Turkey: Draft Regulation On Information Systems Of Banks And Electronic Banking Services

Last Updated: 13 March 2019
Article by Tuğrul Sevim and D. Çağla Nizam

Draft Regulation on Information Systems of Banks and Electronic Banking Services ("Draft Regulation") which is drafted in order to abolish the Communiqué on Principles on the Management of Information Systems' of Banks ("Communiqué") and based on the Regulation on Internal Systems and Internal Capital Adequacy Assessment Process of Banks ("Internal System Regulation") has been published and opened to public opinion on the official website of Banking Regulatory and Supervisory Agency ("BRSA") on 25 December 2018.

Draft Regulation is planned to enter into force on the date of its publication and an implementation period has been foreseen until 1 January 2020.

The main changes introduced by the Draft Regulation are as follows:

  • Committee, Unit and Positions: Committee, unit and positions that shall be in charge for the management of information systems are regulated. The related committee, unit and positions in subject are detailed and reproduced compared to the Communiqué. Similarly, the responsibilities of the parties who will be commissioned in the management of information systems are expanded.
  • Policy and Procedures: The number of policies, procedures and process documents that the banks are required to prepare are increased, the context of such documents is detailed and concepts that will be reflected to the documents are explained.
  • Primary and Secondary Systems: The provision within the Internal System Regulation, which requires keeping the primary and secondary systems of the banks within the country is kept as the same but detailed.
  • Outsource Service Procurement: The rules and principles that banks shall apply during the outsource service procurement are detailed. In this context,

    • The definition of "outsource service" is included under the Draft Regulation and the definition provided therein is written in such a way that it covers all services outsourced by banks including those that fall under the definition of "support services" as defined by the Regulation on Support Service Procurement of Banks.
    • It is prohibited to carry out critical services, services and critical workflows within the scope of standard contracts where the obligations related to the contracts in which the obligations cannot be fulfilled,
    • It is regulated that a responsible person shall be assigned regarding outsourcing,
    • It is regulated that products and services with respect to critical information systems and security to be procured should be produced in Turkey or the R&D centers should be preferred to be present in Turkey and in any case response teams shall be present in Turkey,
    • The procurement of cloud computing services is allowed; the cloud computing services shall solely be procured by (i) private cloud service or (ii) community cloud services that serve to banks only by means of logical distinction,
    • It is regulated that source codes shall be obtained from the supplier from the beginning or resource codes shall be delivered by escrow agreements,
    • It is regulated that with respect to contracts to be concluded with service providers such as search engines and social media platforms, provisions regarding the responsibility of providers in preventing fake ads given in the name of the bank and compensate the damages that shall arise due to such fake ads; otherwise no services shall be procured from the related providers.
  • Internet Banking: The definition of electronic banking services is expanded to include channels such as internet banking, mobile banking, telephone banking, television banking, open banking services, ATM and kiosk devices. In this context, the following has been regulated:

    • Customers' identities shall be verified in case of access to all electronic banking services applications, including transactions that do not bear financial consequences, such as displaying customer information,
    • In contrast to the BRSA decision which has been previously communicated to banks in relation to the issue, authentication components that are integrated into the device that provides access to the mobile banking application have been permitted to be used for 2 (two) component authentication application,
    • An obligation on implementing systemic restrictions which enable the customers to read the relevant information has been introduced in order to ensure that the information to be provided to the customers is duly carried out,
    • Sending SMS OTP as an authentication component has been prohibited, except for activation and reactivation; it has been regulated that all the necessary contracts with the electronic communication operators which provide short message services shall be concluded in order to ensure SIM card change inquire,
    • The open banking services have been defined in line with the Directive numbered 2015/2366/EU (Directive on payment services in the internal market-PSD2) ("Directive")1 , and regulations on open banking services were introduced.
  • Data Privacy: Detailed regulations on the protection of customer data and payment data, and cyber security has been introduced. In this regard,

    • An obligation to create a data inventory in addition to the asset inventory has been imposed,
    • It has been regulated that trace records regarding inquiries2 on sensitive data3 and personal data held by other institutions and establishments, and the purpose of these inquiries shall be kept,
    • It has been regulated that in the event of a cyber incident turning into a crisis, a leakage or disclosure of sensitive data or personal data, the sectoral SOME4 shall be informed immediately,
    • It has been regulated5 that in the event of a cyber incident causing leakage or disclosure of sensitive data or personal data, public announcements shall be made on the bank's own website or on the website where the bank offers its internet banking services,
    • Banks have been obliged to back-up such data by way of making a copy of the data as soon as possible and maintain the original until the request is fulfilled in case of data requests from judicial authorities and the BRSA,
    • It has been permitted that, besides written form, customer's consent regarding the provision of customer's data may be obtained through a permanent data register6; it has been decided that customer's consent regarding the disclosure of such information cannot be imposed as a prerequisite of the service provided,
    • It has been regulated that the international transfer of customer information is subject to BRSA's permission even if the explicit consent of the customer is obtained.


1. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32015L2366

2. Draft Regulation, "Sensitive Data" refers to 'confidential data and data used in authentication'. Therefore, concept of "Sensitive Data" differentiates from the concept of personal data defined under the Law on Protection of Personal Data numbered 6698.

3. Inquiries made in the systems of "Kredi Kayıt Bürosu" can be evaluated in this context.

4. According to Communiqué on the Procedures and Principles on the Establishment, Duties and Activities of Cyber Incidents Response Teams (OG. 11.11.2013/28818) comprising of provisions regarding the establishment and duties of CIRT, Sectoral CIRTs are established within regulatory and supervisory institutions to cover institutions, organizations and enterprises operating in their respective sectors. Pursuant to the Sectoral CIRT Establishment and Management Guide published by the Ministry of Transportation, the financial sector is designated as a critical infrastructure and the banking sector-specific sectoral CIRT is to be established within the BRSA: http://www.udhb.gov.tr/doc/siberg/Sektorel_SOME_Reh.pdf.

5. It should be emphasized that the related notification obligation must be considered as a separate obligation from the obligation to notify the related data subjects and the Personal Data Protection Authority pursuant to Article 12 of the Law on the Protection of Personal Data numbered 6698 in the event of a data breach. In this sense, in the event of a cyber incident within the banks causing a personal data breach, a public announcement must be made on the bank's website in addition to the notifications to be made to the related data subjects and the Personal Data Protection Authority.

6. The definition of a "permanent data register" has not been provided for under the Draft Regulation. However the definition of a permanent data register commonly referred to within the consumer legislation is as follows: all kinds of tools and media such as text messages, e-mail, internet, disk, CD, DVD, memory card and so on, which allows the consumer to record and inalterably copy the information which has been transmitted to or transmitted by him/her in a manner enabling the examination of such information for a reasonable period of time, in accordance with the purpose of this information.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Similar Articles
Relevancy Powered by MondaqAI
Some comments from our readers…
“The articles are extremely timely and highly applicable”
“I often find critical information not available elsewhere”
“As in-house counsel, Mondaq’s service is of great value”

Related Topics
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
Up-coming Events Search
Font Size:
Mondaq on Twitter
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions