As far as the duty of confidentiality is concerned, there are two distinct laws: Law 5411 governs the confidentiality of banking and financial information, and the Personal Data Protection Law (Law No. 6698) prohibits or limits disclosure, processing, and transfer of personal information, including client information.1
The Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers defines 'sensitive customer data' as personal data and customer security information used in issuing payment orders or verifying identity. These details, if accessed or tampered with by third parties, could potentially lead to fraud or fraudulent transactions being made in the customer's name. As such, fintech companies must implement appropriate safeguards to preserve the secrecy of sensitive customer data and their own data when procuring external services.1
The Regulation for Disclosure of Confidential Information was initially published in the Official Gazette dated 4 June 2021, with a planned effective date of 1 January 2022; however, this has now been amended to 1 July 2022 through the Regulation Amending the Regulation for Disclosure of Confidential Information. The regulation references Law No. 6493 and seeks to set out the terms, methods and principles pertaining to the sharing and transfer of confidential bank and customer data. Article 73 of Law No. 5411 deals specifically with confidentiality obligations, exceptions and definitions of confidential customer data, which have been incorporated into the regulation.1
Decisions Nos. 2020/191, 2020/192, 2020/193 and 2020/194 of 3 March 2020 notified that several factoring companies had violated the data stored in the Banks Association of Turkey Risk Centre. Since some of the factoring companies' employees had transferred data collected through the Risk Centre to unauthorised individuals, the Board imposed administrative sanctions on them.1
The Regulation on Banks' Information Systems and Electronic Banking Services enables banks to use cloud computing systems as an external service tool, provided the systems are held in Turkey in accordance with the regulation's provisions. The Communiqué on Management and Supervision of Information Systems of Payment Institutions and Electronic Money Institutions requires these institutions to maintain their primary and secondary systems inside Turkey, with cloud computing being included within those systems. Thus, if electronic money or payment institutions store information through external cloud services, the data centres must be situated in Turkey.1
Cross-border payments in Turkey