The Regulation on Remote Identification Methods to be used by Banks and the Establishment of Contractual Relationships in Electronic Media (“Regulation“), which will enter into force on 1 May 2021, was published on 1 April 2021 in the Official Gazette No. 31441. You can refer to our legal alert dated 25 September 2020 for information on the Draft Communiqué on Remote Identification Methods to be used by Banks, which is the draft text of the Regulation.
The Regulation sets out the terms relating to the remote identification methods that Turkish banks can use for the acquisition of new clients and client identity verification, which are substantially the same as proposed in the draft communiqué. The Regulation also oversees the establishment of contractual relationships in electronic media following remote identification.
Remote identification methods
The remote identification process will be carried out by bank personnel (“Client Representative“) through online video conferences and communications with the client, without necessitating the client’s physical presence.
The identification process will be initiated with the client’s completion of an electronic form on the bank’s application. The client’s explicit consent must be recorded at the beginning of the call in accordance with the Law No. 6698 on Protection of Personal Data and the client’s sensitive personal data, other than their biometric data, must not be processed.
Remote identification via video calls will be made in real time and uninterruptedly, and the call will be carried out with end-to-end encrypted communication. Accordingly, banks must adopt certain security measures, such as the requirement of sufficient lighting; the confirmation of the documentation’s authenticity; and issuance of a one-time password (SMS OTP) to the client’s telephone for confirmation of the client’s identity.
Processes and systems for remote identification will be considered critical processes in accordance with the separation of duties principle; a single person cannot be in charge of approval and completion of the process.
Identity verification and relevant documentation
Identity cards will be used for security confirmation and the bank will verify whether the client’s identity cards have the required security items (rainbow print, optical variable ink, hidden image, hologram micro lettering), photograph and signature. The bank will also verify whether the identity document satisfy the criteria set forth by the competent authority, is still valid and has not been damaged or altered.
Following this verification, the bank will confirm the client’s visual appearance and veracity of the information provided by the client in the identity card. Further, the bank will confirm that necessary measures are in place to avoid potential risks relating to deep-fake technology.
The remote identification process will be recorded and stored, in full and as available for any audits. The Law No. 6698 and relevant regulations in the banking industry must be taken into consideration in the determination of the relevant data retention periods.
Responsibility for remote identification
The bank will be responsible to ensure that its remote identification solutions are used to minimize the risk of the misidentification of the potential client and will monitor those remotely identified in a different risk profile. The bank will apply additional security and control methods depending on the type and amount of the transactions made by these potential clients. The burden of proof lies with the bank in connection with transactions that impose obligations on third parties.
Establishment of Contractual Relationships in Electronic Media
Following the remote identification made in accordance with the methods set out in the Regulation, the bank will be authorized to enter into an agreement with the client electronically, except for agreements subject to an official form (resmi şekil) or special procedural requirement.
To execute an agreement electronically, (i) all terms and conditions of the electronic agreement have to be conveyed to the client through internet banking or mobile banking in a manner that the client would be able to read them properly; (ii) the client’s declaration of intent for the establishment of the electronic agreement together with the agreement itself must be conveyed to the bank with a secret encryption key exclusive for the client; and (iii) the content of the agreement provided to the client under the paragraph (i) above and the agreement executed by the client under the paragraph (ii) above must be exactly the same.
The Regulation constitutes a major step for creating an environment where clients can benefit from banking services without physically going to a bank branch and instead can complete their banking transactions remotely. These recent developments not only serve to decrease the burden of branch operations, but also signals that technological improvements in data verification and confirmation will have an increasing impact on the banking sector.