Turkey: Draft Communique On Information Systems Of Related Financial Institutions

Introduction and Scope

On 6 November 2018, the Turkish Banking Regulation and Supervision Agency ("BRSA") have published the Draft Communiqué on Management and Auditing of the Information Systems of Financial Leasing, Factoring and Financing Companies ("Draft Communiqué") on their website.

The Draft Communiqué has been drafted to determine principles and procedures on the management and independent auditing of information systems of financial leasing, factoring and financing companies in Turkey (hereafter collectively referred as "Entities") that they use when conducting financial leasing, factoring and financing operations that fall under the scope of Law No. 6361 on Financial Leasing, Factoring and Financing Companies ("Law").

The On-Soil Requirement

Key Definitions: The Draft Communiqué defines Primary Systems as "the systems where all the information regarding to the issues stated under the Law are kept in an electronic environment that allows secure and on demand access and the complete system consisting of infrastructure, hardware, software and data, which are used to conduct operations."; and Secondary Systems as "back-ups of the primary systems that allows for the continuity of operations within the acceptable interruption periods as defined under the information systems continuity plans and ensures access to all information regarding to the issues stated under the Law, where an interruption happens in the operations that are run through the primary systems".

The above definitions appear to be rather broad and all-inclusive. When this fact is considered along with the known attitude of the BRSA, one might expect these definitions will be read broadly. Consequently, almost all information system assets of the Entities may be considered to be falling within the scope of definitions and therefore be subjected to requirements listed under the Draft Communiqué.

Information Systems: The Draft Communiqué requires all Entities to have their primary and secondary systems; and therefore, the information systems and backups used by the outsource service providers (including cloud service providers) within the territory of the Republic of Turkey¹.

On the other hand, the Draft Communiqué regulates that the Entities may procure cloud services as outsource service and the cloud services may be used as private cloud service model allocated to the single Entity, via the private hardware and software sources. Furthermore, with the permission of BRSA, common/shared cloud service model may be used, on the hardware and software allocated solely to the Entities, by making a logical division between the Entities².

Due to the abovementioned rules, it is obvious that the Entities shall not maintain their information systems abroad and accordingly the Entities operating in Turkey shall maintain all the information systems used for their operations in Turkey, transfer them to Turkey in case required (in case, the information systems are maintained abroad).

Despite the localization requirement, the Draft Communiqué does not ban the use of cloud-based services and the Entities may use the cloud-based services hosted in Turkey. However, the Draft Communiqué has a crucially negative impact on the cloud-based services that are not hosted in Turkey.

As a result, the related cloud-based services may be used by the Entities as follows:

• Private Cloud-Based Services: Although, The Draft Communiqué does not define private cloud-based services, the Entities may use the cloud-based services in case (i) the hardware and software are allocated to the related Entity, (ii) the hardware that the hosting service is provided on is allocated to the related Entity and is not used by third parties, and (iii) the information systems are hosted in Turkey.

• Shared Cloud-Based Services: Although, The Draft Communiqué does not define common/shared cloud-based services, the Entities may use the common/shared cloud-based services in case (i) the hosting service provider provides the service exclusively  by making a logical division between the Entities, (ii) the permission of BRSA is obtained and (iii) the information systems are hosted in Turkey.

Outsourcing

The Entities need to assess and manage the risks that may result from outsourcing information systems, determine alternative outsource service providers for the cases where the related outsource service provider is not capable to provide services, establish required control mechanisms for the access of outsource service providers, take required measures for the safety of the outsource service provider access and data of the Entities and users.

Also, the outsource service provider and the Entities shall execute written agreements which shall include, as a minimum, the following content:

• Provisions ensuring that all systems and processes within the scope of outsourced service comply with the Entity's own risk management, security and privacy policies
• Provisions related to the ownership of the products and services subject to the agreement and intellectual property rights,
• Provisions ensuring that the provisions bearing obligations for outsource service provider will also be included as binding provisions in the agreements to be made with subcontractors,
• Provisions related to the management of risks arising out of the termination or interruption of outsourced service, apart from the way it is planned,
• Provisions ensuring that the provisions of the legislation to which the Entity is subject are also applicable for outsource service provider, within the scope of the service outsourced,
• Provisions ensuring that the independent audit controls carried out in terms of independent audit of the Entity shall be implemented within the scope of the outsourced service carried out, without limiting the scope for the activities,
• Provisions ensuring that all kinds of information and documents requested by BRSA will be submitted in a timely and accurate manner in relation to the activities carried out by the outsource service provider and every kind of electronic, magnetic and similar records related to the outsource service will be readable and accessible,
• Provisions ensuring that the changes will be made on the information systems of the company by outsource service provider, upon the instruction of the BRSA, within the instruction period and the scope of the services.

Significant Obligations

Information System Management: The Entities shall establish an information system structure and establish the policy, procedure and processes that are reviewed regularly and approved by the executives, within this scope. Furthermore, the internal control departments of the Entities shall draft a legislation compliance report to be presented to the executives, once in a year.

