To print this article, all you need to do is be registered or log in to Mondaq.com.
Article 73 of Banking Law No. 5411 (“Right“) authorizes the Banking Regulatory and Supervisory Authority (BRSA) to determine the scope, form, procedures and principles regarding the sharing and transfer of customer information. The BRSA previously issued the Disclosure Regulations customer information (“Regulation“), which we have analyzed in our legal alert dated June 7, 2021. Accordingly, on August 11, 2022, the BRSA issued Customer Information Disclosure Circular No. 2022/1 (“Circular“) to clarify the Settlement and determine the terms of the application processes provided for in the Settlement. The Circular is available here In Turkey.
The circular clarifies certain questions concerning the implementation of the regulation, in particular, with regard to the questions below.
Information about bank employees
The circular emphasizes that bank employee data is primarily considered personal data. However, the Circular also recalls that certain information relating to employees may contain data relating to “the financial condition of the bank, the bank’s management principles regarding its main activities such as lending and deposit taking, the technical methods used by the bank and the capacity of the bank” and this personal data may also contain banking secrets.
BRSA notice on disclosures without anonymization measures
The Circular explains the principles for disclosing client secrets to parent companies for compliance risk purposes and details how to apply the ARSB’s advice. In this regard, banks should request BRSA to disclose non-spouse customer information to the parent company for compliance risk purposes without any anonymization measures, and provide the following information:
- The content and purpose of sharing and necessity under applicable laws.
- The opinion of the Information Disclosure Committee regarding compliance and proportionality of disclosure.
The circular specifies that if the parent company requests information from the Turkish bank on the basis of a legal obligation or a right granted to the parent company under applicable laws, and that if the non-disclosure of the information would expose the parent company at the risk of sanctions, it will be accepted that the disclosure is due to a risk of non-compliance of the recipient, since this assessment must also be submitted in the application to the BRSA.
In addition, in accordance with the circular, identified or identifiable customer information (including that contained in audit study documents) must not be disclosed to third parties for internal audit purposes. However, if it is determined that the disclosure is due to the recipient’s risk of non-compliance and requires access to information contained in the bank’s audit study materials or its internal audit practices, the bank can always obtain the opinion of the ARSB to release raw data without de-identifying.
In addition, parent/controlling shareholder banks may request customer information from their local affiliate banks for compliance risk purposes without obtaining BRSA’s advice and anonymize the information.
Disclosures to foreign authorities
If a foreign authority equivalent to the BRSA in the relevant jurisdiction requests information directly from a bank in Turkey or if such disclosure is not due to the risk of non-compliance, to share the requested information, the bank must obtain the approval of the BRSA under article 98 of the law and article 6/9 of the regulations in accordance with the principle of reciprocity.
The circular states that even if such disclosure relates only to bank secrets, the previous assessment regarding BRSA approval still applies, and it would not be possible to rely on the resolution of the board of directors. to disclose banking secrets to such foreign authority in the event that BRSA approval is required.
Disclosures in connection with SWIFT transactions
The BRSA notes that disclosure of customer information for post-transaction checks in SWIFT processes may be considered disclosure for compliance risk purposes. However, the BRSA stresses that the principle of proportionality must also be taken into account for such disclosures.
The Circular explains that banks may also rely on customer instructions/requests in the event of such disclosures. Under the Regulation, if a transaction requires interaction with systems outside of Turkey and disclosure of information is mandatory to complete the transaction, the client’s order to initiate the transaction is itself an “instruction/ customer request “. At the same time, anonymization measures should not be implemented because there is an instruction/request from the customer. If system rules or the correspondent bank itself require response to requests for information as a result of money transfer transactions, such as SWIFT, which are based on customer instructions, customer information may be shared to respond to such requests, provided that the customer is duly informed. of this sharing of information before the transaction.
On the other hand, the Circular specifies that the disclosure must be limited to “compulsory” information.
Banking secrets and resolution of the board of directors
According to the circular, bank secrets can be disclosed to third parties based on a resolution of the board of directors, which does not have to include disclosures with exemptions.
Reporting and retention requirements
The first reports to be submitted in accordance with Article 5/9 of the Regulation for the period July to December 2022 must be submitted until 31 January 2022, while the reports for the period January to June 2023 must be submitted before July 31, 2023. The content and format of the report will be determined separately by BRSA, and BRSA is authorized to make changes to this format.
Details of the disclosure of information that identifies and makes the customer identifiable must be retained for a period of 10 years.
Client Secrets and Instruction
The circular clarifies that the ARSB notice requirements under Article 6/8 of the regulations continue to apply in cases where the bank is relying on customer instructions/requests for disclosure benefiting from exemptions, such as risk management, consolidation of financial statements and internal audits. .
The following should be considered for instructions/requests:
- Standard forms prepared by banks can be used. However, the bank’s form must be converted into a customer’s instruction/request. Banks must obtain written approval from customers indicating that customers have understood and consented to the instruction. These standard forms should be clearly separated from banking service contracts.
- Approvals can also be obtained by digital signature.
- Customers should be able to view instructions/requests on mobile and online banking tools.
In accordance with the regulations, disclosures about joint clients can be made without anonymization in the event that the disclosures are based on exemptions. According to the Circular, for a client to be considered as a “joint client”, (i) the same natural/legal person must be a client of (ii) both the bank in Turkey and the parent company/company of the group (iii) simultaneously.
Disclosure of sensitive personal data
If special personal data other than information on health and sex life becomes secret from the customer, this data may be disclosed to third parties on the basis of exemptions from confidentiality obligations. On the other hand, information on health and sex life cannot be disclosed to third parties solely on the basis of the exemptions to the obligation of confidentiality, and the client’s explicit consent would be required for such disclosures.
Disclosure to Legal Advisors
Disclosure to legal consultants is considered exempt based on the subcontracting exemption. However, if the legal advisor directly represents the bank in a dispute, the client’s secrets may be disclosed without anonymization. In case of potential representation, the instruction/request of the client is required for the disclosure of the information.
The circular clarifies the questions and uncertainties raised by the banks regarding the provisions of the regulation and provides details on the application processes set out in the regulation.
The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.