Similar to the worldwide trend, financial institutions in Turkey are increasingly willing to outsource their financial services, prompted by the need for expertise in the fast-developing information technology sector and cost-efficiency concerns. This trend is also driven by improved foreign investment into the Turkish banking and financial system – foreign investors prefer to set up outsourcing arrangements in Turkey similar to those in their countries or in other jurisdictions where they do business.
The Banking Act 5411 and the secondary legislation issued by the Banking Regulation and Supervision Agency (BRSA) set out guidelines on outsourcing.
Article 3 of the Banking Act defines service-providing institutions as institutions that provide services to banks as an extension of, and/or complementary to, core services within the framework of the principles and procedures to be set by the BRSA in separate regulations (not yet enacted but expected by November 1 2006) and in compliance with Basel II rules and regulations.
The Banking Act further provides that, although a confidentiality obligation applies to the service-providing institutions and their employees, the exchange of information between credit, financial and service-providing institutions under written contracts for procurement of services to monitor, evaluate and control the risk status of clients and to provide customer services would not breach the bank confidentiality obligations.
Information Systems Audit Regulation
According to this Regulation, issued by the BRSA in May, information system audits comprise audits of:
- application programming, required every year;
- general control areas, required once every two years, and comprising audit of planning and organization, supply and application, service and outsourcing, and monitoring and evaluation (including audit of compliance with legislation); and
- the two areas above at the same time.
The periods or the scope of the audit may vary at the discretion of the BRSA.
The Information Systems Audit Regulation states that the audit company, while conducting its audit, will consider the effect of the outsourced services on information systems and financial data production processes, and may also ask for, and evaluate, the audit reports prepared regarding the outsourcing company.
Further, if the bank carries out certain activities through outsourcing, the audit contract between the bank and the audit company should include provisions ensuring meetings and discussions will be held between the audit and the outsourcing companies.
Risk Management Regulation
The Risk Management Regulation governs a bank's outsourcing and information systems and states that, to ensure proper functioning of internal control mechanisms and to satisfy information needs, a reliable and efficient management information system must be established that enables data and other information to be stored and used in electronic form. The information must be reliable, timely, accessible, and provided in a consistent format. All precautions should be taken to ensure compliance with secrecy rules and regulations, and that the information can only be accessed by authorized personnel.
The Risk Management Regulation requires banks to establish plans regarding their information systems and other necessary systems for the continuity of their activities and to periodically test these plans by also considering other outsourcing options, to prevent any negative effects on their ability to provide basic financial services.
Although the conclusive approach of the BRSA as to how far the scope of outsourcing can be extended is unclear, it is likely that the BRSA will first consider whether the planned outsourcing should be treated as part of the core banking business, and so dealt with by the bank in Turkey, or as an extension of, or complementary to, such services. In the latter case, the second issue may be the benefit of providing such services through an outsourcing company in Turkey.
Also, discussions and confirmations with the regulatory authorities and the actual practice after the issuance of the Information Systems Audit Regulation may be helpful tools to understand the approach of the BRSA in this respect as financial companies will soon be subject to detailed audits regarding their IT systems.
Past experience with the regulatory authorities shows that access rights, both to the information and to the system where the information with respect to outsourced services is kept, are quite important. It is particularly important that the authorities have the opportunity to intervene and seize the information and the system to implement their duties, if and when necessary. The outstanding question now is how the BRSA will develop its practice in light of recent global trends establishing principles to better mitigate the concerns and risks surrounding the outsourcing system.
© 2021 Euromoney Institutional Investor PLC.