Introduction
Banking confidentiality in Turkey is one of the core principles of Turkish banking law. Banks hold highly sensitive information about individuals, companies, investors, borrowers, depositors and financial institutions. Account balances, loan records, payment transactions, credit limits, debt history, foreign transfers, investment activity, collateral information, customer identity details and even the fact that a person is a customer of a particular bank may all be legally protected.
In modern banking, confidentiality is no longer limited to paper files kept inside a branch. Banks now process and transfer large volumes of customer data through mobile banking, internet banking, open banking interfaces, payment systems, card networks, SWIFT messages, cloud infrastructure, outsourcing providers, credit risk systems, group companies, compliance departments, audit firms, data analytics tools and foreign financial institutions. This creates a difficult legal balance: banks must protect customer secrets, but they must also comply with regulatory, judicial, anti-money laundering, tax, risk management and operational requirements.
The main legal basis for banking confidentiality in Turkey is Article 73 of Banking Law No. 5411. This provision regulates bank secrets, customer secrets, confidentiality obligations, data sharing restrictions, exceptions and the authority of the Banking Regulation and Supervision Agency, known as the BRSA or BDDK. Banking Law No. 5411 states that data and information belonging to real or legal persons, collected through banking activities and transactions after a customer relationship is established, become customer secrets. It also provides that customer secrets cannot be disclosed to or shared with domestic or foreign third parties without the customer’s request or instruction, even if explicit consent is obtained under the Personal Data Protection Law, except for statutory exemptions.
This article explains banking confidentiality in Turkey, including customer secrets, bank secrets, data sharing rules, legal exceptions, group company transfers, foreign transfers, KVKK interaction, MASAK obligations, litigation disclosures and remedies for confidentiality breaches.
1. What Is Banking Confidentiality in Turkey?
Banking confidentiality means that banks, bank employees, managers, auditors, service providers and other persons who learn bank secrets or customer secrets due to their duties cannot disclose such information to unauthorized persons. This duty continues even after employment or office ends.
The BRSA’s Regulation on the Disclosure of Confidential Information expressly states that persons who learn the secrets of banks or their clients due to their titles and duties cannot disclose those secrets to anyone other than authorities expressly authorized by law, and that this obligation continues after leaving office.
Banking confidentiality serves several purposes. It protects customers’ privacy. It safeguards commercial secrets. It supports confidence in the banking system. It prevents misuse of financial information. It protects banks against reputational and operational risks. It also ensures that data sharing occurs only when there is a lawful basis, proper purpose and proportional scope.
In practice, confidentiality may apply to both individual and corporate customers. A company’s credit line, loan default, cash flow, supplier payments, payroll account, export revenue, collateral structure or refinancing negotiations may be commercially sensitive. An individual’s account balance, credit card spending, mortgage debt, salary account or transfer history may be private and legally protected.
2. Difference Between Bank Secrets and Customer Secrets
Turkish law distinguishes between bank secrets and customer secrets. A bank secret generally refers to confidential information belonging to the bank itself. This may include internal systems, business strategies, internal risk models, audit findings, bank-specific commercial information, financial structure or operational information.
A customer secret, on the other hand, refers to confidential information relating to a bank customer. The BRSA regulation states that, specific to banking activities, data pertaining to natural and legal persons that arise after the establishment of a client relationship with banks becomes a client secret. It also states that information indicating that a real or legal person is a client of the bank is itself a client secret.
This is a very important point. The confidentiality obligation does not protect only account balances or transaction details. Even confirming that a person has an account with a particular bank may fall within the scope of customer secrecy.
For example, if a third party calls a bank and asks whether a person has an account, the bank generally cannot confirm this unless there is a lawful basis, customer request or statutory exception. Similarly, a bank employee cannot disclose that a company is negotiating a loan facility or that a customer has defaulted on a credit card.
3. When Does Customer Secret Status Begin?
Customer secret status generally begins after the establishment of a customer relationship with the bank. However, the BRSA regulation provides additional nuance. Data that existed before the customer relationship and does not alone constitute a customer secret may become a customer secret when processed together with data generated after the customer relationship, in a way that indicates the person is a bank customer.
