15 June 2021
The Regulation on Sharing of Secret Information (“Regulation”) issued by the Banking Regulation and Supervision Agency (“BRSA”) was published in the Official Gazette numbered 31501 and dated 4 June 2021, and enters into force on 1 January 2022.
The Regulation introduces detailed rules at the intersection of the Banking Law No. 5411 (“Banking Law”) and the Personal Data Protection Law No. 6698 (“PDPL”) regarding the confidentiality obligation of those who learn the secrets of banks or their customers due to their duties. Because of the risk-based nature of the sector, a large volume of data, some of which qualifies as personal data and some of which is purely confidential, is in circulation; the Regulation therefore introduces measures for the protection of such secret data within the framework of Article 73 of the Banking Law, regardless of whether the data qualifies as personal data or not.
You may find a brief review of the rules introduced by the Regulation in light of the relevant legislation below.
Currently, Article 73 of the Banking Law regulates the general obligation to keep information confidential for those who learn the secrets of banks or their customers due to their titles and duties. Members and personnel of the BRSA, the Banking Regulation and Supervision Board (“Board”) and the Savings Deposit Insurance Fund Board are also included within the scope of this obligation. The article covers the secrets of both banks and their customers; the material scope of the confidentiality obligation can therefore be expressed as "customer secret" and "banking secret". Those who learn such confidential information may share it only with the authorities expressly authorized by law, even after their term of office expires, but certain exceptions are also provided. For instance, provided that a confidentiality agreement is made and the activity is limited to the stated purpose, the confidentiality obligation will not apply to the exchange of all kinds of information and documents between banks and financial institutions (for example through Kredi Kayıt Bürosu A.Ş. and applications such as Findeks, a side-institution of Kredi Kayıt Bürosu A.Ş.), to valuation studies of prospective buyers for the sale of shares representing ten percent or more of the capital of these institutions, or to the preparation of consolidated financial statements by parent companies already holding such shares, in risk management and internal audit practices.
Data relating to natural persons and legal entities that is formed after a customer relationship is established for a transaction specific to a banking activity will be considered a customer secret. Apart from the exceptions to the confidentiality obligation, the sharing of such data is subject to the customer's request and instruction, independently of the obligation to obtain explicit consent stipulated by the PDPL in certain cases. In addition, the Agency is authorized, independently of the PDPL, to impose restrictions on the transfer of customer secrets and banking secrets abroad on grounds of economic security.
In addition, the general principles stated in the PDPL, namely connection with purpose, relevance and proportionality, will also apply to the sharing of these data, regardless of whether they contain personal data or not. Considering the sensitive nature of the data obtained during banking transactions, these specific rules appear intended to provide a protection similar to that of the "special categories of data" in the personal data legislation. Indeed, banking transactions to which natural persons are a party will mostly make those persons identifiable, so the data will qualify as personal data. However, in view of banking risks, legal entity financial data that a legal entity customer may regard as a trade secret in its field of activity is also included within this protective sphere. In any case, in addition to the reservations that legal entities may have, data belonging to legal entities may render the natural persons within the legal entity's organization identifiable and thus qualify as personal data. It should not be forgotten, however, that the banking legislation also applies outside the cases covered by the PDPL and introduces sector-specific rules.
In case of disclosure of customer secrets or banking secrets, sanctions may be imposed for the crime of "disclosure of information or documents in the form of trade secret, banking secret or customer secret" regulated in Article 239 of the Turkish Penal Code, as well as the sanctions for non-compliance with the law and the secondary regulations specified in Article 148 of the Banking Law.
With the Regulation, the notions in the legislation on the protection of personal data, such as data processing and anonymization, have been included in the banking legislation for the first time to the extent that they are compatible with the content of the legislation.
The limited definition of what constitutes a customer secret is extended while preserving the fundamental philosophy embraced by Article 73 of the Banking Law. Accordingly, obtaining and learning customer secret information held by another bank is subject to the confidentiality obligation. In other words, although the definition of customer secret refers to the confidential information of a bank's customers, under the Regulation its meaning exceeds this definition and is not limited in scope to a bank's own customers' information. Likewise, information that is not itself a customer secret can be considered a customer secret if it is processed in a way that reveals the customer's identity, or together with information obtained after the establishment of the customer relationship. From then on, such data will also fall within the scope of the confidentiality obligation.
The principle of having the customer’s request independent from the necessity of explicit consent in terms of PDPL is preserved regarding the sharing of confidential data.
According to paragraph 3 of Article 6 of the Regulation, which takes an approach that regards the interests of the customer, explicit consent, request or demand cannot be presented as a precondition to services. Besides, detailed provisions are provided regarding the format of such demand and request. Accordingly, a customer's demand can cover more than one transaction and can be for an indefinite period for ongoing transactions, on the condition that the customer's demand is provable and can be retracted or modified at the customer's request by following the same procedure. It is fundamental that the customer is able to inquire about and view his/her given demands or requests through the distribution channels of electronic banking services.
