The Turkish Banking Regulation and Supervision Agency ("BRSA") published a draft regulation to clarify a long-awaited obligation under the Banking Law. The Draft Regulation on Sharing of Confidential Information determines the scope, form, procedure and principles of sharing and transferring bank and customer secrets as confidential information ("Draft Regulation") [1]. The Draft Regulation is published on the BRSA's website.
This Draft Regulation is based on Articles 73 and 93 of the Banking Law No. 5411 [2] and it is important as it expands and clarifies the application of Article 73, which is critical in terms of transfer of customer data, which could also include personal data. Article 73 prohibits sharing of such data with domestic or foreign third parties without an instruction or request received from the customer. The relevant article of the Banking Law explicitly states that this condition must be fulfilled even if explicit consent is received from the customer within the scope of Law No. 6698 on Protection of Personal Data ("DPL") [3].
The Draft Regulation basically clarifies the confidentiality obligation, the exceptions to this obligation and the definition of "customer secret", along with determining the general principles and procedure regarding sharing and transferring of confidential information, including the transfers which are exempted from the confidentiality obligation specified in the fourth paragraph of the Article 73 of the Banking Law. Thereby, the clarifications might relieve the banks and other institutions, which are subject to the Banking Law.
The confidentiality obligation is defined in the Draft Regulation as follows: those who, by virtue of their positions or in the course of performance of their duties, have access to bank secrets or customer secrets are not permitted to disclose such confidential information to any person or entity other than the authorities explicitly authorized by law [4]. This obligation will also apply where the information classified as customer secret is obtained and learned through methods which are not automated or are not part of any data recording system.
What constitutes "customer secret"?
The Draft Regulation expands the term "customer secret". After reiterating the Banking Law clause that the data belonging to real and legal persons that are formed after establishing a customer - bank relationship specific to banking activities becomes a customer secret, it further includes that any information showing that a real or legal person customer is a customer of the bank is also considered customer secret. However, even if a customer relationship has not been established, the confidentiality obligation will also be applicable in the event of obtaining and learning of customer secret held by another bank.
Moreover, per the Draft Regulation, data that exists before the customer relationship with the bank becomes a customer secret if it is processed in a way that identifies such person as a bank customer, either on its own or when processed together with the customer secret data that is formed after a bank-customer relationship is built.
Exemptions to the confidentiality obligation
According to the Draft Regulation, sharing the information classified as bank or customer secret with the authorities which are explicitly authorized by law does not constitute a violation of the confidentiality obligation. The Draft Regulation further regulates the exemptions to the confidentiality obligation, provided that a confidentiality agreement is executed and the sharing is limited to the specified purposes.
Although the Banking Law includes most of these exemptions to some degree, the Draft Regulation further clarifies and more distinctly separates those exemptions. Whereas the Banking Law merely states the circumstances under which customer secrets can be shared, the Draft Regulation additionally includes the persons with whom the customer secrets can be shared under such circumstances.
For instance, the Draft Regulation makes providing information and documents to service providers, to be used in transactions related to the service provision, an exemption provided that necessary administrative and technical measures are taken, whereas the Banking Law made it an exemption to learn customer or bank secrets in the course of meeting information and document requests for use in transactions related to the receipt of services. The altered provision in the Draft Regulation appears to aim at addressing the issues that banks' service providers encounter in obtaining the customer data necessary to perform their services.
The exemptions also include providing information and documents to parent companies including credit institutions and financial institutions residing abroad having ten percent or more of the capitals of the banks within the scope of preparation of consolidated financial statements and risk management and internal audits.
This exemption is further expanded: such sharing may also be made with the controlling shareholder, or with a group company designated by the controlling shareholder/parent company that provides services for the preparation of financial statements or consolidated risk management, provided that the sharing is limited to the purposes mentioned in the relevant exemption clause, that a confidentiality agreement is drafted, and that this agreement ensures the other party takes the necessary technical and administrative measures.
The Draft Regulation, however, mandates that a copy of such confidentiality agreement, the purposes of sharing, the administrative and technical measures, and the title and country of all third parties (including the controlling partner/parent company) with which customer secrets were shared must be reported to the BRSA at six-month intervals. All sharing activities that identify the customer or make the customer identifiable must be kept ready for audit, and such information shall be sent to the BRSA when requested, using a method that the BRSA finds applicable.
General principles and relation with data protection legislation
Further to the foregoing, the Draft Regulation determines the general principles and procedures regarding sharing and transferring of the confidential information. In principle, customer secret and bank secret can be transferred only if it is limited to the specified purposes and contains the data which is required by these purposes in accordance with the principle of proportionality. The Draft Regulation further defines the minimum necessities that should be fulfilled for considering that transfer of the information is in line with the principle of proportionality.
The Draft Regulation refers to the Law No. 6698 on Personal Data Protection ("DPL"), stating it is obligatory to comply with the general principles regulated under Article 4 of the DPL while sharing the confidential information of the real person customers. However, the Draft Regulation strictly prohibits the transfer of the personal data related to health and sexual life, to the domestic or foreign third parties using a customer secret confidentiality exemption as grounds, even if such personal data are considered as customer secrets.
It appears that the Draft Regulation aims to provide some relief to necessary domestic and cross-border transfers, where communication with a foreign bank, payment service provider, payment or messaging systems is necessary and it is a mandatory element of the transaction to share customer secrets (e.g. fund transfers, letter of credit, letter of guarantee etc.). For such transfers, initiations of the transaction by the customer or a customer entering an order through distribution channels are considered as request or instruction under the relevant clause.
However, the Draft Regulation authorizes the Banking Regulation and Supervision Board ("Board") to prohibit the transfer of all kinds of customer secret or bank secret data to third parties abroad as a result of its evaluation on economic security.
Moreover, the Draft Regulation emphasizes the application of reciprocity principle to share customer or bank secret with a third party abroad in the course of exemptions that allow sharing of customer or bank secrets. The Draft Regulation authorizes the Board to restrict, cease or prohibit sharing of customer or bank secrets in the course of exemptions with parties that are identified as not complying with the reciprocity principle.
Information sharing committees
Finally, in the context of the Draft Regulation, banks are obliged to establish an Information Sharing Committee, which will be responsible for (i) coordinating the sharing of the information classified as customer secret and bank secret by taking into account the principle of proportionality, (ii) evaluating the suitability of the sharing requests and (iii) recording of these evaluations.
In accordance with the BRSA's statement that opinions related to the Draft Regulation might be emailed [5] to the authority, the Draft Regulation is currently open to public opinion and it might not enter into force as is.
1. Available at https://www.bddk.org.tr/ContentBddk/dokuman/mevzuat_1069.pdf
3. Available at https://www.kvkk.gov.tr/Icerik/6649/Personal-Data-Protection-Law
4. Article 4 of the Draft Regulation