A Long-Awaited Development: Draft Regulation by the Turkish Banking Regulator on "Sharing of Confidential Information"

The Turkish Banking Regulation and Supervision Agency ("BRSA") published a draft regulation to clarify a long-awaited obligation under Banking Law No. 5411 ("Banking Law"). The Draft Regulation on the Sharing of Confidential Information determines the scope, form, procedure and principles regarding the sharing and transferring of confidential bank and customer secrets ("Draft Regulation").1 The Draft Regulation was published on the BRSA's website in February 2021 for public consultation and is yet to be published in the Official Gazette as of the date of this edition of Legal Insights Quarterly.

The Draft Regulation is based on Articles 73 and 93 of the Banking Law.2 It is important because it expands and clarifies the application of Article 73, which is critical to the transfer of customer information, which could also include personal data. Article 73 prohibits the sharing of such data with domestic or foreign third parties without an instruction or request received from the customer. The relevant article of the Banking Law explicitly states that this condition must be fulfilled even if explicit consent is received from the customer within the scope of Law No. 6698 on Protection of Personal Data ("DPL").3

The Draft Regulation basically clarifies the scope of the confidentiality obligation, any exceptions, and the definition of "customer secret," along with determining the general principles and procedure regarding the sharing and transferring of confidential information, including the transfers which are exempted from the confidentiality obligation specified in the fourth paragraph of Article 73 of the Banking Law. These clarifications will bring some guidance, and also relief from uncertainty, for the banks and other institutions which are subject to the Banking Law.

The persons subject to the confidentiality obligation are defined in the Draft Regulation as follows: those who, by virtue of their positions or in the course of performance of their duties, have access to bank or customer secrets are not permitted to disclose such confidential information to any person or entity other than the authorities explicitly authorized by law.4 This obligation will also be applicable in cases where the information classified as a customer secret is obtained and learned through methods which are neither automated nor part of any data recording system.

What constitutes a "customer secret"?

The Draft Regulation expands on the term "customer secret." It reiterates the Banking Law clause that, specific to banking activities, real and legal persons' data which comes into being after the customer-bank relationship is established becomes a customer secret. It further adds that any information which may indicate that a real or legal person is a customer of the bank is also considered to be a customer secret. However, even if a customer relationship has not been established, the confidentiality obligation will also be applicable in the event of receiving or learning the customer secrets held by another bank.

Moreover, per the Draft Regulation, data that existed before the customer relationship was established with the bank becomes a customer secret if it is processed in a way that identifies such person as a bank customer, either on its own or when processed together with the customer secret data that is created after a bank-customer relationship is built.

Exceptions to the confidentiality obligation

According to the Draft Regulation, sharing the information classified as a bank or customer secret with authorities which are explicitly authorized by laws does not constitute a violation of the confidentiality obligation. The Draft Regulation further regulates the exceptions to the confidentiality obligation, provided that a confidentiality agreement is executed and the sharing is limited to the specified purposes.

Although the Banking Law includes most of these exceptions to some degree, the Draft Regulation further clarifies and separates them more distinctly. Whereas the Banking Law merely states the circumstances under which customer secrets can be shared, the Draft Regulation additionally includes the persons with whom the customer secrets can be shared under such circumstances.

For instance, the Draft Regulation deems providing information and documents to service providers to be used in transactions related to the service provisions as an exception, provided that necessary administrative and technical measures are taken, while the Banking Law made it an exception to learn customer or bank secrets during the course of meeting information and document requests to use in transactions related to receiving of services. The altered provision in the Draft Regulation appears to be aimed at addressing the issues that service providers encounter when obtaining the necessary customer data to perform their services for banks.

The exceptions also include providing information and documents to parent companies, including credit institutions and financial institutions residing abroad, having ten percent or more shares in the capitals of the banks, within the scope of preparation of consolidated financial statements, risk management and internal audits.

This exception also includes sharing data with the controlling shareholder, or a group company that such controlling shareholder/parent company nominates to provide services for the preparation of financial statements or consolidated risk management, provided that the sharing is limited to the purposes mentioned in the relevant exception clause, and subject to executing a confidentiality agreement which also ensures that the other party shall take the necessary technical and administrative measures.

The Draft Regulation, however, mandates that a copy of such confidentiality agreement, the purposes of sharing, administrative and technical measures, and the title and country of residence for all third parties (including controlling partner/parent company) with whom the customer secrets were shared must be periodically reported to BRSA, with each report comprising a period of six months. All such sharing activities that directly identify the customer or make them identifiable must be readied for audit, and such information shall be sent to BRSA when requested using a method that BRSA finds applicable.

General principles and applicability of the data protection legislation

Further to the foregoing, the Draft Regulation determines the general principles and procedures regarding the sharing and transferring of confidential information. In principle, customer and bank secrets can be transferred only for specified purposes, and the transfer is limited to the data required by these purposes, in accordance with the principle of proportionality. The Draft Regulation further defines the minimum requirements that should be met for the transfer of the information to be considered in line with the principle of proportionality.

The Draft Regulation refers to the DPL, stating that it is obligatory to comply with the general principles regulated under Article 4 of the DPL while sharing the confidential information of real person customers. However, the Draft Regulation strictly prohibits the transfer of personal data related to health and sexual life to domestic or foreign third parties using a customer secret confidentiality exception as grounds, even if such personal data are considered as customer secrets.

Cross-border transfers

It appears that the Draft Regulation aims to provide some relief to necessary domestic and cross-border transfers, where communication with a foreign bank, payment service provider, payment or messaging system is necessary and sharing customer secrets is a mandatory element of the transaction (e.g., fund transfers, letters of credit, letters of guarantee, etc.). For such transfers, the initiation of the transaction by the customer, or a customer entering an order through distribution channels, is considered a duly made request or instruction under the relevant clause.

However, the Draft Regulation authorizes the Banking Regulation and Supervision Board ("Board") to prohibit the sharing of all kinds of confidential data comprising customer or bank secrets with third parties abroad, when deemed necessary, based on its evaluation of economic security.

Moreover, under the exceptions, the Draft Regulation emphasizes the application of the reciprocity principle with respect to sharing customer or bank secrets with a third party abroad. The Draft Regulation authorizes the Board to restrict, cease or prohibit the sharing of customer or bank secrets under exceptions, with those parties that are identified as not complying with the reciprocity principle.

Information sharing committees

Finally, in the context of the Draft Regulation, banks are obliged to establish an Information Sharing Committee, which will be responsible for (i) coordinating the sharing of the information classified as customer and bank secrets, by taking into account the principle of proportionality, (ii) evaluating the suitability of the requests to share data, and (iii) maintaining a record of these evaluations.

The Draft Regulation is currently open to public consultation, as BRSA announced that comments on the Draft Regulation might be emailed5 to the authority, and it may therefore undergo some changes before entering into force.

This article was first published in Legal Insights Quarterly by ELIG Gürkaynak Attorneys-at-Law in June 2021. A link to the full Legal Insight Quarterly may be found here.

Footnotes

1 Available at https://www.bddk.org.tr/ContentBddk/dokuman/mevzuat_1069.pdf  (Last accessed on April 2, 2021)

2 Available at https://www.tbb.org.tr/en/Content/Upload/Dokuman/1/Banking%20Law.pdf  (Last accessed on April 2, 2021)

3 Available at https://www.kvkk.gov.tr/Icerik/6649/Personal-Data-Protection-Law (Last accessed on April 2, 2021)

4 Article 4 of the Draft Regulation

5 duzenleme@bddk.org.tr
