Bezen & Partners | News

The Capital Markets Board's New Communiqués On The Management And Independent Audit Of Information Systems

The Capital Markets Board (the “CMB”) (Sermaye Piyasası Kurulu) has recently published two new communiqués on the management and independent audit of the information systems, namely (i) the Communiqué on the Management of Information Systems (VII-128.9) (the “IT Systems Communiqué”) (Bilgi Sistemleri Yönetimi Tebliği); and (ii) the Communiqué on the Independent Audit of the Information Systems (III-62.2) (the “Independent IT Audit Communiqué”) (Bilgi Sistemleri Bağımsız Denetim Tebliği).

The IT Systems Communiqué provides the basis of how information systems should be established and managed and the Independent IT Audit Communiqué regulates how systems should be audited and inspected by accredited independent auditors. Overall, CMB’s approach to IT matters appears broadly consistent with those of the banking regulator, the Banking Regulatory and Supervisory Agency.

Entities which fall under the scope of the IT Systems Communiqué are the Istanbul Stock Exchange (Borsa İstanbul A.Ş.), stock markets, operators of stock markets and other regulated markets, retirement pension funds, Istanbul Clearing, Settlement and Custody Bank (İstanbul Takas ve Saklama Bankası A.Ş.), the Central Registration Agency (Merkezi Kayıt Kuruluşu A.Ş.), custodians, the Capital Markets Licensing Registry and Education Institution (Sermaye Piyasası Lisanslama Sicil ve Eğitim Kuruluşu A.Ş.), all capital markets institutions, publicly listed partnerships, the Turkish Capital Markets Association (Türkiye Sermaye Piyasaları Birliği) and the Turkish Appraisers Association (Türkiye Değerleme Uzmanları Birliği) (the “Capital Markets Entities”).

Pursuant to the IT Systems Communiqué, Capital Markets Entities will need to develop policies on the management of risks associated with their information systems and allocate appropriate financial and human resources for such purposes and ensure appropriate safeguards and protections are available for its data. The IT Systems Communiqué requires both primary and secondary information technology systems to be located within the Republic of Turkey.

Additionally, those Capital Markets Entities specified in the Independent IT Audit Communiqué are required to be audited by independent accredited auditors on a periodical basis and a copy of final audit reports must be submitted to the CMB.

The IT Systems Communiqué provides that banks, insurance companies, financial leasing, factoring and financing companies, which are already subject to comparable IT requirements under applicable banking regulations, will deemed to have fulfilled the requirements under the IT Systems Communiqué by complying with relevant banking regulations.

Note that portfolio management companies subject to regulatory capital requirements of below TRY5 million, certain investment firms, certain market infrastructures, asset lease companies and certain publicly held companies are offered exemptions from certain requirements of the IT Systems Communiqué.

Last Updated: 9 April 2018


Murat Soylu

Can Özilhan

Yasemin Keskin