This means that ordinary personal or commercial data may become protected as a customer secret when combined with banking context. For example, a person’s name and phone number may not alone be a bank customer secret. But when processed in a bank’s customer database together with account or transaction records, they may become part of the protected confidentiality framework.
This rule is especially important for digital banking, customer relationship management systems, marketing analytics, credit scoring tools and group-level data platforms. Banks must evaluate not only the type of data but also the context in which it is processed.
4. Customer Consent Is Not Always Enough
One of the most distinctive features of Turkish banking confidentiality law is that customer consent alone may not always be sufficient for sharing customer secrets. Banking Law No. 5411 provides that, except for statutory exemptions, customer secrets cannot be shared with third parties in Turkey or abroad without the customer’s demand or instruction, even if explicit consent is obtained under the Personal Data Protection Law.
The BRSA regulation repeats this approach. It states that, except for exempted cases, client confidential information cannot be shared with third parties in Turkey or abroad without a request or instruction from the client, even if the client’s explicit consent is obtained. It also provides that the client’s consent, request or instruction cannot be made a prerequisite for the services to be provided by the bank.
This is a critical compliance point. Under general personal data protection law, explicit consent may sometimes be a legal basis for data processing or transfer. But banking confidentiality imposes a stricter sector-specific rule. For customer secrets, banks generally need the customer’s request or instruction unless a legal exception applies.
This prevents banks from using broad consent forms to justify unnecessary data sharing. It also prevents banks from forcing customers to approve unrelated data transfers as a condition of receiving banking services.
5. The Principle of Purpose Limitation and Proportionality
Even where data sharing is legally permitted, the bank cannot share unlimited information. Both Banking Law No. 5411 and the BRSA regulation emphasize purpose limitation and proportionality. Banking Law No. 5411 provides that bank secrets and customer secrets may be shared only for specified purposes and limited to the data required for those purposes.
The BRSA regulation gives detailed guidance. It states that confidential information may be shared only if it is limited to the specified purposes and includes only as much data as required. It also states that if the stated purpose can be achieved without some of the shared data, the sharing cannot be considered proportionate.
This principle has practical consequences. If a bank needs to share a customer’s identity confirmation with a payment system, it should not transfer the customer’s full credit history. If a bank shares data with a service provider for fraud monitoring, it should not include unrelated personal or financial data. If data can be aggregated, anonymized or de-identified while still achieving the purpose, the bank should consider those methods.
Data minimization is therefore not only a KVKK principle. In banking confidentiality, proportionality is a direct regulatory requirement.
6. Legal Exceptions to Banking Confidentiality
Turkish law recognizes several exceptions to banking confidentiality. These exceptions exist because banks must sometimes share information for regulatory supervision, judicial proceedings, risk management, financial reporting, audit, anti-money laundering compliance, payment transactions, group-level controls and legally authorized public requests.
The BRSA regulation states that sharing bank secrets or customer secrets with authorities expressly authorized by law does not constitute a breach of confidentiality. It also provides exceptions for certain information exchanges among banks and financial institutions, parent company reporting, prospective buyer due diligence for significant share transfers, litigation defense, arbitration, mediation and disclosures under Law No. 5549 on anti-money laundering.
However, exceptions should be interpreted carefully. The existence of an exception does not mean that all data may be shared freely. Purpose limitation, proportionality, confidentiality safeguards and documentation duties still matter.
7. Sharing with Public Authorities
Banks may be required to share customer information with public authorities that are expressly authorized by law. These may include courts, prosecutors, enforcement offices, tax authorities, regulatory authorities, MASAK, the BRSA, the Central Bank of the Republic of Türkiye or other legally authorized institutions.
For example, a court may request bank records in a civil dispute. A prosecutor may request transaction records in a criminal investigation. A tax authority may request account information under tax legislation. MASAK may request documents for anti-money laundering analysis. An enforcement office may send attachment instructions to banks.
