by (i) judicial authorities conducting an investigation or prosecution, or (ii) the BRSA, and must retain the original copies of that data and back it up.
3. ELECTRONIC BANKING SERVICES
Under the Regulation, banks must apply an authentication mechanism consisting of at least two independent components and take measures to ensure the confidentiality of the authentication data.
Banks must also establish monitoring mechanisms to detect and prevent unusual or fraudulent transactions within the scope of electronic banking services. Clients using a bank's electronic banking services must be explicitly informed of the terms, risks and exceptional circumstances relating to those services.
In addition, the Regulation provides for authentication and transaction security provisions related to online banking, mobile banking, telephone banking, open banking services and ATM banking.
The Regulation also permits banks to use remote identification methods to verify a client's identity, subject to anti-money laundering legislation.
The Regulation aims to (i) close gaps in the legislation regarding newer banking practices such as online banking, mobile banking and cloud services; (ii) expand on the provisions of the Communiqué; and (iii) update the policies, procedures and organizational structures for the management of information systems in line with technological developments. Banks and the service providers that provide the services covered by the Regulation must take the necessary actions by July 1, 2020.