The Banking Regulation and Supervision Authority (“BRSA”) has published Additional Explanations on the Implementation of the Regulation on Sharing Confidential Information in order to eliminate the difficulties experienced in practice with regards to its decision dated 11 August 2022 and numbered 10295.
Pursuant to article 73/3 of Banking Law numbered 5411, a “client secret ” consists of data specific to banking activities that are generated after the establishment of a client relationship with the bank. However, even if a client relationship has not been established, obtaining and learning client secret held by another bank is also within the scope of the confidentiality obligation.
Therefore, information regarding the bank’s operations and management principles, which may contain information about the bank’s potential, is considered as a “bank secret” and cannot be disclosed to anyone other than the authorities authorized by law, except for the exceptional circumstances listed in the Regulation.
For a sharing of bank and client secrets not to constitute a breach of the confidentiality obligation, either (i) a confidentiality agreement should be concluded between the parties or (ii) such confidential information should be limited only for the specified purposes. Such disclosures are expected to comply with the proportionality principle.
The requirement of being a common client, which is mandatory for open sharing of confidential client information, is not required for sharing within the scope of articles 5/2(b) and 5/3 of the Regulation and only in the following cases:
- Sharing of comprehensive data on a large number of clients, such as loan provision calculations and internal capital adequacy calculations, provided that the BRSA’s consent is obtained prior to disclosure,
- Disclosures to be made for the purpose of counterparty’s compliance risk, provided that the BRSA’s consent is obtained prior to disclosure,
- Disclosures to be made for consolidated risk management purposes that include data on a real or legal person or a risk group to which a loan of 10% or more of the shares of the bank or bank assets has been extended, without the need to obtain the BRSA’s consent prior to disclosure.
The Regulation also regulates other exceptions to the confidentiality obligation. In this context,
- Bank secret, which does not constitute a client secret but only contains information belonging to the bank, may be shared with third parties under the responsibility of the bank upon the decision of the board of directors of the bank.
- Client secret provided by the client to a public institution or organization for the execution of any transaction may be shared by banks, with Risk Center or companies established by at least five banks or financial institutions in order to be confirmed by the public institution or organization, and provided that the client’s request or instruction is received to provide information to the relevant public institution or organization regarding the accuracy of the information.
- If it is mandatory to prove claims or defenses in disputes to which the bank is a party, client secret or bank secret may be shared with the competent authorities or persons authorized.
Client secret cannot be shared with domestic and foreign third parties without a request or instruction from the client, even if the client’s explicit consent is obtained, and the client’s explicit consent or request or instruction to share the information cannot be made a prerequisite for the services to be provided by the bank. However, the exceptional cases in article 5 of the above-mentioned Regulation are considered as exceptions to this situation.
In conclusion, the Regulation sets out the concepts, procedures and principles regarding the sharing of client and bank secret information, imposes a reporting obligation to the BRSA for information to be shared by banks with the parent company, clarifies the scope of the sharing that banks may do, and addresses issues such as data transfer abroad.
The full text of the Announcement is available at this link. (Only in Turkish version)