Legal and regulatory framework
What legal role does corporate risk and compliance management play in your jurisdiction?
In parallel with the global trend, corporate risk management and legal compliance have become an area of significant importance in Turkey.
Legislative developments in regulated industries have laid the foundation for the legal framework of risk and compliance management issues. The financial sector has always had a direct impact on risk and compliance management in terms of the economy, where ensuring stability in the management of sector players and minimising management risks are two primary goals. Along with close supervision by the regulatory authorities, the first regulations on risk management and legal compliance were adopted at the sector level. In recent years, the Basel III criteria have become increasingly important and various new banking regulations have been adopted in an attempt to harmonise the Turkish legal framework with the European standard of risk management for capital adequacy, liquidity coverage ratios, mitigating credit risks, risk assessment models and measurement of market risk.
Laws and regulations
Which laws and regulations specifically address corporate risk and compliance management?
Since corporate risk and compliance management matters are not organised under a single source of law, the rules and principles can be found scattered across various pieces of legislation that set general standards and touch upon both civil and criminal liabilities arising from risk and compliance management failures for corporations and individuals.
Privately held companies
The Turkish Commercial Code (TCC), published in 2012, is the general set of rules applicable to all companies, listed and privately held alike, which rests on four main principles: transparency, equality, accountability and responsibility. It governs board duties and accountability, introduces a clear-cut distribution of liability, requires the formation of early risk detection committees and allows a more transparent system for the benefit of all stakeholders by mandating annual activity reports, company websites and electronic shareholders’ meetings.
Failure to comply with these rules can lead to civil liabilities for the board of directors and the management of a privately held company. As further detailed below, compliance failures could also lead to criminal liability on the part of the board of directors (as the governing body) or the management of a privately held company. White collar crimes such as bribery, fraud, money-laundering of criminal proceeds and embezzlement are the main white collar corruption offences that would trigger criminal liability as per the Turkish Criminal Code (the Criminal Code), applicable to all individuals within companies regardless of whether they are privately held, listed or regulated.
For listed companies, the main source of law is Corporate Governance Principles Communique No. II. 17-1 (the Corporate Governance Communique) issued by the Capital Markets Board (CMB). The Corporate Governance Communique aims to enhance corporate governance mechanisms and risk and compliance management systems for listed companies. The communique provides 20 mandatory corporate governance principles that listed companies must abide by, making an exception for small groups that remain below certain thresholds in terms of overall market value and the market value of floating shares. The mandatory principles mainly focus on maintaining efficient disclosure mechanisms and transparency, appointing independent directors, and forming committees including those monitoring risk and corporate governance compliance within the board of directors.
Owing to their inherent nature, listed companies benefit from a higher level of scrutiny by regulatory authorities as opposed to privately held companies not active in a regulated sector. Therefore, any failure to comply with these principles would be more easily detected in terms of civil or criminal liability.
For listed companies, in addition to the offences exemplified above for privately held companies, the Capital Markets Code also names certain white collar crimes leading to criminal liability, including insider trading and market manipulation, that are specifically applicable to listed companies.
For banks and other actors in the financial services sector, the main piece of legislation is Banking Code No. 5411 (the Banking Code). The Banking Code sets forth the principles and procedures to establish confidence and stability in financial markets, effective functioning of the credit system, and the protection of the rights and interests of depositors. The regulatory authority, the Banking Regulation and Supervision Agency (BRSA), is entitled to deliver secondary legislation for these issues. For compliance and risk management, the Regulation on Banks’ Internal Systems sets forth the rules for establishing internal control, internal audit and risk management systems for banks by specifying various types of risks and how to mitigate and process such risks.
Insurance Code No. 26551 (the Insurance Code) requires insurance and reinsurance companies to establish an effective internal control system, covering internal audit and risk management, in order to monitor compliance with the legislation, internal directives, management strategy and policies, and to prevent fraudulent acts and irregularities in all transactions.
As data protection is one of the current trending topics in Turkey, duties of the board of directors and senior management to ensure the protection of customer and employee personal data are of increasing importance. The laws on personal data are governed by the Code on the Protection of Personal Data. The Code allows companies to retain and process customer and employee personal data only after obtaining explicit consent (save for specific exceptions).
