Regulation on Sharing of Secret Information ("Regulation") issued by the Banking Regulation and Supervision Agency ("BRSA") has been published in the Official Gazette numbered 31501 and dated June 4, 2021 and will enter into force on January 1, 2022. The purpose of the Regulation is to determine the scope, form, procedures and principles regarding the sharing and transfer of bank secret and customer secret information, and the Regulation introduces detailed regulations regarding the confidentiality obligation. In this regard, we will focus on the new regulations introduced by the Regulation.
I. What is New?
A. Confidentiality of "Customer Secret"
The Regulation defines the "customer secret". As per Article 4/3 of the Regulation, information of a real or legal person, which are collected after establishing a customer relationship with banks specific to banking activities, are defined as customer secrets. Any information showing that a real or legal person is a customer of the bank will also be within the scope of customer secret. In addition, according to the Regulation, obtaining and learning customer secret information held by another bank is also subject to the confidentiality obligation.
Pursuant to Article 4/1 of the Regulation, persons who find out the secrets of banks or their customers due to their titles and duties will not be able to disclose such secrets to anyone other than the authorities expressly authorized by law. Even if a customer relationship has not been established, the confidentiality obligation will continue in case of obtaining and learning the customer secret information held by another bank.
B. Exemptions to the Confidentiality Obligation
The Regulation is in parallel with Article 73/4 of the Banking Law in terms of the exemptions to the confidentiality obligation. As per Article 5/1 of the Regulation, disclosure of secret information to those who are authorized by the law does not result in violation of the confidentiality obligation.
On the other hand, provided that a confidentiality agreement is signed and limited only to the stated purposes, sharing of bank secrets or customer secrets in the following cases will not constitute a violation of the confidentiality obligation:
- Exchange of information and documents between banks and financial institutions and exchange of information and documents through the Risk Centre or companies established by at least five banks or financial institutions.
- Providing information and documents to banks' parent companies, including domestic or foreign credit institutions and financial institutions, which have 10% or more of their capital, within the scope of preparation of consolidated financial statements, risk management and internal audit practices.
- Providing information and documents to prospective buyers to be used in valuation studies for the purpose of selling shares representing 10% or more of the bank's capital through direct or indirect ownership, or for the purpose of selling assets including loans or securities based on these assets.
- Providing information and documents to those who provide this service to be used in valuation, rating, support services and independent audit activities or in transactions for service procurement, provided that the necessary technical and administrative measures are taken.
Provided that the sharing to be made within the scope of subparagraph (b) is limited only to the purposes specified in the aforementioned paragraph, a confidentiality agreement is made and the other party takes the necessary technical and administrative measures with the provisions of the said agreement, concluding a confidentiality agreement with the controlling shareholder or with a group company to be determined by the controlling shareholder/parent company, from which it receives services within the scope of consolidated financial statement preparation or consolidated risk management practices, will not constitute a breach of confidentiality obligation.
According to Article 5/9 of the Regulation, a copy of the confidentiality agreement regarding the shares to be made within the scope of subparagraph (b), the purposes of the sharing, the technical and administrative measures taken by the controlling shareholder/parent company or the parties from which the controlling shareholder/parent company receives services in this context to ensure the confidentiality and security of confidential information and the title and country information of all third parties to whom information in the nature of bank secrets and customer secrets is transferred, is immediately reported to the BRSA in every 6 (six) months and in case of a critical change, in accordance with the format and methods deemed appropriate by the BRSA.
Pursuant to Article 5/5 of the Regulation, sharing information that is not a customer secret, but only a bank secret, through the decision of the bank's board of directors, does not constitute a violation of the confidentiality obligation.
In addition, provided that the customer's request or instruction is received to confirm the customer secret information given by the customers to the public institutions and organizations at their own request by the banks, the Risk Center or companies established by at least five banks or financial institutions, responding to the aforementioned public institutions and organizations only as to whether the information in question is correct will not constitute a violation of the confidentiality obligation.
As per Article 5/7 of the Regulation, providing information to the authorities authorized to settle the dispute and their representatives in case of a dispute between the bank and the customer, provided that the customer's secret and the bank secrets are necessary for the bank to exercise its right of claim and defense and pursuant to Article 5/8 of the Regulation, sharing the information by the financial group affiliates within the group regarding accounts, transactions and customer will also not constitute a violation of the confidentiality obligation.
C. General Principles Regarding Sharing Confidential Information
According to Article 6 of the Regulation, the customer secrets and bank secrets may be shared only for certain purposes and in accordance with the principle of proportionality, provided that they contain as much data as required for these purposes. In this context, with regards to the principle of proportionality, the sharing must contain as much data as required by the purposes, and must be demonstrable as necessary for the realization of the stated purposes. On the other hand, when the data to be shared is aggregated, de-identified or anonymized, if these purposes can still be achieved, these methods should be applied and include minimum data. If the data is related to a natural person, it will be necessary to comply with the general principles in the Law on the Protection of Personal Data.
Information that is a customer secret cannot be shared with third parties in the country or abroad without a request or instruction from the customer, even with the explicit consent of the customer, except for the cases that are exempted from the confidentiality obligation. The customer's consent or request or instruction to share their information cannot be made a prerequisite for the services to be provided by the bank.
In accordance with Article 6/9 of the Regulation, upon the request of foreign authorities that are equivalent of the Banking Regulation and Supervision Agency, information sharing will be carried out directly by the Agency. If the information available to the Agency is not sufficient, information sharing will be carried out by the banks within the permission given by the Banking Regulation and Supervision Agency.
As per Article 6/11 of the Regulation, as a result of its assessment on economic security, the Board may prohibit the sharing of all kinds of information, which are customer secrets or bank secrets, with third parties abroad, including sharing within the scope of exceptions to the obligation to keep secrets.
D. Information Sharing Committee
Pursuant to Article 7 of the Regulation, banks are required to establish an Information Sharing Committee, whose job descriptions and working principles are approved by the related bank's board of directors, which is responsible for coordinating the sharing of customer secrets and bank secrets, taking into account the principle of proportionality, and for assessing the appropriateness of incoming sharing requests and recording these evaluations. At a minimum, this committee will consist of representatives of the business line, internal control unit, compliance unit and legal unit and related asset owners who request or are asked to share information.
A new regulation about sharing of secret information has been published on the Official Gazette and will enter into force on January 1, 2022. The Regulation on Sharing of Secret Information regulates the confidentiality obligation regarding banks and customer secrets regulated in the Banking Law in detail. With the Regulation, some new regulations have been envisaged regarding confidential information and the sharing of this information. In summary, these regulations are the confidentiality obligation and its exemptions, general principles regarding sharing confidential information and obligation to establish an information sharing committee.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
By Gonenc Gurkaynak, Partner, Nazli Nil Yukaruc, Partner, and Nisa Aybuke Eroglu, Associate, ELIG Gürkaynak Attorneys-at-Law