New Regulation On Bank's Information Systems And Outsource Services
parallax background

Deniz Mina Küpana


New Regulation On Bank's Information Systems And Outsource Services

On 15 March 2020 the Regulation on Banks' Information Systems and Electronic Banking Services ("Regulation") prepared by the Banking Regulation and Supervision Agency ("BRSA") has been published in the Official Gazette. The Regulation, which sets out the procedures and principles regarding the information systems of Banks, will enter into force on 1 July 2020.

The Regulation sets out new procedures like network security, data privacy and cyber security, while the new principles introduced about outsource services will become an important topic in the next days. In the sixth part of the Regulation, the process regarding the outsourcing procurement will play a guiding role about third party management for the business world.

As per the Article 29 of the Regulation's important topics are explained below;

  • The Role of Executive Management

The Bank's executive management is responsible for establishing a mechanism about the outsource services and managing the risk factors in the process. In this context, considering risk management in the organization, paying attention on the choosing of outsource service providers and audit procedures are only few of the regulations introduced in the Article. 1

Providing such a role for management is also important for all information security and data privacy processes. Because the support of the organization's top management will be the key point of this process.

  • The Agreement Between Parties

One of the topics that draw attention within the Regulation is the rules regarding the contract between the parties. The Regulation determines the minimum elements of the contract to be signed with third-party providers regarding outsourced service procurements.

In the contract, especially confidentiality, data breach and measures are accepted as high point topics. Since many of these subjects and more have been emphasized within the scope of KVKK2, which has been in force since 2016.

Standardizing of agreements will also be important for the management of third parties and post-contract procedures. Since now, contracts with the outsource service providers will become standardized and any possible dispute or other processes between the parties will be more manageable for the Banks.

  • Creating a Third-Party Management Procedure

According to The Regulation banks from now on should act in accordance with their information security policies while working with third parties and and they are also responsible for preparing updated procedures in accordance with these policies.

Thus, Banks establish the standards and guidelines for all employees and contractors who work with third-parties. Third Party Management Procedures is also important to the Banks because it enables the organization to control the risks associated with outsourced relationships. One of the important point of this obligation is to identify a responsible person for all these works. For a sustainable third-party management, it is important to make clear who is responsible for this process.

  • Taking Necessary Measures

Banks are obliged to take all necessary measures while working with third parties. In addition, they should pay attention to sharing information by acting in accordance with the principles specified in KVKK.3

Access Control which is also counted in the guidelines prepared by Turkish Data Protection Authority i4s one these measures. It is an important point that the Regulation includes similar topics with the data protection law.

  • Limitation of Services

With the Regulation, it has been emphasized that some internal services can not be outsourced due to importance and risk of these subjects. İnternal audit and critical issues are given as an example.

The Regulation aims to reduce the the risk of outsourcing critical and important services and indicate to provide these services by Bank employees.

  • Local Outsourcing

One of the most important topics brought under the Regulation is undoubtedly the regulation for the use of local outsource services and products. According to the Regulation, critical information systems and the production of goods should outsource locally.

Especially in these days transfering the personal data abroad is a very problematic topic according to KVKK so the Regulation's local outsourcing rule will be mentioned a lot.

Consequently, outsource services are an important topic due to unpredictable risks for most of the companies. For this reason, third party management has become a serious topic for many organizations. This Regulation is an important step to minimize all these risks for the Banks but it is also significant for many institutions and organizations in the coming days. Today, when there are so many data breachs due to outsourcing services, the Regulation is undoubtedly important in many respects.


1 Article 29 (1), The Regulation on Banks' Information Systems and Electronic Banking Services

2 The Personal Data Protection Law No:6698

3 Article 4, The Personal Data Protection Law No:6698


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.