Part One General Provisions
Purpose and Definition Article 1 –
The purpose of this plan (information note) is to establish the Emergency and Contingency Plan and work flow procedures that will set forth the conditions, methods and procedures for the Company to fulfill its obligations to its customers, intermediary institutions, market participants and third parties in emergency and unexpected situations.
It includes urgent measures to be taken for the safety of employees, physical environment and infrastructure in the first minutes and hours following the events that prevent the company from continuing its normal operation.
The events listed below require the activation of emergency action teams and their response with current plans:
• Fire
• Earthquake
• Bad Weather conditions
• Occupation of the Building by Activists / Popular Movement
• Power Outage
• Phone Outage
• Terrorist Attacks
• Attacks via Mail
• Bomb Threat
• Epidemic disease
In case of an emergency and unexpected situation, it is ensured that Company employees act within the established plan. The plan is updated as needed
Base of Plan
Article 2
This plan has been prepared in accordance with the regulations of the Capital Markets Board.
Definitions and Abbreviations
Article 3 - In this plan;
ABBREVIATION DEFINITION
ECS Emergency and Contingency Situation
A sudden, unexpected event that requires immediate action as it poses a potential threat to health, safety, the environment, or property and operations.
EACC Emergency and Contingency Committee
ECPI Emergency and Contingency Plan Information Note
AWA Alternative Work Area ( Areas to be used in Emergency and Unexpected Situations
Shareholder Shareholders participating in the capital of the company
Board Capital Markets Board,
MKK
Central Registry Agency Inc.,
Client/Customer
Collective investment institutions and individual and corporate customers receiving securities trading and portfolio management services within the framework of the contract for the purchase and sale of capital market instruments to be signed.
Safekeeping Company Securities Depository MKK, Takasbank and institutions deemed appropriate by the Board to provide portfolio custody services.
Company Bizim Securities Incorporated Company.
Takasbank Istanbul Settlement and Custody Bank Inc.,
TCC Turkish Commercial Code No. 6102 dated 13/1/2011
Part Two Emergency and contingency plan
Article 4 -
Preservation of Negotiable Documents with All Kinds of Records
The Company keeps all kinds of records and negotiable documents that it is obliged to keep in accordance with the financial statements and current legislation in printed and electronic media in accordance with Article 82 of the TCC. The records and documents in question are stored digitally for 5 years and in hard copy in protected archive areas according to the TCC retention terms and periods.
Article 5 -
Continuation of company activities
In the context of emergency and unexpected situations, information processing systems have been prepared to ensure that our company continues its activities normally.
Critical business processes and functions have been determined to cover all units of the company. Systems (information systems) that enable the execution of transactions regarding the portfolios of the institutions and persons we serve, the execution of clearing and custody transactions, the storage and follow-up of the accounts of the persons served, have been prepared and backed up to meet critical functions.
An alternative work area has been determined for emergencies and unexpected situations. In the alternative work area, the hardware and software that will ensure the continuity of the activities are ready for use. Data transfer services have been established and all office programs and information access systems necessary for the continuation of our activities have been installed. Technical devices and facilities such as telephone, fax, printer required for the continuity of the operations are kept ready for use.
System data record backups are taken regularly. The data of critical systems and applications are stored in accordance with the provisions of the TCC and special provisions of the CMB, in a safe and protected environment with sufficient distance not to be affected by the Emergency and Unexpected Situation that causes the interruption.
Article 6 -
Financial and Information Communication Infrastructure risk assessment
When operational risks are evaluated, there is no risk that will hinder the company's activities within the framework of the prepared plan. The plan was regularly reviewed, system tests and controls were carried out to ensure the continuity of the activities.
Article 7 –
Provision and continuity of alternative communication channels with the people served
In order to ensure the supply and continuity of alternative communication channels with the people served, the alternative work area is ready for use at any time. When there is a situation that requires the implementation of the Emergency and Contingency Plan ( ECPI ), the Leader and the members of the Emergency and Contingency Committee ( EACC ) examine the operability of the communication channels (telephone, fax and electronic media) and determine which communication channels are open and which are closed. The appointed member determined by the USAK leader and members informs the customers through which channels they can reach the Company by using open communication channels and mobile (GSM) phones. In case all communication channels (telephone, electronic media, fax) are closed, customers are contacted via mobile phone and the available communication channels are notified. In the alternative work center, communication will be provided with the communication tools allocated for the use of our company.