For transactions such as domestic and international fund transfers, foreign letters of credit, letters of guarantee and letters of reference, where by the nature of the transaction it is essential to share confidential information in the form of a customer secret with domestic or foreign parties in order to complete the transaction, and where it is necessary to interact with a domestic or foreign bank, payment service provider, or payment, securities settlement or messaging system, transactions initiated by the customer or orders entered by the customer through the distribution channels of banking services are to be regarded as a customer request or demand as indicated in the third paragraph.
In addition, it is regulated that compliance with certain general principles is necessary for the sharing of information. Thereby, a more substantive approach is embraced rather than that of a procedural approach as is the case with the PDPL. Besides, general principles specified in the PDPL regarding personal data are reserved.
These principles will apply to the sharing of both customer secrets and banking secrets. Such disclosures should comply with the principles of proportionality and purpose limitation. Proportionality should be determined according to the amount of data required within the scope of the stated purpose. The Regulation addresses this matter concretely with additional compulsory measures which aim to maintain proportionality:
Another matter to be pointed out is that exceptions to the confidentiality obligation will also be subject to the proportionality principle indicated in the Article. This is in harmony with the PDPL, since the disclosure of data exempted from the explicit consent requirement will also need to comply with the general principles.
Finally, the evaluation of the principle of proportionality is limited to the satisfaction of the customer's demand or request in disclosures made upon the request or demand of the customer. However, in this case, the data sets that the customer requests or demands to be shared should not contain confidential information concerning other customers or other banks' customers.
Although the exceptions in which the confidentiality obligation will not apply are in line with Article 73/4 of the Banking Law, the Regulation states that, in addition to the exceptions specified in the Banking Law, information which is not regarded as a customer secret but counts as a banking secret can be disclosed through a decision of the board of directors. The subsequent disclosure will be made according to this provision under the liability of the bank.
Another exception foreseen in the Regulation concerns the confirmation of information qualifying as customer secrets by public institutions and organizations. Banks, risk centers or companies such as Kredi Kayıt Bürosu A.Ş. established by at least five banks or financial institutions can, upon the request of the customer, respond to the queries of public institutions and organizations regarding the confirmation of customer secrets which the customer has provided at its own request. Such responses do not constitute a violation of the confidentiality obligation if they are limited to evaluating whether such information is true or not.
Likewise, sharing information that can be seen as customer secret or bank secret with authorities competent to solve disputes or with parties representing the bank for the establishment of a right within the subject jurisdiction does not breach the confidentiality obligation.
Providing information and documents to a controlling shareholder holding ten percent or more of the shares, within the scope of preparing consolidated financial statements or of risk management and internal audit practices, is counted as one of the exemptions from the confidentiality obligation in both the Banking Law and the Regulation. With the Regulation, a new duty is imposed regarding the application of this exemption.
In order to benefit from the exemption from the confidentiality obligation under these provisions, a notification should be made to the BRSA, within six-month periods, regarding the information concerning the transfer and the non-disclosure agreement that was concluded. This provision aims at the privacy and security of the information concerned.
In line with the amendment made to Article 73 of Banking Law No. 5411 by Law No. 7222, the Board is authorized to restrict the transfer of data containing banking secrets and customer secrets, including in the exemption cases stated in Article 5 of the Regulation. In addition, the Regulation specifies that the principle of reciprocity should be followed with regard to the exemptions stated in Article 5 of the Regulation. Transfers between parties present in countries which violate the principle of reciprocity may be prohibited by the Board.
When disclosing information that can be regarded as a banking secret or customer secret to the controlling shareholder, the information shared should not reveal the customer's identity or make the customer identifiable. Disclosures within this scope should be made using pseudonymisation, anonymization or aggregation techniques.
With Article 7 of the Regulation, the establishment of an information sharing committee (“Information Sharing Committee”), whose terms of reference and rules of procedure are approved by the bank's board of directors, becomes compulsory for banks. The Information Sharing Committee is responsible for coordinating the sharing of information that can be regarded as a customer secret or banking secret, taking the principle of proportionality into account, and for evaluating and recording the disclosure requests received. It is also stated that the Information Sharing Committee shall consist of representatives of the business lines which request the disclosure of information or from which information is requested, the internal control unit, the compliance unit, the legal unit and the related asset owners.
Many doubts that may arise between the banking legislation and the personal data protection legislation are cleared up by the Regulation. The terms "confidential customer information" and "confidential banking information", whose scope has caused many debates, are concretely defined in a way that leaves no room for doubt as to their scope. In addition, the procedures and principles to be followed when disclosing information regarded as confidential customer information or confidential banking information are determined by the Regulation. Within this scope, the general principles of, and exemptions from, the obligation of confidentiality are determined.