Since corporate risk and compliance management matters are not organised under a single source of law, the rules and principles can be found scattered across various pieces of legislation that set general standards and touch upon both civil and criminal liabilities arising from risk and compliance management failures for corporations and individuals.
Privately held companies
The Turkish Commercial Code (TCC), published in 2012, is the general set of rules applicable to all companies, listed and privately held alike. It rests on four main principles: transparency, equality, accountability, and responsibility. It governs board duties and accountability, introduces a clear-cut distribution of liability, requires the formation of early risk detection committees and allows a more transparent system for the benefit of all stakeholders through mandating annual activity reports, company websites and electronic shareholders’ meetings.
Failure to comply with these rules can lead to civil liabilities for the board of directors and the management of a privately held company. As further detailed below, compliance failures could also lead to criminal liability on the part of the board of directors (as the governing body) or the management of a privately held company. Bribery, fraud, laundering of criminal proceeds, and embezzlement are the main white-collar corruption offences that would trigger criminal liability under the Turkish Criminal Code (the Criminal Code), which applies to all individuals within companies regardless of whether the companies are privately held, listed or regulated.
For listed companies, the main source of law is Corporate Governance Principles Communiqué No. II. 17-1 (the Corporate Governance Communiqué) issued by the Capital Markets Board (CMB). The Corporate Governance Communiqué aims to enhance corporate governance mechanisms and risk and compliance management systems for listed companies. The communiqué provides 20 mandatory corporate governance principles that listed companies must abide by, making an exception for small groups that remain below certain thresholds in terms of overall market value and the market value of floating shares. The mandatory principles mainly focus on maintaining efficient disclosure mechanisms and transparency, appointing independent directors, and forming committees including those monitoring risk and corporate governance compliance within the board of directors.
Owing to their inherent nature, listed companies are subject to a higher level of scrutiny by regulatory authorities than privately held companies not active in a regulated sector. Therefore, any failure to comply with these principles that gives rise to civil or criminal liability would be more easily detected.
For listed companies, in addition to the offences exemplified above for privately held companies, the Capital Markets Code also names certain white-collar crimes leading to criminal liability, including insider trading and market manipulation, that are specifically applicable to listed companies.
For banks and other actors in the financial services sector, the main piece of legislation is Banking Code No. 5411 (the Banking Code). The Banking Code sets forth the principles and procedures to establish confidence and stability in financial markets, effective functioning of the credit system, and the protection of the rights and interests of depositors. The regulatory authority, the Banking Regulation and Supervision Agency (BRSA), is entitled to deliver secondary legislation for these issues. For compliance and risk management, the Regulation on Banks’ Internal Systems sets forth the rules for establishing internal control, internal audit and risk management systems for banks by specifying various types of risks and how to mitigate and process such risks.
Insurance Code No. 26551 (the Insurance Code) requires insurance and reinsurance companies to establish an effective internal control system, covering internal audit and risk management, in order to monitor compliance with the legislation, internal directives, management strategy and policies, and to prevent fraudulent acts and irregularities in all transactions.
As data protection is one of the current trending topics in Turkey, the duties of the board of directors and senior management to ensure the protection of customer and employee personal data are of increasing importance. Personal data is governed by the Code on the Protection of Personal Data. The Code allows companies to retain and process customer and employee personal data only after obtaining explicit consent (save for specific exceptions).