FINTECH: Turkey’s BDDK Regulated Matters on Electronic Banking Operations
urkey’s Banking Regulation and Supervision Agency (“BDDK”) has recently issued the Regulation on Remote Identification Methods to Be Used by Banks and Establishing Contracts in Electronic Environment (“Regulation”), which will be applicable as of May 1, 2021 which enables all banking operations to be conducted electronically.
Accordingly, the Regulation aims to determine the procedures and principles regarding remote identification methods that can be used by banks in acquiring new customers and banking services to be offered after the identification of the customer. Further, it establishes provisions relating to the establishment of a distance contractual relationship through an informatics and electronic communication device.
What is remote identification process?
The Regulation stipulates a remote identification process which enables banks, in particular customer representatives of banks, to identify their customers remotely through video calls and establish a contractual relationship at a distance. Thus, it is aimed to establish a faster, and more convenient access to banking services. However, remote identification process is considered as a critical process and is subject to strict security measures. For instance, it is designed and operated in a way that does not allow the process to be initiated, approved, and completed by information technologies or a customer representative of the bank alone. Also, it is ensured that the process is initiated by the person, continued with the controls applied by information technologies, and completed with the approval and additional controls to be made by the customer representative. In the event that the transaction is found to be risky during the controls performed by the customer representative, the transaction is sent to a second approval or terminated.
Moreover, the Regulation stipulates that remote identification process is audited at least twice per year. In cases of below, the process is reviewed by considering the technological developments and the experience gained in practice, and it is updated:
– detecting or occurring security breaches,
– making changes in the relevant legislation,
– banks’ being informed of possible acts of fraud or fraudulent activity,
– occurrence of weaknesses in the remote identification process used.
It further sets forth that customer representatives of banks who will make remote identification via video calls at the opening of the bank account, will receive special training on this issue. Therefore, this aims to ensure that the customer representative is aware of the characteristics of the documents that can be used for identification and the valid verification methods applied for these documents and is informed about the acts that may constitute fraud or fraudulent activity. What is more, it is ensured that the customer representative receives training on remote identification process at least once a year and after each update, including trainings covering the legislation of protection of personal data. Finally, the Regulation regulates that at least one customer representative will receive special trainings in relation to customers with disabilities.
Accordingly, before the video call commences in the remote identification process, the application of the customer is received with a form filled in electronically via the bank application where the remote identification process is operated. Then, a risk assessment is carried out about the customer using the data obtained through the application. As a result of the risk assessment, if necessary, the process is terminated without starting a video call.
Another issue which is established by the Regulation is that the integrity and confidentiality of the audiovisual communication between the customer representative and the customer shall be at an adequate level. To that end, the video call is carried out with end-to-end secure communication. Likewise, in cases where visual verification and/or verbal communication with the customer is not possible due to poor light conditions, low image quality or transmission and similar situations, the video call phase of remote identification is terminated.
How to establish contracts after remote identification of customers?
As per the Regulation, after remote identification process is completed, a contract in regard to transactions intended to be carried out by customers whose internet banking or mobile banking distribution channels are open to use, is established with the explicit declaration of intent of the customer. Further, the conditions below must be met for the establishment of a distance contractual relationship through an informatics and electronic communication device under the Regulation:
– Transmitting all terms of the contract in question to the customer in a way that the customer can read through internet banking or mobile banking distribution channels,
-Declaration of intent of the customer shall be signed with a customer-specific encryption secret key through mobile banking apps or internet browser and transmitted to the bank,
-Ensuring that customer only signs the terms of contract which she/he has been informed of.
Ezgi Ceren Aydoğmuş