The Turkish Banking Regulation and Supervision Agency ("BRSA") has released a draft regulation, namely the Draft Regulation on the Information Systems of the Banks and Electronic Banking Services ("Draft Regulation"), which was published on the BRSA website on 25 December 2018.
Purpose and Scope of the Draft Regulation
The purpose of the Draft Regulation is to set the standards for the management of the information systems used for banking activities and to regulate the minimum procedures and principles to be implemented for the security of electronic banking services.
Liability under the Draft Regulation
According to the Draft Regulation, the ultimate responsibility for assuring the information security of each bank's operations lies with its board of directors ("BoD"). Further, the BoD is obligated to ensure that the security measures related to information systems are at an appropriate level and that sufficient resources are allocated for this purpose.
Obligations under the Draft Regulation
The Draft Regulation introduces the following obligations to banks in relation to information security and privacy:
1. Data Privacy within the Scope of Information Security Management
Pursuant to the Draft Regulation, banks are subject to various obligations related to data privacy (veri gizliliği). Namely:
- Each bank must take measures to ensure the privacy of data used to carry out banking activities, whenever such data is moved, transferred, processed, stored or preserved. It is essential that the measures taken correspond to the degree of confidentiality of the data (gizlilik derecesi), and additional control mechanisms are established, regardless of whether the data is kept in a physical or electronic medium.
- Each bank must implement reliable encryption techniques to ensure data privacy and confidentiality. The bank must also ensure that any encryption keys in use are generated, secured and brought into use for customers and personnel in a secure way.
- Each bank must ensure that end-to-end secure communication (uçtan uca güvenli iletişim) is used for the transmission of sensitive data (hassas veri) and that such sensitive data is stored in an encrypted manner.
2. Cyber Security
According to the Draft Regulation, each bank must establish a cyber incident management team (siber olay yönetim ekibi) and a cyber incident intervention process (siber olaya müdahale süreci) for handling and tracking cyber events, and for restoring information system services to normal operation in the shortest time possible following a cyber incident (siber olay).
3. Cloud Services
According to the Draft Regulation, a bank may use cloud services if (i) the cloud service is established specifically to deliver services to banks, and (ii) the related cloud deployment model (bulut hizmet modeli) complies with the applicable banking regulations (see our article for further details https://www.cms-lawnow.com/ealerts/2018/12/financial-leasing-factoring-and-financing-companies?cc_lang=en).
Additionally, a bank may also benefit from collective cloud services (topluluk bulutu hizmet modeli) if it appoints separate resources for their operation. However, in this case, if collective cloud services are to be used for certain core banking applications (ana bankacılık uygulaması), credit and credit card practices, and payment services, approval from the BRSA must be obtained.
Customer Data Privacy
According to the Draft Regulation, a bank may transfer customer data to third persons only if the scope of the transfer is explicitly specified and the customer's explicit consent is obtained. Further, customers must be informed that they have discretion over whether their data may be transferred to third persons. According to the Draft Regulation, even if a customer's explicit consent has been obtained, sharing or transferring customer data to third countries is subject to the BRSA's approval.
By virtue of the Draft Regulation, the BRSA is aiming to strengthen the information security practices of Turkish banks. Once the Draft Regulation is in its final form, its implications with respect to data privacy and security will become clearer.