Types of undertaking
Which are the primary types of undertakings targeted by the rules related to risk and compliance management?
While Turkish legislation does not make a distinction between different types of undertakings in terms of risk and compliance management rules and principles, regulated entities (eg, listed companies, banks, insurance companies and other financial institutions) have a stricter list of obligations.
Regulatory and enforcement bodies
Identify the principal regulatory and enforcement bodies with responsibility for corporate compliance. What are their main powers?
Privately held companies
Privately held companies that are not active in a regulated sector and therefore do not enjoy the close scrutiny of a regulatory authority are usually monitored by their shareholders, board of directors, management, creditors or customers. Compliance issues can be raised by these constituents and may lead to civil or criminal liability before the courts, depending on the nature of the problem.
For market competition matters, the Turkish Competition Authority is the main authority that oversees compliance with Turkish competition regulations. It can, among other things, conduct investigations, issue administrative fines for non-compliance and review merger and acquisition transactions for approval.
Also, there are authorities focused on other fields of compliance. For instance, the Board of Protection of Personal Data is authorised to oversee the protection and legal processing of individual personal data.
The CMB is the regulatory and supervisory authority for listed companies, intermediary institutions, portfolio management companies and other capital markets institutions. For both listed companies and capital markets institutions, the CMB issues secondary legislation (ie, CMB communiques) that governs areas of law ranging from corporate governance rules to financial reporting. In order to enhance enforcement mechanisms for listed companies in terms of compliance, the CMB is equipped with broad intervention powers. For example, in the case of a compliance violation, the CMB is authorised to issue administrative fines, seek judicial orders to invalidate non-compliant transactions where the company failed to comply with mandatory principles, seek injunctive relief, withdraw activity permits and signatory authorities, replace board members, order the restoration of compliance or ban trading.
The BRSA is the regulatory body focused on banks and banking activities. In the case of non-compliance with banking regulations, the BRSA is authorised to initiate criminal investigations by filing with the public prosecutor, issue administrative fines, force non-compliant institutions to cease activity, or issue and cancel the permits that are required to carry out banking activities.
For Criminal Code violations, legal proceedings are carried out by the Turkish criminal courts where public prosecutors act ex officio. In relation to crimes that are governed by specific pieces of legislation (eg, crimes listed under the Banking Code), public prosecutors initiate criminal proceedings by filing with the relevant authority (eg, BRSA for banking crimes listed under the Banking Code).
For the prevention of money laundering and financing of terrorism, the Financial Crimes Investigation Board (MASAK) is the regulatory body established in 1997 that has the authority to monitor financial institutions that are active in capital markets, insurance, banking and other financial services sectors. The relevant legislation provides a list of individuals and entities from different occupational groups that are obliged to conduct know-your-customer checks and inform MASAK of suspicious transactions. The list includes, among other entities, banks, insurance and pension companies, sports clubs, public notaries and certified accountants. Accordingly, MASAK is authorised to examine suspicious transaction reports and any documents and records of a company to ensure compliance with the Code on Prevention of Money Laundering. Where there is concrete evidence indicative of money laundering activities, MASAK can also initiate criminal investigations by filing with the public prosecutor.
For insurance and reinsurance companies, the regulatory body is the Undersecretariat of the Turkish Treasury (the Undersecretariat). The Undersecretariat is authorised to issue and cancel activity permits if the company fails to comply with certain requirements.
Are ‘risk management’ and ‘compliance management’ defined by laws and regulations?
Turkish legislation does not set forth an explicit definition for the terms ‘risk management’ and ‘compliance management’. However, the pieces of legislation mentioned in question 2 seem to collectively recognise risk and compliance management principles as a means of running effective and transparent operations within a company and emphasise institutions such as risk detection committees, activity reports and board liability rules.
Are risk and compliance management processes set out in laws and regulations?
In general, the laws and regulations set out major requirements for risk and compliance management processes (eg, formation of risk detection committees, publishing corporate governance compliance reports), but the details are left for the company to tailor. However, in line with the global trend, more comprehensive rules and procedures have been introduced particularly in the financial services sector as explained in question 7 below.
Standards and guidelines
Give details of the main standards and guidelines regarding risk and compliance management processes.
