Article 73 of the Banking Law No. 5411 (“Law“) authorizes the Banking Regulatory and Supervisory Authority (“BRSA“) to determine the scope, form, procedures and principles regarding the sharing and transferring of client information. Accordingly, the BRSA previously published the “Draft Regulation on the Sharing of Client Information”, which we analyzed in our Legal Alert dated February 23, 2021. Accordingly, the Regulation on Disclosure of Client Information (the “Regulation“) was published in the Official Gazette dated June 4, 2021 and No. 31501. The Regulation will enter into force on January 1, 2022.
• Confidentiality Obligation:
Disclosure of confidential information that must be compliant with proportionality principle. If it is possible to achieve the purpose of disclosure without sharing the entirety of the information, the disclosure is not considered proportionate.
In this respect, disclosures must contain the least amount of data as necessary to achieve the purpose of disclosure, and banks must be able to demonstrate that the disclosed proportion of the data is indeed necessary for the purpose. In addition, if it is possible to achieve the same purpose by aggregation, de-identification or anonymization methods, these methods must be used instead. If the bank client whose information will be disclosed is not a client of the parent company, the controlling shareholder or the relevant group company with which the information will be disclosed to, the information should not reveal the relevant client’s identity, or render such client identifiable. In addition, information sharing will need to be structured in order to create as few data copies as possible.
Save for exemptions from the confidentiality obligation, client’s request or instruction is necessary for the disclosure of client secret data to third parties resident in Turkey and abroad, and explicit consent does not suffice for such disclosure. In addition, health and sexual life data cannot be disclosed to third parties in Turkey or abroad based on the exemptions from the confidentiality obligation, even if such data constitutes client secret. The client’s request or instruction may be received in written form or via permanent data carrier. Provided that the client is able to cancel or amend its request or instruction at any time and by the same methods used to provide the request or instruction, the client’s request or instruction may be given to encompass multiple transactions, and request or instructions regarding continuous transactions may be given for an indefinite period of time. As a general principle, the client will be able to query the requests or instructions given through electronic banking channels.
For sharing of information in accordance with a client request or instruction, the determination of whether the principle of proportionality principle is complied with or not will be determined by inspecting whether the sharing of information respects the request or instruction of the client, provided that the data set requested to be shared by the client does not contain confidential information regarding other persons.
According to the Regulation, for transactions as domestic/international fund transfers, international letter of credit, letter of guarantee and reference letter, initiation of the transaction or order entries through distribution channels of electronic banking services by the client constitutes a request or instruction for the sharing of information, if:
(i) interaction with bank, payment service provider, payment, securities settlement or messaging systems is necessary due to the nature of the transaction; and
(ii) disclosure of client secrets is mandatory for the completion of the transaction.
• Information Sharing Committee: Article 7 of the Regulation requires banks to establish an “Information Sharing Committee”. The Regulation also sets forth the principles regarding the formation of this committee.
The Regulation aims to:
With its entry into force on January 1, 2021, the Regulation will clarify many questions regarding the implementation of Article 73 of the Law.
|Disclosure of Client Secret|
|As part of confidentiality obligation, client’s request or instruction is necessary for the disclosure of client secret data to third parties resident in Turkey and abroad.|
Client secret data can only be disclosed to third parties without client request or instruction under following situations under banking laws.
|Transactions That Constitute Client Request or Instruction||Exemptions from Requirement to Obtain Client Request or Instruction|
|Initiation of the transaction or order entries through distribution channels of electronic banking services by the client for transactions as domestic/international fund transfers, international letter of credit, letter of guarantee and reference letter if:|
Exemptions from confidentiality obligation do not apply to disclosure of health and sexual life data to third parties, even if such data constitutes client secret.