BRSA’s Circular on Disclosure of Confidential Information Regulation
The Banking Regulation and Supervision Agency (“BRSA”) published the Circular on the Disclosure of Confidential Information Regulation No.2022/1 (“Circular”) on 11.08.2022. The purpose of this Circular is to elaborate on concepts and procedures as outlined in the Regulation on Disclosure of Confidential Information that was published in the Official Gazette dated 4.06.2021 and numbered 31501 (“Regulation”) in line with Article 73 and Article 93 of Banking Law No.5411 (“Banking Law”), which authorizes BRSA to determine the scope, form, procedures and principles regarding sharing and transfer of confidential information or to impose restrictions. The Circular has particular importance as it aims to address and resolve several issues regarding the implementation of the Regulation such as criteria to be considered as joint-client, disclosures made to parent companies and sharing of sensitive data. This article briefly identifies BRSA’s key provisions.
BRSA’s Explanations Regarding Banks’ Confidentiality Obligation
The Circular concludes that the bank employees’ data is essentially considered personal data and should be treated within the principles and the scope of Law No.6698 on Protection of Personal Data (“LPPD”). However, when some categories of data such as human resources data contain information about a bank's financial status or main activities such as lending and deposit collection, the technical methods used by the bank and the capability of the bank, it is possible to treat this aspect of the data as a bank secret.
The Circular further sets the framework for exceptions to the confidentiality obligation as outlined in the Regulation. The Regulation permits banks to disclose information for the preparation of consolidated financial reports, risk management and internal audit purposes, as long as they execute a confidentiality agreement and limit disclosure of confidential information to its stated purpose. Consequently, the Circular states that within the scope of the preparation of consolidated financial statements, risk management and internal audit purposes, banks can disclose information to their parent companies, including domestic or foreign credit institutions and financial institutions holding at least ten percent of their share capital. In these cases, BRSA emphasizes the importance of proportionality for such disclosures, as also indicated in Article 6 of the Regulation, with particular focus on disclosing only as much data as required for the purpose of sharing, and the requirement that the banks must be able to prove that the entire data set subject to the disclosure is necessary for the realization of the stated purpose. In addition, if the client whose information is to be shared according to the first paragraph of Article 6 of the Regulation is not a joint client with the parent, the confidential information to be disclosed cannot include any information that identifies the client or makes the client identifiable.
For disclosure of non-joint clients’ information without the de-identification measures to the parent companies for compliance risk purposes, banks need BRSA’s approval and evidence of i) the content and purpose of sharing and the necessity within the framework of applicable laws and ii) the opinion of the Information Disclosure Committee, which is responsible for coordinating the disclosure of the confidential client information and bank secret, and evaluating the appropriateness of the sharing requests, as indicated in Article 7 of the Regulation regarding the compliance and proportionality of the disclosure.
Similarly, a situation may arise where the information to be disclosed by the Turkish bank is requested as a result of a legal obligation or a right granted to the parent company / controlling shareholder bank and the parent company / controlling shareholder is at risk of being sanctioned by a foreign regulatory authority if it does not meet the request. In such a case, these requests can also be considered as a compliance risk, so that the Turkish bank must fulfill the above-mentioned conditions (i.e. content and purpose of sharing and the opinion of the Information Disclosure Committee) in the same way in its application to the BRSA and demonstrate this situation in a concrete way.
The Circular indicates that for fund transfer transactions mediated by the parent company as the correspondent bank, confidential information which is requested from the Turkish bank for the purpose of enabling controls to eliminate the financial crime risk can also fall within the framework of compliance risk. In this case, the BRSA emphasizes the importance of the principle of proportionality with regard to these disclosures. The Circular further references Article 6 paragraph 6 of the Regulation, which states that “for transactions such as domestic/international fund transfers, international letters of credit, letters of guarantee and reference letters, initiation of the transaction or order entries through distribution channels of electronic banking services by the client constitutes a request or instruction for the sharing of information, if i) interaction with bank, payment service provider, payment, securities settlement or messaging systems is necessary due to the nature of the transaction; and ii) disclosure of client secrets is mandatory for the completion of the transaction.” In addition, the Circular states that client information disclosure requests made for the parent company’s own risk management protocols rather than due to the nature of the transaction cannot fall into the scope of this provision and do not qualify as client requests or instructions.
As per Article 5 paragraph 5 of the Regulation, “confidential information that is not a client secret, but only a bank secret, and that relates only to the bank may be shared with third parties pursuant to a board of directors’ resolution of the bank and the bank will remain liable for this information sharing.” The Circular indicates that with a board of directors’ resolution, bank secrets can be disclosed to third parties. The definition of “third party” is broad, as it also includes parties apart from the ones that are exempted from the confidentiality obligation specified in the Regulation.
Evaluations Regarding General Principles for Disclosure of Confidential Information
The Circular indicates that as per Article 73 of Banking Law and the relevant provisions of the Regulation, even if the explicit consent of the client is obtained, confidential information cannot be shared with third parties in Turkiye or abroad in the absence of a request or instruction from the client. Furthermore, the customer's explicit consent or request or instruction to share their information cannot be made a prerequisite for the services to be provided by the bank. Exemptions to this rule are outlined in Article 5 of the Regulation. Consequently, as outlined above, the Circular emphasizes BRSA’s approval of the disclosure of non-joint clients’ information between the Turkish bank and its parent company / controlling shareholder without de-identification measures for compliance risk purposes. The Circular further evaluates the criteria for the term “joint” client and indicates that to be considered as a joint client, the same individual or legal person must simultaneously be a client of the Turkish bank and the parent company / controlling shareholder bank.
The Circular also details the disclosure of some sensitive personal data as defined in the LPPD. As per Article 6 paragraph 2 of the Regulation “…health and sexual life data cannot be disclosed to third parties in Turkiye or abroad based on the exemptions from the confidentiality obligation, even if such data constitutes a client secret.” The Circular outlines that if sensitive data other than health and sexual life data constitutes a client secret, such data can be processed without the client’s explicit consent based on exceptions to the confidentiality obligation. However, data relating to health and sexual life that also constitutes confidential information cannot be disclosed without the client’s explicit consent and the client’s request or instruction.
As outlined above, the Circular makes several important remarks regarding the disclosure of client information. BRSA’s remarks regarding joint-clients are particularly noteworthy. It is possible to state that the Circular sheds light on major questions regarding the application of the Regulation.
All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.