Privately held companies
The TCC introduced the concept of ‘early risk detection’ as a measure to be taken by an early risk detection committee to foresee and mitigate risks. Privately held companies exceeding certain thresholds and, therefore, subject to independent audit requirements, may be required to immediately form a committee upon written request from an independent auditor if considered necessary. This committee is obliged to issue its first risk determination report within one month of formation.
Privately held companies are also free to adopt risk and compliance management processes inspired by those available at listed or regulated companies (detailed below).
For listed companies, compliance with corporate governance principles stands out as an important requirement of the CMB. As per the comply-or-explain principle, listed companies are required to prepare annual corporate governance compliance reports, annexed to the annual activity reports, and to disclose to what extent they comply with the CMB’s corporate governance principles. These principles deal with a large range of topics including risk management.
Under the TCC, companies listed on the stock exchange are obliged to establish a specialised committee for the early detection of risks or threats jeopardising the existence, development and continuation of the company. These committees must also implement any measures necessary to manage these risks.
Under the Corporate Governance Principles Communique, listed companies, excluding banks, are obliged to establish early risk detection committees. Formation of these committees is not obligatory for banks since internal control mechanisms (explained below) cover this function. Early risk detection committees report to the board of directors once every two months and alert the directors to any potential risks or threats that the company may face in order to allow directors to take any necessary precautions. Under the Corporate Governance Communique, the corporate governance and early risk detection committees are the entities that are expected to oversee a listed company’s compliance and risk management practices, and each is composed of a minimum of two members. The board of directors and early risk detection committees must review the effectiveness of the risk management and internal control systems annually.
The risk and compliance management process for banks is regulated in a stricter manner. Accordingly, the board of directors of a bank is obliged to establish efficient and effective internal systems for risk tracking, covering all activities of domestic and foreign branches and consolidated subsidiaries of banks operating in Turkey. Internal systems consist of internal audit, internal control and risk management systems run by the relevant units under the board of directors’ supervision. The duties and responsibilities related to overseeing internal systems may be delegated to a non-executive board member, a committee consisting of non-executive members, or to the audit committee. All of these systems target compliance and risk management issues of the bank.
Internal control units inform the audit committee of information provided by internal control personnel and personnel carrying out operations at intervals of no more than three months.
The internal audit unit focuses on the sufficiency and effectiveness of internal control and risk management systems. Internal audit unit activities will be reported to the audit committee by the relevant manager in three-month intervals. The report is reviewed by the manager and audit committee, and the audit committee then presents the report to the board of directors within 10 days.
The risk management unit deals with the establishment of a risk management system, the design, selection and implementation of risk measurement models, and compliance monitoring of the risk management policies adopted by the board of directors and tailored to different types of risk (such as interest rate risk, treasury risk, credit risk and indirect country risk). These risk types are specified and detailed under the banking regulations.
Insurance company regulations create an obligation of sufficient and active internal systems within the corporate organisation. Accordingly, insurance companies are required to establish internal audit, internal control and risk management systems. Risk management activities are directly reported to the general manager.
In terms of corporate social responsibility, listed companies are encouraged to adopt universal standards in terms of human rights and moral standards regarding the environment, consumer rights and public health, and to combat bribery. They must disclose in their annual report any social responsibility activities that have an environmental or social aspect. The importance of maintaining customer satisfaction as well as product and service quality is specifically emphasised for listed companies under the Corporate Governance Communique.
Are undertakings domiciled or operating in your jurisdiction subject to risk and compliance governance obligations?
All undertakings domiciled or operating in Turkey are subject to the relevant risk and compliance obligations.
What are the key risk and compliance management obligations of undertakings?
See question 7 for key risk and compliance management obligations.
Liability of undertakings
What are the risk and compliance management obligations of members of governing bodies and senior management of undertakings?
Boards of directors are the main governing bodies in Turkish corporations, both privately held and listed. As a general principle, the board of directors is required to manage and represent the company by contemplating the long-term interests of the company with a rational and cautious approach to risk management, keeping the risk, growth and return balance of the company at an optimum level. Members of a board of directors owe a duty of loyalty and a duty of care to their company. The standard for the duty of care introduced by the TCC echoes the well-known ‘business judgment rule’. The legislature, however, has left the scope of the Turkish business judgment rule unclear, and has deferred the interpretation surrounding the new standard to the Turkish courts. See question 14 for board liability matters.
