15 June 2021

I. Introduction

Regulation on Sharing of Secret Information (“Regulation”) issued by the Banking Regulation and Supervision Agency (“BRSA”) has been published on the Official Gazette numbered 31501 and dated 4 June 2021 to enter into force on 1 January 2022.

The Regulation introduces detailed regulations in the point of intersection of the Banking Law No. 5411 (“Banking Law”) and the Personal Data Protection Law No. 6698 (“PDPL”) regarding the confidentiality obligation of those who learn the secrets of banks or their customers due to their duties. Since due to the risk-based nature of the sector, many data, some of which have the nature of personal data and some of which are purely confidential, are subjected to circulation, certain measures are introduced in the Regulation regarding the protection of such secret data within the framework of Article 73 of the Banking Law, regardless of whether they qualify as personal data or not.

You may find a brief review of the rules introduced by the Regulation in light of the relevant legislation below.

II. Present Regulations

Currently, Article 73 of the Banking Law regulates the general obligation to keep the information confidential for those who learn the secrets of banks or their customers due to their titles and duties. Members and personnel of the BRSA, Banking Regulation and Supervision Board (“Board”), Savings Deposit Insurance Fund Board are also included within the scope of this obligation. The article regulates the secrets of banks and their customers. Therefore, it is possible to express the material scope of the confidentiality obligation as "customer secret" and "banking secret". Those who learn this confidential information can only share this information with the authorities expressly authorized by law, even after their term of office expires, but certain exceptions are also provided. For instance, provided that a confidentiality agreement is made and the activity is limited to the stated purpose, all kinds of information and document exchanges between banks and financial institutions, (for example by Kredi Kayıt Bürosu A.Ş and applications such as Findeks, which is a side-institution of Kredi Kayıt Bürosu A.Ş). valuation studies of prospective buyers for the sale of shares representing ten percent or more of the capital of these institutions, or in the preparation of consolidated financial statements by the parent companies already holding such shares, in risk management and internal audit practices, the obligation of confidentiality will not be applied.

Data relating to natural person and legal entities formed after a customer relationship is established for a transaction specific to a banking activity, will be considered as customer secret. Besides from the exceptions to the confidentiality obligation, the sharing of such data is subject to the customer's request and instruction, regardless of the responsibility of obtaining explicit consent stipulated by the PDPL in certain cases. In addition, the Agency is authorized to impose restrictions to the transfer of customer secrets and banking secrets abroad, independent of the PDPL regulations, depending on economic security reasons.

In addition, the general principles stated in the PDPL, the principles of connection with purpose and relevance, and proportionality will also be applied in the sharing of these data, regardless of whether they contain personal data or not. Considering the sensitive nature of the data obtained during banking transactions, it is understood that providing a protection similar to the "special categories of data" in the personal data legislation is desired with these specific regulations. In fact, it is clear that banking transactions in which natural persons are a party will mostly make these persons identifiable and have the qualification of personal data. However, in the face of banking risks, legal entity financial data that the legal entity customer can evaluate as a trade secret in its field of activity are also included within this protective sphere. In any case, in addition to the reservations that legal entities may have, it is possible for the data belonging to legal entities to render the natural persons within the legal entity organization identifiable and to have the nature of personal data. However, it should not be forgotten that the banking legislation will also be applied outside of the cases covered by the PDPL, and it brings sector-specific regulations.

In case of the disclosure of customer secrets or banking secrets, sanctions may be imposed regarding the crime of "disclosure of information or documents in the form of trade secret, banking secret or customer secret" regulated in Article 239 of the Turkish Penal Code, as well as sanctions of non- compliance with the law and the secondary regulations specified in Article 148 of Banking Law.

III. New Regulations Introduced with the Regulation

 1. Notions related to the protection of personal data are included in the banking legislation.

With the Regulation, the notions in the legislation on the protection of personal data, such as data processing and anonymization, have been included in the banking legislation for the first time to the extent that they are compatible with the content of the legislation.

