Article 73 of Banking Law No. 5411 (“Law”) authorizes the Banking Regulatory and Supervisory Authority (BRSA) to determine the scope, form, procedures and principles regarding the sharing and transferring of client information. The BRSA previously published the Regulation on Disclosure of Client Information (“Regulation”), which we analyzed in our legal alert dated 7 June 2021. Accordingly, on 11 August 2022 the BRSA published the Circular on the Disclosure of Client Information No. 2022/1 (“Circular”) to clarify the Regulation and to determine the procedures for the application processes stipulated in the Regulation. The Circular is available here in Turkish.
The Circular clarifies certain issues regarding the implementation of the Regulation, in particular, with respect to the matters below.
Bank employee information
The Circular emphasizes that bank employees’ data is principally considered personal data. However, the Circular also points out that certain employee information might contain data relating to “the financial status of the bank, the bank’s management principles regarding its main activities such as loaning and collection of deposits, technical methods used by the bank and the capability of the bank” and such personal data may also contain bank secrets.
BRSA opinion on disclosures without de-identification measures
The Circular explains the principles of disclosure of client secrets to parent companies for compliance risk purposes, and details the application procedures for the BRSA’s opinion. In this respect, banks must apply to the BRSA in order to disclose non-joint clients’ information to the parent company for compliance risk purposes without any de-identification measures, and provide the following information:
- The content and purpose of sharing and the necessity within the framework of applicable laws.
- The opinion of the Information Disclosure Committee regarding the compliance and proportionality of the disclosure.
The Circular sets out that if the parent company requests information from the Turkish bank based on a legal obligation or a right granted to the parent company under applicable laws, and if the non-disclosure of the information would put the parent company at risk of sanctions, it will be accepted that the disclosure is due to a compliance risk of the recipient; that evaluation must also be submitted in the application to the BRSA.
Additionally, as per the Circular, clients’ identified or identifiable information (including those in the audit study papers) must not be disclosed to third parties for internal audit purposes. However, if it is concluded that the disclosure is due to the compliance risk of the recipient and this requires access to the information in the bank’s audit study papers or its internal audit practices, the bank may still obtain the BRSA’s opinion to disclose raw data without de-identification.
Moreover, parent/controlling shareholder banks may request client information from their local affiliate banks for compliance risk purposes without obtaining the BRSA opinion and without de-identifying the information.
Disclosures to the foreign authorities
If a foreign authority equivalent to the BRSA in the relevant jurisdiction requests information from a bank in Turkey directly, or if such disclosure is not due to the compliance risk, the bank must obtain the BRSA’s approval under Article 98 of the Law and Article 6/9 of the Regulation, in line with the reciprocity principle, in order to share the requested information.
The Circular stipulates that even if such disclosure relates to bank secrets only, the foregoing assessment regarding the BRSA approval still applies, and it would not be possible to rely on the board resolution to disclose bank secrets to such foreign authority in a case where the BRSA’s approval is required.
Disclosures as part of SWIFT transactions
The BRSA notes that disclosure of client information for post-transaction controls in SWIFT processes may qualify as disclosures for compliance risk purposes. However, the BRSA underlines that the proportionality principle must be taken into account for such disclosures as well.
The Circular explains that banks may also rely on client instructions/requests in case of these disclosures. Under the Regulation, if a transaction requires interaction with systems outside of Turkey and the disclosure of information is mandatory to realize the transaction, the client’s order to initiate the transaction qualifies as a ‘client instruction/request’ by itself. Alongside this, de-identification measures do not have to be implemented as there is a client instruction/request. If the system rules or the corresponding bank itself requires information requests to be responded to following money transfer transactions, such as SWIFT, which are based on the client’s instruction, client information may be shared to respond to such requests, provided that the client is duly informed of such information sharing prior to the transaction.
On the other hand, the Circular notes that the disclosure must be limited to ‘mandatory’ information.
Bank secrets and board of directors’ resolution
According to the Circular, bank secrets may be disclosed to third parties based on a board of directors resolution, which does not have to include disclosures that benefit from exemptions.
Reporting and retention requirements
The first reports to be submitted pursuant to Article 5/9 of the Regulation for the period between July – December 2022 must be submitted by 31 January 2022, whereas the reports for the period between January – June 2023 must be submitted by July 31, 2023. The content and the format of the report will be separately determined by the BRSA, and the BRSA is authorized to make changes to such format.
The details on the disclosure of information that identifies and renders the client identifiable must be retained for a span of 10 years.
Client secrets and instruction
The Circular sets forth that BRSA opinion requirements under Article 6/8 of the Regulation continue to apply in cases where the bank relies on client instructions/requests for a disclosure that benefits from exemptions, such as risk management, consolidation of financial statements and internal audits.
The following must be taken into account for instructions/requests:
- Standard forms prepared by the banks can be used. However, the bank’s form must be converted into an instruction/request from the client. Banks must obtain a written approval of the clients stating that the clients understood and consented to the instruction. These standard forms must be clearly separate from banking services agreements.
- The approvals can also be obtained via digital signature.
- The clients must have the option to review the instructions/requests on mobile and online banking tools.
As per the Regulation, disclosures on joint clients can be carried out without de-identification in case the disclosures are based on exemptions. Further to the Circular, in order for a client to be deemed a ‘joint’ client, (i) the same real/legal person must be a client of (ii) both the bank in Turkey and the parent company/group company (iii) simultaneously.
Disclosure of sensitive personal data
If special personal data other than health and sexual life information becomes a client secret, such data may be disclosed to third parties based on exemptions from confidentiality obligations. On the other hand, health and sexual life information may not be disclosed to third parties solely based on the exemptions from confidentiality obligations, and the client’s explicit consent would be necessary for these disclosures.
Disclosure to legal consultants
Disclosures to legal consultants are considered exempt based on the outsourcing exemption. However, if the legal consultant directly represents the bank in a dispute, then the client secrets can be disclosed without de-identification. In case there is a potential representation, then the instruction/request of the client is required for disclosure of the information.
The Circular clarifies the questions and uncertainties raised by banks regarding the provisions of the Regulation and provides details on the application processes set out in the Regulation.