Article 73 of the Banking Law No. 5411 (“Law“) authorizes that the Banking Regulatory and Supervisory Authority (“BRSA“) to determine the scope, form, procedures and principles regarding the sharing and transferring of client information. Accordingly, the BRSA published the “Draft Regulation on the Sharing of Client Information” (“Draft Regulation”).
• Confidentiality Obligation:
Disclosure of confidential information that must be compliant with proportionality principle. If it is possible to achieve the purpose of disclosure without sharing the entirety of the information, the disclosure is not considered proportionate.
In this respect, disclosures must contain the least amount of data as necessary to achieve the purpose of disclosure, and banks must be able to demonstrate that the data is indeed necessary for the purpose. In addition, if it is possible to achieve the same purpose by aggregation, de-identification or anonymization methods, these methods must be used instead.
Save for exemptions from the confidentiality obligation, client’s request or instruction is necessary for the disclosure of client secret data to third parties resident in Turkey and abroad, and explicit consent does not suffice for such disclosure. In addition, health and sexual life data cannot be disclosed to third parties in Turkey or abroad based on the exemptions from the confidentiality obligation, even if such data constitutes client secret.
According to the Draft Regulation, for transactions as domestic/international fund transfers, international letter of credit, letter of guarantee and reference letter, initiation of the transaction or order entries through distribution channels of electronic banking services by the client constitutes a request or instruction for the sharing of information, if:
(i) interaction with bank, payment service provider, or payment or messaging systems is necessary due to the nature of the transaction; and
(ii) disclosure of client secrets is mandatory for the completion of the transaction.
• Information Sharing Committee: Article 7 of the Draft Regulation requires banks to establish an “Information Sharing Committee”. The Draft Regulation also explains the formation of this committee.
The Draft Regulation aims to:
The Draft Regulation is expected to clarify many question marks regarding the implementation of Article 73 of the Law with its entry into force.
|Disclosure of Client Secret|
|As part of confidentiality obligation, client’s request or instruction is necessary for the disclosure of client secret data to third parties resident in Turkey and abroad.|
Client secret data can only be disclosed to third parties without client request or instruction under following situations under banking laws.
|Transactions That Constitute Client Request or Instruction||Exemptions from Requirement to Obtain Client Request or Instruction|
|Initiation of the transaction or order entries through distribution channels of electronic banking services by the client for transactions as domestic/international fund transfers, international letter of credit, letter of guarantee and reference letter if:|
o Disclosures between banks and financial institutions,
o Disclosures for the preparation of consolidated financial reports, risk management and internal audit purposes,
o Disclosures as part of valuation/assessment works for the sale of shares,
o Disclosures to service providers in connection with assessment, rating or support services, independent audits or the procurement of services.
Exemptions from confidentiality obligation do not apply to disclosure of health and sexual life data to third parties, even if such data constitutes client secret.