Article 73 of Banking Law No. 5411 (“Law”) authorizes the Banking Regulation and Supervision Authority (“BRSA”) to determine the scope, form, procedures and principles regarding the sharing and transfer of customer information. The BRSA previously issued the Customer Information Disclosure Regulations (“Regulation”), which we analyzed in our legal alert of June 7, 2021. The Regulation will come into force on July 1, 2022. As a result, the BRSA has opened draft Customer Information Disclosure Circular No. 2022/1 (“Draft Circular”) on the advice of the banks to clarify the Regulation and determine the terms of the application processes provided for in the Regulation.
The draft circular clarifies certain questions concerning the implementation of the regulation, in particular with regard to the questions below.
Information about bank employees
The draft circular emphasizes that bank employee data is primarily considered personal data. However, the draft circular also points out that certain employee information may contain data relating to “the financial situation of the bank, the principles of management of the bank concerning its main activities such as lending and collecting deposits, technical methods used by the bank and the capacity of the bank” and this personal data may also contain bank secrets.
BRSA notice on disclosures without anonymization measures
The draft circular explains the principles for disclosing client secrets to parent companies for compliance risk purposes and details how to apply the BRSA’s advice. In this regard, banks should request BRSA to disclose non-joint customer information to the parent company for compliance risk purposes without any anonymization measures, and provide the following information:
- The content and purpose of sharing and necessity under applicable laws.
- The opinion of the Information Disclosure Committee regarding compliance and proportionality of disclosure.
The draft circular clarifies that if the parent company requests information from the Turkish bank on the basis of a legal obligation or a right granted to the parent company under applicable laws, and that if the non-disclosure of the information would put the parent company at risk of sanctions, it will be accepted that the disclosure is due to a risk of non-compliance of the recipient, since this assessment must also be submitted in the application to the BRSA.
In addition, in accordance with the draft circular, identified or identifiable customer information (including that contained in audit study documents) must not be disclosed to third parties for internal audit purposes. However, if it is determined that the disclosure is due to the recipient’s risk of non-compliance and requires access to information contained in the bank’s audit study materials or its internal audit practices, the bank can always obtain the opinion of the BRSA to release raw data without de-identifying it.
Disclosures to Foreign Authorities
If a foreign authority equivalent to the BRSA in the relevant jurisdiction requests information directly from a bank in Turkey, or if such disclosure is not due to the risk of non-compliance, the bank must obtain the approval of the BRSA under Article 98 of the Law and Article 6/9 of the Regulation, in accordance with the principle of reciprocity, in order to share the requested information.
The draft circular states that even if such disclosure relates only to bank secrets, the previous assessment regarding BRSA approval still applies, and it would not be possible to rely on a resolution of the board of directors to disclose banking secrets to such foreign authority in the event that the approval of the BRSA is required.
Disclosures in connection with SWIFT transactions
The BRSA notes that disclosure of customer information for post-transaction checks in SWIFT processes may be considered disclosure for compliance risk purposes. However, the BRSA stresses that the principle of proportionality must also be taken into account for such disclosures.
The draft circular explains that banks may also rely on customer instructions/requests in the event of such disclosures. Under the Regulation, if a transaction requires interaction with systems outside of Turkey and disclosure of information is mandatory to complete the transaction, the client’s order to initiate the transaction is itself a “customer instruction/request”. At the same time, anonymization measures should not be implemented because there is an instruction/request from the customer.
On the other hand, the draft circular specifies that the disclosure must be limited to “compulsory” information.
Banking secrets and resolution of the board of directors
According to the draft circular, bank secrets can be disclosed to third parties based on a resolution of the board of directors, which does not have to include disclosures with exemptions.
Reporting and retention requirements
The first reports to be submitted under Article 5/9 of the Regulation must be submitted by 31 December 2022. The reports must comply with the annex to the draft circular and must contain the data sets disclosed, the confidentiality agreements, the objectives of the disclosure, the technical and organizational measures, and the trade names of third-party recipients and their countries.
Details of disclosure of information that identifies and makes the customer identifiable must be retained for a period of 10 years.
Client Secrets and Instruction
The draft circular clarifies that the BRSA notice requirements under Article 6/8 of the Regulation continue to apply in cases where the bank is relying on customer instructions/requests for communication benefiting from exemptions, such as risk management, consolidation of financial statements and internal audit procedures.
The following should be considered for instructions/requests:
- Standard forms prepared by banks can be used. However, the bank’s form must be converted into a customer’s instruction/request. Banks must obtain written approval from customers indicating that customers have understood and consented to the instruction.
- Approvals can also be obtained by digital signature.
- Customers should be able to view instructions/requests on mobile and online banking tools.
In accordance with the Regulation, disclosures about joint clients can be made without anonymization in the event that the disclosures are based on exemptions. Following the draft circular, for a client to be considered a “joint client”, (i) the same natural/legal person must be a client of (ii) both the bank in Turkey and the parent company/group company (iii) simultaneously.
Disclosure of sensitive personal data
If special personal data other than information on health and sex life becomes a customer secret, this data may be disclosed to third parties on the basis of exemptions from confidentiality obligations. In contrast, information on health and sex life cannot be disclosed to third parties solely on the basis of confidentiality waivers, and the client’s explicit consent would be required for such disclosures.
Disclosure to Legal Advisors
Disclosure to legal consultants is considered exempt based on the subcontracting exemption. However, if the legal advisor directly represents the bank in a dispute, the client’s secrets may be disclosed without anonymization. In case of potential representation, the instruction/request of the client is required for the disclosure of the information.
The draft circular aims to clarify questions and uncertainties raised by banks regarding the provisions of the regulation, which will be in force on July 1, 2022, and to provide details on the application processes set out in the regulation.
The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.