Article 73 of Banking Law No. 5411 (“Law”) authorizes the Banking Regulatory and Supervisory Authority (“BRSA”) to determine the scope, form, procedures and principles regarding the sharing and transferring of client information. The BRSA previously published the Regulation on Disclosure of Client Information (“Regulation”), which we analyzed in our legal alert dated 7 June 2021. The Regulation will enter into force on 1 July 2022. Accordingly, the BRSA opened the Draft Circular on the Disclosure of Client Information No. 2022/1 (“Draft Circular”) for the banks’ opinion to clarify the Regulation and to determine the procedures for the application processes stipulated in the Regulation.
The Draft Circular clarifies certain issues regarding the implementation of the Regulation, in particular, with respect to the matters below.
Bank employee information
The Draft Circular emphasizes that bank employees’ data is principally considered personal data. However, the Draft Circular also points out that certain employee information might contain data relating to “the financial status of the bank, the bank’s management principles regarding its main activities such as loaning and collection of deposits, technical methods used by the bank and the capability of the bank” and such personal data may also contain bank secrets.
BRSA opinion on disclosures without de-identification measures
The Draft Circular explains the principles of disclosure of client secrets to parent companies for compliance risk purposes, and details the application procedures for the BRSA’s opinion. With respect to this, the banks must apply to the BRSA in order to disclose non-joint client’s information to the parent company for compliance risk purposes without any de-identification measures, and provide the following information:
- The content and purpose of sharing and the necessity within the framework of applicable laws.
- The opinion of the Information Disclosure Committee regarding the compliance and proportionality of the disclosure.
The Draft Circular sets out that if the parent company requests information from the Turkish bank based on a legal obligation or a right granted to the parent company under applicable laws, and if the non-disclosure of the information would put the parent company at risk of sanctions, it will be accepted that the disclosure is due to a compliance risk of the recipient, as that evaluation must also be submitted in the application to the BRSA.
Additionally, as per the Draft Circular, clients’ identified or identifiable information (including those in the audit study papers) must not be disclosed to third parties for internal audit purposes. However, if it is concluded that the disclosure is due to the compliance risk of the recipient and this requires access to the information in the bank’s audit study papers or its internal audit practices, the bank may still obtain the BRSA’s opinion to disclose raw data without de-identification.
Disclosures to the foreign authorities
If a foreign authority equivalent to the BRSA in the relevant jurisdiction requests information from a bank in Turkey directly, or if such disclosure is not due to the compliance risk, the bank must obtain the BRSA’s approval under Article 98 of the Law and Article 6/9 of the Regulation, in line with the reciprocity principle, in order to share the requested information.
The Draft Circular stipulates that even if such disclosure relates to bank secrets only, the foregoing assessment regarding the BRSA approval still applies, and it would not be possible to rely on the board resolution to disclose bank secrets to such foreign authority in a case where the BRSA’s approval is required.
Disclosures as part of SWIFT transactions
The BRSA notes that disclosure of client information for post-transaction controls in SWIFT processes may qualify as disclosures for compliance risk purposes. However, the BRSA underlines that the proportionality principle must be taken into account for such disclosures as well.
The Draft Circular explains that banks may also rely on client instructions/requests for these disclosures. Under the Regulation, if a transaction requires interaction with systems outside of Turkey and the disclosure of information is mandatory to realize the transaction, the client’s order to initiate the transaction qualifies as a ‘client instruction/request’ by itself. Alongside this, de-identification measures do not have to be implemented as there is a client instruction/request.
On the other hand, the Draft Circular notes that the disclosure must be limited to ‘mandatory’ information.
Bank secrets and board of directors resolution
According to the Draft Circular, bank secrets may be disclosed to third parties based on a board of directors resolution, which does not have to include disclosures that benefit from exemptions.
Reporting and retention requirements
The first reports to be submitted pursuant to Article 5/9 of the Regulation must be submitted by 31 December 2022. The reports must be in line with the annex of the Draft Circular and must contain disclosed data sets, confidentiality agreements, purposes of disclosure, technical and organizational measures, trade names of third-party recipients and their countries.
The details on the disclosure of information that identifies and renders the client identifiable must be retained for a span of 10 years.
Client secrets and instruction
The Draft Circular sets forth that BRSA opinion requirements under Article 6/8 of the Regulation continue to apply in cases where the bank relies on client instructions/requests for a disclosure that benefits from exemptions, such as risk management, consolidation of financial statements and internal audits.
The following must be taken into account for instructions/requests:
- Standard forms prepared by the banks can be used. However, the bank’s form must be converted into an instruction/request from the client. Banks must obtain a written approval of the clients stating that the clients understood and consented to the instruction.
- The approvals can also be obtained via digital signature.
- The clients must have the option to review the instructions/requests on mobile and online banking tools.
As per the Regulation, disclosures on joint clients can be carried out without de-identification in case the disclosures are based on exemptions. Further to the Draft Circular, in order for a client to be deemed a ‘joint’ client, (i) the same real/legal person must be a client of (ii) both the bank in Turkey and the parent company/group company (iii) simultaneously.
Disclosure of sensitive personal data
If special personal data other than health and sexual life information becomes a client secret, such data may be disclosed to third parties based on exemptions from confidentiality obligations. On the other hand, health and sexual life information may not be disclosed to third parties solely based on the exemptions from confidentiality obligations, and the client’s explicit consent would be necessary for these disclosures.
Disclosure to legal consultants
Disclosures to legal consultants are considered exempt based on the outsourcing exemption. However, if the legal consultant directly represents the bank in a dispute, then the client secrets can be disclosed without de-identification. If there is a potential representation, then the instruction/request of the client is required for disclosure of the information.
The Draft Circular aims to clarify the questions and uncertainties raised by banks regarding the provisions of the Regulation, which will be in force by 1 July 2022, and to provide details on the application processes set out in the Regulation.