Draft Regulation - On Information Systems Of Banks And Electronic Banking Services

The Draft Regulation on Information Systems of Banks and Electronic Banking Services ("Draft Regulation"), which was drafted in order to abolish the Communiqué on Principles on the Management of Information Systems of Banks ("Communiqué") and is based on the Regulation on Internal Systems and Internal Capital Adequacy Assessment Process of Banks ("Internal System Regulation"), was published and opened to public opinion on the official website of the Banking Regulatory and Supervisory Agency ("BRSA") on 25 December 2018.

The Draft Regulation is planned to enter into force on the date of its publication, and an implementation period has been foreseen until 1 January 2020.

The main changes introduced by the Draft Regulation are as follows:

  • Committee, Unit and Positions: The committee, unit and positions that shall be in charge of the management of information systems are regulated. The committee, unit and positions in question are detailed and reproduced compared to the Communiqué. Similarly, the responsibilities of the parties who will be commissioned in the management of information systems are expanded.
  • Policy and Procedures: The number of policies, procedures and process documents that banks are required to prepare is increased, the context of such documents is detailed and the concepts that will be reflected in the documents are explained.
  • Primary and Secondary Systems: The provision within the Internal System Regulation, which requires the primary and secondary systems of banks to be kept within the country, is retained but detailed.
  • Outsource Service Procurement: The rules and principles that banks shall apply during the outsource service procurement are detailed. In this context,

    • The definition of "outsource service" is included under the Draft Regulation and the definition provided therein is written in such a way that it covers all services outsourced by banks including those that fall under the definition of "support services" as defined by the Regulation on Support Service Procurement of Banks.
    • It is prohibited to carry out critical services, services and critical workflows within the scope of standard contracts where the obligations related to the contracts in which the obligations cannot be fulfilled,
    • It is regulated that a responsible person shall be assigned regarding outsourcing,
    • It is regulated that products and services with respect to critical information systems and security to be procured should be produced in Turkey or the R&D centers should be preferred to be present in Turkey and in any case response teams shall be present in Turkey,
    • The procurement of cloud computing services is allowed; the cloud computing services shall solely be procured by (i) private cloud service or (ii) community cloud services that serve to banks only by means of logical distinction,
    • It is regulated that source codes shall be obtained from the supplier from the beginning or source codes shall be delivered by escrow agreements,
    • It is regulated that contracts to be concluded with service providers such as search engines and social media platforms shall include provisions regarding the responsibility of providers to prevent fake ads given in the name of the bank and to compensate the damages that arise due to such fake ads; otherwise no services shall be procured from the related providers.
  • Internet Banking: The definition of electronic banking services is expanded to include channels such as internet banking, mobile banking, telephone banking, television banking, open banking services, ATM and kiosk devices. In this context, the following has been regulated:

    • Customers' identities shall be verified in case of access to all electronic banking services applications, including transactions that do not bear financial consequences, such as displaying customer information,
    • In contrast to the BRSA decision which has been previously communicated to banks in relation to the issue, authentication components that are integrated into the device that provides access to the mobile banking application have been permitted to be used for 2 (two) component authentication application,
    • An obligation on implementing systemic restrictions which enable the customers to read the relevant information has been introduced in order to ensure that the information to be provided to the customers is duly carried out,
    • Sending SMS OTP as an authentication component has been prohibited, except for activation and reactivation; it has been regulated that all the necessary contracts with the electronic communication operators which provide short message services shall be concluded in order to ensure SIM card change inquiries,
    • The open banking services have been defined in line with the Directive numbered 2015/2366/EU (Directive on payment services in the internal market-PSD2) ("Directive") [1], and regulations on open banking services were introduced.
  • Data Privacy: Detailed regulations on the protection of customer data and payment data, and on cyber security, have been introduced. In this regard,

    • An obligation to create a data inventory in addition to the asset inventory has been imposed,
    • It has been regulated that trace records regarding inquiries [2] on sensitive data [3] and personal data held by other institutions and establishments, and the purpose of these inquiries, shall be kept,
    • It has been regulated that in the event of a cyber incident turning into a crisis, a leakage or disclosure of sensitive data or personal data, the sectoral SOME [4] shall be informed immediately,
    • It has been regulated [5] that in the event of a cyber incident causing leakage or disclosure of sensitive data or personal data, public announcements shall be made on the bank's own website or on the website where the bank offers its internet banking services,
    • Banks have been obliged to back up such data by way of making a copy of the data as soon as possible and to maintain the original until the request is fulfilled in case of data requests from judicial authorities and the BRSA,
    • It has been permitted that, besides written form, customer's consent regarding the provision of customer's data may be obtained through a permanent data register [6]; it has been decided that customer's consent regarding the disclosure of such information cannot be imposed as a prerequisite of the service provided,
    • It has been regulated that the international transfer of customer information is subject to BRSA's permission even if the explicit consent of the customer is obtained.


1. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32015L2366

2. Under the Draft Regulation, "Sensitive Data" refers to 'confidential data and data used in authentication'. Therefore, the concept of "Sensitive Data" differs from the concept of personal data defined under the Law on Protection of Personal Data numbered 6698.

3. Inquiries made in the systems of "Kredi Kayıt Bürosu" can be evaluated in this context.

4. According to the Communiqué on the Procedures and Principles on the Establishment, Duties and Activities of Cyber Incidents Response Teams (OG. 11.11.2013/28818), which comprises provisions regarding the establishment and duties of CIRTs, Sectoral CIRTs are established within regulatory and supervisory institutions to cover institutions, organizations and enterprises operating in their respective sectors. Pursuant to the Sectoral CIRT Establishment and Management Guide published by the Ministry of Transportation, the financial sector is designated as a critical infrastructure and the banking sector-specific sectoral CIRT is to be established within the BRSA: http://www.udhb.gov.tr/doc/siberg/Sektorel_SOME_Reh.pdf.

5. It should be emphasized that the related notification obligation must be considered as a separate obligation from the obligation to notify the related data subjects and the Personal Data Protection Authority pursuant to Article 12 of the Law on the Protection of Personal Data numbered 6698 in the event of a data breach. In this sense, in the event of a cyber incident within the banks causing a personal data breach, a public announcement must be made on the bank's website in addition to the notifications to be made to the related data subjects and the Personal Data Protection Authority.

6. The definition of a "permanent data register" has not been provided for under the Draft Regulation. However, the definition of a permanent data register commonly referred to within the consumer legislation is as follows: all kinds of tools and media such as text messages, e-mail, internet, disk, CD, DVD, memory card and so on, which allow the consumer to record and inalterably copy the information which has been transmitted to or transmitted by him/her in a manner enabling the examination of such information for a reasonable period of time, in accordance with the purpose of this information.