In these cases, the bank should verify the legal authority, scope and purpose of the request. It should provide the legally required information but avoid excessive disclosure. If the authority requests information beyond its legal power, the bank may need to seek clarification or legal review.
8. Litigation, Arbitration and Mediation Exceptions
Banking disputes often require disclosure of customer or bank information. For example, a bank may need to submit loan records in a lawsuit against a borrower. It may need to disclose account transactions in a fraud dispute. It may need to share documents with lawyers, experts, courts, arbitrators or mediators.
The BRSA regulation provides that, where disclosure is mandatory for proving a claim or defense in disputes to which the bank is a party, disclosures made to judicial authorities, alternative dispute resolution authorities such as arbitration and mediation bodies, or representatives of the bank in those disputes do not constitute a breach of confidentiality.
This exception is necessary because a bank must be able to defend itself. However, litigation disclosure should still be limited to what is necessary for the claim or defense. Banks should avoid submitting irrelevant customer data to court files, especially where the file may be accessible to other parties.
9. Information Sharing Among Banks and Financial Institutions
Banks and financial institutions may need to share certain information for credit risk assessment, fraud prevention, payment systems, interbank operations, syndicated loans, correspondent banking, risk center reporting and regulatory compliance.
The BRSA regulation recognizes an exception for exchanging information and documents among banks and financial institutions directly or through the Risk Center or companies established by at least five banks or financial institutions, provided that confidentiality agreements and purpose limitation requirements are satisfied.
This exception is important for credit markets. A bank cannot properly evaluate credit risk if it has no access to certain shared risk data. However, data sharing must remain controlled. A borrower’s credit information should not be shared for unrelated marketing purposes or transferred to unauthorized parties.
10. Parent Companies, Group Companies and Consolidated Risk Management
Banks that are part of financial groups may need to share information with parent companies or controlling shareholders for consolidated financial reporting, risk management and internal audit. This is particularly important for foreign-owned banks and international banking groups.
The BRSA regulation permits sharing information with parent companies, including domestic or foreign credit institutions and financial institutions holding at least ten percent of the bank’s capital, for consolidated financial statement preparation, risk management and internal audit practices.
However, this does not allow unlimited group data transfers. The bank must ensure confidentiality, security, purpose limitation and proportionality. Where data makes a customer identifiable, disclosure must be documented and kept ready for audit, and certain information about third-party recipients must be reported to the BRSA in the required format and periods.
For foreign banking groups, this is a major compliance issue. Global reporting systems must be aligned with Turkish banking secrecy rules, not only with headquarters policies.
11. Outsourcing, Audit, Rating and Support Services
Banks rely on many external service providers: auditors, law firms, rating agencies, IT companies, cloud infrastructure providers, call centers, payment processors, cyber security vendors, data analytics companies, risk model providers and consultants.
Banking Law No. 5411 recognizes certain exceptions for services such as valuation, rating, outsourcing and independent audit, provided that necessary measures are taken and disclosure is limited to specified purposes.
The legal risk is that outsourcing may involve large-scale access to customer data. A vendor may process account records, transaction logs, identity documents, call recordings or fraud alerts. Banks should therefore use detailed confidentiality agreements, data processing clauses, audit rights, access controls, data localization analysis, incident notification duties and termination rights.
A bank cannot avoid responsibility simply by saying that a vendor caused the breach. The bank remains responsible for maintaining confidentiality and ensuring that third parties process data lawfully and securely.
12. Cross-Border Transfers of Banking Confidential Information
Cross-border transfers are among the most sensitive issues in banking confidentiality. A bank may need to transfer customer data abroad for group reporting, correspondent banking, SWIFT transactions, foreign card networks, cloud services, international audits, foreign regulatory requests or cross-border transactions.
Banking Law No. 5411 authorizes the BRSA, following an assessment concerning economic security, to prohibit the sharing or disclosure of customer secrets or bank secrets with third parties abroad and to require domestic retention of information systems and backups used by banks for banking activities.
