Financial Leasing, Factoring and Financing companies: New legislation requires IT systems to be kept in Turkey


The Banking Regulation and Supervision Agency (“BRSA”) has released a Communiqué on the Management and Supervision of Information Systems of Financial Leasing, Factoring and Financing Companies (the “Communiqué”), which is based on the Law on Financial Leasing, Factoring and Financing Companies (“Law”) and on the Regulation on Principles of Establishment and Operation of the Financial Leasing, Factoring and Financing Companies (“Regulation”).

Entities concerned:

The principles and requirements introduced by the Communiqué apply to financial leasing companies, factoring companies and financing companies established in Turkey (each a “Concerned Entity”).

Fundamental issues:

The Communiqué requires, inter alia, that Concerned Entities establish their primary and secondary systems (infrastructure, hardware, software systems) inside Turkey.

In cases of outsourcing arrangements related to information systems and all their backups, the relevant service provider should also establish and keep such systems inside Turkey.

Other principles introduced by the Communiqué:

  • The Concerned Entities must establish policies and procedures related to their information systems, which will be reviewed, updated (if necessary) and approved by the boards of directors of such Concerned Entities.

  • Internal control units within the Concerned Entities must prepare reports setting out the relevant entity’s compliance with the applicable legislation and the policies and procedures adopted internally. The report must be submitted to the board of directors of the relevant Concerned Entity for assessment.

  • The Concerned Entities must establish network control security systems to eliminate any potential threats from external networks.

  • The Concerned Entities must take necessary precautions against external cyber-attacks and conduct leak tests (“sızma testi”) every two (2) years to ensure all information is safeguarded from a data privacy point of view.

  • An appropriate identity validation mechanism is to be established by the Concerned Entities for the transactions performed via information systems, which includes the whole process through which customers and personnel complete their transactions and leave the system.

Restrictions regarding internet services, information systems and independent audits:

As for online services offered by the Concerned Entities, the Communiqué requires that an adequate infrastructure is to be installed to:

  1. guarantee that the platform on which the customer performs the transaction belongs to the relevant Concerned Entity;

  2. ensure that the necessary authentication mechanism is appropriate for the potential risks posed by the transaction in question; and

  3. inform users/customers about security risks.

Transition process:

The Communiqué requires that the Concerned Entities ensure compliance with the principles it introduces within one (1) year of the effective date of the Communiqué, namely 1 January 2019.


Please do not hesitate to contact us for further details on the subject or with any specific questions.