The Banking Regulation and Supervision Agency (“the Agency”) issued the communiqué on the Management and Auditing of Information Systems (“the Communiqué”), which entered into force following its publication on the Official Gazette on 6 April 2019.
The Communiqué regulates the management of all information systems used by leasing, factoring and financing companies and the supervision of authorized auditors. Companies are required to ensure that their existing activities and systems are following this Communiqué within one (1) year from the date of entry into force of the Communiqué.
Which legal entities are subject to these obligations?
All financial leasing, factoring and financial and capital markets institutions, established in Turkey, fall under the scope of the Communiqué.
Which duties are set forth under the Communiqué?
The primary duties of the companies that fall within the scope of the Communiqué can be summarized as follows:
- Developing policies and processes in three main categories related to information systems: (i) information systems management; (ii) information systems risk measurement; analysis and monitoring; and (iii) information security;
- Allocating financial and human resources for information systems’ management and security;
- Implementing an audit trail mechanism designed to track financial or operational processes by monitoring unauthorized access attempts, unauthorized accesses and user transactions and maintaining the records obtained from this mechanism for a minimum of three (3) years;
- Ensuring the confidentiality and security by classifying all data pertaining to information systems according to security sensitivity levels, including user information;
- Establishing an appropriate authorization access control in terms of access to the system, service and data to ensure data security;
- Establishing an appropriate authentication mechanism for user transactions conducted on information systems, thereby ensuring security against unauthorized access;
- Creating inventories such as: (i) hardware inventory which includes information regarding type of hardware, brand, model, date of purchase, physical location, applications on hardware and person(s) authorized to make the configuration on hardware, hardware criticality level; (ii) software inventory which includes information regarding version of software, the data it has authorized to access, development environment, software criticality level and; (iii) data inventory, which includes information regarding the database where the data is located, whether the backup is received, the logical address of the backup, the applications that use the data, person(s) who can access the data, the level of criticality of the data. For the purposes of managing the information systems , inventory records shall be kept for 3 years and shall be up-to-date; and
- Taking security measures against the internal and external threats to the physical security of information systems.
Who is responsible for the establishment and operation of these systems?
The Communiqué states that the implementation of data security policies must be monitored by senior management who is responsible for operations, and that the boards of directors of the companies have overall responsibility for establishing effective and sufficient oversight of information systems.
Who shall audit the companies in regard to compliance with the provisions of the communiqué and how?
The Communiqué regulates internal audit processes conducted by the board of directors in accordance with the policies determined by the senior management within the scope of information systems management shall be audited by independent auditors. The audit organizations reports to The Agency on the adequacy and compliance of the internal controls in the report. Information systems audit is conducted every three years. The Agency determines the companies to be audited, the audit year and the date on which the audit company’s report will be sent. The Agency has the discretion to amend scope and the frequency of the inspection of independent audit.
What would be the penalties when the companies are non-compliant with the Communiqué?
The existing penalties listed under the Banking Law numbered 5154 and dated 11.10.2015 will likely remain applicable since the Communiqué does not specify particular administrative or criminal penalties that would be applicable for the lack of compliance with the obligations regarding the management of the information systems.
Author: Bengisu Delibalta