Turkey: Draft Communique On Information Systems Of Related Financial Institutions

Last Updated: 21 November 2018
Article by Erdem Aslan and D. Çağla Nizam

Introduction and Scope

On 6 November 2018, the Turkish Banking Regulation and Supervision Agency ("BRSA") published the Draft Communiqué on Management and Auditing of the Information Systems of Financial Leasing, Factoring and Financing Companies ("Draft Communiqué") on its website.

The Draft Communiqué has been drafted to set out the principles and procedures for the management and independent auditing of the information systems that financial leasing, factoring and financing companies in Turkey (hereafter collectively referred to as "Entities") use when conducting financial leasing, factoring and financing operations falling under the scope of Law No. 6361 on Financial Leasing, Factoring and Financing Companies ("Law").

The On-Soil Requirement

Key Definitions: The Draft Communiqué defines Primary Systems as "the systems where all the information regarding the issues stated under the Law is kept in an electronic environment that allows secure and on-demand access, and the complete system consisting of infrastructure, hardware, software and data, which are used to conduct operations"; and Secondary Systems as "back-ups of the primary systems that allow for the continuity of operations within the acceptable interruption periods as defined under the information systems continuity plans and ensure access to all information regarding the issues stated under the Law, where an interruption happens in the operations that are run through the primary systems".

The above definitions appear to be broad and all-inclusive. Considered together with the BRSA's known attitude, one might expect these definitions to be read broadly. Consequently, almost all information system assets of the Entities may be considered to fall within the scope of these definitions and therefore be subject to the requirements of the Draft Communiqué.

Information Systems: The Draft Communiqué requires all Entities to keep their primary and secondary systems, and therefore also the information systems and backups used by their outsourced service providers (including cloud service providers), within the territory of the Republic of Turkey.[1]

On the other hand, the Draft Communiqué provides that the Entities may procure cloud services as an outsourced service, in which case the cloud services may be used under a private cloud service model allocated to a single Entity, on hardware and software resources dedicated to it. Furthermore, with the permission of the BRSA, a common/shared cloud service model may be used on hardware and software allocated solely to the Entities, with a logical separation between the Entities.[2]

Under these rules, the Entities clearly may not maintain their information systems abroad. Accordingly, Entities operating in Turkey must keep all information systems used for their operations in Turkey and, where such systems are currently maintained abroad, transfer them to Turkey.

Despite the localization requirement, the Draft Communiqué does not ban the use of cloud-based services, and the Entities may use cloud-based services hosted in Turkey. However, the Draft Communiqué has a significant negative impact on cloud-based services that are not hosted in Turkey.

As a result, the related cloud-based services may be used by the Entities as follows:

  • Private Cloud-Based Services: Although the Draft Communiqué does not define private cloud-based services, the Entities may use them where (i) the hardware and software are allocated to the relevant Entity, (ii) the hardware on which the hosting service is provided is allocated to the relevant Entity and is not used by third parties, and (iii) the information systems are hosted in Turkey.
  • Shared Cloud-Based Services: Although the Draft Communiqué does not define common/shared cloud-based services, the Entities may use them where (i) the hosting service provider provides the service exclusively to the Entities, with a logical separation between them, (ii) the permission of the BRSA is obtained, and (iii) the information systems are hosted in Turkey.


The Entities must assess and manage the risks that may arise from outsourcing information systems, identify alternative outsourced service providers for cases where the contracted provider is unable to deliver the service, establish the control mechanisms required over the providers' access, and take the measures required to secure that access and the data of the Entities and their users.

Also, the outsourced service provider and the Entities shall execute written agreements which shall include, as a minimum, the following:

  • Provisions ensuring that all systems and processes within the scope of the outsourced service comply with the Entity's own risk management, security and privacy policies,
  • Provisions on the ownership of the products and services subject to the agreement and on intellectual property rights,
  • Provisions ensuring that the obligations imposed on the outsourced service provider are also included as binding provisions in any agreements it makes with subcontractors,
  • Provisions on the management of risks arising from a termination or interruption of the outsourced service other than as planned,
  • Provisions ensuring that the legislation to which the Entity is subject also applies to the outsourced service provider within the scope of the outsourced service,
  • Provisions ensuring that the independent audit controls applied to the Entity also extend to the outsourced service, without any limitation of scope,
  • Provisions ensuring that all information and documents requested by the BRSA in relation to the activities carried out by the outsourced service provider will be submitted in a timely and accurate manner, and that all electronic, magnetic and similar records related to the outsourced service will be readable and accessible,
  • Provisions ensuring that, upon instruction by the BRSA, the outsourced service provider will make changes to the Entity's information systems within the period set in the instruction and within the scope of the services.

Significant Obligations

Information System Management: The Entities shall establish an information system structure and, within this scope, the policies, procedures and processes that are reviewed regularly and approved by the executives. Furthermore, the internal control departments of the Entities shall draft a legislation compliance report to be presented to the executives once a year.

Risk Management: The Entities shall draft a risk management process, approved by the executives, for analyzing, measuring, tracking and reporting the risks arising from the use of information systems. The process shall contain (i) the inventory of information assets, including existing data, software and hardware, together with an evaluation of the threats to the assets in the inventory, the likelihood of the risks, their possible outcomes and the precautions that can be taken, and (ii) the methods chosen from among risk reduction, risk avoidance, risk acceptance and risk transfer. Furthermore, the Entities shall draft a risk assessment report to be presented to the executives once a year.

Information Security Management: The Entities shall establish an information security process, document that process together with the related roles and responsibilities, and take measures ensuring the privacy, integrity and accessibility of the information systems and the data therein. Within this scope, the Entities shall classify the data they store, share and process according to its security level.

Furthermore, where an Entity communicates with external networks other than its own corporate network, it shall deploy network security controls against threats originating from those external networks. Additionally, the Entities shall use one or more firewalls that are properly configured and continuously monitored. The Entities are also required to carry out penetration tests once every 2 (two) years and to draft a security breach report to be presented to the executives once a year.

Authorization and Access Control: An appropriate authorization and access control method must be implemented for access to databases, applications and systems. When deciding access and authorization levels, the minimum levels necessary for the relevant duties and responsibilities must be applied, and such authorizations and access rights shall be reviewed at least once a year. Assigned duties and responsibilities must be consistent with the principle of separation of duties. In the case of temporary authorization, the conditions and period of the authorization shall be determined, and audit trail records shall be kept.

Authentication: The Draft Communiqué requires an appropriate authentication mechanism to be put in place for processes taking place on the information systems, taking into account the type and nature of the process, the losses that may arise from a breach, and the sensitivity level of the data. Additionally, the same account may not be used by multiple users.

The Entities shall ensure the incontestability (non-repudiation) of authorizations. Critical information such as passwords must be stored encrypted using methods consistent with current technology.

A single user shall not be permitted to hold multiple concurrent logins. Accounts that remain inactive for a defined period must be automatically logged off.
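The session rules above (one active login per user, automatic logoff after inactivity, and a record of every login and logoff) can be enforced centrally in a session manager. The following is an added example written for this article, not code from the Draft Communiqué or any Entity; the 15-minute idle timeout, the `SessionManager` API and the event format are assumptions.

```python
"""Session policy enforcing the Draft Communiqué's authentication rules:
a fresh login replaces any existing session of the same user (no concurrent
logins), idle sessions are logged off automatically, and each login/logoff
is recorded for the audit trail.  Added example; timeout value is assumed.
"""
from dataclasses import dataclass, field
import secrets

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy value; the Draft sets none


@dataclass
class Session:
    token: str
    user: str
    last_activity: float  # seconds since epoch, supplied by the caller


@dataclass
class SessionManager:
    idle_timeout: float = IDLE_TIMEOUT_SECONDS
    sessions: dict = field(default_factory=dict)  # token -> Session
    events: list = field(default_factory=list)    # (time, user, event)

    def login(self, user: str, now: float) -> str:
        # Single-login rule: a new login for a user ends any session the
        # same user already holds, so at most one token per user is valid.
        for tok, s in list(self.sessions.items()):
            if s.user == user:
                self._logoff(tok, now, "replaced_by_new_login")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, user, now)
        self.events.append((now, user, "login"))
        return token

    def touch(self, token: str, now: float) -> bool:
        """Validate a request bearing `token`; False means not logged in."""
        s = self.sessions.get(token)
        if s is None:
            return False
        if now - s.last_activity > self.idle_timeout:
            self._logoff(token, now, "idle_timeout")
            return False
        s.last_activity = now
        return True

    def sweep(self, now: float) -> int:
        """Periodic job: log off every session idle longer than the timeout."""
        stale = [t for t, s in self.sessions.items()
                 if now - s.last_activity > self.idle_timeout]
        for tok in stale:
            self._logoff(tok, now, "idle_timeout")
        return len(stale)

    def active_users(self) -> list:
        return sorted({s.user for s in self.sessions.values()})

    def _logoff(self, token: str, now: float, reason: str) -> None:
        s = self.sessions.pop(token)
        self.events.append((now, s.user, "logoff:" + reason))
```

The `events` list is the hook for the audit trail requirements that follow; in production it would be written to an append-only store rather than kept in memory.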

Audit Trails: An effective audit trail mechanism covering the Entities' operations shall be established. Audit trails shall record accesses to and inquiries on information about the Entity's operations and customers, changes to access authorizations, and unauthorized attempts to access this information.

The audit trails shall be recorded in sufficient detail and clarity, in a manner that prevents their integrity from being infringed or altered, and in a reportable format. Audit trail records for a process shall include information such as the date, time, application, user name, and what data was examined or changed. The audit trail records shall be kept ready for audit for a minimum of 5 (five) years. Backups of the records shall be taken so that they remain accessible even after a disaster. Furthermore, the Entities shall ensure that the audit trails kept by their outsourced service providers comply with the Entities' own standards and remain accessible to the Entities.
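One way to meet the requirements above (date, time, application, user, the data examined or changed, a reportable format, and protection of integrity) is a hash-chained log in which each record commits to the previous one, so any later alteration is detectable. This is an added example written for this article, not code from the Draft Communiqué or any Entity; the record layout, the event names and the sample events are constructed assumptions.

```python
"""Tamper-evident audit trail with the fields the Draft Communiqué lists.
Each entry stores the SHA-256 of (previous hash + canonical record), so
editing or reordering a kept record breaks the chain.  Added example; the
record layout and the constructed sample events are assumptions.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first record


def _digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same content
    # always hashes identically regardless of dict ordering.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


class AuditTrail:
    def __init__(self):
        self.entries = []  # each: {"record": {...}, "prev": hex, "hash": hex}

    def append(self, *, application, user, event, target, detail=None, when=None):
        """Record one access, inquiry, change or unauthorized attempt."""
        when = when or datetime.now(timezone.utc)
        record = {
            "date": when.date().isoformat(),
            "time": when.time().replace(microsecond=0).isoformat(),
            "application": application,
            "user": user,
            "event": event,    # read, update, auth_change, unauthorized_attempt
            "target": target,  # what data was examined or changed
            "detail": detail or {},
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"record": record, "prev": prev,
                             "hash": _digest(prev, record)})
        return len(self.entries) - 1

    def verify(self):
        """Index of the first broken record, or None if the chain is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or _digest(prev, e["record"]) != e["hash"]:
                return i
            prev = e["hash"]
        return None

    def export(self) -> str:
        """Reportable format: one JSON object per line (JSON Lines)."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)

    @classmethod
    def load(cls, text: str):
        trail = cls()
        trail.entries = [json.loads(ln) for ln in text.splitlines() if ln]
        return trail


def build_sample_trail() -> AuditTrail:
    """Constructed sample events (not real data) at a fixed timestamp."""
    t = AuditTrail()
    when = datetime(2018, 11, 21, 10, 30, 0, tzinfo=timezone.utc)
    t.append(application="core-leasing", user="analyst1", event="read",
             target="customer/1042", when=when)
    t.append(application="core-leasing", user="admin2", event="auth_change",
             target="user/analyst1", detail={"role": "auditor"}, when=when)
    t.append(application="core-leasing", user="unknown",
             event="unauthorized_attempt", target="customer/1042", when=when)
    return t
```

The chain detects modification or reordering of retained records; deletion of the newest records is only detectable if the latest hash is also kept outside the log, for example alongside the backups the Draft Communiqué requires.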

Management of Information Assets: The Entities shall keep an inventory of their information assets consisting of a hardware inventory, a software inventory and a data inventory. The inventories shall be kept up to date, and the inventory records of the last 3 (three) years shall be retained. To ensure the physical security of the information systems, the following measures shall be taken:

  • The area where the information systems are located shall be secured, and all necessary measures to protect this area from internal and external threats shall be taken,
  • The entrances and exits of the system rooms shall be equipped with key card systems or physical locks, and all entries and exits shall be kept in written records,
  • The primary and secondary system rooms and their entrances shall be monitored by CCTV cameras, and the relevant recordings shall be retained for 3 (three) months.

Information Systems Continuity Plan: The Entities are required to draft an information systems continuity plan, approved by the executives, to ensure the continuity of the information system services that support their operations and important business functions. Within the scope of the plan, a secondary data centre shall be established, and data and system backups shall be held available at the secondary centre.

To ensure that the plan remains effective and current, tests shall be carried out at least once a year using the secondary centre; outsourced service providers, if any, shall be included in the tests; the test results shall be reported to the executives; and the plan shall be updated according to these results.

Independent Audit

The information systems, processes, hardware and software of the Entities shall be audited once every 3 (three) years by an independent auditor, in order to ensure the compliance of the systems with the Draft Communiqué. During the audit, the independent auditor may also audit the systems of the outsourced service providers where it considers this necessary, and at the conclusion of the audit, independent auditor reports shall be drafted and delivered to the BRSA.

The BRSA is granted the authority to determine when such periodic audits begin, and the scope and period of the audits may be varied where the BRSA considers it necessary.


The Draft Communiqué enters into force on 1 January 2019 and provides a compliance period of 1 (one) year from the date of entry into force for the Entities and their information systems to become compliant with the Draft Communiqué.


[1] "Article 14 (2): Entities shall keep their primary and secondary information systems within the borders of Turkey. Consequently, in case the services are outsourced, the information systems and backups used by the outsource service providers shall also be kept in Turkey."

[2] "Article 12(5): Entities may procure cloud services as outsource service and in such case, the cloud services may be used as private cloud service model allocated to the single entity, via the private hardware and software sources. Furthermore, with the permission of BRSA, common/shared cloud service model may be used, on the hardware and software allocated solely to the financial leasing, factoring and financing companies, by making a logical division between the companies."

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