Risk Management: The Entities shall draft a risk management process for analyzing, measuring, tracking, reporting the risks arising out of the use of the use of information systems, which is approved by the executives and contains the (i) the inventory of the information assets including existing data, software and hardware, evaluation regarding the threats towards the assets in the inventory, possibility of risks, possible outcomes of the risks, the precautions that can be taken and (ii) the methods chosen among the methods of reduction of risk, avoidance of risk, acceptance of risk or transfer of risk. Furthermore, the Entities shall draft a risk assessment report to be presented to the executives, once in a year.

Information Security Management: The Entities shall establish a process, draft documents related to the process, roles and responsibilities regarding information security and take measures ensuring the privacy, integrity, accessibility of the information systems and the data therein. Within this scope, the Entities shall classify the stored, shared and processed data in accordance with their security level.

Furthermore, the Entities shall install web control security systems against the threats arises from the external webs, in case it communicates with the external webs other than its own corporate web. Additionally, the Entities shall use one or more firewalls that are configured and constantly being observed. The Entities are also required to carry out penetration tests once in a 2 (two) years period and to draft a security breach report to be presented to the executives, once in a year.

Authorization and Access Control: For access to the databases, applications and systems, an appropriate authorization and access control method must be implemented. When deciding access and authorization levels, the minimum access and authorization levels that is necessary for the relevant duties and responsibilities must be considered; and such authorizations and access rights shall be evaluated at least once in a year. Assigned duties and responsibilities must be consistent with the principle of separation of duties. In case of temporary authorization, authorization conditions and period shall be determined, and trail records shall be kept.

Authentication: The Draft Communiqué requires an appropriate authentication mechanism to be installed for the processes taking place on the information systems by considering of the type and nature of the process and the losses may be occurred in case of a breach, and the data's sensitivity levels. Additionally, it is prohibited for the same account to be used by multiple users.

The Entities shall ensure the incontestability of the authorizations. Critical information such as passwords must be kept encrypted in a way that is compliant with the current technology.

It shall be ensured that a single user is not allowed for multiple logins. The accounts that are inactive for a certain period of time must be automatically logged off.

Audit Trails: An efficient mechanism of audit trailing regarding the Entities' operations shall be established. The audit trails regarding accesses, inquiries, regarding information on Entity operations and customers, and changes in access authorizations and unauthorized access attempts to this information shall be recorded.

The audit trails shall be recorded in sufficient detail, clarity and in a way that does not to allow its integrity to be infringed and changed and in a reportable format. Audit trails regarding to the process shall include the information such as; date, time, application information, user name, what data is being investigated, changed etc. The audit trail records shall be kept ready for audits for a minimum of 5 (five) years period. Back-ups of the records shall be taken so that the records are kept accessible even after potential disasters. Furthermore, the Entities shall ensure that the audit trails kept by its outsource service providers is compliant with its own standards and their auditing trails to be accessible to themselves.

Management of Information Assets: The Entities shall keep the inventory of their information assets consisting of hardware inventory, software inventory and data inventory. The inventories shall be kept up-to-date and the inventory records of the last 3 (three) years shall be stored. To ensure the physical security of the information systems, the following measures shall be taken:

• The area where the information systems are located shall be secured, and all necessary measures to protect this area from internal and external threats shall be taken,
• The entrances and exits to the system rooms shall be equipped by key card systems or physical locks. All information regarding entries and exits shall be kept in written records,
• Primary, secondary system rooms and their entrances shall be monitored by CCTV cameras. The relevant records shall be stored for 3 (three) months.

Information Systems Continuity Plan: The Entities are required to draft an information systems continuity plan which is approved by the executives, in order to ensure the continuity of information systems services that support its operations and important business functions. Within the scope of the plan, a secondary data centre shall be established, and data and system backups shall be held available at the secondary centre.

In order to ensure the effectiveness and up-to-datedness of the plan; tests shall be carried out at least once a year through the secondary centre and outsource service providers, if any, shall be included in the tests, the test results shall be reported to the executives and the plan shall be updated according to these results.

Independent Audit

The information systems, processes, hardware and software of the Entities shall be audited periodically once in a 3 (three) years period by an independent auditor, in order the ensure the compliance of the systems with the Draft Communiqué. During the audit, independent auditor may carry out audits on the systems of the outsource service providers in case it considers it necessary and as the conclusion of the audits independent auditor reports shall be drafted and delivered to BRSA.

BRSA is granted an authority to determine the time that such periodical audits begin, and it is also regulated that the scope and period of the audits may be varied in case BRSA considers it necessary. 

Enforcement

The Draft Communiqué enters into force as of 1 January 2019 and foresees a compliance period of 1 (one) year starting from the enforcement date, for the Entities and their information systems to become compliant with the Draft Communiqué.

Footnotes

1 "Article 14 (2): Entities shall keep their primary and secondary information systems in within the borders of Turkey. Consequently, in case the services are outsourced, the information systems and backups used by the outsource service providers shall also be kept in Turkey."

2 "Article 12(5): Entities may procure cloud services as outsource service and in such case, the cloud services may be used as private cloud service model allocated to the single entity, via the private hardware and software sources. Furthermore, with the permission of BRSA, common/shared cloud service model may be used, on the hardware and software allocated solely to the financial leasing, factoring and financing companies, by making a logical division between the companies."

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.