April 2021
In the light of the growing demand from all sectors to develop, market and use digital technologies, products and services at a scale that boosts their productivity and global competitiveness, Turkey is committed to setting certain principles and procedures for the emerging technologies. Accordingly, as a part of digital transition in banking, the Regulation on Remote Identification Methods to be Used by Banks and Establishment of Contractual Relations in Electronic Environment has been published in the Official Gazette dated 1 April 2021 and numbered 31441 and shall enter into force on 1 May 2021 (the “Regulation”).
The Regulation sets out terms relating to (i) remote identity verification of customers (the “Identification”) to be used by banks in gaining new customers; and (ii) establishment of a contractual relationship in an electronic environment for banking services to be offered after the Identification. This Monthly Updates aims to provide a brief explanation of the Regulation and to highlight the essential novelties introduced therein.
Remote Identity Verification
- Identification Process
As per the Regulation, the Identification enables banks to carry out identification procedures for customers by customer representatives (the “Representative”) through online video conferences without a physical meeting. In this context, the Identification is considered a critical process that should be designed in such a way that a Representative cannot initiate, approve and complete the transaction alone. In other words, banks shall ensure that the process is initiated by the customer, controlled by information technology systems and completed with the approval and additional controls of the Representative. The Regulation includes further technological and operational measures which are designed to guarantee the security of the Identification process for both customers and banks in order to minimize risks such as predictable assignment of a customer to a specific Representative or forgery of documents.
The Identification process shall be carried out in two stages in general. Firstly, before the video call with a Representative, the Identification process shall be initiated by the customer by making an application with a form filled in electronically via the bank app where the Identification is operated. The data collected via this form is subject to pre-interview risk assessment. As a result of the risk assessment, if necessary, the process can be terminated by the respective bank without starting the video call.
Following the first stage, the video call stage of the Identification shall be carried out in real time and without interruption with the Representative. Additionally, as per the Regulation, in order to ensure the integrity and confidentiality of the audio-visual communication between the Representative and the customer, the video call shall proceed with end-to-end encrypted communication. The Regulation also stipulates that the Representatives shall be trained on the Identification process at least once a year and after each operational or legislative update including the legislation on protection of personal data.
During the video call, the Representative is obliged to verify the identity of the customer by using his/her valid identity card which should include security items (i.e., rainbow print, optically variable ink, hidden image, hologram micro lettering), photograph and signature.
As per the Regulation, following the verification through the documentation, the Representative shall confirm that the visual appearance of the customer matches his/her identity card. At this stage the bank is obliged to take necessary technical and operational measures to avoid potential risks that may arise from deep-fake technologies. Also, for the verification of the mobile phone number, a centrally generated SMS OTP which is valid only for the Identification shall be used for mutual confirmation. Consequently, the Identification process shall be concluded upon the completion of the above-mentioned verification and confirmation processes, and the customer shall be informed about the banking services to be provided and asked for a verbal confirmation on whether he/she accepts to be a bank customer.
In cases where (i) visual verification and/or verbal communication with the customer is not possible due to poor lighting conditions, low image quality or transmission and similar situations; or (ii) there is a suspicion as to the validity of the document submitted by the customer during the video call or as to any acts that may constitute fraud or forgery, the video call phase of the Identification can also be terminated.
Upon the Identification, the customers who cannot go to the branches for several reasons (e.g., residing abroad or being under quarantine because of the Covid-19 pandemic) shall be able to benefit from the products and services of the respective bank as if such verification were concluded face to face in branches.
- Responsibility in Remote Identity Verification
Pursuant to the Regulation, banks are responsible for ensuring that the methods used for the Identification are applied in a way that minimizes the risk of misidentification. Also, banks shall (i) monitor the customers who are identified by remote verification under a different risk profile and with additional security; and (ii) apply control methods depending on the type and amount of the transactions to be made by such customers.
Among other responsibilities of the banks set out in the Regulation and other banking legislation, banks shall also obtain customers’ explicit consent at the beginning of the video call in accordance with the Law on Protection of Personal Data numbered 6698; except for biometric data, customers’ sensitive personal data shall not be processed during the Identification.
Lastly, the entire Identification process shall be recorded in a way that includes all the stages and stored so that it is available for any audit by the competent authorities.
Establishment of Contractual Relationship Electronically
Following the Identification within the scope of the Regulation or the identification of customers face to face through branches, any contract on banking services that regulates the relations between banks and customers shall be deemed to have been executed in written form, save for those which are subject to an official form or any special procedural requirement.
As per the Regulation, in order to execute a contract electronically, (i) all terms of the contract shall be submitted to customers’ review through online banking or mobile banking platforms in a proper way; (ii) contracts and customers’ declaration of intention to execute such contracts shall be signed and submitted to banks with the customer-specific encryption key specified in the Regulation on Information Systems and Electronic Banking Services of the Banks which was published in the Official Gazette dated 15 March 2020 and numbered 31069; and (iii) banks shall take necessary measures to ensure that the content of contracts signed by customers is aligned with the information provided to such customers under paragraph (i).
Conclusion
In the current Covid-19 pandemic period, where remote transactions are in high demand, the Regulation introduces general principles and procedures to perform remote identification of customers and execution of contractual relationships for the products and services to be offered by banks electronically. Nevertheless, further matters regarding the application of the Regulation shall be shaped by practice and by the secondary legislation of the Banking Regulation and Supervision Agency.