Author: Sevgi Unsal Ozden
Introduction
The Banking Regulation and Supervision Authority (“BRSA”) was authorized to determine the scope, form, procedures and principles regarding the sharing and transferring of confidential information within the scope of the amendment[1] made in Article 73 of Banking Law No. 5411 (“Law”) last year. Accordingly, the long-awaited regulation (“Regulation”), which aims to clarify the confidentiality obligation, which is one of the most important obligations of banks, the exceptions to this obligation and the concept of customer secrets, was published as a draft on the website of the BRSA,[2] by considering the authorization set forth under Article 73 and Article 93, titled “Duties and powers of the Agency” of the Law.
What Does the Regulation Determine?
When the justification and the provisions of the Regulation are examined that the definitions of concepts, such as customer secrets, data processing and pseudonymization are elaborated upon, the principles regarding information sharing are determined, along with the clarification of the exceptions to the confidentiality obligation.
Customer Secret
As per Article 73/3 of the Law, data and information belonging to natural persons or legal entities collected in the course of banking activities and transactions after the establishment of customer relations with banks become, and are classified as, customer secrets. The Regulation expands this definition and sets forth that any information showing that a real or legal person customer is a customer of the bank, is also deemed as customer secrets. It further regulates that even if a customer relationship has not been established, obtaining and learning customer secrets held by another bank will be considered within the scope of the confidentiality obligation. Moreover, pursuant to the Regulation, data that exists prior to the customer relationship with the banks, and which is not held by another bank as a customer secret, becomes a customer secret if it is processed in a way that identifies such person as a bank customer on its own, or when processed together with the customer secret data, which is formed after a bank-customer relationship is established.
It is also seen that the Regulation includes the definition of pseudonymization and data processing in parallel with Personal Data Protection Law No.6698 (“Law No.6698”). Article 3/1(i) defines the pseudonymization by considering the banking activities and the characteristics of the finance sector as follows: “Processing of customer-related data in a manner that cannot be linked with the customer, provided that technical and administrative measures are taken in order not to link the customer with an identified or identifiable real/legal person and without combining it with other data stored in a different platform.”
Confidentiality Obligation
The confidentiality obligation was regulated in parallel with the banking legislation as the following: Those who, by virtue of their positions or in the course of performance of their duties, have access to a bank secret or customer secret are not permitted to disclose such confidential information to any person or entity other than the authorities explicitly authorized by law. This obligation shall also be applicable in cases where the information identified as a customer secret is obtained and learned through non-automatic methods or are not a part of any data recording system.
The Exceptions to the Obligation of Confidentiality
As a principle, sharing the information classified as a bank or customer secret with the authorities that are explicitly authorized by the law do not constitute a violation of the confidentiality obligation. Moreover, in cases that are explained in detail under Article 6 of the Regulation, sharing bank or customer secrets will not be considered as a breach of the obligation of confidentiality, provided that a confidentiality agreement is concluded and limited only to specified purposes. These exceptions may be briefly listed as follows:
- Exchanging information and documents between banks and financial institutions;
- Sharing information and documents for the preparation of consolidated financial reports, risk management and internal audit purposes;
- Sharing information and documents as a part of the valuation process for the sale of shares;
- Providing information and documents to service providers in connection with assessments, ratings or support services, independent audits or service procurement;
- Disclosure of confidential information that is not a client secret, but only a bank secret, to third parties pursuant to a board of directors’ resolution of the bank;
- The verification of customer information provided to public institutions by the customer’s request by banks, risk centers, or companies established by at least five banks or financial institutions.
Although some of the exceptions to the obligation of confidentiality were included in Article 73 of the Law, there may be discrepancy about which cases are considered to be exceptions or in which cases the customer request or instructions are required. On the other hand, within the framework of Article 6 of the Regulation, it is seen that the exceptions to the confidentiality obligation are explained in detail as subclauses in a way to clarify such discrepancies, and that under which conditions and to whom the information sharing will be accepted as an exception, and that some of the exception cases (such as disclosures for the preparation of consolidated financial reports, risk management and internal audit purposes) are clarified. For instance, it is stated in the Regulation that the data transfer for risk management purposes covers all risk management activities, including compliance, credit, and reputation risks included in the ISEDES Regulation.[3]
The Regulation further indicates that the obligation to obtain the request or instruction of the customer shall be met for information sharing within the scope of outsourced services, if the outsourced service is not within the scope of the primary systems.
