The Banking Regulation and Supervision Agency (“BRSA”) opened Draft Circular No. 2022/2 on the Criteria for Authentication and Transaction Security in Electronic Banking Services and Establishment of Contractual Relationships in Electronic Environment (“Draft Circular”) for consultation in order to clarify the application of different regulations regarding authentication and transaction security in electronic banking services and to establish contractual relationships in the electronic environment. Stakeholders may submit their comments and opinions on the Draft Circular via email to firstname.lastname@example.org.
The Draft Circular is available online here (in Turkish).
The Draft Circular clarifies the issues regarding the implementation of the Regulation on Banks’ Information Systems and Electronic Banking Services (“BSEBY”), the Regulation on Remote Identification Methods and Establishment of Contractual Relationship in Electronic Environment (“UKTY”) and the Regulation on Operating Principles of Digital Banks and Service Model Banking (“DBY”) with respect to the following topics:
- Use of customer-specific encryption secret key and transaction signing
For authentication and authorization (transaction verification) in internet banking and mobile banking transactions, a “verification code” should be generated and signed with an encryption secret key that is assigned to, and specific to, the customer. Accordingly, the verification code should be signed with a customer-specific encryption secret key.
In order to activate the encryption secret key before signing the content, the customer’s security data, such as “PIN,” must be verified online at the bank instead of on the device where the mobile application is installed.
In addition, in relation to the verification of log-in and subsequent transactions, a one-time password (OTP) or verification code must not be sent via SMS to customers who have already installed and activated the mobile banking application, except for cases where the mobile banking application is installed or activated for the first time, reactivated, or the application is inaccessible at the time.
- Ensuring the realization of transaction signature/approval in accordance with the information submitted for customer approval
The Draft Circular states that signing verification codes with a customer-specific encryption secret key is not, on its own, sufficient for identity or transaction verification or for the establishment of a contractual relationship by electronic means as a substitute for written form. Accordingly, it is emphasized that the encryption secret key should be securely assigned to the customer, measures should be taken to prevent its use by unauthorized persons, and the non-repudiation of these transactions and the assignment of responsibility should be made possible by signing/confirming transactions according to the information provided for customer approval.
The Draft Circular explains, in detail, the methodology to be followed in this context.
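An added illustration, not from the Draft Circular, the BRSA or any bank, of what “signing according to the information submitted for customer approval” means in code: the verification code is derived from the transaction details the customer saw, signed on the device with a key specific to that customer, and verified online by the bank against the details it is about to execute, so a transaction altered after approval fails verification. Ed25519 as the signature scheme, the transaction fields and the bank-issued nonce are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Transaction holds the information shown to the customer for approval
// (constructed example fields; the Draft Circular does not prescribe a format).
type Transaction struct {
	FromIBAN, ToIBAN string
	AmountCents      int64
	Currency         string
	Nonce            string // bank-issued, single-use; stops an old approval being replayed
}

// VerificationCode binds the code to exactly what the customer approved:
// a hash over the canonical transaction fields rather than a random OTP.
func VerificationCode(tx Transaction) []byte {
	canonical := fmt.Sprintf("%s|%s|%d|%s|%s",
		tx.FromIBAN, tx.ToIBAN, tx.AmountCents, tx.Currency, tx.Nonce)
	sum := sha256.Sum256([]byte(canonical))
	return sum[:]
}

// SignApproval runs on the customer's device with the customer-specific secret key
// (only after the customer's PIN has been verified online at the bank).
func SignApproval(priv ed25519.PrivateKey, approved Transaction) []byte {
	return ed25519.Sign(priv, VerificationCode(approved))
}

// BankVerify runs at the bank: it recomputes the code from the transaction it is
// about to execute and checks the signature against the public key assigned to
// the customer. Any change to the details after approval makes the check fail.
func BankVerify(pub ed25519.PublicKey, toExecute Transaction, sig []byte) bool {
	return ed25519.Verify(pub, VerificationCode(toExecute), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // customer-specific key pair
	approved := Transaction{"TR00EXAMPLE1", "TR00EXAMPLE2", 150000, "TRY", "n-1"}
	sig := SignApproval(priv, approved)
	fmt.Println("as approved:", BankVerify(pub, approved, sig))
	tampered := approved
	tampered.AmountCents = 1500000 // amount changed after the customer approved
	fmt.Println("amount changed after approval:", BankVerify(pub, tampered, sig))
}
```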
- Ensuring that the interface provider’s mobile application or internet-browser-based interface complies with authentication and transaction security obligations
The DBY and BSEBY stipulate that the interface provider and the service bank are jointly and severally responsible for ensuring that the mobile application or internet-browser-based interface of the interface providers fulfills the abovementioned obligations regarding authentication and transaction security, and that the signing/confirmation of transactions is carried out in line with the information submitted for customer approval. In this regard, the Draft Circular states that interface providers should conduct their activities in accordance with the methodology described in the Draft Circular.
- Adaptation of products used, developed and purchased for authentication and transaction signing
The Draft Circular explains that the compliance of products developed or purchased in-house and used for authentication and transaction signing with the Draft Circular will be assessed in accordance with the information systems audit to be conducted under the BRSA’s Regulation on Independent Audit of Information Systems and Business Processes.
In addition, the Draft Circular imposes an obligation on organizations that sell these products or provide outsourced services to apply to the BRSA for permission to offer products and services to banks, other institutions under the BRSA’s supervision and auditing, and interface providers within the scope of authentication and transaction signing.
The Draft Circular aims to clarify certain issues regarding the implementation of various BRSA regulations on authentication and transaction signing in a holistic manner. The relevant stakeholders will be able to send their opinions on the Draft Circular by email to email@example.com.