New Regulation on Information Systems of Banks and Electronic Banking Services 

Turkiye

The Regulation on Information Systems of Banks and Electronic Banking Services ("Regulation") was published in the Official Gazette on March 15, 2020 and will enter into force on July 1, 2020. With the enactment of the Regulation, the Communiqué on the Principles to be Based on Information Systems Management in Banks ("Communiqué"), to which banks are currently subject, will be repealed.

The Regulation covers measures to be taken regarding (i) the transmission and security of personal data and sensitive data, (ii) the querying of this data and the preservation of records of those queries and (iii) the restriction of transfers of this data abroad.

With respect to the information assets of banks' information systems, the Regulation also governs the asset inventory and data inventory, the security classes and access rights of assets and data, and the asset classification guide.

For the purposes of information systems continuity, the Communiqué dictates that the primary systems, and the secondary systems that include data and system backups, shall be kept domestically. It also requires the continuation of services within twenty-four (24) hours at the latest, even in disaster scenarios where primary systems are completely disabled.

The Communiqué further introduces provisions on establishing redundancy for critical hardware and systems, creating appropriate alternative communication channels against interruptions in the network and communication infrastructure, and putting backup plans in writing.

The Regulation explains in detail the work that banks should do on cyber incident management and the responsibilities they must fulfill through the Corporate Cyber Incidents Response Team (SOME). The work to be done to raise information security awareness throughout the bank is also regulated within the scope of the Regulation.

Electronic banking services are regulated in a separate section of the Regulation. These services include all kinds of electronic distribution channels, such as internet banking, mobile banking, telephone banking, open banking services and ATM devices, through which customers can perform remote banking transactions without going to the physical branches of the bank. In this respect, the measures to be undertaken on authentication and transaction security, tracking transactions, ensuring service quality and informing customers are set out in detail.

For more information about the new Regulation, contact your regular CMS advisor or local CMS experts: Dr. Döne Yalçın or Alaz Eker Ündar.