Turkey Publishes Bank Client Confidentiality Regulation

Recent Developments

Article 73 of the Banking Law No. 5411 (“ Law “) authorizes the Banking Regulatory and Supervisory Authority (“ BRSA “) to determine the scope, form, procedures and principles regarding the sharing and transferring of client information. Accordingly, the BRSA previously published the “Draft Regulation on the Sharing of Client Information”, which we analyzed in our Legal Alert dated February 23, 2021 . Accordingly, the Regulation on Disclosure of Client Information (the “ Regulation “) was published in the Official Gazette dated June 4, 2021 and No. 31501. The Regulation will enter into force on January 1, 2022.

What’s New?

• Confidentiality Obligation:

The confidentiality obligation is drafted similarly to Article 73 of the Law. Accordingly, bank and client secrets will not be disclosed to anyone except those legally authorized.
The confidentiality obligation will also apply for information which is obtained through non-automated methods or methods that are not used for any data recording system.
Any information evidencing that a real or legal person is a bank client will be deemed confidential information.
The confidentiality obligation will also apply if a bank obtains any information from another bank, regardless of whether it has established a client relationship information with the relevant client itself.

Exceptions:

The Regulation also sets forth exceptions that apply to the confidentiality obligation in detail. While no additional conditions are stipulated regarding the disclosure of confidential information to legally authorized persons, two additional conditions must be met to benefit from the new exceptions set out under the Regulation:
- Execution of a confidentiality agreement
- Limitation to the stated purposes
In this regard, the Regulation reiterates four exceptions which are also found under the Law and clarifies one of them, namely the sharing of information for the preparation of consolidated financial reports, risk management and internal audit purposes. The Regulation also sets forth that while sharing information for the preparation of consolidated financial reports, risk management and internal audit purposes, banks will need to prepare a report addressed to the BRSA containing information on transferee third parties, the reasons for information sharing, measures taken to ensure the confidentiality of the shared information and a copy of the confidentiality agreement every six months and immediately in case of any material change. Moreover, banks will need to keep information regarding these transfers ready for auditing.
In addition, the Regulation provides another general exception to the confidentiality obligation. Accordingly, confidential information that is not a client secret, but only a bank secret, and that relates only to the bank may be shared with third parties pursuant to a board of directors’ resolution of the bank. The bank will remain liable for this information sharing. In order to share information within this exception with foreign banking regulatory authorities, banks will need to notify the BRSA in writing. The board of directors may delegate this authority to the bank’s general directorate, provided that the relevant procedures and principles are determined by the board of directors.
According to the Regulation, the verification of client information provided to public institutions by the client’s request by banks, the Risk Center, or companies established by at least five banks or financial institutions will not be deemed a violation of the confidentiality obligation, provided that the client has requested the verification of such information.
According to the Regulation, the Banks may share information regarding persons that are parties to a dispute that the bank is also a party in and other information deemed bank secret with authorized institutions and authorized representatives of the bank if sharing of this information is needed to prove the facts related to the dispute.
Lastly, banks are authorized to disclose information for the purposes of client identification or information regarding accounts and transactions within the same financial group within the scope of Law No. 5549 on the Prevention of Laundering of Proceeds of Crime.

Principles of Information Sharing: The Regulation also sets forth the general principles of sharing confidential information.
Disclosure of confidential information that must be compliant with proportionality principle. If it is possible to achieve the purpose of disclosure without sharing the entirety of the information, the disclosure is not considered proportionate.

In this respect, disclosures must contain the least amount of data as necessary to achieve the purpose of disclosure, and banks must be able to demonstrate that the disclosed proportion of the data is indeed necessary for the purpose. In addition, if it is possible to achieve the same purpose by aggregation, de-identification or anonymization methods, these methods must be used instead. If the bank client whose information will be disclosed is not a client of the parent company, the controlling shareholder or the relevant group company with which the information will be disclosed to, the information should not reveal the relevant client’s identity, or render such client identifiable. In addition, information sharing will need to be structured in order to create as few data copies as possible.

Save for exemptions from the confidentiality obligation, client’s request or instruction is necessary for the disclosure of client secret data to third parties resident in Turkey and abroad, and explicit consent does not suffice for such disclosure. In addition, health and sexual life data cannot be disclosed to third parties in Turkey or abroad based on the exemptions from the confidentiality obligation, even if such data constitutes client secret. The client’s request or instruction may be received in written form or via permanent data carrier. Provided that the client is able to cancel or amend its request or instruction at any time and by the same methods used to provide the request or instruction, the client’s request or instruction may be given to encompass multiple transactions, and request or instructions regarding continuous transactions may be given for an indefinite period of time. As a general principle, the client will be able to query the requests or instructions given through electronic banking channels.

For sharing of information in accordance with a client request or instruction, the determination of whether the principle of proportionality principle is complied with or not will be determined by inspecting whether the sharing of information respects the request or instruction of the client, provided that the data set requested to be shared by the client does not contain confidential information regarding other persons.

According to the Regulation, for transactions as domestic/international fund transfers, international letter of credit, letter of guarantee and reference letter, initiation of the transaction or order entries through distribution channels of electronic banking services by the client constitutes a request or instruction for the sharing of information, if:

(i) interaction with bank, payment service provider, payment, securities settlement or messaging systems is necessary due to the nature of the transaction; and
(ii) disclosure of client secrets is mandatory for the completion of the transaction.

• Information Sharing Committee: Article 7 of the Regulation requires banks to establish an “Information Sharing Committee”. The Regulation also sets forth the principles regarding the formation of this committee.

Conclusion

The Regulation aims to:

Clarify the confidentiality obligation, the applicable exceptions, and the concept of client secret; and
Set forth the procedures and general principles of sharing and transferring of information deemed secret under Article 73 of the Law, including the sharing of information while benefitting from exceptions.

With its entry into force on January 1, 2021, the Regulation will clarify many questions regarding the implementation of Article 73 of the Law.

Disclosure of Client Secret
As part of confidentiality obligation, client’s request or instruction is necessary for the disclosure of client secret data to third parties resident in Turkey and abroad. Client secret data can only be disclosed to third parties without client request or instruction under following situations under banking laws.
Transactions That Constitute Client Request or Instruction	Exemptions from Requirement to Obtain Client Request or Instruction
Initiation of the transaction or order entries through distribution channels of electronic banking services by the client for transactions as domestic/international fund transfers, international letter of credit, letter of guarantee and reference letter if: interaction with bank, payment service provider, securities settlement, or payment or messaging systems is necessary due to the nature of the transaction; and disclosure of client secrets is mandatory for the completion of the transaction.	Disclosure of information with legally authorized persons and institutions Provided that there is a confidentiality agreement between parties and disclosure is limited to the stated purposes Disclosures between banks and financial institutions, Disclosures for the preparation of consolidated financial reports, risk management and internal audit purposes Disclosures as part of valuation/assessment works for the sale of shares directly or indirectly representing ten percent or more of the shares of the bank or bank assets, Disclosures to service providers in connection with assessment, rating or support services, independent audits or the procurement of services. Disclosure of confidential information that is not a client secret, but only a bank secret, and that relates only to the bank may be shared with third parties pursuant to a board of directors’ resolution of the bank. Providing verification to public institutions according to a client request Disclosure of information regarding persons that are parties to a dispute that the bank is also a party in and other information deemed bank secret with authorized institutions and authorized representatives of the bank Disclosure of information for the purposes of client identification or information regarding accounts and transactions within the same financial group Exemptions from confidentiality obligation do not apply to disclosure of health and sexual life data to third parties, even if such data constitutes client secret.