      1. Anonymization: Anonymization, which is frequently mentioned in the terminology of personal data protection and data security, is a main concept referring to the fundamental modification, grouping, obfuscation of data as a security measure, in a way that such data cannot be associated with any person again, and similar operations carried out for this purpose. In the Regulation, anonymization activities are stripped from the context of personal data and defined as rendering the data of both natural and legal person customers non-associable with an identifiable customer under any circumstances, even if they are matched with other data.
      2. Data Processing: In compliance with the personal data protection legislation, data processing refers to any operation performed on data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, sharing, transferring, taking over, making available, classifying or preventing the use of data. However, the limitation of "processing by fully or partially automatic or non-automatic means provided that it is a part of any data recording system" in the definition of data processing in the personal data protection legislation has not been recognized in the definition included in the Regulation. In fact, since this phrase in the PDPL is included in Article 2 regarding the scope of the law and aims to determine the scope of the personal data protection legislation, it is in accordance with the legal system that this phrase has not been included in the secrecy obligation regulations in the banking legislation, which is expected to have a wider application. Therefore, as it is clearly stated in the second paragraph of Article 4 of the Regulation, while activities such as “obtaining” personal data by automatic means or without being part of the data recording system will not be considered within the scope of the personal data protection legislation, such data will be considered within the scope of confidentiality obligation if it does qualify as a customer secret or a banking secret.
      3. Aggregation: Although the concept of aggregation used in the Regulation is a concept that was not previously included in our legislation, it has taken its place in the Regulation as a common anonymization technique. In summary, it is the expression of a large number of data in a general and concise way by removing its sub-categories. For example, expressing a data set containing the names, ages and shoe numbers of people as “Thirty percent of sixteen-year-olds have a shoe size of thirty-six” and storing the data by replacing the data with the aggregated data means the aggregation method is used.
      4. De-identification: The definition of de-identification, which was first included in the Regulation on Personal Health Data in the legislation on the protection of personal data, was expanded in the Regulation to include legal persons as well as natural persons. Essentially, this term is similar to anonymization, but non-association is not sought, rather, it is deemed sufficient to take technical and administrative measures and that the data is not actually associated with the relevant persons. In this context, it can be said that, essentially, pseudonymization is meant here as a technical security measure. Pseudonymization refers to techniques that allow data to be changed in a way that at first glance cannot be associated with any person. The difference from anonymization is that the transaction in question is reversible, that is, the data in question can be reverse engineered to be associated with certain persons again with certain procedures. However, the data in question will continue to be confidential within the scope of banking legislation and personal data within the scope of the personal data legislation.

2. The scope of the confidentiality obligation is extended:

The limited definition of becoming customer secret is extended by also preserving the fundamental philosophy embraced by the Article 73 of Banking Law. Accordingly, obtaining and learning customer secret information held by another bank is subject to the confidentiality obligation. In another words, although the definition of customer secret is indicating the confidential information of bank’s customers, with the regulation its meaning exceeds this definition and is not limited within its scope to a bank’s customers’ information. Likewise, such information, that is, information that is not a customer secret can be considered as customer secret, if it is processed in a way that reveals the customer’s identity or with the information obtained after the establishment of the customer relationship. From then on, such data will also be regarded within the scope of the confidentiality obligation.

3. The sharing of confidential information is regulated in detail and subjected to some general principles:

The principle of having the customer’s request independent from the necessity of explicit consent in terms of PDPL is preserved regarding the sharing of confidential data.

According to paragraph 3 of Article 6 of the Regulation which takes an approach that regards the interests of the customer, explicit consent, request or demand cannot be the presented as a pre- condition to services. Besides, detailed provisions are provided regarding the format of such demand and request. Accordingly, customers’ demand can include more than one transaction and can be for an indefinite period for ongoing transactions on the condition that the customer’s demand is provable and can be retracted or modified upon the request of the customer by following the same procedure. It is fundamental that the customer is able to inquire and view his/her given demand or requests through the distribution channels of electronic banking services.

For transactions like domestic and international fund transfer, foreign letter of credit, letter of guarantee and letter of reference in which due to the nature of transaction, it is essential to share confidential information in form of customer secret with domestic or foreign parties in order to complete the transaction and where it is necessary to interact with a domestic or foreign bank, payment service provider, payment, securities settlement or message systems, transactions to be initiated by the customer or entry of an order through distribution channels of banking services by the customer is to be regarded as a customer request or demand indicated in the third paragraph.

In addition, it is regulated that compliance with certain general principles is necessary for the sharing of information. Thereby, a more substantive approach is embraced rather than that of a procedural approach as is the case with the PDPL. Besides, general principles specified in the PDPL regarding personal data are reserved.

These principles will be implemented for the sharing of both customer secrets and banking secrets. Such disclosures should be in compliance with the principles of proportionality and purpose limitation. Proportionality should be determined according to the amount of data required within the scope of the stated purpose. The regulation regulates this matter concretely with additional compulsory measures which aims to maintain proportionality:

      1. Data disclosure should include the amount of data that is required by the relevant purpose.
      2. It should be provable that data or data sets involved in data disclosure is necessary for the fulfilment of the indicated purposes.
      3. Pseudonymisation, anonymization or aggregation methods should be followed if the afore- mentioned purposes can also be fulfilled where these methods are applied.
      4. If customer whose data is to be shared is not also a common customer of the controlling shareholder or the group company, confidential information to be shared with these parties shall not indicate the identity of the customer or make it identifiable. In this case, methods indicated in paragraph (c) should be followed.
      5. Parties to be included in the sharing of data and methods of disclosure should be arranged in a manner that creates minimum amount of copies of the data.

