Recent Developments
Article 73 of the Banking Law No. 5411 ("Law") authorizes the Banking Regulatory and Supervisory Authority ("BRSA") to determine the scope, form, procedures and principles regarding the sharing and transferring of client information. Accordingly, the BRSA previously published the "Draft Regulation on the Sharing of Client Information", which we analyzed in our Legal Alert dated February 23, 2021. Accordingly, the Regulation on Disclosure of Client Information (the "Regulation") was published in the Official Gazette dated June 4, 2021 and No. 31501. The Regulation will enter into force on January 1, 2022.
What's New?
" Confidentiality Obligation:
- The confidentiality obligation is drafted similarly to Article 73 of the Law. Accordingly, bank and client secrets will not be disclosed to anyone except those legally authorized.
- The confidentiality obligation will also apply for information which is obtained through non-automated methods or methods that are not used for any data recording system.
- Any information evidencing that a real or legal person is a bank client will be deemed confidential information.
- The confidentiality obligation will also apply if a bank obtains any information from another bank, regardless of whether it has established a client relationship information with the relevant client itself.
- Exceptions:
- The Regulation also sets forth exceptions that apply to the
confidentiality obligation in detail. While no additional
conditions are stipulated regarding the disclosure of confidential
information to legally authorized persons, two additional
conditions must be met to benefit from the new exceptions set out
under the Regulation:
- Execution of a confidentiality agreement
- Limitation to the stated purposes
- In this regard, the Regulation reiterates four exceptions which are also found under the Law and clarifies one of them, namely the sharing of information for the preparation of consolidated financial reports, risk management and internal audit purposes. The Regulation also sets forth that while sharing information for the preparation of consolidated financial reports, risk management and internal audit purposes, banks will need to prepare a report addressed to the BRSA containing information on transferee third parties, the reasons for information sharing, measures taken to ensure the confidentiality of the shared information and a copy of the confidentiality agreement every six months and immediately in case of any material change. Moreover, banks will need to keep information regarding these transfers ready for auditing.
- In addition, the Regulation provides another general exception to the confidentiality obligation. Accordingly, confidential information that is not a client secret, but only a bank secret, and that relates only to the bank may be shared with third parties pursuant to a board of directors' resolution of the bank. The bank will remain liable for this information sharing. In order to share information within this exception with foreign banking regulatory authorities, banks will need to notify the BRSA in writing. The board of directors may delegate this authority to the bank's general directorate, provided that the relevant procedures and principles are determined by the board of directors.
- According to the Regulation, the verification of client information provided to public institutions by the client's request by banks, the Risk Center, or companies established by at least five banks or financial institutions will not be deemed a violation of the confidentiality obligation, provided that the client has requested the verification of such information.
- According to the Regulation, the Banks may share information regarding persons that are parties to a dispute that the bank is also a party in and other information deemed bank secret with authorized institutions and authorized representatives of the bank if sharing of this information is needed to prove the facts related to the dispute.
- Lastly, banks are authorized to disclose information for the purposes of client identification or information regarding accounts and transactions within the same financial group within the scope of Law No. 5549 on the Prevention of Laundering of Proceeds of Crime.
- Principles of Information Sharing: The
Regulation also sets forth the general principles of sharing
confidential information. Disclosure of confidential information
that must be compliant with proportionality principle. If it is
possible to achieve the purpose of disclosure without sharing the
entirety of the information, the disclosure is not considered
proportionate. In this respect, disclosures must contain the least
amount of data as necessary to achieve the purpose of disclosure,
and banks must be able to demonstrate that the disclosed proportion
of the data is indeed necessary for the purpose. In addition, if it
is possible to achieve the same purpose by aggregation,
de-identification or anonymization methods, these methods must be
used instead. If the bank client whose information will be
disclosed is not a client of the parent company, the controlling
shareholder or the relevant group company with which the
information will be disclosed to, the information should not reveal
the relevant client's identity, or render such client
identifiable. In addition, information sharing will need to be
structured in order to create as few data copies as possible. Save
for exemptions from the confidentiality obligation, client's
request or instruction is necessary for the disclosure of client
secret data to third parties resident in Turkey and abroad, and
explicit consent does not suffice for such disclosure. In addition,
health and sexual life data cannot be disclosed to third parties in
Turkey or abroad based on the exemptions from the confidentiality
obligation, even if such data constitutes client secret. The
client's request or instruction may be received in written form
or via permanent data carrier. Provided that the client is able to
cancel or amend its request or instruction at any time and by the
same methods used to provide the request or instruction, the
client's request or instruction may be given to encompass
multiple transactions, and request or instructions regarding
continuous transactions may be given for an indefinite period of
time. As a general principle, the client will be able to query the
requests or instructions given through electronic banking channels.
For sharing of information in accordance with a client request or
instruction, the determination of whether the principle of
proportionality principle is complied with or not will be
determined by inspecting whether the sharing of information
respects the request or instruction of the client, provided that
the data set requested to be shared by the client does not contain
confidential information regarding other persons. According to the
Regulation, for transactions as domestic/international fund
transfers, international letter of credit, letter of guarantee and
reference letter, initiation of the transaction or order entries
through distribution channels of electronic banking services by the
client constitutes a request or instruction for the sharing of
information, if: (i) interaction with bank, payment service
provider, payment, securities settlement or messaging systems is
necessary due to the nature of the transaction; and
(ii) disclosure of client secrets is mandatory for the completion of the transaction. " Information Sharing Committee: Article 7 of the Regulation requires banks to establish an "Information Sharing Committee". The Regulation also sets forth the principles regarding the formation of this committee. Conclusion The Regulation aims to:
- Clarify the confidentiality obligation, the applicable exceptions, and the concept of client secret; and
- Set forth the procedures and general principles of sharing and transferring of information deemed secret under Article 73 of the Law, including the sharing of information while benefitting from exceptions.
With its entry into force on January 1, 2021, the Regulation will clarify many questions regarding the implementation of Article 73 of the Law.
Disclosure of Client Secret | |
As part of confidentiality obligation,
client's request or instruction is necessary for the disclosure
of client secret data to third parties resident in Turkey and
abroad.
Client secret data can only be disclosed to third parties without client request or instruction under following situations under banking laws. |
|
Transactions That Constitute Client Request or Instruction | Exemptions from Requirement to Obtain Client Request or Instruction |
Initiation of the transaction or order entries
through distribution channels of electronic banking services by the
client for transactions as domestic/international fund transfers,
international letter of credit, letter of guarantee and reference
letter if:
|
Exemptions from confidentiality obligation do not apply to disclosure of health and sexual life data to third parties, even if such data constitutes client secret. |
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.