Banks are subject to specific cyber security obligations under the BRSA (Banking Regulation and Supervision Agency) regime and Banking Law No. 5411.
Basic Regulations
- Regulation on Banks' Information Systems
- BRSA Board decision: penetration testing obligation
- ISO 27001 certification (mandatory)
- Business Continuity Plan (BCP)
- Disaster Recovery Plan (DRP)
Penetration Tests
- Must be performed annually
- Results are reported to BRSA by an independent third party
Data Breach Notification
The bank must report a data breach to BRSA immediately, and must also notify its customers and the KVKK Authority (Art. 12/5).
Artificial Intelligence and Algorithm Governance
BRSA expects AI systems such as credit scoring and fraud detection models to be explainable and auditable.
Sanction
- BRSA administrative fine
- Withdrawal of the operating licence (in case of serious violations)
- Additional KVKK penalty
Consulting a lawyer specialising in banking and IT law is recommended.