This means cross-border transfer is not only a data protection issue. It is also a banking regulation and economic security issue. Banks should evaluate whether the transfer is mandatory for the transaction, whether a statutory exception applies, whether customer request or instruction is required, whether KVKK transfer rules are satisfied, whether the transfer is proportionate, and whether the BRSA has imposed any limitation.
13. Interaction with Turkish Personal Data Protection Law
Banking confidentiality and personal data protection are closely connected but not identical. Banking confidentiality protects bank secrets and customer secrets, including corporate customer secrets. Personal data protection protects personal data relating to identified or identifiable natural persons.
The Personal Data Protection Law No. 6698, known as KVKK, aims to protect fundamental rights and freedoms, particularly privacy, in relation to personal data processing, and sets obligations, principles and procedures for data processors and controllers.
Banks must comply with both regimes. If the customer is a natural person, account data may be both personal data and customer secret. If the customer is a company, corporate account data may be a customer secret even if it is not personal data. Therefore, KVKK compliance alone is not enough for banking confidentiality compliance.
KVKK obligations include informing data subjects, processing personal data lawfully, respecting data subject rights, ensuring data security and responding to requests within statutory periods. The KVKK text also states that data controllers and data processors cannot disclose personal data they learn contrary to the law or use it for purposes other than processing, and that this obligation continues after the end of their term of office.
14. Cross-Border Personal Data Transfers and Banking Secrecy
If customer secret information also qualifies as personal data, cross-border transfer must satisfy both banking secrecy rules and KVKK transfer rules. In 2024, Turkey amended the rules on personal data transfers abroad, and the Personal Data Protection Authority published standard contract materials for international transfers. The standard contract materials state that the contract provides appropriate safeguards for personal data transfer abroad under Article 9 of KVKK and the relevant by-law.
For banks, this means a cross-border transfer analysis may require two separate questions:
First, is the transfer permitted under banking confidentiality rules?
Second, is the transfer lawful under KVKK?
A transfer may fail if either answer is negative. For example, even if KVKK safeguards are in place, the bank may still need a customer request or instruction unless a banking secrecy exception applies. Conversely, even if a banking secrecy exception applies, KVKK obligations may still apply for personal data of natural persons.
15. MASAK and Anti-Money Laundering Exceptions
Banks are obliged parties under anti-money laundering law. They must identify customers, monitor transactions, keep records, report suspicious transactions and provide information to MASAK where legally required.
The main Turkish AML statute is Law No. 5549 on Prevention of Laundering Proceeds of Crime, whose purpose is to determine principles and procedures for preventing money laundering.
The BRSA regulation expressly refers to information sharing under Article 5 of Law No. 5549 as an exception to confidentiality in the relevant context.
This is logical because AML compliance would be impossible if banks could not report suspicious transactions or provide records to MASAK. However, AML-related disclosures must be handled carefully. Banks should avoid tipping off customers, should disclose only to authorized persons, and should keep internal records showing the legal basis of the disclosure.
16. Payment Systems and Transaction Necessity
Banking transactions often require information to move through domestic or foreign systems. For example, an international wire transfer may require the customer’s name, account number, bank details and transaction purpose to be shared through correspondent banks or messaging systems. A card payment may involve card networks and acquiring banks. A securities transaction may involve settlement systems.
The BRSA regulation recognizes that interaction with domestic or foreign banks, payment service providers, settlement systems or messaging systems may be necessary due to the nature of the transaction and that sharing customer confidential information may be a mandatory element of the transaction.
This is an important operational exception. A bank cannot perform an international transfer without transmitting certain data. However, the data shared must still be limited to what the transaction requires.
17. Health and Sexual Life Data Restriction
The BRSA regulation contains a strict rule regarding sensitive personal data. It states that, in sharing confidential information relating to real person clients, the general KVKK principles must be followed, and personal data relating to health and sexual life cannot be shared with domestic or foreign parties on the basis of one of the situations exempted from the secrecy obligation, even if such data is in the nature of client secrets.
