The Banking Regulatory and Supervisory Authority (the "BRSA") presented the Draft Regulation on Banks' Information Systems and Electronic Banking Services (the "Draft Regulation") for public consultation on 25 December 2018. The Draft Regulation, which will replace the Communiqué of 14 June 2007 on the Principles Applicable to Banks' Information Systems Management, introduces the rules and procedures regarding management of information systems, provision of electronic banking services, and risk management.
According to the Draft Regulation, a Turkish bank may use cloud services if;
- the service is specifically assigned to deliver services to banks, and the cloud deployment model complies with banking regulations in relation to services falling within the scope of primary and secondary systems; and
- the BRSA approval is obtained to deploy public cloud services for activities such as core banking application, credit and credit cart practices and payment services.
With regard to the transfer of customer data to third parties, Turkish banks will only be able to share data if the scope of the transfer are explicitly specified and customer's explicit consent is obtained in writing or through a permanent data register for evidentiary purposes. The customer must be informed of the transfer and must be offered an option regarding the transfer. The consent cannot be made a condition to the provision of banking services.
Further, regardless of customers' explicit consent, the transfer of customer data outside Turkey will be subject to the BRSA's approval. Banking operations that by nature require interaction with banks, payment or messaging systems located abroad, will be exempt from this condition.
Taking into regard the developments in fintech and the data privacy laws, the BRSA aims at updating the legal infrastructure surrounding Turkish banks' information technologies. You may submit your opinion on the Draft Regulation to firstname.lastname@example.org.