Provisions Introduced About Authentication and Transaction Security in Electronic Banking Services Under the Regulation on Banks’ Information Systems and Electronic Banking Services
The new Regulation on Banks’ Information Systems and Electronic Banking Services (the “Regulation”) introduces many changes. After a long study, during which the opinions of all the relevant stakeholders were first received and a draft was then submitted to public opinion by the Banking Regulation and Supervision Agency (the “BRSA”), the Regulation was published in the Official Gazette dated 15.03.2020 and numbered 31069. The effective date of the Regulation is determined to be 1 July 2020. Within this context, the most significant innovations brought by the Regulation are explained below.
The use of authentication systems by bank employees is updated in light of technological developments.
What are the innovations brought in respect of authentication and transaction security?
- Mothers’ maiden names shall not be used for authentication purposes at any stage during the provision of electronic banking services.
- The way is paved for performing electronic banking transactions by means of the new Republic of Turkey identity cards. Authentication becomes possible by using the new Republic of Turkey identity cards’ PINs, alone or together with biometric data, or by using an electronic signature.
- Banks will no longer send OTPs (SMS containing a one-time password) or verification codes via SMS and shall no longer use them as an identity item. As an exception, OTPs or verification codes may be sent via SMS in the initial installation and activation phase of a mobile banking application or in the event that the application becomes unusable.
- In electronic banking channels, banks are henceforth obliged to enable the reverse of the transactions they carry out through those channels (e.g. a card account opened through mobile and internet banking can be closed in the same way).
- The Regulation imposes various obligations on banks in respect of authentication and ensuring transaction security.
- In order to prevent the occurrence of ATM fraud, banks are obligated to eliminate all issues concerning customer security, such as card copying on these machines. Within this context, precautionary and cautionary provisions which contain very strict details have been issued.
What are the innovations brought in respect of the obligation to inform customers?
- As of 1 July 2020, banks shall not send information containing sensitive data or data of secret nature (e.g. credit card account statements, bank receipts, etc.) by means of applications such as e-mail or SMS.
- Information, such as any account statements, bank receipts, abstracts of account containing sensitive data or data of secret nature that will be transmitted by banks to their customers in an electronic environment, shall be sent through the channels providing electronic banking services. Banks are obliged to provide necessary guidance to their customers for the use of electronic distribution channels in the provision of such information.
For further information, the full text of the relevant Regulation is accessible at .
In addition to the general provisions contained in the Communique that will be repealed as of 1 July 2020, the Regulation contains new, innovative approaches that may steer the sector with respect to the banking system and services provided through digital channels.
In light of the above and under the provisions introduced by the new Regulation, banks need to design, for their customers, a structure for the provision of electronic banking services that conforms to the new authentication and transaction security rules introduced specifically for each electronic distribution channel.