28 April 2025

Significant Regulations On Information Systems In Capital Markets

Moroglu Arseven

Contributor

“Moroglu Arseven is a full-service law firm, with broadly demonstrated expertise and experience in all aspects of business law. Established in 2000, the firm combines a new generation of experienced international business lawyers, who hold academic, judicial and practical experience in all aspects of private law.”

The Communiqué Amending the Communiqué on Independent Audit of Information Systems (III-62.2.b) ("Audit Communiqué") and the Communiqué on the Procedures and Principles for Information Systems Management (VII-128.10) ("Management Communiqué"), issued by the Capital Markets Board ("Board"), were published in the Official Gazette dated March 13, 2025, No. 32840, and entered into force. These Communiqués introduce significant changes to the obligations of capital market institutions regarding the management and audit of their information systems.

On the same date, the Communiqué on the Establishment and Operational Principles of Crypto Asset Service Providers (III-35/B.1) and the Communiqué on the Working Principles and Capital Adequacy of Crypto Asset Service Providers (III-35/B.2) were also published in the Official Gazette. You can access detailed information on these regulations here.

Below are our explanations regarding the relevant changes:

1. Amendments in the Audit Communiqué

With the Audit Communiqué, crypto asset service providers have been included within the scope of independent audits of information systems. Accordingly, Borsa İstanbul A.Ş., İstanbul Takas ve Saklama Bankası A.Ş., Merkezi Kayıt Kuruluşu A.Ş., stock exchanges and market operators, other organized marketplaces, central clearing institutions, central depositories, data storage institutions, and crypto asset service providers will be subject to an independent audit of information systems once a year.

Additionally, banks, insurance companies, leasing, factoring, financing, and savings finance companies will be audited in accordance with the principles established in their specific regulations and shall be deemed to comply with the obligations set forth in this Audit Communiqué. It has been stipulated that, provided there is no contradiction with their specific regulations, the provisions of the Audit Communiqué shall apply to the submission of independent audit reports on information systems to the Board.

The procedures for the preparation, submission, and delivery of independent audit reports on information systems have been updated. Previously, independent audit reports on information systems had to be submitted to the board chairperson on the first business day following their finalization and sent to the Board within five business days. Additionally, reports had to be completed and submitted to the Board within 30 days following the end of the audit period.

With the new regulation, the five-business-day submission requirement has been abolished, and a requirement has been introduced to submit reports to the Board by the end of the month following the audit period. This change has made the process faster and more efficient.

Finally, audit periods for certain brokerage firms and portfolio management companies have been differentiated. Accordingly, limited and fully authorized brokerage firms and certain portfolio management companies will be audited every two years, while other portfolio management companies and the Capital Markets Licensing, Registry, and Training Institution A.Ş. will be audited every three years.

2. Amendments in the Management Communiqué

The Management Communiqué has repealed the previously effective Communiqué on Information Systems Management (VII-128.9), and the regulations concerning information systems management have been updated and consolidated under the new Communiqué (VII-128.10). Accordingly, certain obligations regarding information systems management for institutions, organizations, and partnerships operating in the capital markets have been amended.

Scope and Obligations

With the new Communiqué, crypto asset service providers, which were previously not within the scope, have now been made subject to information systems management obligations. Additionally, certain provisions have been updated for institutions and organizations already subject to these obligations, ensuring the harmonization of processes.

Changes in Information Systems Management and Security

  • Information security policies must now be approved by the board of directors, and their implementation principles have been further detailed.
  • Information systems risk management processes have been strengthened, making risk analyses mandatory at least once a year.
  • Internal audit obligations have been expanded, requiring at least one internal audit per year on information systems management.
  • Network security requirements have been enhanced, and multi-factor authentication is now mandatory for access to critical systems.
  • Regulations concerning external service providers have been tightened, and restrictions have been imposed on the use of cloud services.

Updates on Information Systems Continuity and Crisis Management

  • The scope of business continuity plans has been expanded, making it mandatory to establish scenarios for extraordinary situations.
  • The requirement to keep primary and secondary systems within the country has been clarified, with specific transition periods defined, particularly for crypto asset service providers.
  • Requirements for penetration tests have been increased, with additional tests mandated for critical information systems.

Implementation and Compliance Timeline

The new Communiqué will enter into force on June 30, 2025, with compliance periods extending into 2025 and 2026 for specific institutions and organizations. With the repeal of Communiqué VII-128.9, all obligations related to information systems management will now be regulated under Communiqué VII-128.10.

These regulations aim to enhance the framework for information security and information systems management for capital market institutions, improve risk management processes, and strengthen audit mechanisms. You can access the Audit Communiqué and the Management Communiqué here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