Article 8 -
Procurement and continuity of alternative communication channels with the company and its personnel
• ECPI has been prepared to be given to the Company's employees, shareholders, business partners and customers, public institutions and suppliers upon request, on the company's website and as a printout when requested. Employees have been briefed on the ECPI. When an Emergency and Unexpected Situation (ECS) occurs, it is aimed to direct the personnel with sufficient number and knowledge to implement the ECPI. When the ECPI is commissioned, the responsible member in the Human Resources department communicates with the company personnel about the situation that requires the commissioning of the plan, and gives information about the action to be taken with general information. The arrangements regarding the transportation of the persons responsible for the implementation of the ECPI to the alternative work area are made as follows.
• In a situation that occurs during working hours; convenient transportation facility will be provided with the support of the Administrative Affairs Team with the guidance of the EACC member(s)
• In a situation occurring outside of working hours; If normal services are in working condition, these services will be used; otherwise, the employee in the EACC team will be responsible for providing their own transportation.
• Team members responsible for ECPI implementation were informed about their contact information.
• Special hardware and valuable papers needed for the execution of critical processes will be accessible.
• The ECPI officer and his support teams will meet in the Alternative Work area within 2 hours from the moment of ECS.
• With the decision to commission the ECPI, critical system applications will be made ready within a maximum of 2 hours.
• It has been learned that necessary services can be obtained from suppliers in order to enable fixed and mobile phone access. In case of force majeure throughout the ECS, situational action will be taken for implementation and efforts will be made to ensure that the processes continue without interruption. When communication cannot be achieved, it is assumed that communication will be provided by satellite telephone and radio, which the Group Companies have created with the infrastructure prepared within the scope of the ECPI, and that these communication tools will be usable.
Article 9 -
Identification of alternative corporate headquarters and decentralized organizations
The company has identified primary and secondary backup centers and alternative working areas. Primary Backup and alternative working center has been determined as Istanbul Ataşehir district. In the event that the workplace center that the company serves is unusable, there is a building risk as an alternative work center that will continue to serve, or in case of regional risk, Tuzla Tepeören aimed to continue its activities at Istanbul address.
Article 10 –
Evaluation of the possible effects of the emergency and unexpected situation on the other party
When the relations with public / private institutions and organizations, shareholders, personnel and other 3rd parties with which we have business relations are evaluated, it is aimed that business continuity will continue without interruption even when communication with customers, suppliers and public institutions cannot be achieved during the ECS. Since customer assets (money and capital market instruments) are kept in custody institutions, it is not possible for customers to lose money and capital market instruments in cases where the USP needs to be activated. In order to prevent customers, 3rd parties and public institutions and organizations from being affected by possible situations, it is aimed to make the necessary organization and alternative communication channels active according to this ECPI application.
Article 11 –
Informing the Board about the measures taken, determining how to make routine mandatory notifications
In cases that require the activation of the ECPI, the EACC has been established to coordinate the process. In this team, the authorized manager / personnel authorized by the decision of the Company's Board of Directors, and the Company unit managers and personnel included in the committee by these personnel are determined as committee members. In the absence of members, the instructions of the most authorized member / senior manager available will be followed. The member assigned by this team opens the stored records of the company to the application and contacts the customers. In cases where the ECPI is commissioned, informing the Board through alternative communication channels is included in the business continuity plans. The responsible member informs the Board in writing or verbally about the measures taken. It ensures that routine and mandatory notifications are made in a timely manner. If this situation cannot be met, the Board is informed with a reasoned letter explaining the situation and verbal information is given. Routine notifications are concluded in accordance with the instructions and instructions of the emergency coordinator, by persons authorized in the Relevant Units and backed up to each other. Mandatory notifications will be made from alternative work areas.
Article 12 –
In case the company decides that it cannot continue its activities, access to the accounts of the customers and planning the transfer of the said accounts to another company
Thanks to all these measures taken and the infrastructure established, the continuity of our activities is planned. Since the assets belonging to the customers are kept by the Custody Institutions independently of our Company, no risk is foreseen. It is assumed that suppliers that contribute to the continuity of our services will be able to provide services under the conditions specified in the agreements, if the ECPI is commissioned. If it is decided that the company's activities cannot be continued, the customers are informed of this situation. The necessary transactions for the transfer of customer assets are carried out with the approval of the customer.
Article 13-
Communication
In the event that business continuity is interrupted and business continuity plans are put into use, informing and communicating with customers will be provided via the www.bmd.com.tr website, centrally by sending an SMS or e-mail to all customers, or by means of press releases.
