The Regulation on the Sharing of Confidential Information (the “Regulation”) was published in Official Gazette no. 31501 dated 4 June 2021 by the Turkish Banking Regulation and Supervision Agency (the “BRSA”).The purpose of this Regulation is to provide more detailed rules to govern the sharing of confidential information covered by bank secrecy.

The Regulation clarifies the implementation of Article 73 of Banking Law no.  5411 (the “Banking Law”), which addresses the protection of bank secrets. It provides for a broader definition of customer secrets, determines the scope, exemptions and general principles applicable to the confidentiality obligation, and introduces an obligation to establish information sharing committees.

The Regulation will enter into force on 1 January 2022 and be monitored by the chairman of the BRSA.

Definition of customer secrets

Similar to the Banking Law, the Regulation defines customer secrets as information in relation to individuals or legal entities generated after the establishment of a customer relationship specifically for the purpose of banking activities.

The Regulation further provides that any information showing that an individual or legal entity is a customer of the bank is also considered as a customer secret. Even if a customer relationship has not been established, the confidentiality obligation will apply in case the bank obtains customer secrets held by another bank.

Customer data that existed before the customer relationship was established will also be treated as customer secrets if the data is processed in a way that identifies a person as a bank customer, whether on its own or when processed together with customer secrets created after the establishment of the customer relationship.

Scope of the confidentiality obligation

The Regulation reiterates the principle that any person who has obtained access to client secrets due to their position or in the performance of their duties cannot disclose such secrets to anyone other than the authorities expressly authorised by law.

This obligation remains in force following the end of their duties, and applies regardless of whether the other party is aware of the contents of the information. The confidentiality obligation also apply to cases where the information considered as customer secrets is obtained through non-automated methods or methods that are not part of any data recording system.

Exemptions from the confidentiality obligation

In addition to the possibility to share customers secret with the authorities explicitly authorised by law, the Regulation provides for exemptions from the confidentiality obligation in the following circumstances – which were already covered under the Banking Law but are further clarified by the Regulation – in each case provided that a confidentiality agreement is in place:

• exchange of information among banks or other financial institutions, either directly or indirectly through the Banks Association of Turkey Risk Centre or companies established by at least five banks or other financial institutions;
• provision of information to a local or foreign parent company, including credit and financial institutions, that owns 10% or more of the share capital of the bank for the purpose of financial consolidation, risk management or internal audit;
• provision of information to a prospective buyer for the purpose of valuation in relation to the sale of shares representing ten percent or more of the bank’s capital or the sale of assets, including loans or securities based on such assets; and
• provision of information and documents to service providers for the procurement of valuation, rating or independent audit services and other support services.

Where information is shared with a parent company for the purpose of the preparation of financial statements or consolidated risk management, the following should be complied with:

• The confidentiality agreement must identify the specific purposes for which the information is shared (and information should only be shared for these purposes) and should contain provisions to ensure that the necessary technical and organisational measures are taken by the other party to protect the confidentiality of the data.
• Every six months, the bank must file with the BRSA a copy of the confidentiality agreements, the purposes for sharing data, the technical and organisation measures taken, and the names and countries of all third parties to which data is transferred; any changes should be reported immediately.
• All data sharing activities that identify customers or make them identifiable should be kept ready for audit and such information must be provided to the BRSA upon request.

Finally, the confidentiality obligation will not be violated in the cases below:

• sharing confidential information that does not constitute customer secrets, but only bank secrets, with third parties, provided that the bank adopts a board resolution to that effect;
• verification of customer information provided by the bank, the Banks Association of Turkey Risk Centre, or companies established by at least five banks or financial institutions, to public institutions upon the customer’s request;
• sharing confidential information regarding persons who are party to a dispute involving the bank and other secret information with authorised institutions and authorised representatives of the bank, if necessary for evidence purposes; and
• sharing confidential information for customer identification purposes, or information regarding accounts and transactions within the same financial group within the scope of Law no. 5549 on the Prevention of Laundering the Proceeds of Crime.

Principle of proportionality

Information classified as customer or bank secrets can only be shared for identified purposes and to the extent necessary to fulfil such purposes. If the intended purpose can be achieved without sharing part of the data, the data transfer will not be considered proportional.

The following minimum principles should be applied to ensure proportionality:

• the bank must share as little data as necessary to fulfil the intended purpose;
• the bank must be in a position to demonstrate the necessity of sharing such data;
• if possible to achieve the same purpose, the data must be aggregated, de-identified or anonymised;
• if the bank customer whose information will be disclosed is not a customer of the parent company or group company to which the information will be shared, the information should not disclose the customer’s identity or render such customer identifiable; and
• information sharing must be planned in such a way that a minimum number of copies of the data will be generated.

If information is shared upon the customer’s instruction or request, compliance with the proportionality principle will be assessed by reviewing whether the sharing of information is consistent with the request or instruction at hand.

Personal data processing upon customer request or instruction

The general principles on personal data processing under Law no. 6698 on the Protection of Personal Data should be complied with when sharing the customer secrets of individuals. The Regulation explicitly provides that health and sexual life data cannot be disclosed to third parties in Turkey or abroad based on exemptions from the confidentiality obligation, even if such data constitutes customer secrets.

Save for exemptions from the confidentiality obligation listed under the Regulation, even if the explicit consent of the customer is obtained, information classified as customer secrets cannot be transferred to third parties in Turkey or abroad without a request or instruction from the customer. It follows that, even if the bank has obtained the customer’s consent to the sharing of personal data to third parties in Turkey or abroad under data protection law, a specific instruction or request from the customer in respect of one or a series of transactions will be necessary to transfer customer secrets. In addition, the Regulation sets forth that the customer’s explicit consent, request or instruction to share their information cannot be presented as a prerequisite for the services to be provided by the bank.

Such request or instruction can be received in written form or via permanent data carrier. The customer’s request or instruction may be granted to include multiple transactions, and request or instructions regarding continuous transactions may be given for an indefinite period, provided that the customer is able to cancel or amend its request or instruction at any time and by the same methods used to provide the request or instruction. In principle, customers should be able to consult the requests or instructions they have given through electronic banking channels.

Under the Regulation, the initiation of transactions or order entries by the customer through electronic banking services are considered as a request or instruction for the sharing of information in respect of transactions such as domestic/international fund transfers, international letter of credit, letter of guarantee and reference letter, provided that (i) the interaction with a bank, payment service provider, or payment, securities settlement or messaging systems is necessary due to the nature of the transaction; and (ii) the sharing of customer secrets is mandatory for the completion of the transaction.

International information sharing

Information sharing upon the request of foreign authorities equivalent to the BRSA shall be carried out directly by the BRSA, if it is possible to meet such request with the information held by the BRSA. If the information available to the BRSA is not sufficient, the data sharing shall be carried out by the banks upon permission of the BRSA. It is not a violation to share information classified as bank secrets upon the request of foreign authorities equivalent to the BRSA, provided that a written notification is made to the BRSA before sharing the data.

The BRSA can prohibit the sharing of all kinds of data which constitute customer or bank secrets with third parties located abroad, based on its assessment of economic security.

Obligation to establish information sharing committees

According to the Regulation, Turkish banks are required to establish an Information Sharing Committee, the duties and working principles of which must be approved by the board of directors. This committee will be responsible to coordinate the sharing of the information classified as customer or bank secrets in accordance with the principle of proportionality, to evaluate the suitability of the sharing requests, and to keep a record of the same.