The Regulation on Remote Identification Methods to be used by Leasing, Factoring, Financing and Savings Financing Companies and the Establishment of Contractual Relationships through Electronic Media (“Regulation“) was published on January 11, 2022 in the Official Gazette No. 31716 and will enter into force on February 11, 2022. You can read more about the Regulation here (in Turkish).
What Does the Regulation Cover?
The Regulation sets out the terms relating to the remote identification methods that leasing, factoring, financing and savings financing companies (“company/companies“) can use for the acquisition of new clients and client identity verification, as well as the establishment of contractual relationships through electronic media following remote identification. Accordingly, the Regulation enables non-bank financial institutions to acquire clients remotely.
Remote Identification Methods
The remote identification process will be carried out by company personnel (“Client Representative“) through online video conferences and communications with the client, without necessitating the client’s physical presence. The Client Representative must receive the necessary training within the scope of their duty. If this position is outsourced, the Client Representatives will work in the company’s workplace with limited access to the company’s documents and information, further to the permission of the Banking Regulatory and Supervisory Authority.
The identification process will be initiated with the client’s completion of an electronic form provided by the company. The client’s explicit consent must be recorded at the beginning of a call in accordance with the Law No. 6698 on the Protection of Personal Data (“Law No. 6698“). The client’s sensitive personal data, other than their biometric data, must not be processed.
Remote identification via video calls will be made in real time and uninterruptedly, and the call will be carried out with end-to-end encrypted communication. Accordingly, the company must adopt certain security measures, such as the requirement of sufficient lighting; the confirmation of the documentation’s authenticity; and issuance of a one-time password (SMS OTP) to the client’s telephone for confirmation of the client’s identity.
Processes and systems for remote identification will be considered critical processes in accordance with the separation of duties principle; a single person cannot be in charge of approval and completion of the process.
The Regulation also introduced localization provisions: companies must ensure that the processes, systems, products and services to be used for remote identification are produced in Turkey or that their R&D centers are located in Turkey. The relevant service providers and manufacturers must also ensure they have intervention teams located in Turkey.
Identity verification and relevant documentation
Identity cards will be used for security confirmation and the company will verify whether a client’s identity card has the required security items (such as rainbow print, optical variable ink, hidden image, hologram micro lettering), photograph and wet ink signature. The company will also verify whether the identity document satisfies the criteria set forth by the competent authority, is still valid and has not been damaged or altered.
Following this verification, the company will confirm the client’s visual appearance and veracity of the information provided by the client in the identity card. Further, the company will confirm that necessary measures are in place to avoid potential risks relating to deep-fake technology.
The remote identification process will be recorded and stored, in full, and be available for any audits. The Law No. 6698 and the relevant banking regulations must be taken into consideration in the determination of the relevant data retention periods.
Responsibility for remote identification
The company will be responsible to ensure that its remote identification solutions are used to minimize the risk of the misidentification of a potential client and will monitor those remotely identified utilizing a different risk profile. The company will apply additional security and control methods depending on the type and amount of the transactions made by these potential clients. The burden of proof regarding transactions that impose obligations on third parties lies with the company.
Establishment of Contractual Relationships through Electronic Media
Following the remote identification made in accordance with the methods set out in the Regulation, the client’s declaration for establishing a contract must be received after verifying their identity with an identity verification mechanism consisting of at least two independent components. These two components will be selected from the elements what the client “knows” and “owns” or has a “biometric characteristic”.
To execute an agreement electronically, (i) all terms and conditions of the electronic agreement must be conveyed to the client through the internet or mobile applications in a manner legible and understandable to the client; (ii) the client’s declaration of intent for the establishment of the electronic agreement together with the agreement itself must be conveyed to the company with a secret encryption key exclusive to the client; and (iii) the content of the agreement provided to the client under point (i) above and the agreement executed by the client under point (ii) above must be exactly the same.
Artificial Intelligence-Based Applications
A provision regarding artificial intelligence-based applications is also included within the scope of the Regulation. The Banking Regulation and Supervision Agency will be authorized to determine the implementation principles for transactions not exceeding TRY 7,500 and carried out by means of artificial intelligence-based methods instead of a client representative.
Following the introduction of the branchless banking regulations, financial leasing, factoring, financing and savings companies are now able to offer remote client identification and enter into contractual relations electronically. Non-bank financial institutions also have the opportunity to acquire clients remotely and to establish a contractual relationship via leading-edge technologies, without written form requirements. The impact of technological developments on finance and banking sector continues to expand the sectors’ horizons.