The Draft Circular No. 2022/2 on the Criteria for Authentication and Transaction Security in Electronic Banking Services and Establishment of Contractual Relationships in Electronic Environment (the "Draft Circular") has been published by the Banking Regulation and Supervision Agency (the "BRSA") for consultation, in order to clarify the application of the various regulations governing authentication and transaction security in electronic banking services and the establishment of contractual relationships in the electronic environment.

Within the scope of the Draft Circular, the issues regarding the implementation of the Regulation on Banks' Information Systems and Electronic Banking Services ("BSEBY"), the Regulation on Remote Identification Methods and Establishment of Contractual Relationship in Electronic Environment ("UKTY") and the Regulation on Operating Principles of Digital Banks and Service Model Banking ("DBY") have been clarified with respect to the following topics.

This Monthly Updates aims to briefly explain the Draft Circular and highlight the novelties introduced therein.

Amendments to Principal on Use of Customer-Specific Encryption Secret Key and Transaction Signing

Within the framework of the provisions of BSEBY, a "verification code" should be generated for authentication and authorization in order to verify the transaction. For internet banking and mobile banking transactions, the verification code is produced with an encryption secret key that is assigned to, and specific to, the customer. Thus, the verification code should be signed with a customer-specific encryption secret key.

The "factor known to the customer", i.e. the customer's security data such as the personal identification number ("PIN") used to activate the encryption secret key before the content is signed, must be verified online at the bank, rather than on the device where the mobile application is installed.

In addition, pursuant to the seventh paragraph of Article 34 and the third paragraph of Article 38 of BSEBY, for customers who have installed and activated the mobile banking application, the application itself is to be used to log in or to continue the session, except where the mobile banking application is being installed for the first time, activated or reactivated, or is inaccessible at the time. Sending a one-time password or verification code via SMS to verify a transaction is not permitted outside those cases; SMS notifications should be used only in the exceptional cases specified in these provisions and should not become routine practice.

Amendments to Principle on Ensuring the Realization of Transaction Signature/Approval in Accordance with the Information Submitted for Customer Approval

As per the Draft Circular, signing verification codes with a customer-specific encryption secret key is, on its own, not sufficient for identity or transaction verification or for the establishment of a contractual relationship by electronic means.

Therefore, for such signing to serve as a substitute for written form, and in light of the provisions of BSEBY and UKTY, it is emphasized that the encryption secret key should be securely assigned to the customer, that measures should be taken to prevent its use by unauthorized persons, and that non-repudiation of these transactions and the assignment of responsibility should be made possible by signing/confirming transactions according to the information presented to the customer for approval.

Within the Draft Circular, the methodology to be followed in order to ensure that said signing transactions comply with the above-mentioned provisions has been explained in detail as follows:

  • First, (i) a specific Software Development Kit ("SDK") and (ii) a Security Server ("SS") configured to communicate directly with this SDK over a separate secure channel need to be created.
  • The customer-specific encryption secret key used for signing must be stored in encrypted form in a secure area under the SDK's control, and must be activated only after security checks by the SS, for transaction signing, using the key material provided by the SS. For this activation, the SS needs to perform security checks confirming that the signing request comes from the service bank's secure mobile application, which constitutes a "customer-owned" authentication element.

In accordance with the 15th paragraph of Article 34 of BSEBY, the Draft Circular details the precautions to be taken where the reliability of the mobile application or the mobile device is compromised.

According to the third paragraph of Article 38 of BSEBY, verification codes for transactions with financial consequences are specific to the amount and the recipient information approved by the customer when performing the transaction; if the amount or the recipient to which the funds will be transferred changes, the verification code generated from the original information becomes invalid. Verification codes must be generated as one-time codes, signed with a cryptographic secret key assigned to the customer.
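As an added illustration (not part of the Draft Circular or of any bank's implementation), the following Python shows a verification code that is bound to the approved amount and recipient and can be used only once; HMAC-SHA256 with a constructed key stands in for the customer-specific signing key, whose algorithm the Draft Circular does not specify, and the nonce store stands in for the SS-side bookkeeping.

```python
import hashlib
import hmac
import json
import secrets
from decimal import Decimal

# Constructed sample key. In practice the per-customer key is held encrypted
# under the SDK's control and released only after the SS's security checks.
CUSTOMER_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def _canonical(amount: str, recipient: str, nonce: str) -> bytes:
    """Serialise exactly the details the customer approved, in a fixed form,
    so that any change to amount or recipient changes the signed bytes."""
    fields = {
        "amount": str(Decimal(amount).quantize(Decimal("0.01"))),
        "recipient": recipient,
        "nonce": nonce,
    }
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue_code(key: bytes, amount: str, recipient: str) -> tuple:
    """Return (nonce, code) for a transaction the customer has approved.
    The random nonce is what makes the code disposable."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(key, _canonical(amount, recipient, nonce), hashlib.sha256)
    return nonce, mac.hexdigest()


def verify_code(key: bytes, amount: str, recipient: str,
                nonce: str, code: str, used: set) -> bool:
    """Accept the code only if it matches the submitted amount and recipient
    and has not already been consumed (replay)."""
    if nonce in used:
        return False
    expected = hmac.new(key, _canonical(amount, recipient, nonce), hashlib.sha256)
    # Constant-time comparison avoids leaking the expected value via timing.
    if not hmac.compare_digest(expected.hexdigest(), code):
        return False  # amount or recipient differs from what was approved
    used.add(nonce)
    return True


if __name__ == "__main__":
    used_nonces = set()
    n, c = issue_code(CUSTOMER_KEY, "100.00", "TR-CONSTRUCTED-IBAN-0001")
    print(verify_code(CUSTOMER_KEY, "999.00", "TR-CONSTRUCTED-IBAN-0001", n, c, used_nonces))
    print(verify_code(CUSTOMER_KEY, "100.00", "TR-CONSTRUCTED-IBAN-0001", n, c, used_nonces))
    print(verify_code(CUSTOMER_KEY, "100.00", "TR-CONSTRUCTED-IBAN-0001", n, c, used_nonces))
```

The three checks print False (tampered amount), True (genuine), then False (replay of a consumed code).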

Amendments to Provisions on Ensuring that the Interface Provider's Mobile Application or Internet Browser Based Interface Complies with Authentication and Transaction Security Obligations

As per the 13th provision of the DBY, the service bank's SDK should be embedded in the mobile application interface of those operating as an interface provider, and the transaction signing specified in the second part of the Annex to the Draft Circular needs to be executed through the service bank's SDK within the mobile application interface and the service bank's SS. With this provision, it is stipulated that the interface provider and the service bank are jointly and severally responsible for ensuring that the interface provider's mobile application or internet-browser-based interface fulfils the above-mentioned obligations.

Amendments to Provisions on the Adaptation of the Products Used, Developed and Purchased for the Purpose of Authentication and Transaction Signing

The Draft Circular states that the compliance of products developed in-house or purchased must be assessed within the scope of the information systems audit conducted under the BRSA's Regulation on the Independent Audit of Information Systems and Business Processes, published in the Official Gazette dated 31 December 2021 and numbered 31706.

Conclusion

As a result of the Draft Circular, substantial amendments have been made to clarify the provisions on the implementation of various BRSA regulations on authentication and transaction signing. Stakeholders may submit their comments and opinions on the Draft Circular via email to the BRSA.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.