This rule is particularly relevant for banks involved in insurance-linked products, medical payment data, health-related credit products, private banking advisory services or customer records that may reveal sensitive personal information.
Banks should avoid processing or sharing sensitive data unless strictly necessary and legally justified.
18. Confidentiality in Digital Banking and Open Banking
Digital banking increases the importance of confidentiality. Mobile applications, APIs, online onboarding, remote identity verification, digital credit scoring, open banking interfaces and fintech partnerships all involve data sharing.
Open banking creates additional complexity because customers may instruct data sharing with third-party providers. In such cases, banks must verify the customer’s instruction, ensure transaction security, limit the data transfer to the requested scope and comply with sectoral regulations.
A fintech integration should not be implemented only from a technical perspective. Legal teams should review whether the data qualifies as customer secret, whether customer instruction is valid, whether the third-party provider is authorized, whether data minimization is applied, whether cross-border transfer occurs and whether the bank can audit the integration.
19. Confidentiality in Bank Mergers, Acquisitions and Due Diligence
Bank share sales, mergers, acquisitions and asset transfers may require disclosure of confidential information to potential buyers or advisers. The BRSA regulation permits certain disclosures to prospective buyers for valuation studies concerning share sales representing ten percent or more of a bank’s capital, subject to confidentiality agreement and purpose limitation conditions.
This is significant in bank M&A transactions. Potential buyers need due diligence access, but customer secrets must be protected. Data rooms should be carefully structured. Customer data should be anonymized, aggregated or redacted where possible. Access should be limited. Confidentiality agreements should be strict. Downloading, copying and onward transfer should be controlled.
20. Breach of Banking Confidentiality
A breach of banking confidentiality may occur in many ways. A bank employee may disclose account information to an unauthorized person. A branch may give customer data to a relative without authority. A bank may share customer data with a group company for marketing without proper basis. A vendor may leak data. A customer’s loan status may be disclosed to a business competitor. A bank may send statements to the wrong e-mail address. A call center may confirm customer status to a third party.
Possible remedies depend on the facts. The affected customer may file a complaint with the bank, request an internal investigation, apply to the BRSA where appropriate, use KVKK remedies for personal data, claim compensation before civil courts, initiate consumer or commercial proceedings depending on status, or file a criminal complaint if the conduct constitutes a criminal offense.
The customer should preserve evidence immediately. Screenshots, e-mails, SMS messages, call records, written bank responses, witness statements and documents showing damage may be important.
21. Bank Liability for Confidentiality Breaches
A bank may be liable if confidentiality is breached due to its own actions, employees, systems or service providers. Liability may arise from breach of statutory duty, breach of contract, tort, data protection violation, consumer law or commercial law depending on the case.
To claim compensation, the customer generally needs to establish unlawful disclosure, fault or responsibility, damage and causal link. In some cases, reputational harm, loss of business opportunity, emotional distress or financial loss may be claimed, but these must be supported with evidence.
For corporate customers, confidentiality breaches may cause serious commercial damage. Disclosure of a refinancing attempt, loan default, blocked account, tax investigation or cash-flow problem may harm negotiations with suppliers, customers or investors. For individual customers, disclosure of financial hardship, credit card debt or personal transactions may violate privacy and dignity.
22. Internal Compliance Measures for Banks
Banks should maintain robust confidentiality compliance systems. These should include:
Written confidentiality policies.
Access controls and role-based authorization.
Employee training.
Logging and monitoring.
Data classification.
Vendor due diligence and confidentiality clauses.
Data minimization procedures.
Internal approval workflows.
Customer instruction verification.
Incident response plans.
Audit trails.
Disciplinary rules.
Board-level oversight.
Access to customer data should be based on need-to-know. A branch employee should not be able to view unrelated customer accounts without business necessity. Internal systems should log access and detect suspicious viewing patterns. Sensitive customer files should have additional controls.
Employee training is essential. Many breaches occur not through complex cyberattacks but through careless communication, informal sharing, unauthorized family inquiries, wrong e-mail recipients or misunderstanding of customer consent.
