The risks of a bank outsourcing its information technology must be balanced against the secrecy obligations set forth under the Turkish Banks' Act Number 4389, which is not wholly clear on this matter. The Turkish Banking Regulation and Supervision Agency (BRSA) issued a regulation in 2001, the Regulation on Banks' Internal Control and Risk Management Systems, which set forth the principles and procedures of the internal monitoring, control and risk management systems that banks must set up to monitor and control the risks to which they are exposed. Following this, the BRSA announced a draft regulation on its website, the Draft Communiqué regarding the application of the Banks' Internal Control and Risk Management Systems Regulation.
According to the Banks' Act, bank officers and third parties disclosing confidential information of a bank and its clients will be in violation of the law and subject to fines and imprisonment. What is considered confidential information is not specifically defined in the Banks' Act. However, according to scholarly opinion and practice, confidential information should be broadly interpreted. Any personal information provided by a client to its bank without explicit or implicit permission for its disclosure should be deemed confidential information of the client (for example, assets and cash flow, personal information, credit records or information about legal proceedings), and any information regarding the activities of a bank should be deemed a bank's confidential information (for example, financial sources or correspondence).
The Regulation provides that, to prevent any negative effects on their ability to provide basic financial services, banks should establish plans regarding their information systems and other important systems to ensure the continuity of their activities and periodically test these plans by also taking into consideration alternative outsourcing options.
The Draft Communiqué, which has not yet been promulgated, also mentions outsourced information technology functions. The Draft Communiqué, in its relevant provision, regulates information technology control systems by stating that the bank management must take all the necessary measures to solve and avoid any problems arising from information technology systems. In this regard, it is stated that the bank management should review the measures taken to avoid lack of control, illegal use, fraud or leakage (unauthorized dissemination) of confidential and critical information in its outsourced services and in services provided from outside the bank. Neither the Regulation nor the Draft Communiqué, however, specifically states which measures should be taken. Efficient monitoring will help to eliminate the risk of bank secrecy violations, and the practices to be developed may also lead the regulators to set forth guiding rules and principles with respect to outsourcing of information technology services by the banks.