Circular No. 2023/1 on the Criteria to be Provided for Identity Authentication and Transaction Security in the Establishment of Contract Relations in Electronic Banking Services and the Electronic Media (“Circular”) was published on the official website of the Banking Regulation and Supervision Agency (“BRSA”) on March 27, 2023.
Since 2020, the Regulation on Banks’ Information Systems and Electronic Banking Services (“RBISEBS”), the Regulation on Remote Identification Methods to be Used by Banks and Establishment of Contract Relationship in Electronic Media (“RIM”), the Regulation on the Operation Principles of Digital Banks and Service Model Banking (“ROPDBSMB”) and, most recently, the Regulation on Remote Identification Methods to be used by Leasing, Factoring, Financing and Savings Financing Companies and the Establishment of Contractual Relationships and Digital Onboarding (“RIM-2”) have introduced criteria and obligations for establishing contractual relationships in electronic media that substitute for the written form.
The Circular aims to ensure uniform application by publishing guidance on identity verification and transaction security. It was adopted by BRSA Decision dated 23 March 2023 and numbered 10546, which is based on the Banking Law No. 5411 and the Financial Leasing, Factoring, Financing and Savings Financing Companies Law No. 6361.
Without prejudice to the provisions of RBISEBS, the Circular underlines that a verification code may not be sent via SMS or OTP for login or transaction verification, except where a mobile banking application is not installed or activated, or is otherwise unavailable.
The Circular emphasizes that the generated verification code must be signed with a customer-specific private key, and that the RBISEBS obligations will be deemed fulfilled only if information such as the PIN is verified online at the bank, not locally on the device where the mobile application is installed.
RBISEBS, RIM and RIM-2 do not consider it sufficient merely to sign verification codes with a cryptographic private key assigned to the customer. They also require safeguards ensuring that the private key is accessible to, and usable by, the customer alone, and that the content signed by the customer is the content the customer actually sees and approves (“What You See Is What You Sign”, WYSIWYS). The Circular sets out the methodology to be followed so that the signing process complies with the WYSIWYS principle.
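As an illustration of the WYSIWYS principle described above, the following is an added example; it is not the Circular's prescribed methodology, nor code from any bank or regulator. The device signs a hash of exactly the transaction content it rendered, using a customer-specific ECDSA key generated on the device, and the bank verifies that signature against the content it is about to execute, so any alteration between approval and execution fails verification. The transaction fields, the per-authorisation nonce and the JSON canonicalisation are assumptions made for the example; key protection in a secure element and the server-side PIN check that the Circular also requires are outside this snippet.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Transaction is the content the mobile app displays to the customer for approval.
// Field names and layout are assumptions for this example. Amount is kept as a
// string so the displayed and the signed value are byte-identical.
type Transaction struct {
	ID       string `json:"id"`
	Payee    string `json:"payee"`
	Amount   string `json:"amount"`
	Currency string `json:"currency"`
	Nonce    string `json:"nonce"` // fresh per authorisation; stops replay of an old approval
}

// canonical produces the deterministic byte encoding that both sides hash.
// encoding/json emits struct fields in declaration order, so device and bank agree.
func canonical(tx Transaction) ([]byte, error) {
	return json.Marshal(tx)
}

// deviceSign runs on the customer's device: it signs the hash of exactly the
// content it rendered, with a customer-specific private key that never leaves the device.
func deviceSign(priv *ecdsa.PrivateKey, displayed Transaction) ([]byte, error) {
	b, err := canonical(displayed)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(b)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// bankVerify runs at the bank: it recomputes the hash from the transaction it is
// about to execute, so the signature verifies only if the executed content equals
// the content the customer saw and approved.
func bankVerify(pub *ecdsa.PublicKey, toExecute Transaction, sig []byte) error {
	b, err := canonical(toExecute)
	if err != nil {
		return err
	}
	h := sha256.Sum256(b)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature does not cover the transaction to be executed")
	}
	return nil
}

// newNonce returns a random per-authorisation value (hex encoded).
func newNonce() (string, error) {
	var n [16]byte
	if _, err := rand.Read(n[:]); err != nil {
		return "", err
	}
	return hex.EncodeToString(n[:]), nil
}

// Demo enrols a key, approves a constructed sample transaction, then checks that a
// payload altered after approval is rejected. It returns (honestAccepted, tamperedAccepted).
func Demo() (bool, bool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // enrolment: key created on the device
	if err != nil {
		return false, false, err
	}
	nonce, err := newNonce()
	if err != nil {
		return false, false, err
	}
	// Constructed sample content, as the customer would see it on screen.
	shown := Transaction{ID: "tx-0001", Payee: "example payee", Amount: "150.00", Currency: "TRY", Nonce: nonce}
	sig, err := deviceSign(priv, shown)
	if err != nil {
		return false, false, err
	}
	honest := bankVerify(&priv.PublicKey, shown, sig) == nil

	tampered := shown
	tampered.Amount = "15000.00" // altered after approval, e.g. in transit to the bank
	tamperedAccepted := bankVerify(&priv.PublicKey, tampered, sig) == nil
	return honest, tamperedAccepted, nil
}

func main() {
	honest, tampered, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("approved content accepted: %v, altered content accepted: %v\n", honest, tampered)
}
```

The point the example makes is that the bank never trusts a bare verification code: it binds the signature to the full transaction content and recomputes that content itself, so a signature over "150.00" cannot authorise "15000.00". In a real deployment the private key would be generated and held in the device's secure hardware and the customer's PIN would be checked at the bank before the signature is accepted.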
The Circular also requires that the mobile application or internet browser-based interface of an interface provider, as defined in ROPDBSMB, comply with the authentication and transaction security obligations set out in the third part of RBISEBS.
Finally, the Circular states that products and services used for authentication and transaction signing, whether offered by banks, by other institutions under BRSA supervision or by interface providers within the scope of ROPDBSMB, must undergo information systems audits for compliance with the Circular within the scope of the Regulation on the Independent Audit of Information Systems and Business Processes, published in the 6th repeated Official Gazette dated 31 December 2021 and numbered 31706.
In this context, the relevant institutions are obliged to apply to the BRSA with a report prepared by an audit firm on the BRSA's list of Independent Audit Institutions Authorized to Audit Information Systems in Banks, and to obtain the BRSA's permission before offering identity verification and transaction signing products and services.
The full text of the Circular can be accessed via this link.