23. Practical Checklist for Banks
A bank operating in Turkey should follow a structured confidentiality checklist:
Identify whether the data is a bank secret, customer secret, personal data or all of them.
Determine whether the customer relationship has been established.
Check whether the disclosure is based on customer request or statutory exception.
Avoid relying only on explicit consent for customer secret sharing.
Apply purpose limitation and proportionality.
Use anonymization or aggregation where possible.
Verify public authority requests.
Document disclosures.
Control group company transfers.
Review cross-border transfers under both banking secrecy and KVKK.
Ensure vendor confidentiality and audit rights.
Train employees regularly.
Monitor unauthorized access.
Respond quickly to incidents.
24. Practical Checklist for Customers
Customers should also protect their banking confidentiality rights:
Request written explanations when data is disclosed.
Avoid signing broad and unclear data sharing instructions.
Check whether the bank makes data sharing a condition of unrelated services.
Use written complaints rather than verbal call center complaints.
Preserve evidence of unauthorized disclosure.
Request correction or deletion where appropriate under KVKK.
Ask who received the data and for what purpose.
File legal complaints where serious damage occurs.
For companies, include confidentiality controls in banking relationship agreements.
25. Common Mistakes in Banking Confidentiality Compliance
Common mistakes include assuming that customer consent alone is enough, sharing more data than necessary, treating group companies as internal departments, failing to document foreign transfers, using broad marketing consents, disclosing customer status to unauthorized callers, failing to separate customer secrets from ordinary personal data, ignoring KVKK in corporate banking systems involving individual representatives, and failing to monitor vendor access.
Another mistake is treating regulatory exceptions as unlimited permissions. Even where disclosure is permitted, the bank must still consider proportionality, purpose, data minimization and security.
26. Why Legal Support Is Important
Banking confidentiality in Turkey is technical because it combines banking law, KVKK, AML compliance, litigation procedure, outsourcing, cross-border transfers, fintech regulation and contractual risk management.
A Turkish banking lawyer may assist with confidentiality policies, customer data sharing structures, group transfer analysis, banking secrecy disputes, BRSA compliance, KVKK alignment, fintech and open banking agreements, outsourcing contracts, MASAK-related disclosure procedures, litigation disclosure strategy and compensation claims.
Legal support is especially important where customer data is transferred abroad, shared with group companies, disclosed in litigation, processed by fintech partners, requested by foreign authorities, or involved in a data breach.
Conclusion
Banking confidentiality in Turkey is a strict and sophisticated legal regime. Article 73 of Banking Law No. 5411 protects customer secrets and bank secrets, while the BRSA Regulation on the Disclosure of Confidential Information provides detailed rules on data sharing, legal exceptions, purpose limitation and proportionality.
The most important principle is that customer secret information cannot generally be shared with domestic or foreign third parties without the customer’s request or instruction, even if explicit consent is obtained under KVKK, unless a statutory exception applies. This makes Turkish banking secrecy stricter than ordinary personal data consent rules.
However, confidentiality is not absolute. Banks may share information with legally authorized public authorities, courts, arbitrators, mediators, MASAK, regulatory bodies, parent companies, banks, financial institutions, auditors, service providers and transaction systems where legal conditions are met. In all cases, sharing must remain limited to the specified purpose and proportionate to what is necessary.
For banks, compliance requires strong governance, data classification, employee training, access control, vendor management, cross-border transfer review and documentation. For customers, banking confidentiality provides meaningful protection against unauthorized disclosure of financial and commercial information.
In Turkish banking law, confidentiality is not merely an ethical duty. It is a statutory obligation that protects trust in the financial system, privacy of individuals, commercial secrets of companies and the integrity of banking relationships. A bank that mishandles customer secrets may face legal, regulatory, reputational and financial consequences. A customer whose banking secrets are unlawfully disclosed may have strong legal remedies, provided that the claim is supported by clear evidence and the correct legal route is chosen.