Your Partner
in Legal Success
| Reading Time: 3 Minutes
The Banking Regulation and Supervision Agency have published Draft Circular No. 2022/2 on the Criteria to be Provided for Authentication and Transaction Security in Electronic Banking Services and the Establishment of a Contractual Relationship in The Electronic Environment
The Banking Regulation and Supervision Agency have published Draft Circular No. 2022/2 on the Criteria to be Provided for Authentication and Transaction Security in Electronic Banking Services and the Establishment of a Contractual Relationship in the Electronic Environment.
The Circular states how identity verification and transaction security should be carried out in electronic banking service channels in articles 34 and 35 of the Regulation on Information Systems and Electronic Banking Services of Banks (BSEBY), which was published in the Official Gazette dated 15/03/2020 and numbered 31069. It is regulated that for the transactions to be carried out over the channels, techniques that will enable both the bank and the customers to be undeniable and to assign responsibility should be used. Also, in the 38th and 39th articles of BSEBY, additional provisions regarding these issues are included in internet banking and mobile banking distribution channels.
In the second paragraph of article 12 of the Regulation on Remote Identity Detection Methods to be Used by Banks and Establishment of Contract Relationship in Electronic Environment (UKTY) dated 01/04/2021 and numbered 31441, the following provisions are included by referring to the 38th and 39th articles of BSEBY:
(2) Within the conditions set forth in this Regulation, following remote identification or face-to-face determination of the customer’s identity through branches, there are some requirements to be able to establish a contractual relationship that replaces the written form over an information or communication device for the transactions desired to be carried out by the customers, whether distant or not.
- a) All the terms of the contract in question are communicated to the customer through internet banking or mobile banking distribution channels in a way that the customer can read,
- b) The contract communicated to the customer and the customer’s declaration of intent establishing the contract with this contract is signed with the customer-specific encryption secret key specified in the third paragraph of Article 38 and the first paragraph of Article 39 of BSEBY and forwarded to the bank,
- c) It is obligatory to ensure that the customer signs only that information in accordance with subparagraph (b), which information is shown to the customer as the content of the contract in the contract communicated according to clause (a).
Additional Clarifications have been published on the Criteria to be Provided for Authentication and Transaction Security in Electronic Banking Services and the Establishment of the Contract Relationship in the Electronic Environment.
Using the Client-Specific Encryption Secret and Transaction Signing
Within the framework of the provisions of BSEBY Articles 34-38-39, the usage areas of a secret cryptographic key assigned and dedicated to the customer:
- Authentication,
- Authorization (transaction verification).
It is required to generate a “verification code” and sign it with a customer-specific encryption secret key in order to perform authentication and authorization transactions in both the internet banking distribution channel and the mobile banking distribution channel, which is a specialized version of this distribution channel.
The “factor known to the customer”, such as the “PIN” to be used for activating the secret encryption key before content signing, must be verified online at the bank servers, not locally on the device where the mobile application is installed.
According to Article 35 of BSEBY, titled “undeniability and assignment of responsibility”, banks are required to use techniques that will enable undeniability and assign responsibility for both themselves and their customers in transactions carried out within the scope of the electronic banking services they offer.
According to the third paragraph of Article 38 of BSEBY, for transactions with financial results, the verification codes must be specific according to the amount and recipient information approved by the customer while performing the transaction in case of any change in the amount or the recipient information to which the fund will be transferred, the relevant verification code created according to this information should also become invalid, and the verification codes must be kept under a cryptographic secret assigned to the customer. It must be produced for single use, signed with a key.
Click to read more legal news in Turkey.