The Capital Markets Board ("the Board") issued the Communiqué on the Management of Information Systems (VII-128.9) ("Management Communiqué") and the Communiqué on the Independent Auditing of Information Systems (III-62.2) ("Audit Communiqué"), which both entered into force following their publication in the Official Gazette on 5 January 2018.
The Management Communiqué regulates the establishment and running of all information systems of all organizations falling within its scope,[1] and the Audit Communiqué regulates the inspection of these systems by third parties. The Audit Communiqué does not envisage an independent audit obligation for all institutions falling within the scope of the Management Communiqué, and publicly listed partnerships fall outside the scope of mandatory audits.
1. Which organizations are subject to these obligations?
All capital markets institutions, including Borsa İstanbul A.Ş. and its portfolio depository entities; all publicly listed partnerships; all private pension funds; and certain other[2] institutions, organizations, and partnerships fall under the scope of the Management Communiqué.
The information systems of the banking and insurance companies[3] mentioned in the Communiqués, as well as those of financial leasing, factoring, and financing companies,[4] are already subject to their own similar sectoral regulations. The Management Communiqué therefore provides that satisfying those sectoral obligations also constitutes satisfaction of the obligations it stipulates.
2. What obligations are set forth under the communiqué?
The primary obligations for institutions, organizations, and partnerships that fall within the scope of the Management Communiqué can be summarized as follows:
- Developing policies and processes in two main categories: (i) information systems management, and (ii) information system risk analysis and follow-up;
- Allocating finances and human resources for information systems management;
- Ensuring the privacy of all data pertaining to information systems, including customer information; and
- Implementing an audit trail mechanism designed to track financial or operational processes and maintaining the records obtained from this mechanism for a minimum of five years.
3. Who is responsible for the establishment and operation of these systems?
The Management Communiqué states that the implementation of data security policies must be monitored by the senior management responsible for operations, and that the Board of Directors bears overall responsibility for carrying out effective and sufficient oversight of information systems.
The Management Communiqué states that, in addition to certain secondary obligations regarding information systems, senior management must (i) obtain project consent for the use of information systems, (ii) appoint a person responsible for the security of information systems who has adequate technical knowledge and experience to be responsible for the implementation of processes pertaining to information systems, and (iii) formulate a business continuity plan in order to ensure the continuity of the information systems processes outlined under the Communiqué.
Since the Management Communiqué does not specify particular administrative or criminal penalties for violation of the obligations to manage information systems, the existing general sanctions listed under the Capital Markets Code No. 6362 will likely remain applicable.