The Risks and Consequences of Sharing Bank Account Information with Third Parties in Türkiye: 2026 Overview
Legal Framework and Protection of Client Confidentiality
In Türkiye, the transfer of bank account information to third parties is strictly limited under the Banking Law and the Personal Data Protection Law (KVKK). According to recent amendments, all data concerning corporate or individual clients, obtained through their relationship with a bank, are defined as client secrets.
A critical point is that even the client’s explicit consent under the KVKK is not sufficient for the legal transfer of such data. Data cannot be shared with domestic or foreign third parties without a written request or instruction from the client. When it comes to transfers abroad, an additional condition applies: following an economic security evaluation by the Central Bank of the Republic of Türkiye (CBRT), banks may be prohibited from sharing client-related data with foreign entities.
Operational Risks of Unauthorized Data Transfers
The unauthorized distribution of banking information exposes institutions to multiple operational and financial risks, including:
- identity theft and fraud: account and personal details may be used by malicious actors
- unauthorized fund transfers: sensitive account data can be exploited for illicit gains
- facilitation of tax evasion: hidden accounts may be used for money laundering or concealing illicit funds
- money laundering risk: data misuse could support terrorism financing or organized crime
Criminal and Administrative Sanctions
In Türkiye, unauthorized data sharing involving client secrets carries severe penalties.
Criminal sanctions: Under Article 159 of the Banking Law, violations of Article 73/3 may result in imprisonment from one to three years and judicial fines ranging from 1,000 to 2,000 days.
Administrative sanctions: Article 148 authorizes administrative fines for legal violations, while under the KVKK, high-value fines may also be imposed in cases of data breaches.
License-related sanctions: Under Law No. 5549 on the Prevention of Laundering Proceeds of Crime, breaches may lead to significant financial penalties or even license revocation.
New Supervision Mechanisms Effective in 2026
Effective 1 January 2026, new provisions under Law No. 5549 introduced additional third-party monitoring mechanisms for banking transactions. Customers must now specify the purpose of each transaction via their bank. If a client selects a vague category such as “other,” they must include a written explanation of at least 20 characters.
This regulation applies to all types of transactions, including cash operations, electronic fund transfers (EFT), and remittances.
Three-Level Control System for Cash Operations
| Transaction Amount | Reporting Requirement |
|---|---|
| Up to 200,000 TL | No declaration required |
| 200,000 TL – 2 million TL | Reported to the Treasury |
| 2 million TL – 20 million TL | Mandatory reporting form |
| Above 20 million TL | Pre-transaction notification required |
This mechanism enhances the ability of regulatory bodies such as the Ministry of Finance and MASAK to monitor international fund flows and detect suspicious transactions.
Open Banking and Data Sharing Regulations
Türkiye’s open banking framework, governed by Law No. 6493 and regulations issued by the CBRT, defines the legal boundaries for account information and payment initiation services.
Customer consent remains vital, and explicit consent under the KVKK is mandatory. Türkiye’s API standards (TR-API) have been aligned with European initiatives such as Berlin Group and STET, enabling international fintech participation in the Turkish market while maintaining strict data protection measures.
By 2025, leading banks such as Akbank, İş Bankası, and Garanti BBVA had already published API catalogs, and open banking applications began to expand through the FAST API Portal. However, this expansion has simultaneously raised new challenges regarding data processing, KVKK compliance, and cybersecurity.
Harmonization with European Union Standards
As of 2026, Türkiye’s banking system entered a harmonization phase with the European Union’s PSD2/PSD3 standards, improving security and customer data protection practices. The EU’s Strong Customer Authentication (SCA) framework serves as a model, prompting Türkiye to adopt similar authentication and risk control mechanisms.
International entrepreneurs entering the Turkish market must consider the following requirements:
- technical infrastructure: develop API-compliant systems for banking interconnections
- legal compliance: secure appropriate licenses from the CBRT and the Banking Regulation and Supervision Agency (BDDK)
- data management: integrate KVKK and GDPR compliance processes
Strategic and Risk Management Considerations for International Entrepreneurs
Prioritizing data security: Banks and fintech companies must implement strict encryption standards and internal protocols for any data transfer operations.
Regulatory compliance costs: The new 2026 oversight systems may slow down international transfers due to mandatory reporting and pre-approval processes.
Managing licensing risks: Even explicit client consent under KVKK cannot replace a written customer instruction. Breaches may result in license suspension, disrupting business continuity.
Customer transparency: As transaction reasons must now be explicitly stated, financial service providers are encouraged to adopt transparency-based business models.
Cross-border data limitations: International data transfers must comply with Article 9 of the KVKK, ensuring adherence to the EU’s Binding Corporate Rules (BCRs). In practice, this significantly limits foreign processing of Türkiye-based financial data.
For investors and entrepreneurs aiming to establish or expand financial operations in Türkiye, a deep understanding of the legal landscape—especially the intersection between banking confidentiality, data protection, and open banking innovation—is essential to ensure compliance and long-term success.