The TCC clarifies the distinction between the representation and governance functions of boards of directors, both of which are delegable. A board’s governance power can be partially or wholly delegated to one or more management officers or third persons through an internal company bylaw to be prepared by the board, provided that the company’s articles of association permit such delegation. If the governance power is delegated to management, then the management officers are also bound by the foregoing principles.
In addition to the foregoing, the TCC prohibits members of a board of directors from entering into any transactions with the company unless they are explicitly permitted to do so by the general assembly of shareholders. This is regardless of whether the board members act for themselves or on behalf of another person. If board members enter into such transactions with the company without shareholder authorisation, the company may choose to ratify the transaction or treat it as invalid. Furthermore, board members and their relatives who are not shareholders in the company must refrain from being indebted to the company by way of cash indebtedness. The company cannot provide sureties, guarantees or security interests to these persons. The creditors of the company are allowed direct recourse from persons acting in violation of this rule. The involvement by board members in activities competing with the company’s business is also prohibited unless approved by the general assembly prior or subsequent to the transaction. In order to avoid conflicts of interest, board members are restricted from attending and voting at meetings where their or their relatives’ interests will be discussed. Board members violating this restriction may be held personally liable for any losses suffered by the company in this connection.
For listed companies, the board of directors is also required to establish internal control systems, including risk management and information systems and processes. These internal control systems may ultimately reduce the effects of any risks that may influence the company’s stakeholders or shareholders by taking into account the views of the board committees. Privately held companies may also adopt these methods to increase compliance oversight.
Do undertakings face civil liability for risk and compliance management deficiencies?
Yes, undertakings with risk and compliance management deficiencies may face civil liabilities. This liability could arise from the general principles of tort law or from provisions of specific legislation such as the TCC or the Banking Code.
Companies and employers can be held liable for the acts of their employees unless it is proven that the company was diligent in selecting, instructing and supervising the employee.
Under the TCC, parent companies are prohibited from using their control rights to the detriment of their subsidiaries. If they do, they would be obliged to compensate the affiliate’s loss within the same year. If the parent company fails to do the foregoing, any shareholder of the subsidiary has the right to request compensation for damages of the subsidiary. The parent company’s board of directors would then be held liable along with the parent company. Creditors of the subsidiary may also request payment of the company’s loss to the subsidiary.
Do undertakings face administrative or regulatory consequences for risk and compliance management deficiencies?
Yes, they do. Undertakings with risk and compliance management deficiencies may be subject to regulatory consequences or administrative fines imposed by the regulatory authorities referred to in question 4.
Do undertakings face criminal liability for risk and compliance management deficiencies?
Under Turkish law, legal entities may not face criminal liability. However, for certain crimes specified under the Turkish Criminal Code or other legislation (such as bribery, embezzlement, money laundering, purposefully polluting the environment or breach of competition), security measures may be taken against the legal entity, such as the cancellation or confiscation of an operation licence, if it is active in a regulated sector.
Liability of governing bodies and senior management
Do members of governing bodies and senior management face civil liability for breach of risk and compliance management obligations?
Yes, they do. Board members and senior management will be held liable for damages to the company, its shareholders or creditors for breach of their obligations, including their risk and compliance management obligations, to the extent that their fault has been proven. They are held responsible on a pro rata basis according to the proportion of fault found attributable to them.
The liability system of the TCC exposes board members and senior management to claims not only from shareholders but also from creditors, and it puts the burden of proof on the board members rather than on the claimant, who challenges the presumption that the directors have acted in line with their duties. Board members and senior management are held exempt from liability for fraudulent acts that are beyond their control.
Under the TCC’s liability principles, a company’s internal bylaws set out guidelines for governance including the definition of the board members’ and senior management’s duties, delegation of powers with respect to specific fields, exchange of information and reporting systems within the board. This clear-cut delegation of governance power made by internal bylaws also provides guidance on the allocation of liability. If the governance powers of the board have been delegated through the company’s internal bylaws, liability will attach to the delegated powers. As a result, board members and senior management who have delegated certain powers or duties will not be held liable for the actions or decisions of their delegates provided that they have acted with reasonable diligence (ie, unless proven to have acted with insufficient diligence) in delegation, instruction or supervision of such delegates. This ‘differentiated liability’ system has replaced the established liability system of the former TCC (abolished in 2012) where all directors sitting on the board were held jointly and severally liable for damages incurred by the company arising from the breach of duties and responsibilities.
