22 November 2022

Draft Circular On Authentication And Transaction Security In Electronic Banking Services Opened For Consultation

Esin Attorney Partnership

Esin Attorney Partnership, a member firm of Baker & McKenzie International, has long been a leading provider of legal services in the Turkish market. We have a total of nearly 140 staff, including over 90 lawyers, serving some of the largest Turkish and multinational corporations. Our clients benefit from on-the-ground assistance that reflects a deep understanding of the country's legal, regulatory and commercial practices, while also having access to the full-service, international and foreign law advice of the world's leading global law firm. We help our clients capture and optimize opportunities in Turkey's dynamic market, including the key growth areas of mergers and acquisitions, infrastructure development, private equity and real estate. In addition, we are one of the few firms that can offer services in areas such as compliance, tax, employment, and competition law — vital for companies doing business in Turkey.

Recent developments 

The Banking Regulation and Supervision Agency (“BRSA”) opened Draft Circular No. 2022/2 on the Criteria for Authentication and Transaction Security in Electronic Banking Services and Establishment of Contractual Relationships in Electronic Environment (“Draft Circular”) for consultation in order to clarify the application of different regulations regarding authentication and transaction security in electronic banking services and to establish contractual relationships in the electronic environment. Stakeholders may submit their comments and opinions on the Draft Circular via email to bsmevzuat@bddk.org.tr.

The Draft Circular is available online here (in Turkish).

What's new?

The Draft Circular clarifies the issues regarding the implementation of the Regulation on Banks' Information Systems and Electronic Banking Services (“BSEBY”), the Regulation on Remote Identification Methods and Establishment of Contractual Relationship in Electronic Environment (“UKTY”) and the Regulation on Operating Principles of Digital Banks and Service Model Banking (“DBY”) with respect to the following topics:

  • Use of customer-specific encryption secret key and transaction signing

For internet banking and mobile banking transactions, a “verification code” should be generated for authentication and authorization (transaction verification), for use with an encryption secret key that is assigned to, and specific to, the customer. Accordingly, the verification code should be signed with a customer-specific encryption secret key.

In order to activate the encryption secret key before signing the content, the customer's security data, such as a “PIN,” must be verified online at the bank instead of on the device where the mobile application is installed.

In addition, in relation to the verification of log-in and subsequent transactions, a one-time password (OTP) or verification code must not be sent via SMS to customers who have already installed and activated the mobile banking application, except for cases where the mobile banking application is installed or activated for the first time, reactivated, or the application is inaccessible at the time.

  • Ensuring the realization of transaction signature/approval in accordance with the information submitted for customer approval

The Draft Circular states that the signing of customer-specific encryption secret key and verification codes alone is not sufficient for identity or transaction verification and for the establishment of a contractual relationship by electronic means as a substitute for written form. Accordingly, it is emphasized that the encryption secret key should be securely assigned to the customer, measures should be taken to prevent its use by unauthorized persons, and the undeniability of these transactions and the assignment of responsibility should be made possible by signing/confirming transactions according to the information provided for customer approval.

The Draft Circular explains, in detail, the methodology to be followed in this context.

  • Ensuring that the interface provider's mobile application or internet-browser-based interface complies with authentication and transaction security obligations

The DBY and BSEBY stipulate that the interface provider and the service bank are jointly and severally responsible for ensuring that the mobile application or internet-browser-based interface of the interface provider fulfills the abovementioned obligations regarding authentication and transaction security, and that the signing/confirming of transactions is carried out in line with the information submitted for customer approval. In this regard, the Draft Circular states that interface providers should conduct their activities in accordance with the methodology described in the Draft Circular.

  • Adaptation of products used, developed and purchased for authentication and transaction signing

The Draft Circular explains that the compliance with the Draft Circular of products that are developed in-house or purchased and that are used for authentication and transaction signing will be assessed in accordance with the information systems audit to be conducted under the BRSA's Regulation on Independent Audit of Information Systems and Business Processes.

In addition, the Draft Circular imposes an obligation on organizations that sell these products or provide outsourced services to apply to the BRSA for permission to offer products and services to banks, other institutions under the BRSA's supervision and auditing, and interface providers within the scope of authentication and transaction signing.

Conclusion

The Draft Circular aims to clarify certain issues regarding the implementation of various BRSA regulations on authentication and transaction signing in a holistic manner. The relevant stakeholders will be able to send their opinions on the Draft Circular by email to bsmevzuat@bddk.org.tr.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
