The Regulation On Disclosure Of Client Information
In 2020, additional regulations were introduced to Article 73 of the Banking Law No. 5411 (“Law”) titled “Confidentiality”, and these regulations were criticized for being open to interpretation and for their references to the Law on Protection of Personal Data No. 6698 (“LPPD”). One of the amendments introduced last year was the authorization of the Banking Regulation and Supervision Authority (“BRSA”) to determine the scope, form, procedures, and principles regarding the sharing and transfer of confidential information and to impose restrictions on these.
BRSA carried out the necessary studies and accordingly, the Regulation on Disclosure of Client Information (“Regulation”), which will enter into force on 1st of January 2022, regarding the sharing and transfer of information in the nature of bank and client secrets, was published in the Official Gazette No. 31501 on 4 June 2021.
WHAT DOES THE REGULATION BRING?
With the Regulation, the confidentiality obligation regulated in Article 73 of the Law, the exceptions to this obligation and the concepts of client secret have been clarified and the results connected to these concepts have been detailed. At the same time, the procedures and principles regarding the sharing and transferring of the bank and client secrets were regulated.
In the Regulation, similarly to Article 73 of the Law, it is stated that those who learn the bank or client secrets due to their titles and duties, cannot disclose the said secrets to anyone other than the authorities expressly authorized by law in this regard. It is underlined that this obligation will continue after the relevant persons leave their duties.
So, what kind of information will be considered confidential within the scope of this legislation? 'Client secret' is defined as the data belonging to real and legal persons formed after establishment of a client relationship with banks specifically for banking activities, and any information evidencing that a person is a bank client is also included in this scope. In addition, even if a client relationship has not been established, client secrets held by another bank are also included in the scope of the confidentiality obligation.
Exceptions to the Confidentiality Obligation
Exceptions to the confidentiality obligation are regulated in Article 5 of the Regulation. It has been stated that the disclosures made to the authorities expressly authorized by law and the following situations will be considered as exceptions provided that a confidentiality agreement is signed and is limited to the stated purposes only:
- Exchange of all kinds of information and documents between banks and financial institutions directly or through companies to be established by the Risk Center or at least five banks or financial institutions.
- Providing information and documents to the banks' parent companies, including domestic or foreign credit institutions and financial institutions, which have ten percent or more of their capital, within the scope of preparation of consolidated financial statements, risk management, and internal audit practices.
- Providing information and documents to prospective buyers to be used in valuation studies to be made for the purpose of sale of shares representing ten percent or more of the bank's capital through direct or indirect shareholding or providing information and documents to be used in valuation studies to be made for the purpose of selling assets including loans or securities based on these assets.
- Providing information and documents to those who provide this service to be used in valuation, rating, support services, and independent audit activities or in transactions for service procurement, provided that the necessary technical and administrative measures are taken.
On the other hand, confidential information that is not a client secret, but only a bank secret, and that relates only to the bank may be shared with third parties pursuant to a board of directors’ resolution of the bank. The bank will remain liable for this disclosure.
Moreover, in cases where it is mandatory to prove facts related to disputes in which the banks are a party, bank or client secrets of one of the parties to the dispute may be shared with domestic and international courts, institutions and representatives for the performance of judicial activities.
In accordance with the Regulation, a reporting obligation has been introduced for disclosures within the scope of consolidated financial statement preparation studies, risk management, and internal audit practices, and it is stipulated that the reporting shall be made to the Authority in 6-month periods (immediately in case of a critical change), including the information specified in the Regulation. As can be seen, even in exceptional cases, these disclosures will be kept under control through these reports.
General Principles Regarding Sharing Confidential Information
Pursuant to Article 6 of the Regulation, general principles regarding the disclosures have been determined and it has been stated that data can be shared only within the limits of the stated purposes and in accordance with the principle of proportionality. It has been noted that if the stated purpose can be achieved without any part of the shared data, the disclosure will not be in compliance with the principle of proportionality. The minimum amount of data that should be included in the scope of the proportionality principle is provided in detail in the relevant article.
In Article 6/2 of the Regulation, it is emphasized that the general principles regarding the processing of personal data regulated in Article 4 of the LPPD must be complied with when sharing confidential information regarding real person clients. In addition, if the client’s secret is data related to health and sexual life, which is considered as sensitive personal data in accordance with the LPPD, it is regulated that it cannot be shared with parties in Turkey or abroad even on the basis of the exceptions from the confidentiality obligation in Article 5 of the Regulation. At this point, it is seen that LPPD will be applied with priority in terms of sensitive personal data.
Pursuant to paragraph 3 of the same article, client secrets cannot be shared with third parties in the country or abroad without a request or instruction from the client, even if the clients' explicit consent is obtained, except in cases exempted from the confidentiality obligation. In accordance with the rule in the LPPD on binding the service to the condition of explicit consent, it is stated that the client’s explicit consent to the disclosure or giving a request or instruction cannot be made a prerequisite for the services to be provided by the bank. It should be noted that requests or instructions received from the client in this regard must be provable.
In case the disclosure of client secrets is mandatory for transactions to be made with parties such as banks and payment service providers established in Turkey or abroad, as well as for transactions such as domestic/international fund transfers, international letter of credit, letter of guarantee, (i) initiation of the relevant transaction by the client or (ii) electronic entry of orders by the client through distribution channels for banking services will replace the client's request or instruction. In addition, it has been stated that it is mandatory to have a request or instruction from the client for the disclosure to be made regarding support services or service purchases other than valuation, rating, and independent auditing that are not within the scope of primary systems.
The Regulation also covers the conduct of audits and requests for information at their branches or partnerships in Turkey by authorities that are authorized to audit pursuant to the laws of foreign countries and that are equivalent to the Banking Regulation and Supervision Authority (“Authority”), as well as the fulfillment of these authorities' information requests regarding the information included in the consolidation of foreign branches or partnerships of banks. In this case, according to Article 98 of the Law, which regulates cooperation between institutions, it is stipulated that if it is possible to meet the information request with the information held by the Authority, it will be fulfilled directly by the Authority, and if it is not sufficient, it will be fulfilled by the banks with the permission given by the Board. In addition, it has been stated that the disclosure of information that is not a client secret but a bank secret to these authorities, upon the request of the equivalent foreign authorities and provided that a written notification is made to the Authority before disclosure, will not constitute a violation of this paragraph.
In addition, the Board has been authorized, as a result of its assessment of economic security, to prohibit the disclosure of all kinds of data that are bank and client secrets to third parties abroad, including in the cases exempted from the confidentiality obligation. The importance of the principle of reciprocity was emphasized while making an assessment on this subject.
Obligation to Establish an Information Sharing Committee:
Article 7 of the Regulation requires banks to establish an “Information Sharing Committee”. The obligation of the Information Sharing Committee is (i) to coordinate the sharing of client secrets or bank secrets in accordance with the principle of proportionality, (ii) to evaluate the appropriateness of incoming sharing requests, and (iii) to record the relevant evaluations, including the cases that are exempted from the confidentiality obligation. The Regulation also specifies the persons of whom the Committee should be composed.
As a result, with Article 73 of the Law and the "Regulation on Sharing Confidential Information", which is planned to enter into force on January 1, 2022, the principles and exceptions regarding the confidentiality obligation regarding client and bank secrets have been clarified and it has become mandatory for banks to establish an Information Sharing Committee. In addition, by making parallel arrangements with the LPPD in the said legislation, the personal data characteristic of client secrets was once again emphasized.