General Principles Regarding the Sharing of Confidential Information
The Regulation determines the general principles and procedures regarding the transfer of the confidential information as well as specific issues related to the sharing to be made in exceptional cases.
In principle, the Regulation emphasizes that customer secrets and bank secrets should be transferred in accordance with the principle of proportionality, limited to specified purposes, and necessary for those purposes. Furthermore, it is pointed out that if the purposes in question could still be achieved when the shared data is aggregated, anonymized or pseudonymized, these methods should be applied. It is also obligatory to comply with the general principles[4] regulated under Article 4 of Law No. 6698 while sharing confidential information of real person customers. On the other hand, the domestic or cross-border transfer of the personal data with regard to health and sexual life are strictly prohibited even if such personal data are considered as customer secrets.
Pursuant to Article 6, in line with Article 73/3 of the Law, data and information classified as customer secrets cannot be shared with third parties resident in Turkey or abroad, without a demand or instruction received from the customer, even if the customer’s explicit consent is taken pursuant to Law No. 6698, except for the cases and events exempted from the confidentiality obligation.
Customer requests and instructions may be in written form or be received through data storage, provided that it could be proved. Furthermore, if interaction with bank, payment service provider, or payment or messaging systems is necessary due to the nature of the transaction, and disclosure of the customer secret is mandatory for the completion of the transaction, such as domestic/international fund transfers, international letter of credit, letter of guarantee and reference letter, initiation of the transaction or order entries through distribution channels of electronic banking services by the customer for transactions will constitute customer request or instruction. It is clear that especially this sub-Article will shed light on the applications of the banks.
Information Sharing Committee
Another change stipulated by the Regulation is the information sharing committee. Hereunder, the banks are obliged to establish an information sharing committee that will be responsible for coordinating the sharing of the confidential customer information and bank secret, and evaluating the appropriateness of the sharing requests. The Regulation also determines that this committee, as a minimum, shall consist of representatives of the business line, internal control unit, compliance unit, legal unit and related asset owners who request information sharing or from which information is requested.
In addition, with the enactment of the Regulation, the details of the sharing information, including a copy of the confidentiality agreement regarding the transfer made in some cases accepted as an exception to the confidentiality obligation, and the technical and administrative measures taken are requested to be reported to the Banking Regulation and Supervision Agency in six-month periods.
Conclusion
As stated in the justification of the Regulation, it is aimed that the provisions of this Regulation, which are anticipated following the latest amendments in Article 73 of the Law, will guide the banks in domestic and cross-border transfers and eliminate any hesitancy that may exist in practice. The impact of the draft Regulation, which was published by the BRSA on their website and opened for public opinion, on the sector practices will be seen with the enactment. As per the announcement of the BRSA, the opinions with regard to the Regulation may be sent through e-mail. Therefore, it should be noted that the version to be entered into force may vary.
[1]Law No. 7222 regarding the amendments to the Banking Law and certain other Laws entered into force after being published in the Official Gazette dated 25.02.2020 and numbered 31050. https://www.resmigazete.gov.tr/eskiler/2020/02/20200225-12.htm (Access Date: 29.03.2021).
[2] https://www.bddk.org.tr/Mevzuat-Kategori/Duzenleme-Taslaklari/11 (Access Date: 29.03.2021).
[3]Regulation on Internal Systems of Banks and Internal Capital Adequacy Assessment Process (ISEDES Regulation) was published in the Official Gazette dated 11.07.2014 and numbered 29057 and entered into force, https://www.mevzuat.gov.tr/File/GeneratePdf?mevzuatNo=19864&mevzuatTur=KurumVeKurulusYonetmeligi&mevzuatTertip=5 (Access Date: 29.03.2021).
[4]Pursuant to Article 4 of Law No. 6698; “a) Lawfulness and fairness; b) Being accurate and kept up to date where necessary; c) Being processed for specified, explicit and legitimate purposes; c) Being relevant, limited and proportionate to the purposes for which they are processed; d) Being stored for the period laid down by the relevant legislation, or the period required for the purpose for which the personal data are processed.” https://www.resmigazete.gov.tr/eskiler/2016/04/20160407-8.pdf (Access Date: 29.03.2021).