Another matter to be pointed out is, exceptions to the confidentiality obligation will also be subject to the proportionality principle indicated in the Article. This situation is in harmony with the PDPL as the disclosure of data exempted from the explicit consent requirement will also need to comply with the general principles.

Finally, the evaluation of the principle of proportionality is limited with the satisfaction of the customers’ demand or request in disclosures that are made upon the request or demand of the customer. However, in this case, the data sets that is requested or demanded to be shared by the customer should not contain confidential information concerning other customers and other banks’ customers.

4. The exceptions provided in the Banking Law is preserved, in addition, disclosure of information in accordance with a board of directors’ resolution is exempted from the obligation of confidentiality:

Although exceptions in which confidentiality obligation will not be applied are in line with the Article73/4 of the Banking Law, the Regulation states that in addition to the exceptions specified in the Banking Law, information which are not regarded as a customer secret but count as a banking secret can be disclosed through a decision of the board of directors. The subsequent disclosure will be made according to this provision under the liability of the bank.

Another exception foreseen in the Regulation concerns the confirmation of information qualifying as customer secrets by public institutions and organizations. Banks, risk centers or companies like Kredi Kayıt Bürosu A.Ş. established by at least five banks or financial institutions can respond to the queries of public institutions and organizations, regarding the confirmation of customer secrets which the costumer has provided by its own request, upon the request of customer. Such responses do not constitute a violation of confidentiality obligation if they are in the form of evaluating whether such information is true or not.

Likewise, sharing information that can be seen as customer secret or bank secret with authorities competent to solve disputes or with parties representing the bank for the establishment of a right within the subject jurisdiction does not breach the confidentiality obligation.

5. Obligation of reporting to BRSA is imposed.

Providing information and documents to the controlling shareholder holding ten or more percent shares within the scope of preparing consolidated financial statements, or risk management and internal audit practices is counted as one of the exemptions of the confidentiality obligation in both Banking law and the Regulation. With the Regulation, a new duty is imposed regarding the application of such exemption.

A notification should be made to the BRSA regarding the information concerning the transfer and the non-disclosure agreement, which was concluded, within six months periods in order to be exempted from the obligation of confidentiality pursuant to these provisions. Privacy and security of the information concerned is aimed with this provision.

6. The principle of reciprocity is accepted when exemptions are applied.

In line with the amendment made in Article 73 of Banking Law No.5411 with the Law No. 7222, the Board is authorized to restrict the transfer of data containing bank secrets and customer secrets including exemptional situations stated in Article 5 of the Regulation. In addition, in the Regulation it is specified that, the principle of reciprocity should be followed in regards of exemptions stated in Article 5 of the Regulation. Transfers that take place between parties present in countries which violates the principle of reciprocity could be prohibited by the Board.

7. Disclosures that occur within the scope of internal audit practices between controlling shareholders and banks should not contain data that could make the customers identifiable.

While disclosing the information that can be regarded as a banking secret or customer secret with the controlling shareholder, the information shared should not identify the customer’s identity or should not make it identifiable. The disclosure that occurs within this scope, should be made by using pseudonymisation, anonymization or aggregation techniques.

8. Information Sharing Committees must be established.

With Article 7 of the Regulation, establishment of an information sharing committee (“Information Sharing Committee”) whose terms of reference and rules of procedure are approved by the board of directors of the bank, become compulsory for banks. Information Sharing Committee is liable for the coordination of the information which can be regarded as a customer secret or bank secret taking the principle of proportionality into account and is liable for evaluating the received requests of disclosure and recording of such requests. It is also stated that, Information Sharing Committee shall consist of business lines which request the disclosure of information or from which information is requested, internal control unit, compliance unit and representatives of the legal unit and related asset owners.

IV. Conclusion

Many doubts that may arise between banking legislation and the personal data protection legislation are cleared with the Regulation. The terms of confidential customer information and confidential banking information that have caused many debates in terms of their scope, are concretely defined in a way that leaves no room for doubt with regards to their scope. In addition, procedures and principles that should be followed while disclosing information which are regarded as confidential customer information and confidential banking information are determined with the Regulation. Within this scope, general principles of and exemptions to the obligation of confidentiality, are determined.