Similarly, the senior management and auditors of banks can be held personally liable for the loss incurred by the bank itself owing to their action in breach of the banking regulations.
Do members of governing bodies and senior management face administrative or regulatory consequences for breach of risk and compliance management obligations?
Yes, they do. The TCC stipulates various administrative monetary fines for breach of certain provisions, such as non-compliance with bookkeeping requirements or inaccurate statements on capital adequacy, to be imposed on the relevant individual (from the board or senior management) that fails to comply with the obligation in question. Board members may also be held personally liable for unpaid public debts such as taxes or social security payments to the extent that the company itself is unable to pay them.
The Capital Markets Code grants broad powers to the CMB on that matter. Accordingly, for breaches of the capital markets regulations, the CMB may adopt measures such as cancelling the signatory authorities, dismissing individuals from their duties, appointing temporary individuals to vacant positions or issuing administrative fines on the individual.
Do members of governing bodies and senior management face criminal liability for breach of risk and compliance management obligations?
Yes, they do. Criminal liability is generally governed under the Turkish Criminal Code. Therefore, if the members of governing bodies or senior management act in a way that falls within the scope of a specific crime (eg, bribery, embezzlement, forgery), they may face criminal liability.
In addition to the general scope of the Turkish Criminal Code, there are other pieces of more specific legislation under which criminal liability may arise, such as insider trading and market manipulation under the Capital Markets Code or forgery of company books under the Tax Procedure Code, which can lead to imprisonment or judicial monetary fines.
Corporate compliance defence
Is there a corporate compliance defence? What are the requirements?
As explained in question 14, if there is a delegation of powers, board members and senior management who have delegated their powers or duties will not be held liable for the actions or decisions of their delegates unless proven to have acted with insufficient diligence in the delegation, instruction or supervision of such delegates.
Discuss the most recent leading cases regarding corporate risk and compliance management failures.
The sale of a Turkish regional airline company is a recent example of corporate risk management failure on the part of both the seller and the purchaser, which in the end led to criminal proceedings. The deal had a fast-track and cursory negotiation phase in which the purchaser did not run thorough and reasonable due diligence on the target airline company, the seller did not run the necessary reliability checks on the purchaser, and both parties proceeded with a share transfer agreement that did not have sufficient liability or protection mechanisms to cover their risks. Following the closing, the purchaser alleged that the financial situation of the company had been misrepresented and initiated criminal proceedings for fraud against the seller. The seller, on the other hand, was exposed to potential criminal liability by a purchaser who, as a deal party, could have been more prudently selected. The protracted dispute is still ongoing before the courts.
Are there risk and compliance management obligations for government, government agencies and state-owned enterprises?
Since the 2000s, legislation on risk and compliance management in the public sector has been an important part of the Turkish government’s agenda. The Code on the Public Financial Administration and Control from 2003 introduced the ‘internal control’ and ‘internal audit’ concepts to the public sector for the first time. Although this code seems to be limited to the financial aspects of risk and compliance management, subsequent secondary legislation (ie, the Procedure and Principles Concerning Internal Control and Preliminary Financial Control) has detailed the processes and covers general compliance issues. This legislation further stipulates that public administrations are required to comply with internal control standards to be published by the Ministry of Finance for both financial and non-financial transactions.
Today, all public administrations and state-owned enterprises are compelled to establish an internal control system that requires internal audit and risk management to be carried out by internal auditors.
Framework covering digital transformation
What are the key statutory and regulatory differences between public sector and private sector risk and compliance management obligations?
All entities and organisations are required to observe the rule of law regardless of whether they are public or private. Therefore, compliance obligations are fundamental for all organisations, and all entities are expected to comply with the law and implement the best risk and compliance management practices possible.
It should be noted that the Turkish Criminal Code introduces certain crimes that can only be committed by a government official (such as bribery, subject to several exceptions), and in some cases, being a government official may be considered an aggravating circumstance with respect to sanctions.