Article 73 of the Banking Law No. 5411 (“Law“) authorizes that the Banking Regulatory and Supervisory Authority (“BRSA“) to determine the scope, form, procedures and principles regarding the sharing and transferring of client information. Accordingly, the BRSA published the “Draft Regulation on the Sharing of Client Information” (“Draft Regulation”).
• Confidentiality Obligation:
- The confidentiality obligation is drafted similarly to Article 73/5 of the Law. Accordingly, bank and client secrets will not be disclosed to anyone except those legally authorized.
- The confidentiality obligation will also apply for information which is obtained through non-automated methods or methods that are not used for any data recording system.
- Any information evidencing that a real or legal person is a bank client will be deemed confidential information.
- The confidentiality obligation will also apply if a bank obtains any information from another bank, regardless of whether it has established a client relationship information with the relevant client itself.
- The Draft Regulation also sets forth exceptions that apply to the confidentiality obligation in detail. While no additional conditions are stipulated regarding the sharing of confidential information with legally authorized persons, two additional conditions apply in order for the new exceptions in the Draft Regulation:
- Execution of a confidentiality agreement
- Limitation to the stated purposes
- In this regard, the Draft Regulation reiterates four exceptions which are also found under the Law and clarifies one of them, namely the sharing of information for the preparation of consolidated financial reports, risk management and internal audit purposes. Moreover, for the information sharing within the scope of outsourced services, the Draft Regulation sets forth that, unless the outsourced service falls within the scope of primary systems, banks will be obliged to obtain a request or instruction from their client before they share information, even if this information will be shared for the outsourcing of support services.
- In addition, the Draft Regulation provides a general exception to the confidentiality obligation. Accordingly, confidential information that is not a client secret, but only a bank secret, and that relates only to the bank may be shared with third parties pursuant to a board of directors’ resolution of the bank. The bank will remain liable for this information sharing.
- Lastly, the verification of client information provided to public institutions by the client’s request by banks, the risk center, or companies established by at least five banks or financial institutions will not be deemed a violation of the confidentiality obligation, provided that the client has given its explicit consent to the verification of such information.
- Principles of Information Sharing: The Draft Regulation regulates the general principles of sharing confidential information.Disclosure of confidential information that must be compliant with proportionality principle. If it is possible to achieve the purpose of disclosure without sharing the entirety of the information, the disclosure is not considered proportionate.
In this respect, disclosures must contain the least amount of data as necessary to achieve the purpose of disclosure, and banks must be able to demonstrate that the data is indeed necessary for the purpose. In addition, if it is possible to achieve the same purpose by aggregation, de-identification or anonymization methods, these methods must be used instead.
Save for exemptions from the confidentiality obligation, client’s request or instruction is necessary for the disclosure of client secret data to third parties resident in Turkey and abroad, and explicit consent does not suffice for such disclosure. In addition, health and sexual life data cannot be disclosed to third parties in Turkey or abroad based on the exemptions from the confidentiality obligation, even if such data constitutes client secret.
According to the Draft Regulation, for transactions as domestic/international fund transfers, international letter of credit, letter of guarantee and reference letter, initiation of the transaction or order entries through distribution channels of electronic banking services by the client constitutes a request or instruction for the sharing of information, if:
(i) interaction with bank, payment service provider, or payment or messaging systems is necessary due to the nature of the transaction; and
(ii) disclosure of client secrets is mandatory for the completion of the transaction.
• Information Sharing Committee: Article 7 of the Draft Regulation requires banks to establish an “Information Sharing Committee”. The Draft Regulation also explains the formation of this committee.
The Draft Regulation aims to:
- Clarify the confidentiality obligation, the applicable exceptions, and the concept of client secret; and
- Set forth the procedures and general principles of sharing and transferring of information deemed secret under Article 73 of the Law, including the sharing of information while benefitting from exceptions.
The Draft Regulation is expected to clarify many question marks regarding the implementation of Article 73 of the Law with its entry into force.
|Disclosure of Client Secret|
|As part of confidentiality obligation, client’s request or instruction is necessary for the disclosure of client secret data to third parties resident in Turkey and abroad.|
Client secret data can only be disclosed to third parties without client request or instruction under following situations under banking laws.
|Transactions That Constitute Client Request or Instruction||Exemptions from Requirement to Obtain Client Request or Instruction|
|Initiation of the transaction or order entries through distribution channels of electronic banking services by the client for transactions as domestic/international fund transfers, international letter of credit, letter of guarantee and reference letter if:|
o Disclosures between banks and financial institutions,
o Disclosures for the preparation of consolidated financial reports, risk management and internal audit purposes,
o Disclosures as part of valuation/assessment works for the sale of shares,
o Disclosures to service providers in connection with assessment, rating or support services, independent audits or the procurement of services.
Exemptions from confidentiality obligation do not apply to disclosure of health and sexual life data to third parties, even if such data constitutes client secret.