Article 14-
Application
OPERATIONAL RISK ASSESSMENT
Operational Risks are possible situations, including the risk of loss of reputation, arising from inadequate or unsuccessful business processes, people, the system or external events, which may cause direct or indirect damage if they occur. Within the scope of this document, Operational Risks that may cause Emergency and Unexpected Situations, that may prevent the uninterrupted continuation of the Company's activities and the fulfillment of its obligations, have been evaluated, and measures have been tried to be put forward to prevent them and to reduce their effects if they occur. The work within the company to identify and prevent Operational Risks is not a static process, but a continuous process. Studies and evaluations made for this purpose are repeated at certain time intervals or as needed in case of emergence of new business processes. In these studies, matters that may prevent the fulfillment of our obligations or create a loss of reputation in the eyes of customers, intermediary institutions, regulatory institutions and third parties, thus causing material and reputational loss directly or indirectly, are revealed. Possible Operational Risks that may cause Emergency and Unexpected Situations are listed below.
- Information Technologies Risk: Most of the works related to the company's activities are carried out by making use of information technologies. All accounting transactions of the company, transmission of customer orders, customer information records, portfolio asset movements, money transfers, correspondence, etc. many daily activities are carried out in connection with the information processing system. For this reason, a problem that may occur in the information processing system may result in results that can be evaluated within the scope of Emergency and Unexpected Situation, which may affect the Company's activities. Risks related to Information Technology may be related to hardware (hardware) or software (software). Significant risks associated with hardware are mechanical failures in servers and other electronic devices. Routine device maintenance is carried out in order to prevent the occurrence of such malfunctions. The follow-up of the said maintenance activities is carried out by the IT Department under the coordination of the IT Department Manager. In order to ensure that the devices operate under appropriate environmental conditions (temperature, humidity, dust, etc.), an independent indoor space is created. In case of a malfunction despite all these precautions being taken, the follow-up of the activities of immediately putting the spare devices into operation and notifying the service providers for the repair of the malfunctioning device is carried out by the Information Processing Department under the coordination of the Information Processing Manager. Software-related risks include program errors in the software used by the company, problems that may occur in market monitoring screens, and virus attacks that may come to our website or systems from outside. Daily, weekly, monthly and annual routine checks are made by the IT Department and reported to the Assistant General Manager of our company.
Article 15-
Application Terms
a) While it is obligatory to determine the work flow procedures for emergency and contingency plans according to the size and needs of the company, it is ensured that the said work flow procedures include the minimum issues specified in the communiqué.
b) In the plan prepared in accordance with the provisions of the communiqué in the second article specified as the basis for this plan, if any of the issues in the communiqué are not included in the scope of the work flow procedures, it is obligatory to separately explain why the said situation is not included within the scope of the work flow procedures. The company is obliged to inform the people it serves about how to ensure business continuity in emergency and unexpected situations and the related work flow procedures. It is ensured that the said notification is made through the company's website.
c) Approval of the emergency and contingency plan and related work flow procedures by the company board of directors and appointment of a company personnel at least at the level of assistant general manager and another company personnel to be determined as an alternative to this person by the board of directors as persons responsible for the implementation of the emergency and contingency plan, and it is ensured that the title and all kinds of contact information of these persons are notified to the Board, MKK, Takasbank and other institutions to be determined by the Board.
ç) Changes in the company's activities and organizational structures such as opening or closing branches are taken into account. The adequacy of the work flow procedure is reviewed. Necessary changes are made in the procedures.
Article 16-
Outsourcing Service
The company determines and evaluates the technical equipment, infrastructure, financial strength and experience of the service provider in the services it receives from outside. In case the outsourced service is interrupted or disrupted, it expects the service provider to make a detailed explanation about the duration of the interruption and to act according to the emergency plan and contracts of the service provider.
Responsibility
Article 17 -
All company employees are responsible for the implementation of this Plan within their duties.
Effective date
Article 18 -
This Plan entered into force on 15.05.2015. With the implementation of this plan, the previously prepared and published plans lose their validity. This plan is published on the Company's website within three days of its approval. It is shared with the relevant personnel.
Executive
Article 19 -
The provisions of this Plan are executed by the General Manager or Assistant and other personnel designated by the Board of Directors' Decision.
The customer declares that he has read this form and that he knows and accepts all the matters stated in the form.